Last summer, an unidentified bank was fined by the CNPD for using surveillance cameras without sufficiently informing the subjects, as well as for filming some of them continuously. This followed an investigation that started in February 2019. Banks, of course, need surveillance cameras and security systems to protect their assets and employees. But how can they balance security with privacy and data protection?
“Firstly, there [are] no specific rules linked to banks, and the same regime applies to banks as for any other kind of entity who would like to set up some video surveillance,” explained Alain Hermann, commissioner at the CNPD, Luxembourg’s data protection authority. “When a company wants to set up video surveillance,” said Hermann, “they have to have a legal basis.”
“A question of proportionality”
The General Data Protection Regulation (GDPR) is the European Union’s privacy and data protection law, which became applicable in May 2018. It governs how organisations collect and process personal data relating to people in the EU, including organisations outside the EU that target them, and sets out how that data must be handled and protected securely.
Of the legal bases the GDPR lays out, two are the ones relevant to surveillance: a legal obligation or a legitimate interest. Legitimate interest is “usually” the legal basis that a company relies on to carry out video surveillance, said Hermann.
Any entity that wants to set up video surveillance has to do so in a way that respects the rights of the people being filmed, and particularly the employees, said Hermann. Cameras can be installed in a manner that ensures security, but they should not, for example, be filming employees all the time. Places where employees eat and rest are “usually not allowed,” he added. “It’s always a question of proportionality.”
So how do banks address this issue?
Delano reached out to two randomly selected Luxembourg banks--Spuerkeess and ING--to get their views on this topic.
Banks must establish clear policies and procedures for collecting, processing, and storing employee data
“Banks must establish clear policies and procedures for collecting, processing and storing employee data. This includes outlining the purpose of the surveillance cameras and security systems, how they will be used, and who will have access to the data. Employees should be provided with transparent information about these policies and their rights, such as the right to access their personal data, and the purpose and legal basis for processing it. Banks, as any other data controllers, can never implement hidden surveillance measures,” said Catherine Alter, vice president and head of business unit regulatory compliance, data protection officer at Spuerkeess.
Personal data to be processed lawfully and fairly
ING Luxembourg, the second bank contacted by Delano on the topic of surveillance and data protection, highlighted the importance of the lawful and fair processing of personal data that is collected for “specified, explicit and legitimate purposes,” as per the law of 1 August 2018. It’s also important that the data collection and processing is adequate, relevant and not excessive, and that data is processed in a secure way, said ING.
Principle of “data minimisation”
Spuerkeess’s Alter also mentioned the GDPR principle of “data minimisation” in her response to Delano, “which requires the data controller (here: the bank) to process as little data as necessary to achieve the intended purpose (here: security--protection of the persons and assets). This leads to only recording areas where security is a concern, such as entrances and exits, and not recording areas where privacy is expected, such as restrooms or break rooms.”
Employees have the right not to be subject to continuous and permanent surveillance
“Employees have the right not to be subject to continuous and permanent surveillance. The principle of proportionality, another one required by GDPR, means that automatic and continuous surveillance of employees is to be avoided,” said Alter.
“This also means that the installation of video surveillance inside an office where one or more employees work permanently would be considered disproportionate to the intended purpose and constitute excessive interference with the employee’s privacy in their work. In such cases, the fundamental rights and freedoms of employees must prevail over the legitimate interests pursued by the employer.”
Data processing for “specific business purposes”
ING processes surveillance data for “specific data purposes,” noted the bank, one of which includes the protection of the “property” of the bank and its clients, which includes not only tangible assets, but “intellectual property rights, business knowhow and any other information to which confidentiality is attached.”
It also informs “clients about the purposes for which their personal data are processed” and which ING business is responsible for the processing, allows clients and employees to get an overview of their personal data and to correct, delete or block their personal data, and protects personal data from “unauthorised loss, alteration, disclosure or access,” said ING.
All of this information is indicated in an “easily accessible” privacy statement, said ING, which also has a “dedicated department [for] the protection of personal data, in charge of making sure that the bank complies with its regulatory obligations on [an] ongoing basis.”
Shift from “authorisation to accountability” after GDPR
But rules on video monitoring were already in place in Luxembourg before the GDPR, noted Hermann from the CNPD. From 2002 until 2018--when the GDPR came into force--video surveillance systems in the grand duchy were subject to prior authorisation from Luxembourg’s CNPD. “Entities had to fulfil a request for authorisation to be able to install video surveillance monitoring,” he explained, consisting of a form where they had to detail the purposes of the monitoring.
“After the GDPR, the system changed,” said Hermann. “We went from this regime of authorisation to accountability. So it means that each entity is responsible for ensuring that what he installs is compliant with the law. And then it’s our job to potentially control those systems which are installed.”
Video surveillance is therefore “not a new topic” for the CNPD, said Hermann. “It’s even a very old topic. We have very good knowledge on this topic.” The CNPD has issued guidelines on monitoring in the workplace both before and after the GDPR entered into force. The fine imposed in July 2022 was “not the first videosurveillance fine that we have given to companies in Luxembourg.”
Did GDPR significantly impact the privacy policies of banks?
“GDPR has replaced an EU directive that had been translated into Luxembourg law back in 2002,” said Spuerkeess’s Alter. “Based on that law, we already had a lot in place: a register of the processing activities, information notices to the customers about the data processing, a person in charge of that subject, security rules and policies regarding the access to clients’ data based on roles and tasks, regular communication with the CNPD, awareness campaigns to constantly remind the staff of how crucial confidentiality and professional secrecy are for our clients.”
Everyone, staff and customers, is nowadays aware of data protection rules
“GDPR mainly brought a lot of formalisation and publicisation of the above. Everyone, staff and customers, is nowadays aware of data protection rules. For Spuerkeess, the main impacts were more of an organisational nature--appoint a DPO, write and publish internal procedures, review the compliance of products and services with all GDPR provisions, inform the public through a data protection policy available online, as a complement to what already existed in our General Terms and Conditions--than fundamental,” said Alter.
“Transparency is also a good thing”: CNPD
The CNPD commissioner also discussed transparency around video surveillance as a potential crime deterrent. When entering a video-monitored zone, “just a sign with a camera” is not enough to inform people that they are being monitored. Under the GDPR’s information obligations (Article 13), when data processing takes place--in this case, the monitoring of individuals--information such as the purpose of the processing, who is responsible for it and where individuals can exercise their rights must be made available, said Hermann.
“I think this transparency is also a good thing,” he added, “because if people know that they’re filmed for security purposes in places, maybe they will not act badly. It’s information that may prevent some individuals from committing bad acts.”
How are inspections triggered?
The fine that launched this conversation around videosurveillance and privacy was the result of an investigation carried out by the CNPD. So how do these investigations get started in the first place?
There are two possibilities as to how controls on videosurveillance systems are “triggered,” explained Hermann. “The first one is either we--on the level of the commissioners--decide to make controls randomly, or we decide to set up a campaign of control in a specific sector.”
The second is the receipt of a complaint “from data subjects.” These can come, for instance, from employees who feel they are being surveilled all day, or from third parties requesting information.
Though videosurveillance and data protection was the topic of the interview, Hermann concluded by adding that the CNPD is not just concerned with videosurveillance. “We are the authority for enforcing data protection. So it means any processing of personal data falls under our supervision,” he said. “It means any sector, because you have personal data almost anywhere now. So we’re quite busy.”
The CNPD has around 60 employees “and is growing each year.”