The use of closed circuit video surveillance (CCV) and other audio and video recording devices of identifiable individuals is subject to the provisions of the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018), as amended (the “Law”) and the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) because such action constitutes an automated processing of personal data.
Taking Videos and GDPR Implications: General Rules
The use of CCTV for image capture and voice recording in Cyprus is permissible only when no less intrusive means are available to achieve the intended purpose. It is crucial that these systems are not used to monitor personal behaviour, contacts, or performance of individuals and surely cannot be used without regard to the individual's right to privacy and that any member of the public have rights regarding the monitoring and/or recording of their image or activities using such systems.
Article 4 of the Law states that the controller (in this case, the person or organization deciding the purpose and manner of recording/visualization), shall ensure that personal data:
Under Article 6 of the GDPR, data processing is lawful only if at least one of the following conditions is met:
GDPR Implications
Currently there is no specific legislative framework governing the use of cameras in Cyprus. According to the Commissioner’s guidelines, the legal basis for processing (including collection, use, storage, and sharing) images and/or audio from dash cams is the prior consent of the affected individuals. Without such consent, such processing violates GDPR principles of legality, purpose limitation, and data minimization.
Taking Videos and GDPR Implications: CCTV in Public Spaces
The legality of using CCTV in public spaces in Cyprus shall be based on compliance with the GDPR and the Law.
Such CCTV may justifiably be used in public places for reasons of crime prevention, crime detection, bringing charges against offenders, public safety, national security, health and safety and regulation of traffic.
According to the Commissioner’s guidance, it is permissible to use CCTV at building entrances/exits, outside elevators (focused merely on the elevator), on top of banks’ card/cash machines and parking spaces. Nevertheless, it is not permitted to use CCTV in corridors, waiting areas, restrooms, dining areas and inside elevators.
To ensure GDPR compliance, warning signs should be prominently displayed to inform persons that such recordings are taking place. Of course such warning signs should designate the presence of CCTV, identify the data controller and explain the purpose of such recording. Furthermore, data subjects should have the right to access their recorded data and the retention period for recorded data should be limited to what is essential for the purpose stated (proportional). It should also be mentioned here that any recorded footage should be stored in a secure location with limited access to authorized people/personnel only. It would be advisable to consult the Commissioner prior to installing any such system. In cases where CCTV installation poses a high risk to individual rights and freedoms, a Data Protection Impact Assessment (DPIA) is required before implementation.
Taking Videos and GDPR Implications: CCTV in Private Places
The installation of CCTV in private places, i.e. at homes for personal or domestic activities does not fall under personal data protection laws in Cyprus, provided that such surveillance and/or recordings do not extend beyond that private space’s perimeter.
Audio Recording and GDPR Implications
Individuals have reasonable expectations that their conversations are not being recorded and shall remain confidential; that is why recording audio data (i.e. conversations) is considered highly invasive and intrusive and is generally prohibited. The Commissioner has determined that recording image and/or sound is equally an extreme measure and excessive for achieving the stated purpose of the controller. This conclusion is consistent with those of other European Data Protection Authorities.
Conducting a Data Protection Impact Assessment (DPIA)
A DPIA is mandatory under the GDPR for projects likely to involve a high risk to personal data. The purpose of conducting a DPIA is to identify risks and implement measures to mitigate such risks to persons' rights and freedoms. This is why it should be done before effecting and/or initiating any data processing activity, that is ideally during the planning stages.
Conclusion
To ensure GDPR compliance when using video and audio surveillance in Cyprus, organizations should have in mind the following: