Video Surveillance The general provision adopted by the Garante - 29 aprile 2004 
[doc. web. n. 1116810]
[ doc. web. n. 1003482]
Video surveillance - The general provision adopted by the Garante
The Garante per la protezione dei dati personali
Having convened today in the presence of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary General,
Having regard to official records as well as to the considerations made pursuant to Section 15 of Regulations 1/2000,
Acting on the report submitted by Prof. Gaetano Rasi,
The Garante considers it appropriate to update and supplement its provision of 29th November 2000 - so-called "decalogue" - partly in order to bring processing operations performed by means of video surveillance into line with the Code that came into force on 1st January 2004 as well as with other pieces of legislation in force enhancing safeguards for citizens. On the other hand, it should also be pointed out that in the three years following implementation of the above provision several cases were submitted to the Authority via complaints, reports and requests for opinions, pointing to the increasingly frequent use - often in breach of the law - of audiovisual equipment to continuously acquire images - at times in association with sound - related to identifiable individuals; the relevant data are often recorded and stored as well.
In connection with the aforementioned safeguards, this provision (paragraphs 2 and 3) refers to some principles and describes the general requirements applying to all video surveillance systems; paragraphs 4, 5, and 6 contain guidance in respect of specific data processing operations. Obviously, in particular situations the Authority reserves the right to take ad hoc measures on a case-by-case basis.
The requirements set out herein are grounded on the respect for citizens' fundamental rights and freedoms and personal dignity, with particular regard to privacy, identity and personal data protection (see Section 2(1) of the data protection Code).
The Garante has paid due attention to the new right to personal data protection laid down in Section 1 of the Code, being aware that the appropriate protection of individuals' rights - which is the subject of the balancing carried out herein - is not prejudicial to the adoption of effective measures aimed at ensuring citizens' security and detecting crime.
Therefore, account has also been taken of the freedom of movement in public places. In these contexts it is not possible to deprive individuals of the right to move without interferences that are incompatible with a free democratic society (see Article 8 of the European Human Rights Convention as ratified in Italy by Act no. 848/1955) such as those resulting from invasive, oppressive data acquisitions in respect of an individual's whereabouts and movements - which is facilitated by the growing system interaction via Internet and Intranets.
Finally, the Garante drew inspiration from the guidelines issued by several international and Community fora with particular regard to the Council of Europe's guidelines of 20-23 May 2003 as well as to the documents drafted by the European data protection authorities within the framework of the Article 29 Working Party.
2. General Principles
Data may only be processed by means of video surveillance systems if the lawfulness requirements set out expressly in the Code for public bodies - i.e. fulfilment of institutional obligations, Sections 18 to 22 - and, on the other hand, private entities and profit-seeking public bodies - i.e. fulfilment of legal obligations, compliance with a "balancing of interests" decision by the Garante, or data subject's free, express consent, Sections 23 to 27 - are met. These requirements apply to different sectors and will be therefore separately referred to in the paragraphs below concerning the public and the private sectors, respectively.
Video surveillance should be carried out in accordance not only with the provisions on data protection, but with the requirements set out in other pieces of legislation in respect of the installation of audiovisual equipment.
In this regard, reference should be made to the civil and criminal law provisions in force concerning unlawful interference with private life and protection of a person's dignity, image, domicile and any other places deserving similar protection - such as restrooms, hotel rooms, beach cabins, cloakrooms. Account should be taken additionally of the legislation protecting employees, in particular of Act no. 300/1970 - so-called "Workers' Statute".
Specific limitations may be imposed by other laws and regulations providing for and/or envisaging the installation of equipment for local, airborne and/or satellite surveillance - see a decree-law of 24th February 2003 as converted, with amendments, into Act no. 88 of 24th April 2003. Whenever said laws and regulations involve processing of data relating to identified or identifiable individuals, they must be implemented in line with the principles set out in the Code as regards, for instance, security in sports facilities and stadiums, museums, public libraries and State archives, or else the installation of audiovisual equipment on passenger ships travelling on domestic routes (as per a decree of February 2000).
Moreover, it is obviously necessary to abide by the criminal law provisions banning interception of communications and conversations.
2.2. Data Minimisation
Given that installing a video surveillance system entails imposition of a constraint on citizens, i.e. subjecting them to limitations or anyhow conditioning them, the data minimisation principle is to be applied - therefore, unnecessary, excessive and/or redundant applications are to be ruled out.
Each information system and the relevant software should be configured from the start in such a way as not to make use of data relating to identifiable persons if the purposes of the processing can be achieved by only using anonymous data - e.g. by configuring the software in such a way as to rule out the possibility of zooming in the filmed images if the purpose is traffic monitoring. The software should also be configured so as to regularly and automatically delete any recorded data.
Failure to comply with the data minimisation principle in respect of equipment installation and video surveillance activities will make the latter unlawful (see Sections 3 and 11(1), letter a), of the Data Protection Code).
In assessing whether deployment of a video surveillance system is appropriate with regard to the concrete danger level, it should be avoided to collect data in areas and/or activities exposed to no concrete danger and/or requiring no deterrents in reality - e.g. no cameras should be installed exclusively as a matter of distinction and/or glamour.
Video surveillance equipment should only be activated if other measures are considered to be insufficient and/or unfeasible following a careful analysis. This means that if its installation is aimed at protecting property as also related to hooliganism, other suitable solutions such as controls by security personnel, alarm systems, entrance protection devices, entrance enabling devices, etc. should be found to be equally ineffective.
One should refrain from making what is simply the least expensive, easiest or most rapidly applicable choice, which might fail to take account of the impact on other citizens' rights and/or different, legitimate interests.
As a rule, it is not justified to perform surveillance where the latter is not aimed at controlling events, situations and occurrences, but rather at promotional and tourist and/or advertising purposes via web cams and/or online cameras allowing identification of the individuals concerned.
Also the installation of non-functioning and/or fictitious cameras for merely demonstrative purposes - albeit entailing no processing of personal data - may condition the way people move and behave in public and private places, therefore it may be lawfully challenged.
Thus, video surveillance is only lawful if the so-called proportionality principle is complied with as regards both selecting whether to install what surveillance equipment and the individual processing phases (see Section 11(1), letter d), of the Code).
Obviously there is some discretion left to the data controller in applying the proportionality principle, which however does not mean that the controller's decisions are fully discretional and unobjectionable. Before deploying a video surveillance device, the data controller should assess, from an objective viewpoint and in selective manner, whether the planned implementation is actually proportionate in concrete to the purposes sought, which must be lawful.
This will prevent unjustified interferences in other data subjects' fundamental rights and freedoms.
As already pointed out, proportionality should be assessed with regard to all phases and/or mechanisms related to the processing, for instance in order to decide
- whether it is enough for security purposes to collect images that do not allow identification of the individual citizens, also via zooming,
- whether it is really indispensable for the specific purposes to collect detailed images,
- location, viewing angle, use of automatic zooming and fixed or mobile equipment,
- what data to collect, whether to record them or not, use a communication network or set up a database, index said database, use frame-freezing and/or digital technologies, associate the data with additional information or interconnect the system with other systems managed either by the same data controller or by third parties,
- the data retention period, if any, keeping in mind that the data may only be retained on a temporary basis.
In pursuance of this principle, it is also necessary to impose strict limitations on
- filming private premises or access areas to buildings, also in public places, where this serves a lawful, actual interest in connection with specific purposes,
- implementing specific solutions such as the connection with ad-hoc "centres" in charge of receiving sound and/or visual alarm signals, or else applying automatic measures following activation of automated alarm mechanisms and/or systems, e.g. closing of entrances, summoning of the security staff, etc., given that additional safeguards apply under the Code if the processing is aimed at profiling a data subject or his/her personality (see Section 14(1) ),
- duplication of the recorded images, and
- setting up of a database if deployment of a closed-circuit system enabling visual inspection of the images is enough for the purposes to be achieved, and recording is unnecessary, e.g. with a view to traffic monitoring or controlling customer flows at a public office.
2.4. Purpose Specification
The purposes to be achieved should be specific, explicit and lawful - as per Section 11(1), letter b), of the Code -, which requires data controllers to only seek the achievement of purposes falling under the respective scope of competence.
Conversely, it has been found that some public and private bodies avail themselves inappropriately of video surveillance for purposes related to public security and the prevention and/or detection of criminal offences, which actually fall under the exclusive competence of judicial and law enforcement authorities.
On the other hand, in many cases video surveillance systems are actually deployed as a complementary tool in order to enhance security inside/outside buildings and plants where manufacturing, industrial, commercial and/or service-related activities are carried out or else to facilitate exercise of either the data controller's or third parties' defence rights in civil and criminal proceedings based on images to be used as evidence of crimes and misdemeanours.
In any case, only specific, explicit purposes may be sought, i.e. the purposes should be made known directly by means of adequate communications and/or public notices - subject to the cases in which data acquisition is ordered by judicial authorities. No generic and/or unspecified purposes are allowed, in particular if they are incompatible with the purposes to be expressly specified and lawfully sought (see Section 11(1) of the Code). The purposes specified as above are to be accurately reported in the information notice.
Data subjects should be informed that they are going to access or find themselves in an area under video surveillance and that the data are being recorded, as the case may be; this also applies in the case of public events and shows such as concerts or sports events and in connection with advertising activities via web cams.
The information notice should contain the items referred to in the Code (see Section 13) and may be worded in a summary, though clear-cut and unambiguous manner.
Pursuant to Section 13(3) of the Code, the Garante has drafted a simplified standard "minimum" information notice that is annexed to this provision, to be used, in particular, in outside areas unless the prior checking requirements specified below apply. This standard notice can be obviously adjusted to the specific circumstances. In the presence of several cameras as related to especially large areas and the use of different filming arrangements, several notices will have to be deployed.
As regards premises other than outside areas, the standard notice should be supplemented by at least a detailed notice containing the items referred to in Section 13 of the Code with particular regard to purposes and data retention.
The information notice
- should be placed in or close to the areas under surveillance without being necessarily affixed to the cameras,
- should be dimensioned and placed in such a way as to be clearly visible,
- may contain a symbol or logo that is clearly and immediately comprehensible. Different symbols/logos may be used depending on whether the images are only viewed or also recorded.
3.2. Specific Requirements
3.2.1. Prior Checking
Personal data should be processed within the framework of video surveillance activities by complying with the measures and precautions laid down by the Garante, also via a general provision, following the prior checking carried out either ex officio or further to an application lodged by the data controller (see Section 17 of the Code) whenever there exist specific risks for fundamental rights and freedoms as well as for data subjects' dignity.
To that end, the Garante provides hereby that all data controllers should subject video surveillance systems entailing image collection either in connection and/or matched and/or compared with other specific personal data - e.g. biometric data -, identification codes related to electronic cards, or voice recognition devices to the prior checking of this Authority - if necessary, again, on the basis of general provisions - as a measure that is appropriate in order to foster compliance with the relevant legislation (see Section 143(1), letter c), of the Code).
The Garante's prior checking shall also be required if the images are digitalised or indexed, which allows automated and/or personal searches, and if so-called dynamic-preventive surveillance is implemented, i.e. if the surveillance is not limited to statically filming a given place, but can also track routes and/or physical characteristics (e.g. via facial recognition) and/or sudden events, or else types of behaviour whether already categorised or not.
The aforementioned processing operations require the Garante's prior authorisation, also based on a general authorisation, if they concern sensitive or judicial data, e.g. if the surveillance concerns diseased individuals or prison inmates (see Sections 26 and 27 of the Code).
3.2.3. Other Types of Prior Assessment
No prior checking by the Garante is required with regard to data processing operations performed by video surveillance falling outside the scope of points 3.2.1. and 3.2.2. above, unless this is provided for by the Authority. The fact of making available documents concerning video surveillance projects - often of a generic nature and unsuitable for distance assessment - to the Garante should not be construed as implicit acceptance if no explicit response is received from the Authority, as the silent acceptance principle does not apply to these cases.
The aforementioned processing operations are to be notified to the Garante exclusively if they fall under the scope of the notification provisions (see Section 37 of the Code). In this regard, the Authority provided that processing operations relating to unlawful and/or fraudulent conduct should not be notified if they concern image or sound data that are retained on a temporary basis exclusively for the purpose of securing or safeguarding individuals and/or property (see Provision no. 1/2004 of 31st March 2004 as available at www.garanteprivacy.it).
3.3. Data Processors, Persons in Charge of the Processing and Security Measures
3.3.1. Data Processors and Persons in Charge of the Processing
It will be necessary to specify, in writing, all the natural persons in charge of the processing, who are authorised to use the equipment and, if this is necessary for the purposes sought, inspect the recorded data (Section 30 of the Code). The number of said persons must be quite limited, in particular if external collaborators are employed.
The standard rules should also be complied with as regards the appointment of data processors; special care will have to be taken if the data controller avails himself of an external entity - including private surveillance agencies (see Section 29 of the Code).
"External" data processors and persons in charge of the processing may only be appointed if the external entity in question discharges tasks that are instrumental to and dependent upon the decisions made by the data controller. Obviously, this should not be an excuse to dodge the legislation concerning personal data protection - as might be the case, for instance, if the appointment of "external" persons in charge of the processing is used to dissimulate the communication of data to third parties without the data subjects' consent, or else if the entities exchanging the data at stake pursue different or incompatible purposes.
If the data are retained - for a limited period as per the proportionality principle -, a multi-tier framework should be envisaged as regards accessing the system and using the information by having also regard to maintenance requirements. Misuse should be prevented by suitable measures based, in particular, on the use of a physical or logical "double key", which should allow images to be viewed immediately and in full exclusively where necessary - e.g. as regards maintenance staff, or to extract data for defending a claim or responding to a request for access, or else to support the activities of the competent judicial and/or law enforcement authorities. It should be considered that the regulated access to recorded images by the staff in charge is actually a security factor.
Finally, regular training of the staff in charge is appropriate in order to refresh them on their duties, safeguards and liabilities both when the video surveillance systems are deployed and whenever their mechanisms of use are modified (see Annex B to the Code, Rule no. 19.6).
3.2.2. Security Measures
The data should be safeguarded via suitable preventative security measures so as to minimise the risk that they are destroyed or lost - also by accident -, accessed without authorisation or processed unlawfully and/or in a manner that is not in line with the purposes for which they have been collected (se Section 31 of the Code).
Some measures - the so-called "minimum security measures" - are mandatory under criminal law as well. If the data controller avails himself of an external entity, he must be provided by the installator with a written statement of the intervention performed attesting to its conformity with the relevant regulations (see Sections 33 to 36 and 169 of the Code as well as Annex B to the Code, point 25).
3.4. Retention Period
In pursuance of the proportionality principle, the temporary retention of the data - if any - should be in proportion to the degree of indispensability of such retention and its duration should not be longer than is necessary, further to pre-determined criteria, to achieve the purposes sought.
Retention should be limited either to a few hours or, at the very most, to the twenty-four hours following image acquisition, subject to specific requirements mandating a longer retention period with regard to holidays and/or the closing time of offices and shops as well as in case a specific request made by judicial or law enforcement authorities for investigational purposes is to be granted.
Only in some specific cases is it allowed to retain the data for longer - and in any case for no longer than one week - either on account of special technical requirements (e.g. transportation means) or because of the dangerousness of the activity carried out by the data controller (e.g. in some places such as banks it may be necessary to identify individuals that visited the bank a few days prior to a robbery to make a reconnaissance of the premises).
Any extension of the retention period should be considered as an exceptional measure to be assessed, at all events, by having regard to the requirements deriving from past and/or actually impending occurrences or else to the need for keeping and/or delivering a copy that has been specifically requested by judicial or law enforcement authorities in connection with investigations in progress.
The system deployed should be programmed so as to perform automatic data erasure from all media at a pre-determined time - if technically possible -, also via redubbing, in accordance with mechanisms that will have to prevent the erased data from being re-used.
3.5. Documenting the Policy Adopted
The reasons underlying the policy adopted as above will have to be adequately documented in a separate instrument to be kept by the data controller as well as the data processor, also in view of its production on the occasion of inspections and/or in connection with the exercise of data subjects' rights or litigations.
