Page 1

V
V
V

Office
Protection
Data
Personal

v 8 H £ r "M i

^

_

--¡I—.

—- -

■ '»i-Trr-

-••

in

Tips
The President of the Personal Data Protection Office
regarding the use of monitoring
vision

Version 1
June 2018

Page 2
2

Table of Contents
AND.

Introduction

3

II.

General information

5

1.

Applicable rules

5

2.

Important definitions

7

3.

Basics and rules for the application of video monitoring

9

4.

Processing process participants

12

5.

Protection of personal data

16

6.

Opinions of data protection authorities and documents of state control authorities regarding monitoring

vision 17
III.

List of questions on practical issues related to data processing

personal

18

Page 3
3

I. Introduction
Video surveillance is an invasive form of personal data processing and as such it should
be subject to specific verification by the administrator of the need for its use and necessity
security and control by inspection bodies.
The new Act on the Protection of Personal Data111 adopted on May 10, 2018 was amended
sectoral regulations regarding video monitoring used by employers, institutions
education and local government units. They entered into force on May 25, 2018, i.e. on
the commencement of application of the general data protection regulation, i.e. the GDPR [2]. The legislator does not
in this case, it has provided for specific transition periods to adapt to the new ones
regulation. Meanwhile, the administrators have many doubts of interpretation and concerns about
the possibility of the President of the Personal Data Protection Office imposing financial penalties for non-compliance
obligations incumbent on them. Additionally, administrators representing other sectors and industries, for
which the rules for conducting monitoring are not specified in the sectoral regulations, have doubts as to
legal grounds for running video surveillance systems.
In order to dispel these doubts, the President of the Office prepared these guidelines. They concern
video monitoring applied in accordance with the provisions of Regulation 2016/679. Tips for
the police and judicial sectors which are subject to Directive 2016/680 [3] may be issued
after the adoption of the provisions implementing the directive into the Polish legal system. 141 1234

[1] the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws, item 1000, hereinafter referred to as the Act or
uodo).
[2] Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (general data protection regulations) (Journal of Laws UE L 119 of 04.05.2016, p. 1 and Dz.
Of UE L 127 of 23/05/2018, p. 2), hereinafter also referred to as the regulation or the GDPR.
[3] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of persons
individuals with regard to the processing of personal data by competent authorities for the purposes of prevention
crime, investigation, detection and prosecution of prohibited acts i
enforcement of sanctions, on the free movement of such data and repealing the Council Framework Decision
2008/977 / JHA (Journal of Laws UE L 119 of 04.05.2016, p. 89 and Journal of Laws UE L 127 of 23.05.2018, p. 10), hereinafter
also a directive or a DODO.
[4] Draft act on the protection of personal data processed in connection with prevention and combating
crime, currently being dealt with by the Committee on European Affairs:
http://legislacia.rcl.gov.pl/docs//2/12310605/12502714/12502715/dokument343349.pdf

3

Page 4
4

Pursuant to Art. 34 sec. 1 and 2 of uodo, the President of the Office is the authority competent for protection
personal data and a supervisory authority within the meaning of:
1) of Regulation 2016/679,
2) Directive 2016/680 and
3) of Regulation 2016/794 [5].

This document has been prepared on the basis of art. 57 sec. 1 lit. d of the regulation
2016/679 as educational material. Binding evaluation of the correctness of the data processing operations
personal data, which is the use of video monitoring, is each time conducted by the President
Of the Office, in the course of appropriate proceedings referred to in Art. 57 sec. 1 lit. a and f of the regulation, i.e. in
as part of a data protection monitoring and enforcement control or a complaint against
processing of personal data.

Considering the doubts related to the new regulations and the diverse nature
currently used video monitoring systems President of the Office for Personal Data Protection
encourages you to participate in the consultation on this document. They are aimed at getting to know as precisely as possible
the needs and opinions of various circles in this matter. All the people concerned, in particular
trade associations and NGOs may make their views known. Notes to
points and suggestions for outstanding points that you think should remain
raised should be sent by July 15, 2018 to the following address : DESiWM@uodo.gov.pl . In the title of the message
please indicate the slogan "Monitoring Consultation". The result of the consultation will be the final publication
version of the tips.

[5 ] Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the Union Agency
European Law Enforcement Cooperation (Europol), replacing and repealing Council decisions
2009/371 / JHA, 2009/934 / JHA, 2009/935 / JHA, 2009/936 / JHA and 2009/968 / JHA (Journal of Laws UE L 135 with
May 24, 2016, p. 53).

4

Page 5
5

II. General information

1. Applicable Regulations
The use of video monitoring as a form of supervision over data subjects is binding
with the processing of personal data of all observed persons. In the Polish legal order,
despite the treatments, incl. The Ombudsman and the Inspector General for Data Protection
There was no general regulation of this issue so far. Legislative work in progress
were to break this state, but did not go beyond the conceptual work. For this reason, to evaluate matters
related to video surveillance, the provisions of the Protection Act were applied to the appropriate extent
personal data valid until May 25, 2018.
The existing (indicated below) and planned1 monitoring regulations apply to various sectors and
people. To the extent not regulated in such provisions, it is necessary to apply general provisions on
data protection. This is important, for example, in the case of monitoring in the workplace, where the regulations allow
to observe only people employed, and do not relate to visitors to the site (clients,
suppliers, inspectors, etc.).
All these processes are subject to the provisions of Regulation 2016/679 (which directly in Art. 35
mentions systematic large-scale monitoring of places accessible to the public), uodo and
specific laws and executive acts. They regulate the rights and obligations of the entities that may
observe primarily public places, people and property for the purpose of providing
safety. Among them, in particular, the regulations concerning the sectors should be mentioned:
a) public:
1) Article 9a of the Act of March 8, 1990 on Municipal Self-Government (Journal of Laws of 2018, item 994 and
1000);
2) Art. 4b of the Act of 5 June 1998 on poviat self-government (Journal of Laws of 2018, item
995 and 1000);
3) Article 60a of the Act of 5 June 1998 on voivodeship self-government (Journal of Laws of 2018,
item 913);
4) Article 5a of the Act of December 16, 2016 on the principles of state property management
(Journal of Laws, item 2259, as amended);
b) private:

1 Including art. 4, 25 and 166 of the bill amending certain acts in connection with ensuring their application
of the regulation 2016/679, http: //legislac¡a.rcl.gov.pl/pro¡ekt/12302951/katalog/12457732#12457732

5

Page 6
6

1) Art. 15b of the Gambling Act of November 19, 2009 (Journal of Laws of 2018, item 165
with later d.).
2) Art. 11 of the Act of March 20, 2009 on the safety of mass events (Journal of Laws of 2017
r. item 1160 as amended d.).
c) health, employment and education:
1) Article 222 of the Act of June 26, 1974 - the Labor Code (Journal of Laws of 2018, items 917 and 1000);
2) Article 108a of the Act of 14 December 2016 - Education Law (Journal of Laws of 2018, item 996 and
1000);
3) Art. 43e of the Act of August 19, 1994 on the Protection of Mental Health (Journal of Laws of 2017
r. item 882 as amended d.)
4) Art. 22 sec. 3 of the Act of April 15, 2011 on medical activities (Journal of Laws of 2018,
item 160 as amended d.).
d) law enforcement agencies and courts:
1) Articles 15 and 19 of the Act of 6 April 1990 on the Police (Journal of Laws of 2017, item 2067, as amended)
d.);
2) Article 20g of the Act of March 21, 1985 on public roads (Journal of Laws of 2017, item 2222
with later d.);
3) Article 157 of the Act of November 17, 1964, Code of Civil Procedure (Journal of Laws of 2018
r. item 155 as amended d.);
4) Article 147 of the Act of 6 June 1997, Code of Criminal Procedure (Journal of Laws of 2017,
item 1904 as amended d.).

At the same time, it should be borne in mind that they have been adopted for many years and do not have to
contain a complete regulation of the discussed form of supervision. In such cases, they will apply
had the provisions of Regulation 2016/679 or Directive 2016/6802.
The specific provisions on
video monitoring does not provide for any transition periods which the legislator has not decided on.
Also, the provisions of the GDPR do not provide for additional deadlines for adaptation. Accordingly, the President
The Office accepts that these provisions and the relevant provisions of the GDPR apply to everyone
existing and future visual surveillance systems. At the same time, the supervisory authority is aware
the fact that the adaptation of the systems to the new regulations requires consultation with

2 Until the implementing act is adopted, Art. 175 of the Act, according to which the selected ones apply
the provisions of the current act on the protection of personal data.

6

Page 7
7

involved entities, changes to internal documents and fulfillment of obligations towards
people being watched. Therefore, the data protection authority will come first
monitored the progress in adapting to the new requirements. Such actions should be through
controllers and processors taken promptly to demonstrate a commitment to
ensuring compliance with applicable law. Activities will follow
verifying compliance with the rules for applying video monitoring provided for in the GDPR and
specific provisions.

2. Important definitions
Everyone has the right to the protection of their personal data. The regulation introduces
standards for the implementation of this right. In particular, it regulates the following definitions:

2.1. personal data - any information about an identified or identifiable person
physical ("data subject").
Please note that an identifiable natural person is one who can be directly identified
or indirectly identify, in particular on the basis of: name and surname, number
identification, location data, online identifier or one or more specific ones
factors determining physical, physiological, genetic, mental, economic, cultural or
the social identity of a natural person. However, personal data will not be individual information about
to a large degree of generality. They will become them only when they are combined with other, additional ones
information that, as a consequence, will allow them to be related to a specific person. Information no
is considered as making it possible to identify a person if it would require excessive costs,
time or activities.
Based on the provisions of the regulation, the following can be distinguished:
a) the so-called ordinary, such as name, surname, address, date and place of birth,
telephone number, profession, image, etc.
b) special categories of personal data (so-called sensitive data), listed in art. 9 and 10
the regulation disclosing data:
- racial or ethnic origin,
- political views,
- religious or philosophical beliefs,
- membership in trade unions,

7

Page 8
8

- genetic data,
- biometric data to uniquely identify a natural person,
- data concerning the health, sexuality or sexual orientation of that person,
- data on criminal convictions and offenses or related acts
security measures.

It should be borne in mind that the processing of special categories of data is a necessity
fulfillment of additional guarantees for their protection included in Art. 9 sec. 2 and art. 10 GDPR and
specific national rules.
In line with the judgment in Case C-434/163, the concept of personal data also includes written data
answers given by the person taking the vocational examination and any answers
comments by the examiner relating to these responses. This means that personal data is not
they only need to come from the data subject.
Referring to the scope of personal data processed by the appropriate video surveillance
is to indicate, in particular, images, specific features of people and identification numbers
(e.g. vehicle registration plate numbers and side numbers).

2.2. processing - an operation or a set of operations performed on personal data or sets
personal data in an automated or non-automated manner, such as collecting,
recording, organizing, organizing, storing, adapting or modifying,
downloading, viewing, using, disclosing by uploading, disseminating or
other types of sharing, matching or combining, limiting, deleting or destroying.

In the case of video monitoring, these will be operations involving in particular
saving, viewing, sharing and deleting recordings of recorded events and people
regardless of the nature of the medium in which they are stored (system hard drives, recordings
stored in the memory of the device enabling remote access - smartphone, portable computers
e.t.c.).

3 Judgment of the Court of Justice of 20 December 2017 in Case C-434/16 Peter Nowak v Data
Protection Commissioner

8

Page 9
9

3. Basics and rules for the application of video monitoring
3.1. Grounds for the processing of personal data
Regulation 2016/679 defines the rules for the processing of personal data and the grounds
enabling their processing.
Ordinary data processing may take place only under one of the conditions
specified in art. 6, and in the case of sensitive data in art. 9 and 10 of the Regulation.
The basis for ordinary data processing may be:
a) the consent of the data subject for processing in one or more
specific goals;
b) performance of a contract to which the data subject is a party or taking action on
request of such a person prior to the conclusion of the contract;
c) fulfillment of the legal obligation incumbent on the administrator;
d) protection of the vital interests of the data subject or of another natural person;
e) performance of a task carried out in the public interest or in the exercise of the exercise
the public authority vested in the controller;
f) purposes resulting from legitimate interests pursued by the administrator or
by a third party, except where overriding these
interests or fundamental rights and freedoms of the data subject,
requiring the protection of personal data, in particular when the data subject,
is a child.

The latter ground does not apply to the processing carried out by the authorities
public in the performance of their tasks. This means that only private entities can rely
on this premise, unless they participate in the performance of public tasks. Thus, public authorities that
they use video monitoring to perform their tasks, they must be based on regulations
allowing or ordering this form of performance of their tasks.

From the above, it is clear that the most appropriate application of video monitoring
the premises are fulfillment of the legal obligation incumbent on the administrator, performance of the task
carried out in the public interest or in the exercise of delegated public authority
the administrator and the purposes resulting from the legitimate interests pursued by
administrator, for public and private sector entities, respectively.

9

Page 10
10

The processing of special categories of personal data is, in principle, prohibited
except for the situations specified in Art. 9 sec. 2 and art. 10 of the Regulation. Pursuant to Recital 51 of the GDPR,
the processing of photographs should not always constitute processing of special categories of data
personal data, as photographs are included in the definition of "biometric data" only where they are
processed with special technical methods that enable unambiguous identification of the person
physical or confirmation of its identity. Such personal data should not be processed unless
the regulation allows for their processing in special cases, which should be taken into account
that the law of the Member States may contain specific provisions on data protection
adapting the application of the provisions of the regulation so that legal obligations can be fulfilled
or perform a task carried out in the public interest or in the exercise of official authority
entrusted to the administrator. Bearing in mind that recordings can be analyzed frame by frame
image and using special technical methods (automatic image analysis) used for
identification of observed persons, only such monitoring systems will process the data
biometric within the meaning of art. 9 sec. 1 GDPR. These types of operations will be exhaustive
legal grounds and fulfillment of additional processing obligations
special categories of personal data. This includes in particular carrying out an impact assessment for
data protection pursuant to art. 35 sec. 3 lit. b GDPR next to the assessment required for monitoring systems
on the basis of lit. c of the same recipe.
The President of the Office has prepared a proposal for a list of the types of processing required
is to carry out a data protection impact assessment4. The final version of the document indicates that
what processing operations using video monitoring require an assessment
effects. These are:

1) Systematic large-scale monitoring of publicly accessible sites
elements of recognizing the features or properties of objects that are located in the monitored
space. This group of systems does not include video monitoring systems in which
the image is recorded and used only for the analysis of violation incidents
rights.
Extensive space monitoring systems. Means of public transport, cities offering
public to track people and systems

borrowing

bicycles, 4

4 https://giodo.gov.pl/pl/1520281/10430; https://uodo.gov.pl/pl/123/212

10

Page 11
11

obtaining data beyond the data

cars and demarcating zones

necessary for the provision of the service.

paid parking.

2) Automated decision making with legal, financial or similar effects
significant effects.
Monitoring systems used for

Roads covered by segmental measurement

traffic management or counteraction

speed (the system collects information no

threats / abuses

road,

only about infringing vehicles, but

enabling detailed supervision of each

about all vehicles appearing in

driver and his behavior on the road in

controlled area, road sections

particular

systems allowing

on

automatic vehicle identification.

equipped with an electronic system
viaTOLL toll collection.

3.2. Principles of personal data processing
The main rules for the processing of personal data are set out in Art. 5 sec. 1 GDPR,
by putting them in the form of the basic obligations of the administrator. Its content shows that personal data
must be:
a) processed in accordance with the law, fairly and transparently for the data subject
( legal compliance, fairness and transparency );
b) collected for specific, explicit and legitimate purposes and not further processed in
a manner inconsistent with these purposes ( purpose limitation );
c) adequate, relevant and limited to what is necessary for the purposes for which they are
processed ( data minimization );
d) correct and, where necessary, updated, and personal data that is incorrect in light
the purposes of their processing must be immediately removed or rectified ( correctness );
e) stored in a form that permits the identification of the person to whom they relate, for a period not
longer than necessary for the purposes for which the data are processed ( limitation
storage );
f) processed in a manner ensuring adequate security of personal data, incl
protection against unauthorized or unlawful processing and accidental

11

Page 12
12

loss, destruction or damage by appropriate technical measures or
organizational ( integrity and confidentiality ).

In accordance with paragraph 2 of the said provision, the controller is responsible for compliance
these principles and must be able to demonstrate compliance with them ( accountability ).

4. Participants in the processing process
4.1. Data subject - observed person
Identified or identifiable natural person whose data will be collected
through the video monitoring system, it may exercise the rights set out in Chapter III of the Regulation.
Taking into account the specificity of video monitoring, it should be stated that the exercise of control powers
the observed person may be required to provide information about
situations in which it could be in the area of ​operation of the monitoring system. This may include
time periods or situations in which the person participated, details of clothing, etc.
the last sentence of recital 63, if the controller processes large amounts of information about the data subject
relate to, he should be able to request, before providing the information, that the data subject
relate to, specified the information or processing activities to which the request relates. If the regulations
do not stipulate otherwise, an answer to the inquiries of the observed person should be given
without undue delay, at the latest within one month.

