More and more surveillance cameras are installed today in private places, as well as in public places in order to, among others, prevent malicious acts. These measures often result in the collecting of information that make it possible to identify a natural or legal person’s identity (specific or identifiable), thus, raising the question of the protection of personal data.

As a result, the Commission submits these measures to the authorisation request from the moment they are implemented by natural and legal persons governed by private law (article 6 of the law no. 1.165), organisations governed by private law entrusted with a mission of general interest or a concessionaire of public utility (article 7 of the law no. 1.165) for the purpose of video surveillance.

Moreover, the Commission submits these measures to the opinion request from the moment they are implemented by natural and legal persons governed by public law or public authorities (article 7 of the law no. 1.165).

It is important to note, however, that in the absence of any data recording (simple viewing in real-time); the data controller is then not subject to any formality.

A mandatory prerequisite: Authorisation from the Minister of State or the decision from the assembly of co-owners

Pursuant to article 10-1 of the law no. 1.165, “Personal data must be collected and processed fairly and lawfully.” The Commission is therefore demanding, as a mandatory prerequisite for it to be seized that a data controller has obtained either the authorisation from the Minister of Statet when the video surveillance is implemented by natural and legal persons governed by private law, organisations governed by private law entrusted with a mission of general interest or a concessionaire of public utility, or the decision of the assembly of co-ownerst when this same measure is implemented in a block of flats constituting co-ownership.

This document attesting the lawfulness of the processing must be enclosed imperatively with the request form filed with the Commission.

However, this mandatory prerequisite does not apply to measures of video surveillance implemented by natural or legal entities governed by public law or public authorities.

The data subjects

The data subjects concerned by a video surveillance system are all persons likely to enter within the range of the cameras. Thus, may be affected customers, employees, residents, caretakers, service providers, and/or even suppliers.

Functionality

In order to take into consideration the intrusive nature of implemented video surveillance systems, these must only be operated within the scope of the following functionality:

• To protect persons;
• To protect goods/assets;
• To control access;
• To allow the gathering of evidence in case of an offence or infringement.

In addition to the aforementioned functionality may also be added functionality specific to the activity of the involved data controller, such as, for example, to evaluate the material and staff on a building site when the aforementioned data controller is a company of public utility.

The justification

Pursuant to article 10-2 of the law no. 1.165, all automated processing pertaining to video surveillance systems shall be justified.

Often it will be justified by the essential purpose of the legitimate interest pursued by the data controller (for example, to protect his or her shop and the valuable assets contained therein against the risk of theft as well as his or her employees against the risk of aggression).

The video surveillance system may also be justified by a legal obligation to which the data controller is subject or for the purpose of public interests pursued by private organisations concessionaire of public utility or entrusted with a mission of general interest (for example, an obligation in the statement of work to install cameras in sensitive places).

The consent of the person may also be mentioned, but this justification will be assessed strictly by the Commission, and shall be substantiated and explained, especially in case of subordination.

Furthermore, it is the responsibility of the data controller to prove that the rights and freedom of the data subjects are protected.

Thus, the Commission requests that the data controller specifies that the video surveillance measures implemented:

• Do not enable the monitoring of the work or working hours of the employees;
• Do not exercise a permanent and inappropriate control of the data subjects.

Furthermore, the data controller must confirm, if relevant, that no cameras are installed in:

• The cloakrooms, lavatories (facilities), bath-shower rooms, changing rooms;
• The offices and the private rooms put at the disposal of the employees to relax or take meals;
• The access pathways or corridors to the flats;
• Pointing towards public streets or places.

The collected and processed data

In accordance with the provisions of article 10-1 of the law no. 1.165, the data collected must be “adequate, relevant and not excessive” with regards to the purposes for which they were collected and/or further processed.

The Commission judges therefore that the following information can be collected and processed:

• Identity: image, face, silhouette of the persons;
• Electronic identification data: connection logs of the persons authorised to access the images;
• Time-based and timestamp information: place and identification of the camera, date and time when the image was taken.

With regards to collecting voice (audio) in the case of operating a video surveillance system, the Commission considers frequently that such collecting is clearly excessive in view of the functionality of the processing. Indeed, the collecting of audio (voice) for the purpose of, for example, protecting goods/assets and persons, may lead to a surveillance considered to be inappropriate with regards to the data subjects. The Commission pays particular attention to the justification provided by the data controllers.

Sources and storage of data

The data have for source the video surveillance system itself.

Furthermore, in accordance with the article 10-1 of the law no. 1.165, data are only stored “during a period not exceeding the one set out for the purpose for which the data were collected”, that is to say, one month.

Recipients of the data

The collected data is likely to be communicated to the Department of Public Security and to Monegasque Courts for the purposes of a judicial investigation.

Furthermore, when a video surveillance system is installed at the request of the data controller’s insurance company, the data may also be transferred to the insurers for the purposes of a compensation claim enquiry.

Finally, in view of the particular activity of certain data controllers, some specific and distinct entities may also be made recipients of the data to accomplish their missions and/or to ensure the proper execution of their services (for example, the project manager and the project manager when the data controller is a company of public utility).

Conditions for informing the data subjects

In accordance with article 13 of the law no. 1.165, all video surveillance systems must be brought to the attention of the data subjects.

Although the data controller is free to choose the information method that he or she considers the most appropriate to his or her structure or activity, the Commission may nevertheless demand that the information be distributed, in all cases, by means of a notice board indicating visibly, understandably, clearly, and permanently the existence of the device including, a minima:

• A pictogram (icon) representing a camera;
• The name of the service to which requests can be addressed to exercise the right of access.

Exercise of the right of access

If the data controller is free to choose the manner in which data subjects can exercise their right of access, it is imperative, with regards to video surveillance that the answer to the request for right of access is carried out on site.

Persons with access to the data

Pursuant to the article 17-1 of the law no. 1.165, the data controller must “establish a list of names of authorised persons who alone shall have access, strictly confined to the performance of their duties, to premises and facilities used for processing and the data being processed”.

This list of persons authorised to access the processing must be kept up-to-date.

However, the data controller no longer has to provide the name of each person when completing the form. He or she may simply indicate the category of the persons authorised to access the data (management, salesperson, IT service provider, and so on) and specify the rights of which they will dispose (registration, modification, consultancy, maintenance, all rights...)

Security appendices: Questions to ask

In accordance with article 17 of the law no. 1.165, aforesaid, the technical measures and organisation implemented in order to ensure the security and confidentiality of the processing in terms of the risks represented by the processing itself and the nature of the data to be protected must be maintained and updated according to the state-of-the-art, in order to maintain the high level of reliability expected throughout the implementation of the processing.

Furthermore, the different architectures of video surveillance must rely on connections to servers and peripherals that must be protected by a login and a password qualified as strong and inactive ports must be disabled.

Finally, a copy or an extract of the data issued from the processing shall be encrypted on its target support.

In addition, in order to complete the security appendices a well as possible, it might be useful to ask oneself the following questions:

• Is the server installed in a closed area that can only be accessed by authorised persons?
• What clearance policy has been implemented?
• Is the server protected by a login identifier and password specific to each authorised person?
• Do the authorised persons have access to the server only or do they also have access to the cameras?
• Is there an interconnection with the internet? If so, is access made through the information systems or through a dedicated access?
• Is it possible to perform remote accesses (tablets, Smartphone...)? If so, are these accesses protected by a login identifier and password specific to each user? Are they encrypted?
• Are the cameras mobile? Are they equipped with a microphone?
• In case of data extraction:
• On which support is the extraction done (USB stick, CD...)?
• Is the support encrypted? Are the data encrypted?

In addition to this information, it is imperative to also enclose two schemas to the request:

• A schema of the technical architecture that identifies the server, the cameras, and all other connections, and that describes the data flow;
• A schema showing the localisation of the cameras that identifies all the cameras and details their localisation as well as their viewing angle.

The specific case of cameras installed in a private home of natural persons

Nowadays, a number of individuals use video protection systems to protect their homes, notably against burglaries.

If a natural person is not subject to any formality when he or she installs cameras in his or her private property for private use exclusively, he or she must still report the processing to the Commission once employees or service providers (nannies, medical personnel, delivery services...) intervene at home and the images are being recorded. Indeed, this system must not be used to control the work or the working time of an employee, or cannot lead to a permanent control and inconvenience the data subjects (persons concerned).

It will be incumbent upon the data controller to inform all persons likely to intervene at the premises of the presence of the cameras and their purpose.

Moreover, the installation of cameras must be done in such a way that only the concerned private spaces are filmed, paying particular attention that the neighbourhood or the public roads or pathways (through windows, bay windows...) are not within the range of the video protection.

For more information, please refer to the following rulings that are available on our website:

• Ruling no. 2010-13 of the 3 May 2010 supporting the recommendation on video surveillance systems implemented by natural and legal persons governed by private law;
• Ruling no. 2011-83 of the 15 November 2011 supporting the recommendation on video surveillance systems implemented in blocks of flats;
• Ruling no. 2015-33 of the 25 March 2015 supporting the recommendation on automated processing of personal data for the purpose of “home video-protection” exclusively implemented by natural persons using the regular services of house staff or service providers.