3.6. Data Subjects' Rights
Identifiable data subjects should be enabled to effectively exercise their rights under the Code, with particular regard to the right of accessing the data concerning them, verifying the purposes, mechanisms and logic underlying the processing, and having unlawful processing operations terminated especially if no suitable security measures have been adopted or if the system is used by individuals without the required authorisations (see Section 7 in the Code).
When responding to a request for access to stored data, all the data concerning the identifiable petitioner will have to be taken into account; reference may be made to data concerning third parties exclusively insofar as this is provided for by the Code (see Section 10(3) ). To that end, it may be appropriate to verify the petitioner's identity by requesting an ID document to be either produced or attached, showing a recognisable image of the petitioner in question.
4. Specific Sectors
4.1. Employment Context
In performing surveillance, it is necessary to comply with the prohibition against distance monitoring of employees, also in case services are provided via electronic networks by means of the so-called web contact centres. Additionally, the safeguards applying to the employment context should be abided by if video surveillance is deployed for organisational and production requirements, or else with a view to occupational safety (see Section 4 of Act no. 300/1970, and Section 2 of legislative decree no. 165/2001).
These safeguards should be complied with both inside buildings and in other places where work is performed; this requirement has been already pointed out in other provisions by this Authority concerning installation of video cameras on buses, in that these cameras should not permanently focus on the driver's seat and the images - being collected for security and crime detection purposes - may not be used to monitor, albeit indirectly, the employees' activities.
It is not admissible that video surveillance systems are deployed in premises that are reserved exclusively for employees or else are not intended for the performance of work - e.g. restrooms, cloakrooms, showers, cupboards, recreational areas.
The use of cameras at the workplace to document activities and/or operations exclusively for educational and/or institutional/business communication purposes with the involvement of employees may be considered to be similar to a temporary processing operation aimed at the occasional publication of papers, essays and other intellectual works. In this case, the provisions on journalistic activities laid down in the Code are applicable, subject to the limitations on freedom of the press required by the need to safeguard privacy as well as without prejudice to compliance with the code of conduct for journalistic activities and the employees' right to protect their own images by also objecting, on legitimate grounds, to their dissemination.
4.2. Hospitals and Treatment Centres
Supervision of medical facilities and monitoring of patients hospitalised in certain departments and/or units such as resuscitation units should be limited to the cases in which this is absolutely indispensable on account of the sensitive nature of many data to be possibly collected in this way, by limiting the scope of surveillance to certain premises and well-defined time ranges. Furthermore, all the additional precautions required to ensure full-fledged protection of privacy and dignity of patients will have to be adopted, also in pursuance of the provisions laid down in the Code with regard to health care institutions (Section 83). The data controller should ensure that only those specifically authorised thereto may access the images - e.g. medical and nursing staff - and that the latter are not inspected by third parties such as, for instance, visitors. Special care will have to be taken in setting out the mechanisms for the relatives of patients hospitalised in restricted access units - e.g. resuscitation units - to view the images, as they should only be allowed to see the images concerning their own relative(s) by means of suitable technical arrangements.
Images suitable for disclosing health must in no case be disseminated, under penalty of criminal punishments as per Section 22(8) and Section 167 of the Code. It is absolutely to be prevented that images showing patients are disseminated via monitors located in premises that are freely accessible to the public. If deployment of a video surveillance system in a health care institution is not aimed at the treatment of patients, but rather serves administrative and/or security purposes such as supervision of the building or some of its premises, and it is likely that such system allows collecting images suitable for disclosing health, the public entity acting as data controller will have to refer to this processing operation in the regulatory instrument to be adopted in respect of sensitive data under the Code (Section 20).
4.3. Schools and Similar Institutions
The installation of video surveillance systems in schools should ensure "the student's right to privacy" as per Section 2(2) of Presidential decree no. 249/1998 and take account of the sensitive issues related to processing - if any - of data on minors.
To that end, use of these systems may be admissible if absolutely indispensable - e.g. because of repeated acts of hooliganism -, however they must be deployed only in the areas concerned and activated after closing time by also strictly regulating access to the relevant data. Any activities aimed at safeguarding ordre public and/or detecting offenders such as drug pushers, solicitors, etc. fall exclusively under the scope of competence of judicial and/or police authorities.