4.2. Administrator
The implementation of the rules for the processing of personal data is the responsibility of the administrator to whom
in accordance with Art. 4 point 7 of the Regulation is a natural or legal person, public authority, unit or other
an entity that independently or jointly with others determines the purposes and methods of data processing
personal. Laws may decide who is the data controller in the public sector
specific.
The administrator of the data of observed persons ( operator of the monitoring system ) is the entity,
which makes decisions about the installation, goals and area covered by the monitoring system in his
disposal. It may be operated by persons managing and representing it outside, such as the company's management board,
school head, etc. These officers are obliged to provide in the unit they manage

12

Page 13
13

organizational, lawful processing of personal data and are responsible for
actions of all persons authorized to process data.
When deciding to use this form of supervision, the controller should verify whether
the goals he pursues justify the observation of people. The administrator should be aware
the principle of purpose limitation in Art. 5 sec. 1 lit. b GDPR. Therefore, it must take into account the need to protect the law
to privacy and protection of personal data and limiting them only to the extent necessary. Means,
that monitoring can be introduced with other, less intrusive methods of assurance
security is inadequate. For example cameras may be redundant if the area of ​the lobbies
schools is being watched by teachers on duty or the school grounds after its closure
monitored by a caretaker or security staff. It is the right thing to do too
involving representatives of persons in the decision-making process regarding the application of monitoring
watched. Currently, it is provided for by the already cited provisions of the Labor Code and Educational Law,
which indicate the need for consultation with employees or the governing body
and the school community.
When deciding to implement monitoring, the administrator must remember about
conducting a data protection impact assessment . It is required when a processing operation
due to its nature, scope, context and objectives, it is likely to cause
high risk of violating the rights or freedoms of natural persons. Pursuant to Art. 35 sec. 3 lit. c GDPR, it is
mandatory for monitoring places accessible to the public. It may be in its conduct
a helpful data protection officer, if appointed.
Pursuant to Art. 35 sec. 7, the assessment includes at least:
(a) a systematic description of the planned processing operations and the purposes of the processing, including where it is
this application - legitimate interests pursued by the administrator;
(b) an assessment of whether the processing operations are necessary and proportionate in relation to the purposes;
c) assessment of the risk of violation of the rights and freedoms of data subjects referred to in para.
1; and
(d) measures planned to address the risks, including safeguards and measures and mechanisms
security to ensure the protection of personal data and demonstrate compliance
of this regulation, taking into account the rights and legitimate interests of persons,
data subjects and other persons concerned.

Purpose limitation and minimization principles require the monitoring area to be limited to
necessary coverage . It should be borne in mind that the interests of the administrator may not in every situation
how to unduly restrict the rights to privacy and data protection, and legitimate expectations

13

Page 14
14

people watched for intimacy. Therefore, the administrator should hold back
from monitoring in sensitive areas such as changing rooms, toilets etc. Likewise
monitoring the area of ​neighboring properties can be considered as
disproportionate.
The fulfillment of the information obligation included in the observed person is of significant importance
in art. 13 GDPR . It must be, in accordance with Art. 12 of the Regulation, implemented in a concise, transparent,
understandable and easily accessible form, clear and simple language. Some of the above
of special provisions, it additionally indicates signs or sound announcements that should be marked
rooms and monitored area (the above-mentioned provisions of the Labor Code and Educational Law). Full
information on monitoring, including all the requirements of Art. 13 of the GDPR should be available locally
monitored, e.g. on boards or in the form of a document available at the reception or at
administrator's representative. So it is possible to fulfill the information obligation by providing
basic information and supplementing it in subsequent information layers. Signs informing about
the monitoring application may be available before entering the observation area.

In art. 37 of the regulation indicates when the administrator appoints a data protection officer
(DPO) . At that moment, the inspector rests, among others, legal obligation to monitor compliance
this Regulation, other Union or Member State data protection legislation, and
the policies of the controller or the processor in the field of personal data protection, incl
segregation of duties as well as implementation of awareness-raising activities, staff training
involved in processing operations and conducting related audits, and
providing, upon request, recommendations as to the data protection impact assessment and monitoring its performance
(Article 39 (1) (b) and (b) of the GDPR).

4.3. Processor
Pursuant to Art. 4 point 8 of the GDPR, the processor may be a natural person or
legal entity, public authority, entity or other entity that processes personal data on behalf of
administrator.
A detailed regulation of this relationship is contained in Art. 28 of the Regulation. The administrator can
entrust the performance of such a service to entities that provide sufficient guarantees of implementation
appropriate technical and organizational measures to ensure that the processing meets the requirements
of this Regulation and protects the rights of data subjects. Processing by the entity
the processor takes place primarily on the basis of a contract that specifies:
a) the subject and duration of processing,
14

Page 15
15

b) the nature and purpose of the processing,
c) type of personal data and categories of data subjects,
d) the duties and rights of the administrator.
In addition, the entity entrusted with the processing of the data by the data controller is responsible
to the data controller for data processing contrary to the concluded contract. The conclusion of such
contracts do not change the status of their administrator - is fully responsible for their correctness
processing.
In the case of video monitoring, this may apply to the order to conduct monitoring
in connection with the protection of the facility by a professional entity.

4.4. Recipient of the data
In art. 4 point 9 of the GDPR regulates the definition of recipient, which means a natural or legal person,
public authority, unit or other entity to which personal data is disclosed. Public authorities,
which may receive personal data as part of a specific proceeding in accordance with Union law
or the law of a Member State are not considered recipients and processing by them
the data obtained must comply with the applicable data protection laws
according to the purposes of the processing. It must inform about the recipients or their categories
administrator. In practice, this may mean the need to inform people observed in
as part of the information obligation under Art. 13 of the GDPR that the data may be transferred to the company
protecting the facility that manages the system, or to people who show the need to obtain
access to recordings (interest pursued by a third party), e.g. to persons injured in
situations recorded by the system cameras. It is possible that the recordings will be like that
include personal data of observed people who participated in the event, and making them available
data overrides interests or fundamental rights and freedoms. Recipient
data is required to process them in accordance with the principles of data protection and only to the extent
the goal they are pursuing. For example, if property damage is recorded by another
a person (e.g. a bump in a car park), the site manager may decide to make the recording available
including the image of the perpetrator or vehicle registration plates to the injured person, who
he wants to assert his rights. However, this must be done with respect for the rights and freedoms of persons
bystanders. This means that the recording should not include other people's data
not involved in the event.

15

Page 16
16

In the case of requests for access to recordings addressed to the administrator by the authorities
public and law enforcement services, they should be related to the performance of tasks of these entities and
in accordance with the applicable rules for obtaining personal data.
In both of the above situations, sharing cases should be fine
documented. According to the principle of accountability, it is necessary for the controller to be able to demonstrate
that he processed data in accordance with applicable law.

5. Protection of personal data
The administrator and the processor implement appropriate technical and organizational measures,
to ensure the level of safety taking into account the state of the art, cost of implementation and
the nature, scope, context and purposes of processing, as well as the risk of violating the rights or freedoms of persons
physical with different probability of occurrence and weight. This includes the requirements under Section II
Chapter 4 of the GDPR - Security of personal data.
The administrator keeps documentation describing the method of data processing and the methods used
technical and organizational measures, as well as records of persons authorized to process them. Down
data processing, if the controller so decides, only persons may be allowed
acting under the authority of the controller or processor and process them only on
administrator command.
In a situation where special provisions do not specify requirements as to technical measures, i
organizational, it is the administrator who has discretion in this matter and is responsible for demonstrating that they are
enough.

16

Page 17
17

6. Opinions of data protection authorities and documents of control authorities
state law regarding video monitoring
6.1. Inspector General for Personal Data Protection
6.1.1. GIODO guidelines on the use of video monitoring in schools
6.1.2. Lessons with GIODO - Lecture 1. Video surveillance at school (7th edition of the "Your data
- Your business")

6.2. Art. 29
6.2.1. Working document on the processing of personal data for supervision by use
video cameras (WP 67) - available in English
6.2.2. Opinion 4/2004 on the processing of personal data for surveillance by camera
video (WP 89)

6.3. European Data Protection Supervisor
6.3.1. Video monitoring guidelines for European Union institutions and agencies - available in
English version

6.4. Supreme Chamber of Control - information on the results of the control
6.4.1. Functioning of city video monitoring and its impact on improving safety
public (no. P / 13/154)
6.4.2. The use of video monitoring in schools and its impact on the safety of students
(No. P / 16/076)
6.4.3. Protection of the intimacy and dignity of patients in hospitals (no. P / 17/103)

17

Page 18
18

III. List of questions on practical issues related to
with the processing of personal data
1. What should be taken into account before deciding on the installation of monitoring
at school?
Video surveillance is a tool for interfering with the constitutionally protected right of an individual to
privacy. Therefore, all actions interfering with this right should be made prudently and with
respecting applicable law - in accordance with the principle of legality expressed in art. 7
Of the Polish Constitution. This applies in particular to the protection of the child's right to privacy.
In addition, the administrator should ask himself about the adequacy of introducing monitoring
video , as a method to ensure the safety and protection of property. The school principal should
assess whether other, less privacy-intrusive solutions would not bring the expected and
sufficient safety performance. An element of the assessment
Therefore, there should be an analysis of the needs and purposefulness of building a video monitoring system along with its forecast
effectiveness in the context of the impact on privacy (privacy impact assessment). It may turn out
that less intrusive solutions are an alternative to a costly monitoring system and
can successfully replace it.
Video surveillance also creates the risk of processing personal data of other people
(who are not employees or users, such as school students) who may find themselves in
monitored area (entrances to the area, its surroundings - streets, pavements, playgrounds or playgrounds).
With regard to these persons, the administrator is obliged to inform about the use of observation, provide
access to their data and their security. It should also be remembered that the monitoring system could by the way
it can also be used indirectly as a work supervision and control tool. The question remained
discussed below in answer to question 4.

2. What is the legal basis for installing monitoring?
Considering the issue of the legal basis for the processing of personal data by them
administrator, using the monitoring system, it should be indicated that separate legal provisions regulate
some cases of protection of persons and property by specific entities using video monitoring,
e.g. the already mentioned provisions of the Labor Code, Educational Law, or the provisions of acts on local governments:
commune, poviat and voivodship, as well as the provisions of the act on the principles of property management
state.
In cases not covered by specific provisions, as a legal basis
the processing of personal data in the field of image by private sector entities belongs
indicate the prerequisite of legality as specified in art. 6 sec. 1 lit. f of the Regulation 2016/679 , recognizing
18

Page 19
19

ensuring the safety of persons and property in the area monitored by law
justified purpose of the data controller.
It should be emphasized that, in accordance with the position of the Court of Justice of the EU expressed in
of case C-212/13 Rynes5, the protection of persons and property can be considered a legitimate interest
administrator within the meaning of art. 7 lit. f) Directive 95/46 / EC. However, it must be related each time
with respect for the rights and freedoms of the observed person and with the fulfillment of statutory obligations
administrator. This means, inter alia, respecting the privacy of individuals in elevated areas
expectations of privacy (changing rooms, etc.) and fulfillment of information obligations towards persons
watched.
Please note that Art. 6 sec. 1 letter f of the GDPR with regard to entities from the public sector, art.
6 sec. 1 letter f of the GDPR will not apply.

3. Can the administrator install dummy surveillance cameras?
The position of the data protection authority in this matter remains unchanged - the use of dummy
should be banned . On the one hand, dummy cameras introduce the potentially monitored
a sense of interference in the sphere of privacy and, on the other hand, a misleading sense of increased security.
Undesirable effects associated with the use of monitoring, also with dummy cameras, whether in the open
space, such as school playgrounds, or in closed ones, such as cloakrooms or corridors, may predominate
over the possible benefits of their use and thus call into question
the effectiveness and adequacy of this tool in achieving the intended purpose in the given circumstances.

4. Can workplace monitoring be used to control work?
The possibility of using specific employee control tools, as a rule, should be specified in
the act, along with guarantees protecting employees against their abuse by the party
administrator. Pursuant to the provisions of the Labor Code, monitoring is to ensure safety
employees or property protection or production control or the confidentiality of information provided
disclosure could harm the employer. Monitoring is beyond the scope of these purposes
as a means of supervising the quality of work performance. While there may be temptations to monitor on occasion
it was a tool, e.g. for controlling the length of breaks or leaving the workplace, and also
observation of activities performed during the performance of work. This is clearly emphasized by Art. 180a paragraph 2
Educational law. Therefore, it is unacceptable to install monitoring in classes where

5 Judgment of the Court of Justice of 11 December 2014 in Case C-212/13 Frantisek Rynes v. Urad
for the protection of separate thighs

19

Page 20
twenty

during the classroom, it is the teacher (not the video surveillance camera) who supervises
over the safety of students and property. The same applies to their supervision of employees
superior. According to the Constitution of the Republic of Poland, GDPR or the Labor Code, entities that use monitoring
should be guided primarily by the principles of purpose limitation and data minimization. They provide that
data must be collected for specific, explicit and legitimate purposes. Also,
only data that is adequate, relevant and limited to what is necessary can be obtained
for the purposes for which they are processed. In other words, only means are required
proportionate to the purposes of personal data processing. In the case of monitoring, this is the goal
ensuring the safety and security of people and property, and not supervision of effectiveness or
the efficiency of the work performed by the employee.

5. What are the obligations of the administrator who uses monitoring towards the observed persons
visionary?
The administrator should inform people who may potentially become him on his premises
covered that monitoring is applied and what area is covered by it. Provide your name, address, area as well
the purpose of monitoring and other information included in Art. 13 GDPR.
People remaining in the monitored area must be aware of where they are
are found, monitoring activities are carried out. Boards informing about installed monitoring
they should be visible, synthetic, permanently placed not too far away from
places to be supervised, and the dimensions of the boards must be proportional to the place where they are located
placed. Additionally, pictograms informing about the surveillance of cameras may be used.
It is not enough to mark the area under monitoring only with pictograms, as it should be
also meet the information obligation set out in Art. 13 GDPR. However, this does not mean a necessity
posting all the information indicated in this provision. In such a situation, possible application
layered information notes.
The administrator should immediately answer any questions of the person being observed under
its rights, in particular in accordance with Art. 12 - 22 GDPR.

6. What are the rights of the persons subject to monitoring?
Each person has the right to be informed about video surveillance and the right to
protect your image against dissemination, unless separate regulations provide otherwise.
The obligation to provide such information results from Art. 13 of the GDPR, and the provisions of Chapter III in detail
define the rights of the data subject.
The rights of persons subject to monitoring include, among others:

twenty

Page 21
21

- the right to be informed about the existence of monitoring in a specific place, its range, purpose, name
the entity responsible for the installation, its address and contact details;
- the right to access the recordings in justified cases;
- the right to request the deletion of data concerning her;
- the right to anonymize the image on registered images and / or delete related to it
personal data;
- the right to data processing for a limited period.

7. What conditions should be met in connection with the installation of cameras in the school?
The school, as the entity responsible for the installation of monitoring and subsequent collection
and storage of camera records, must comply directly with the provisions of the Education Law and
of regulation 2016/679. The basic condition for the use of video monitoring at school is
inform the entire school community in advance about the installation of this system by hanging in
information boards on this subject prominently. They should inform not only about presence
CCTV cameras and its range, but incl. also about the purpose of their installation and the conditions under which
the school uses this surveillance tool. It is also important to inform about your rights
the monitored right to control her personal data.
It should be emphasized that pursuant to Art. 39 sec. 1 point 5a of the Education System Act, it is the director
schools perform tasks related to ensuring the safety of students and teachers during classes
organized by the school, and in accordance with paragraph 4 of the cited provision, in the performance of its tasks
cooperates with the pedagogical council, parents and the student council. This rule has been respected
in art. 108a of the Educational Law, according to which the entire school community should cooperate with
the director and the leading body in the decision to launch video monitoring
on the premises of the facility. Notwithstanding the foregoing, the director should conduct a risk assessment.
It should also be remembered that the introduction of monitoring should be preceded by an analysis in
the scope of the possibility of using other, less privacy-intrusive measures. There where
monitoring already exists, but consultations should be carried out along with a status review
security in connection with the use of monitoring, also in order to decide whether it is
the use is still justified. The impact of the monitoring system on safety should be periodic
examined, in order to determine whether such a solution brings the intended effects and does not violate it in a way
excessive rights of the watched persons.

