Video-surveillance footage often contains images of people. As this information can be used to identify these people either directly or indirectly (i.e. combined with other pieces of information), it qualifies as personal data (also known as personal information). Almost all EU institutions and bodies have video surveillance in operation on their premises: from small executive agencies with only a few cameras (CCTV), to EU institutions and bodies with seats in a number of Member States operating several hundreds of cameras; all EU institutions and bodies using CCTV have a publically available policy outlining what they do and why.
Well-designed and selectively used video-surveillance systems are powerful tools for tackling data security issues; badly designed systems merely generate a false sense of security while also intruding on our individual privacy and infringing other fundamental rights.
Data quality - Cameras can and should be used intelligently and should only target specifically identified security problems thus minimising the gathering of irrelevant footage (data minimisation). This not only reduces intrusions into privacy but also helps to ensure a more targeted, and ultimately, more efficient, use of video-surveillance.
Right of information - Notices can be found in EU institution buildings informing staff and visitors about the security cameras in place. These signs are mandatory because individuals affected by video-surveillance must be informed upon its installation about the monitoring, its purpose and the length of time for which the footage is to be kept and by whom.
Retention period - Although the installation of cameras might be justified for security purposes, the timely and automatic deletion of footage is essential. The EDPS requires all EU institutions to have clear policies regarding the use of video surveillance on their premises including on potential storage.
The following non-exhaustive list is a selection of documents for further reading: