Installing a workplace video surveillance system in Italy: need-to-knows
Published on 19th Jul 2023
- Installation of image detection systems must comply with the principle of data minimisation with regard to the choice of filming methods and location and the management of the various processing stages; the data processed must in any case be relevant and not excessive in relation to the purposes pursued. It is therefore advisable to obtain declarations / certifications to this effect from the manufacturer / installer of the video surveillance system.
Moreover, a video surveillance system may only be installed in the workplace for organisational and production requirements, to ensure safety at work and for the protection of company assets, in compliance with the guarantees provided for by the sectoral legislation (art. 4 Law 300/1970). Equipment may only be installed subject to a collective agreement entered into with the Works Council (if any). In the event that no Works Council is present, or alternatively in the event that the representations do not agree on installation, authorisation may be granted by the competent Territorial Labour Inspectorate.
- No authorisation from the Italian Data Protection Authority (Garante) is required to install a video surveillance system. According to the principle of accountability (art. 5(2) GDPR), it is, however, up to the data controller (the company) to assess the lawfulness and proportionality of the processing, taking into account the context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons. The data controller must also assess whether the preconditions exist for carrying out a data protection impact assessment before starting the processing. A prior impact assessment is mandatory when the video surveillance system involves the use of new technologies that may present a high risk for individuals: for example, in the case of integrated systems linking cameras between different subjects or using intelligent systems. In other cases, a prior impact assessment is not mandatory; it is, however, a question of expediency and accountability.
- A privacy notice must be provided to anyone who may be the subject to filming by a video surveillance system. The notice can be provided using a simplified model (example) which must contain, among other information, details of the data controller and the purpose of the processing. The sign must be placed before entering the area under surveillance. The data subject must be able to understand which area is covered by a camera in order to avoid surveillance or adapt their behaviour where necessary. The notice must refer to a complete text containing all the elements referred to in art. 13 GDPR, indicating how and where to find this (e.g. on the data controller's website or posted on its notice boards or premises).
As a general rule, and taking into account the principles of data minimisation and limitation of storage, the retention periods are usually, as indicated by the Garante, 24 hours - 72 hours at weekends or during holidays - or a longer period if the extension is necessary to comply with a specific request by the judicial authority or the judicial police in connection with an ongoing investigation.
Longer retention times may be envisaged, but in that case a reasoned analysis of the need for the longer retention time must be carried out.
- The people who will be able to view the images in real time and those who will be able to access the stored recordings must be authorised by means of specific documents/letters of appointment in which detailed instructions concerning the obligations and prohibitions are provided.
The monitor should therefore be positioned in such a way as to avoid allowing the images to be seen by unauthorised persons such as, for example, persons passing in front of the reception/gateway.
- If the management of the video surveillance system - or a part of it - is outsourced (e.g. to the surveillance company that displays the images and/or has access to the recordings; installation company that has access to the system for maintenance and servicing purposes), the data controller (the company) will have to proceed to appoint the company that carries out the processing activities on its behalf, as the data processor according to art. 28 GDPR.
- Finally, since the processing of data deriving from a video surveillance system usually has as its legal basis the legal interest of the data controller (art. 6(f) GDPR), the Legitimate Interest Assessment (LIA) must also be drawn up.
In summary, a company wishing to install a video surveillance system in the workplace in Italy will have to:
- reach a trade union agreement or obtain authorisation from the competent T.L.I.;
- if necessary, draw up an impact assessment;
- affix the short notice poster;
- draw up a legitimate interest assessment;
- appoint the authorised persons;
- enter into a contract appointing an external data controller if video surveillance activity is outsourced.