8. What does the purpose limitation principle mean?

21

Page 22
22

The administrator who intends to introduce monitoring should demonstrate the legitimacy of its application, incl
proportionality of this measure to the aim it is intended to serve (e.g. improving safety). This rule applies
first of all, deciding whether monitoring in fact needs to be applied and what arguments prevail to
consider that it is a better means than any other available means to improve or improve safety, and whether
undesirable negative effects do not outweigh this form of control. Monitoring systems should be
applied after considering whether other preventive or protection measures are not required
image acquisition, will not be evidently insufficient or impossible to apply Na
for example, when there are not enough teachers and staff for on-call duty, or there are too many
a large area so that all sensitive places can be covered by this form of supervision.
Then, if it has been decided to choose monitoring as a necessary solution, it should happen
to select the appropriate technology, criteria for the use of devices in specific situations, and
data processing arrangements, also relating to the rules of access and period
storage. This principle also means that devices used for such supervision can be used
only as auxiliaries when the purpose actually justifies their use.
The administrator must also determine which special provisions will apply to the implemented one
by him of the monitoring system, when they define the acceptable monitoring objectives differently. For example:
• the employer may apply monitoring when it is necessary to ensure
employee safety or property protection or production control or behavior in
confidentiality of information, the disclosure of which could harm the employer;
• the school principal may implement monitoring when necessary to ensure
the safety of students and staff or the protection of property;
• a commune or a poviat may apply monitoring in order to ensure public order and
citizens' safety and fire and flood protection.

9. In what places can the monitoring be installed?
The administrator, after analyzing whether the benefits of the monitoring installation outweigh its undesirable ones
consequences, when deciding on the installation of the monitoring system, he should remember about the existence of these spaces, w
whose monitoring is unacceptable. It is mainly about places such as changing rooms, cloakrooms, toilets,
showers or bathrooms.
The Labor Code explicitly states that monitoring does not include sanitary rooms, cloakrooms, canteens and
smoking rooms or rooms made available to the company trade union organization. On the other hand, the Education Law to
forbidden areas includes rooms where teaching, educational and other activities take place
caring rooms, or those rooms where students are provided with psychological and pedagogical assistance,
as well as rooms for employees' rest and recreation, sanitary and hygiene,
a health prophylaxis room, as well as changing rooms and changing rooms. Places should be monitored
22

Page 23
23

designated where there are incidents or there is a real security risk, and
it is impossible to cover such places with other forms of supervision, such as in the case of schools, on duty
teachers or employees.
However, in relation to other places of installation of cameras, it should be considered whether their location
in particular, it does not infringe the principle of proportionality. For example, cameras should not be aimed directly
on the employee's computer screen and enable tracking of activities performed by him on it
device, as monitoring should not be used to supervise the execution
official duties. It should also be remembered that some zones in the workplace, such as the desk or
locker, are subject to a particularly strong and legitimate expectation of privacy.

10. What is the storage period for monitoring recordings?
The period of data retention, i.e. their storage after recording, is not in Polish law
clearly defined. For example, in the provisions of the Labor Code, Educational Law and the Act on
the municipal government was given a maximum period of 3 months . However, given that purpose
implementation of monitoring is to prevent damage to persons and property, it is necessary as far as possible
take a shorter storage time . This not only results in less interference with people's privacy
observed, but also reducing the cost of maintaining the system. In addition, take into account that
eg schools and workplaces are facilities constantly supervised by employees - acting teachers
shifts, security and watchmen. The image from the cameras can be monitored on an ongoing basis by the operator or
kept for the purpose of documenting incidents, but no longer than necessary until completion
appropriate explanatory activities. First of all, remember about the provision of Art. 5 sec. 1 lit. e
GDPR, which indicates that personal data must be kept in a permissible form
identification of the data subject for no longer than is necessary for the purposes for which
these data are processed . This period should be in weeks rather than months. Belongs
at the same time keep in mind that recordings of incidents may be kept longer - for the time being

clarification of the case or completion of relevant proceedings.

11. Do the provisions on the protection of personal data always apply to monitoring?
Video surveillance does not always involve the processing of personal data. Regulation 2016/679 i
national specific rules may apply to monitoring, if it is used for the purpose
processing of personal data. If the monitoring is used only to view a given place, and the recording
is not saved on the hard disk of the computer or other medium, then it is difficult to talk
on the processing of personal data. We are dealing with personal data when the image from the cameras
it contains images of people and is recorded in the monitoring system on data carriers. Keep in mind when doing so

23

Page 24
24

it should be noted that entities using monitoring systems usually equate data processing with
action taken to identify specific persons on the basis of recordings. Meanwhile, in
of the Regulation, the collection of data is already considered to be data processing.

12.

Who is the person responsible for the processing of personal data obtained in

connection with the application of monitoring?
The administrator is responsible for ensuring the safe operation of the monitoring system
vision and processing of personal data obtained this way. Pursuant to Art. 4 point 7 of the Regulation,
the controller is a natural or legal person, public authority, body or other entity that
independently or jointly with others, he or she determines the purposes and means of processing personal data. Who is
data controller, are also determined by specific provisions. For example, with this situation, we have to
deal in the case of the school. The person managing and representing it is to ensure that the data is processed
personal data of students and their parents or legal guardians, teachers and other school employees or
persons located on the premises of this facility took place in accordance with the law. Moreover, it is
responsible for the actions of all persons authorized to process data, including the inspector
data protection - if appointed by him.
Pursuant to Art. 108a of the Educational Law, the director makes the decision in agreement with the authority
who run the school or facility, after consulting the teachers 'council, parents' council and
student council. This does not mean that we are dealing with an institution of joint administration, Fr.
referred to in Art. 26 GDPR.
The fact that monitoring records are not always related to the processing of personal data is not at all
relieves the school in their possession from the obligation to secure such information from being accessed
unauthorized persons. If such a recording were to be used for a different purpose (e.g. published
on the Internet), then the data subject may assert his rights in court.
It should also be remembered that personal data is often shared with others
entities on the basis of commissioning an organization or performing some activity, e.g. while providing services
the entire monitoring system. Pursuant to Art. 28 GDPR, this is only permissible on the basis of a contract
concluded in writing . The entity entrusted with such operations may process data only to the extent
and the purpose provided for in the contract and is obliged to adequately secure the data in accordance with
provisions on the protection of personal data.

