Use of CCTV in the workplace
We received a complaint that concerned the use of CCTV cameras by the data controller in the complainant’s work premises, and the viewing of that CCTV footage (which contained personal data of the complainant, consisting of, among other things, images of the complainant) for the purpose of monitoring the complainant’s performance in the course of his employment with the data controller.
At the time of the complaint, the data controller had a CCTV policy in place, which stated that the purpose of the CCTV system was security and safety. This was also stated on signage in place in areas where the CCTV cameras were in operation. The facts indicated that the purposes for which the complainant’s personal data was initially collected were security and safety. However, during a meeting with the complainant, a manager informed the complainant that CCTV footage containing the complainant’s personal data had been reviewed solely for the purposes of monitoring the complainant’s performance in the course of the complainant’s employment with the data controller. This purpose was not one of the specified purposes of processing set out in the CCTV policy and signage. The controller acknowledged that the use of the complainant’s personal data in this way was a contravention of its policies.
Where personal data is processed for a purpose that is different from the one for which it was collected, the purposes underlying such further processing must not be incompatible with the original purposes. In relation to the use of the complainant’s personal data, the purpose of monitoring their performance was separate and distinct from the original purposes of security and safety for which the CCTV footage was collected. On that basis, the processing of the complainant’s personal data contained in the CCTV footage for the purpose of monitoring performance was further processing for a purpose that was incompatible with the original purposes of its collection.
A further issue arose regarding the security around the manner in which the CCTV system and CCTV logs were accessed. In written responses to the DPC, the controller stated that, at the time of the complaint, access to CCTV footage was available on a standalone PC in the department, which did not require log-in information. The responses from the controller indicated that access to CCTV footage was not logged either manually or automatically. The absence of an access log for the CCTV footage was a deficiency in data security generally. Data controllers must implement appropriate security and organisational measures, in line with Article 32 of the GDPR, in relation to conditions around access to personal data.
The CCTV policy has since been substantially revised and replaced by a new policy. The controller confirmed that the PC utilised has now been deactivated and removed. Access to CCTV recordings is now limited to a single individual in the specific unit and recordings are reviewed only in the event of a security incident or accident.
Of particular relevance in this type of situation are the obligations to process personal data fairly (Article 5(1)(a)), and to obtain such data for specific purposes and not further process it in a manner that is incompatible with those purposes (Article 5(1)(b)). Further, appropriate security measures should be in place to ensure the security of the personal data (Article 5(1)(f) and Article 32).