4.5. Places of Worship and Burial Grounds
The installation of video surveillance systems at churches and other places of worship and/or other meeting places for members of religious confessions must be the subject of a carefully thought-out assessment given the risk that the images collected in this way are used for discriminatory purposes as well as because of the sensitive nature of the information concerning membership of a specific religious confession.
In order to ensure respect for burial grounds, it is admissible to deploy video surveillance systems inside these areas exclusively if such systems are aimed at preventing the concrete risk of hooliganism.
5. Public Bodies
5.1. Discharge of Institutional Tasks
Public bodies may perform video surveillance exclusively to discharge institutional tasks to be specified and referred to accurately, in respect of which they must act as data controllers in pursuance of the relevant provisions (Section 18(2) of the Code). Otherwise, processing the data is unlawful even if a public body appoints members of law enforcement agencies as data processors or else uses electronic networks in breach of the Code (see Section 19(2) ).
This circumstance has actually occurred in respect of some municipalities maintaining that they would be directly pursuing, under administrative law, purposes related to prevention and detection of crimes, which in reality fall under the scope of competence of judicial and police authorities. Therefore, it is appropriate to refer here to the considerations made in the past with regard to the decrees issued by some municipalities concerning prostitution in public places. Though carried out for the sake of a public interest, video surveillance must comply with the principles referred to above.
If a public entity is really discharging tasks entrusted under the law in connection with public security and/or detection, prevention and suppression of crime, the video surveillance of identifiable data subjects may be carried out in the presence of actual, proportionate requirements concerning prevention or suppression of concrete, specific dangers as impending on a good - this is the case, for instance, of premises exposed to actual dangers or events that can reasonably produce prejudicial effects.
Therefore, it is unlawful to perform pervasive video surveillance of whole areas in a city - perhaps imaged in full and without intermission in the absence of adequate requirements - if the conditions referred to above are not fulfilled. By the same token, it is prohibited to electronically connect several entities, at times via an electronic "centre", as this may result into recording a considerable amount of personal data and tracking all the passages occurring over a given time span.
It is equally unjustified to deploy video surveillance equipment exclusively with a view to monitoring compliance with the prohibition against smoking or littering, walking on grass, posting bills, taking pictures, and any other activities such as depositing garbage in the appropriate bins - all these being cases actually submitted to the Garante's attention.
The specific laws and regulations and the functions lawfully set out by each public body make up the operating framework within which processing is permitted. As required by the Code, any communication to third parties is only allowed if it is expressly provided for by laws and/or regulations (see Section 19(3) ).
Furthermore, specific provisions are laid down in the Code in order to allow - in accordance with strict safeguards - audiovisual imaging to document the institutional activities of public bodies (see Sections 20-22 and 65 of the Code). Except for the provisions made in respect of health care professions and bodies, public bodies are not required to obtain the data subjects' consent (see Section 18(4) of the Code).
5.2. Information Notice
Contrary to the representations made by some public bodies, the information to data subjects should be provided in accordance with the mechanisms described in paragraph 3.1.; posting the information notice on the organisation's bulletin board and/or public bills is not enough. These approaches may contribute to ensuring openness of the procedure, however they are not sufficient in themselves as the information is to be made available in the areas and premises where video surveillance is performed.
5.3. Access to City Centres
In implementing access detection systems for city centres and restricted traffic areas, municipalities are required to comply with Presidential decree no. 250 of 22nd June 1999. The latter requires municipalities to obtain an ad-hoc administrative authorisation and limit access data collection by only recording the images in case of breaches of law (see Section 3 of decree no. 250/1999). Processed data may be stored for no longer than is necessary to challenge such breaches and settle the relevant disputes; they may only be accessed for law enforcement and/or criminal investigation purposes.
5.4. Urban Transportation Security
Under some especially risky situations, it can be considered that deployment of video surveillance systems on public transportation means is lawful. These systems may also be lawfully installed at some stops of transportation means especially in urban peripheral areas, where criminal events often occur such as attacks, mugging, and so on.