13. What actions should the controller take to protect personal data
obtained from monitoring?
Regardless of the data protection requirements specified in special provisions, pursuant to
Chapter IV of the GDPR (Article 24 et seq.), the controller, taking into account the nature, scope, context and purposes
24

Page 25
25

processing and the risk of violating the rights or freedoms of natural persons with varying degrees of probability i
weight, implements appropriate technical and organizational measures to ensure that the processing is carried out in accordance with
regulation and to be able to demonstrate it. These measures are reviewed and updated as necessary.
In particular, data should be secured against disclosure to unauthorized persons,
removal by an unauthorized person, processing in violation of the provisions and change, loss,
damage or destruction.

In addition, those who will be authorized to access

monitoring systems, are required to maintain the confidentiality of information obtained in the course of
conducting monitoring and those relating to the safe operation of these systems. Important
is that the person authorized to process the data could not use them for their own benefit and in
other purposes, such as publishing on the Internet. Then the data subject can assert his rights before
supervisory authority or a civil court.

14. Can a school without monitoring be a safe place to study and work?
Each time monitoring is introduced, it should be assessed in accordance with the principle of proportionality
in art. 31 sec. 3 of the Polish Constitution. On the other hand, the right to the protection of information about a person, enshrined in Art. 51
Of the Polish Constitution, may be limited, inter alia, by when it is necessary in a democratic state for him
security or legal order. Therefore, when deciding to enter school
monitoring, a balance should be struck between guaranteeing the rights of the individual (students,
teachers and other school staff, as well as parents and visitors to the facility) and general
the school's interest. The decision as to whether monitoring should be installed should be based on an assessment
the effectiveness of other, alternative and applicable measures that can provide
security. As practice shows, often these security measures do not have to be excessive,
complicated and costly at the same time. It is often sufficient to use other than
video monitoring of generally available technical means that can be an alternative to
expensive monitoring system and successfully replace it. The same is true for actions
organizational, which to a large extent can appeal to the imagination and be an expression of common sense.
The use of a school monitoring system should always be well thought out and limited to areas where
where it is necessary from a safety point of view and applied with regard to the impact on
the privacy of students, teachers and others.

15. Can the monitoring consist of mounting hidden cameras?
The provisions of the GDPR and national regulations do not allow the monitoring to be carried out with the help of
hidden cameras. Only the security services are authorized to conduct covert monitoring
and special activities under the laws regulating their activities. The use of hidden
cameras may be considered a redundant form of data processing, entail liability
25

Page 26
26

administrative and civil, and even criminal. Video surveillance areas must be marked
in accordance with the requirements set out in specific regulations and the GDPR.

16. Can the monitoring consist of installing cameras that enable sound recording?
Monitoring regulations do not, as a rule, allow the recording of sound accompanying events. Such
only law enforcement and special services have rights under the laws regulating them
activity. The use of audio recording may be considered a redundant form of data processing,
involve administrative, civil and even criminal liability.

17. Do the provisions on monitoring introduced in the Personal Data Protection Act have?
applicable to existing systems?
The provisions of the GDPR and specific laws apply to all systems covered by them
space monitoring. This means that existing systems urgently need to be adapted to new ones
requirements. Of course, the supervisor is aware that adapting the systems to new ones
regulations require consultation with the entities involved, changes to documents
internal and fulfillment of obligations towards the observed persons. Therefore, in the first place
the progress of the administrators in adapting to the new requirements will be monitored. Such activities
should be taken promptly by controllers and processors in order to
demonstrate efforts to comply with applicable law. Subsequently carried out
activities will be carried out by the President of the Personal Data Protection Office to verify compliance with the rules
use of video monitoring provided for in the GDPR and specific provisions.

18. How are the school or workplace - which monitors, for example, changing rooms - to apply the measures
technical making it impossible to recognize people in this room?
Technical measures that make it impossible to recognize people are indicated in Art. 222 § 2 of the Labor Code and art.
108a paragraph. 3 of the Education Law as examples of solutions ensuring the protection of dignity and others
personal interests of the people being watched. It is possible to use specific blurring software
fragments of the cropped image (including the figures of the people observed), or the setting of cameras in such a way that
violation of the dignity and other personal rights, or the principle of freedom and independence of relationships
professional, it was impossible. Technical solutions aimed at minimizing the risk of breach
the rights or freedoms of data subjects in relation to the monitoring of places where, as a rule
such monitoring is prohibited, should take into account the principle of ensuring the protection of personal data
the design stage and data protection by default included in Art. 25 GDPR . Please note that the premises
excluded from monitoring may be included in it only exceptionally, due to the existing threat to them
achieving the goal (safety of people and property, etc.). This could, for example, mean being temporarily placed under surveillance
26

Page 27
27

cameras of lockers that someone has broken into or stolen from. This is not a ground for
unlimited monitoring of these areas. In any case, the administrator should do a lot
be cautious about forbidden places monitoring and ensure the proportionality of such activities, as
this may involve complaints from observed persons and administrative and civil liability.

27

Page 28

Office for Personal Data Protection
ul. Stawki 2, 00-193 Warsaw
www.uodo.gov.pl

