On 7 December 2022, the Romanian DPA published a press release highlighting the data processing requirements applicable for video monitoring of public spaces conducted by public authorities.
In brief, the Romanian DPA emphasizes that:
- information such as the image or the vehicle registration number represents personal data under Article 4 point 1 of the GDPR;
- public authorities act in their capacity as a controller under Article 4 point 7 of the GDPR, where they alone, or jointly with others, determine the purposes and means of personal data processing or where the purposes and means of processing are determined by applicable national law;
- the personal data processing through video monitoring of public places by local public authorities must be done in strict compliance with the lawfulness requirements laid down in Article 6 of the GDPR. However, the Romanian DPA highlights that the legitimate interest ground does not apply to processing carried out by public authorities in the performance of their tasks;
- in principle, public authorities (including administrative-territorial units) acting as controllers process personal data for compliance with a legal obligation in relation to (i) the specific legal provisions applicable to their field of activity and (ii) the purposes established in the limits of these provisions. Therefore, such authorities are required to (i) analyze the existence of a specific legal basis for each processing operation and (ii) comply with the specific legal regulations in their field of activity and the GDPR;
- the principles set under Article 5 of the GDPR also apply to personal data processing through video monitoring of public places by local public authorities;
- where controllers intend to use new technologies on a large scale, such as video monitoring of public places, a prior data protection impact assessment (DPIA) must be carried out, as per Article 35 of the GDPR and Romanian DPA’s Decision No. 174/2018;
- Article 24 of the GDPR requires the controller to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, such as appointing a data protection officer, maintaining a record of processing activities, notifying a personal data breach (where applicable), ensuring the exercise of the data subject rights under Articles 12-22 of the GDPR, etc.;
- the protection of natural persons in relation to the processing of personal data is a fundamental right, the restriction of which can only be ordered if it is necessary within a democratic society, provided such a measure must be proportionate to the situation giving rise to it, applied in a non-discriminatory manner and without prejudice to the existence of the right or freedom (as per the Romanian Constitution). The Romanian DPA mentions the Romanian Constitutional Court’s Decision No. 498/2018 as an example in this respect;
- ultimately, reference is made to the example of the Romanian law allowing the Romanian Police to conduct photo-audio-video monitoring for the purpose of carrying out activities of prevention, detection, investigation or prosecution of crimes or execution of sentences. But on the other hand, the Romanian DPA reminds case law of the European Court of Human Rights (Judgment of 4 December 2008 in the case of S. and Marper v. the United Kingdom) ruling that “the protection afforded by Article 8 of the Convention would be unacceptably weakened if the use of modern scientific techniques in the criminal-justice system were allowed at any cost and without carefully balancing the potential benefits of the extensive use of such techniques against important private-life interests”.
The full press release is available here (only in Romanian).