Here reference should be made to the above considerations concerning the fact that only police forces are in charge of detecting, preventing and suppressing offences and have the right to access the images - to be stored for a few hours - exclusively following the actual commission of offences. Special care will have also to be taken in setting the viewing angle of the cameras, placing suitable information notices on board the transportation means and at the stops - where third parties may also happen to transit -, and preventing systematic imaging of irrelevant items and/or details concerning passengers.
5.5. Depositing Waste
In pursuance of the above principles, video surveillance of areas that are unlawfully used for the disposal of dangerous waste and substances is permitted if other measures are found to be ineffective and/or unfeasible. As already pointed out, this type of surveillance is not allowed and should be carried out by alternative means if it is aimed at detecting breaches of administrative regulations concerning arrangements and time schedule for depositing urban waste.
6. Private Bodies and Profit-Seeking Public Bodies
Unlike public bodies, private bodies and profit-seeking public bodies may only process personal data with the data subjects' prior express consent, or else if one of the lawfulness requirements other than consent is fulfilled (see Sections 23 and 24 of the Code).
If video surveillance equipment is implemented by private bodies and profit-seeking public bodies, the possibility of lawfully obtaining the data subjects' consent may be markedly limited in concrete by features and operating mechanisms of said equipment; indeed, it often happens that a wide range of individuals are concerned by the surveillance and it is difficult or downright impossible to contact them before carrying out the processing operations. At times this is related to the purposes sought - e.g. security, deterrence, etc. -, which are difficult to reconcile with the need to request explicit acceptance by an individual intending to access certain premises or use certain services. Consent is only valid if it is based on prior, adequate information, and if it is explicit and documented in writing. Therefore, assumed and/or implied consent, as well as prima facie evidence consent, i.e. the fact that consent is only indicated by the implicit acceptance of surveillance following access to certain premises, are not to be regarded as valid.
In the private sector, apart from the cases in which it is possible to obtain the data subjects' free, explicit, and documented consent, there may arise the need to check whether another lawfulness requirement can be fulfilled as an alternative to consent. This issue is addressed in the paragraphs below.
6.2. Balancing of Interests
A suitable alternative to explicit consent can be found in the provisions on balancing of interests (see Section 24(1), letter g), of the Code). This decision implements said provisions by specifying the cases in which images may be acquired without the data subjects' consent if - in accordance with the arrangements set out herein - this is done in order to pursue the data controller's or a third party's legitimate interests by means of evidence, or else to protect individuals and property against attacks, thefts, robberies, damage, and hooliganism, or for fire prevention and occupational safety purposes.
In the light of the wide range of safeguards and conditions referred to above, it would not appear to be necessary for the Garante to impose additional conditions and limitations with regard to some processing operations in the private sector that are mentioned below.
6.2.2. Recording of Images
Compared with data acquisition as such, certain processing operations are more intrusive if the data are recorded on media, matched with other types of information, or stored in databases - at times following activation of a pre-set alarm device. This is due to the multifarious processing activities for which the data in question may be used also with a view to different purposes.
In the presence of actual, concrete dangers, recording of such data is allowed to safeguard individuals, property and/or business assets - e.g. with regard to goods that have already been repeatedly targeted by criminals - in respect of the delivery of specific public services - such as transportation services - and/or activities - for instance, those performed in public places, entailing the handling of monies and/or valuables, or else requiring protection of business and industrial secrecy in connection with specific activities.
6.2.3. Video Surveillance without Recording
If the images are viewed in real time only, or else stored for a few hours via CCTV systems, legitimate interests may be protected in respect of actual, concrete dangers affecting the security of individuals and property - including shops that are exposed to criminal risks because of the presence of monies, valuables and other goods (jewelleries, supermarkets, banks, post offices). Video surveillance may be found to be excessive and disproportionate if other effective devices for supervision and/or control have already been deployed, or else in the presence of security staff.
In using surveillance equipment to image, for the legitimate interests referred to above, areas outside buildings and other premises - e.g. parking and loading/unloading areas, accesses, emergency exits, etc. -, the processing will have to be carried out in such a way as to limit the viewing angle to the area to be actually safeguarded, i.e. by refraining from imaging nearby areas and/or irrelevant items such as streets, buildings, shops, institutions, and so on.
