VIDEO SURVEILLANCE AND DATA BREACH UNDER THE LENS OF THE PRIVACY GUARANTOR
It’s best not to overlook the regularities of public and private video surveillance systems, carefully evaluating the legal basis for processing, duration of image retention, and disclosures, and paying particular attention to data breaches and possible processing of biometric data. In a ruling on July 22, 2021, [https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9689657], this was clarified by the Guarantor for the Protection of Personal Data, which every six months provide general guidance on the inspections to be carried out on its initiative or through the Special Privacy and Telematics Fraud Unit of the Italian Finance Police. For the second half of 2021, primarily public and private video surveillance systems will be under observation. In particular, those that process biometric data for facial recognition. Corporate video surveillance also, therefore, requires the installation of a sign with all the minimum information and the referral to a suitable second-level information notice that can also be posted on the company website or provided ordinarily, as clarified by the same Guarantor in the injunction order No. 191 of May 13, 2021, in which the labor protection nucleus of the Ferrara Carabinieri certified the placement of some cameras inside a company without the placement of any sign or information on site. Upon receipt of the notice, the Garante activated a sanctions procedure that ended with an administrative penalty application. Article 13 of European Regulation No. 679/2016, the GDPR, requires the application of a summary sign with a referral to detailed information on the processing purposes and the data subject’s rights. In addition to video surveillance systems, processing by marketing and profiling companies, data brokers, and reputational databases would also be under the Authority’s lens in the second half of 2021, as well as processing by recovery and care institutions and companies falling under the food delivery sector and data breach.