Processing personal data through video surveillance and GPS tracking is a widespread practice that is used for a variety of purposes. Nonetheless, this is a matter that is not clearly defined by law, and there is no consensus practice that would provide guidelines for data processors on how to achieve legal compliance.
Due to ambiguous regulations, uncertainties and errors are common in practice, posing potential problems and risks for both data subjects and data controllers (in the form of possible fines).
Based on our experience and (unofficial) consultations with representatives of the Commissioner for Information of Public Importance and Protection of Personal Data (hereinafter referred to as the “Commissioner“), we came up with short guidelines intended to help data controllers: 1) identify situations when this type of data processing is allowed in the first place, and 2) implement the required procedure under Serbian data protection laws:
Video surveillance
Because video surveillance involves an intensive processing of personal data, it is necessary to ensure that the purpose of processing personal data cannot be achieved in another, less invasive or less comprehensive manner.
Video surveillance is typically used to ensure the safety of people or property. In this case, the Risk Assessment Act prepared under the Law on Private Security (“Official Gazette of RS”, no. 104/2013, 42/2015, and 87/2018) should provide an answer to the question of whether the safety of persons and/or property can be ensured in another, less invasive way (other than video surveillance). According to unofficial practice expressed in the Commissioner’s opinions, if the risk assessment act deems it necessary and justified, video surveillance and data processing may be installed for the protection of persons and property.
Other conditions must be met in addition to the stated legal basis for processing personal data. In particular, video surveillance equipment must be installed and maintained by a licensed entity that has the necessary permits issued by the Ministry of Interior (for the installation of a technical protection system – video surveillance). Furthermore, because video surveillance entails systemic surveillance of individuals using new technologies under Article 54 of the Personal Data Protection Act, it is necessary to assess the impact of processing on the protection of personal data (DPIA), and if such assessment indicates that processing will create a high risk when it comes to personal data protection, it will be necessary to obtain the Commissioner’s prior opinion. The premises where the cameras are installed must be marked as subject to video surveillance, and the recordings must be kept for at least 30 days.
In some other cases, such as monitoring employees’ performance, video surveillance probably cannot be established because the results of employees’ work can almost always be monitored in another, less invasive way, such as insight into work results and output by the managers.
GPS tracking
Monitoring of company vehicles using GPS devices is very widespread in practice, and it is often used for monitoring of execution of work tasks by employees.
The processing of personal data through GPS tracking for this purpose is not allowed if the purpose (monitoring the fulfillment of work tasks) can be achieved in another, less invasive ways, which in this particular case would be written records, signed delivery notes, and other documentation that can confirm that the employee delivered the goods to a certain place, etc. Bearing in mind that to verify the fulfillment of work assignments, written documentation can always be set up, GPS tracking for this purpose is almost always considered excessive and thus illegal.
However, there are also certain situations where GPS vehicle tracking can be legally established. Namely, according to the Commissioner’s practice, GPS vehicle tracking can be established to locate the vehicle in case of theft or to determine the circumstances in the event of a traffic accident (e.g., speed of the vehicle). However, in this case, insight into the results of GPS vehicle tracking can only be allowed in case of vehicle theft or a traffic accident, and never for any other purpose (real-time vehicle tracking, etc.). It is also possible to establish GPS vehicle tracking to manage the risky behavior of the driver concerning traffic regulations (monitoring the speed of the vehicle in relation to the permitted speed on a given road section or monitoring the fastening of the seat belt, etc.) and sending the driver to additional training, which some companies in Serbia are already doing. However, even in this case, the GPS data cannot be used to track the movement of the vehicle in real-time or whether the vehicle was in certain locations that the user of the vehicle was supposed to visit as part of his work tasks.
As in the case of video surveillance, here too it is necessary to assess the impact of the processing operation on the protection of personal data, and potentially obtain the prior opinion by the Commissioner. Moreover, GPS tracking equipment be installed by licensed entities, and persons who will use vehicles must be informed in detail about the processing of personal data by GPS vehicle tracking devices.
By Damjan Despotovic, Milorad Glavan, Partners, DNVG Attorneys