6.2.4. Video Entry Systems
Video entry systems and other devices acquiring images and/or sound data without recording them are permitted in order to identify people intending to enter private premises. These systems are usually deployed at the entrance of buildings and other premises close to bells or audio entry systems exactly to monitor prospective visitors. Their existence is to be made known by means of easily locatable information notices, if they are not used for exclusively personal purposes (see Section 5(3) of the Code).
Conversely, other supervision and monitoring devices are often difficult to locate partly because of the lack of adequate information, nor is their location signalled in any other manner. In some cases, several cameras located also inside a building - e.g. on landings, passageways, staircases - are activated simultaneously and image visitors, albeit for a short time, until they enter a flat. Also in these cases adequate information is mandatory.
6.2.5. Imaging of Common Areas
Installing the devices described above in areas either close to private dwellings or inside tenement houses and related premises - e.g. parking places - falls outside the scope of application of the Code if the data are not communicated on a systematic basis and/or disseminated; however, some precautions are required in order to safeguard third parties (see Section 5(3) of the Code). To prevent unlawful interference in another's private life, which is an offence punished under Section 615 of Italy's Criminal Code, the viewing angle should be limited to the areas included in one's own property - e.g. those opposite the entrance to one's own house; no common areas such as yards, landings, staircases, common parking places, and no areas opposite other tenants' houses should be imaged irrespective of whether the data are recorded or not.
Conversely, the Code applies if a surveillance system is deployed to image common areas by several owners and/or tenants, a condominium, the respective managers - including managers of residential properties and time-shared properties -, professional firms, companies and/or not-for-profit bodies.
Installation of such systems is only allowed with a view to ensuring individual security and protecting property against concrete dangers - consisting, as a rule, in the previous occurrence of offences -, or else in connection with activities that entail, for instance, holding monies, valuables and other goods at one's disposal, as may be the case with credit factoring or trading in valuables and coins with numismatic value.
If video surveillance systems are used that envisage no data recording, proportionality should be assessed in comparison with other measures whether already adopted or to be possibly adopted such as standard alarm systems, armouring of doors and gates, use of automatic gates, deployment of access enabling systems, and so on.
7. Provisions and Punishments
The Garante hereby calls upon all the actors concerned to abide by the provisions made herein as well as by the provisions termed herein as appropriate pending the adoption of more specific measures, which might result either from a prior checking provision issued by this Authority (see Section 17 of the Code) or from the code of conduct the Garante has encouraged to draft in order to more specifically regulate other issues related to the processing of personal data "with electronic image acquisition devices" (see Section 134 of the Code).
The necessary measures provided for herein will have to be complied with by all data controllers. Otherwise the data processing operations are to be considered as either unlawful or unfair, depending on the specific circumstances, and as a consequence
- The personal data processed in breach of the relevant provisions may be banned from use (see Section 11(2) of the Code),
- The Garante may order the processing to be blocked or prohibited (see Section 143(1), letter c), of the Code), and similar measures may be taken by criminal and/or civil judicial authorities, and
- The applicable administrative and/or criminal sanctions may be imposed (see Section 161 and following ones of the Code).
GIVEN THE ABOVE PREMISES, THE GARANTE:
- Provides that data controllers acting in the sectors concerned adopt the necessary and appropriate measures referred to herein pursuant to Section 154(1), letter c), of the Code, in order to bring the processing into line with the legislation in force,
- Specifies hereby the cases in which, further to the above premises and in pursuance of Section 24(1), letter f), of the Code, private bodies and profit-seeking public bodies may process personal data by means of video surveillance in accordance with the limitations and conditions set out herein with a view to pursuing legitimate interests and without requiring data subjects' consent, and
- Lays down a simplified standard information notice, which is annexed hereto and may be used in accordance with the conditions specified in the above premises.
Done in Rome, this 29th day of April 2004
The Secretary General
- Instructions on how to use this form can be found in paragraph 3.1
- If the images are not recorded, replace "registration" [recording] by "filming" [rilevazione]