La protection des données c’est toute l’année. Conseil du jour :
Tout mot de passe doit être fort, c’est-à-dire composé de caractères minuscules, de caractères majuscules, de chiffres et de caractères spéciaux.  

The 10 commandments of video surveillance

You operate a restaurant, a shop, or you run a company or a public service, you are co-owner and you want to use a video surveillance device.
                                                                      There are some things that you must know!

1 – A preliminary formality you shall carry out
All entities wanting to set up a video surveillance system should imperatively submit a request to the Commission, that is to say:

-> An authorisation request in the context of natural or legal governed by private law (article 6 of the law no. 1.165), or organisations governed by private law entrusted with a mission of general interest or a concessionaire of public utility (article 7 of the law no. 1.165);

Warning: The decision of the assembly of co-owners should also imperatively be enclosed when video surveillance system is implemented in a block of flats constituting co-ownership, or, for all other cases, the Authorisation from the Minister of State.

-> A request for an advisory opinion pertaining to natural and legal persons governed by public law or public authorities;

-> Ordinary declaration in the case of individuals using video-protection systems to protect their homes, notably against burglaries, where employees or service providers (nannies, medical personnel, delivery services...) intervene at the said home.

 2 – A justification you shall provide
Pursuant to article 10-2 of the law no. 1.165, all automated processing pertaining to video surveillance systems shall be justified.

Often it will be justified by the essential purpose of the legitimate interest pursued by the data controller (for example, to protect his or her shop and the valuable assets contained therein against the risk of theft as well as his or her employees against the risk of aggression).

The video surveillance system may also be justified by a legal obligation to which the data controller is subject or for the purpose of public interests pursued by private organisations concessionaire of public utility or entrusted with a mission of general interest (for example, an obligation in the statement of work to monitor bank counters).

Warning: The consent of the person may also be mentioned, but this justification will be assessed strictly by the Commission, and shall be substantiated and explained.

3 – Your neighbours you shall not spy
Considering the intrusive nature of implemented video surveillance systems, these must only be operated within the scope of the following functionality:

  • To protect persons;
  • To protect goods/assets;
  • To control access;
  • To allow the gathering of evidence in case of an offence or infringement.

All other functionality shall be scrutinised very carefully by the Commission.

Warning: The commission does not authorise video surveillance systems when these:

  • Have for objective to monitor the work or working hours of the employees;
  • Lead to permanent and inappropriate control of the data subjects.

Furthermore, the Commission asks that no cameras are installed in:

  • Cloakrooms, lavatories (facilities), bath-shower rooms, changing rooms;
  • Offices as well as private rooms put at the disposal of the employees to relax or to take meals;
  • Pathways or corridors used to access flats;
  • Pointing towards public streets or places.

4 – To other people’s conversations, you shall not listen
In accordance with the provisions of article 10-1 of the law no. 1.165, the data collected should be “adequate, relevant and not excessive” with regards to the final purpose for which they were collected and/or further processed.

In this context, the Commission judges therefore that the following information can be collected and processed:

  • Information relating to the data subject’s identity: image, face, silhouette of the persons;
  • Time-based and timestamp information: place and identification of the camera, date and time when the image was taken;
  • Electronic identification data: connection logs of the persons authorised to access the images and processing (login and password);
  • Connection data: Logs, traces, timestamps, journals

On the other hand, with regards to collecting voice (audio) when operating a video surveillance system, the Commission considers frequently that such collecting is clearly excessive in view of the functionality of the processing. Indeed, the collecting of audio (voice) for the purpose of, for example, protecting goods/assets and persons, may lead to a surveillance considered to be inappropriate with regards to the data subjects. The Commission will therefore be particularly vigilant to the justification provided by the data controller.

5 – The data subjects, you shall inform
In accordance with article 13 of the law no. 1.165, all video surveillance systems must be brought to the attention of the data subjects. These data subjects include all persons likely to enter within the range of the cameras. Thus, may be affected customers, employees, residents, visitors, caretakers, service providers, and/or even suppliers.

Although the data controller is free to choose the information method that he or she considers the most appropriate to his or her structure or activity, the Commission may nevertheless ask that the information be distributed, in all cases, by means of a notice board indicating visibly, understandably, clearly, and permanently the existence of the device including, a minima:

  • A pictogram (icon) representing a camera;
  • The name of the service to which requests can be addressed to exercise the right of access right of access in the Principality.

6 – A right of access, you shall provide
The right of access relates to the right of data subjects to obtain from an entity having implemented a video surveillance system the confirmation that the information relating to the said data subject has been collected and the communication of this information in a written, non coded form consistent with the content of the recordings.

If the entity is free to choose the manner in which data subjects can exercise their right of access (by post, email, phone, on-site), it is imperative, with regards to video surveillance that the answer to the request for right of access, namely viewing the images, is carried out only on site.

Furthermore, the data controller should make sure that only the person exercising his or her right of access be recognisable on the images.

7 – Internal access, you shall restrict
Recorded images should not be freely accessible to employees or customers.

Concerning the dispositions subject to the authorisation request, the data controller shall in accordance to the article 17-1 of the law no. 1.165, “establish a list of names of authorised persons who alone shall have access, strictly confined to the performance of their duties, to premises and facilities used for processing and the data being processed.”

This list of persons authorised to access the processing must be kept up-to-date.

Furthermore, for each category of authorised persons who have access to the information (management, vendors, IT provider...), the entity should determine with precision the access rights assigned to each of these categories (consultation as needed, differed consultation, delete, maintenance, full rights...).

The Commission pays particular attention to the categories of persons who have access to the information.

8 – Security measures, you shall take
In accordance with article 17 of the law no. 1.165, the technical measures and organisation implemented in order to ensure the security and confidentiality of the processing in terms of the risks represented by the processing itself and the nature of the data to be protected must be maintained and updated according to the state-of-the-art, in order to maintain the high level of reliability expected throughout the implementation of the processing.

Furthermore, the different architectures of video surveillance must rely on connections to servers and peripherals that must be protected by a login and a password qualified as strong and inactive ports must be disabled.

9 – Communications and remote access, you shall protect
The images from cameras are likely to be communicated to the Department of Public Security and to Monegasque Courts for the purposes of a judicial investigation or to the insurers for the purposes of a compensation claim enquiry.

It is therefore important that the copy or an extract of the information collected during the processing is encrypted on the supporting medium (CD, memory sticks, and so on).

Moreover, remote accesses when these are planned must be protected. The Commission asks that equipment permitting such access be imperatively protected by a strong password as well as by a protocol such as SSL (https, VPN, etc.).

In addition, the Commission asks that they be configured to lock automatically after a short period of inactivity.

Finally, with particular attention to “smartphones”, tablets, and laptops, the Commission asks that the access to the applications to view the images is also done via strong password.

10 – The storage period, you shall limit
Furthermore, in accordance with the article 10-1 of the law no. 1.165, data are only stored “during a period not exceeding the one set out for the purpose for which the data were collected”, that is to say, one month, except for electronic identification data, which are kept for the duration of the work.

In general, keeping the images a few days should be sufficient to carry out all necessary verifications in the event of an incident and to initiate any criminal proceedings.

When technically possible, the images must be configured to a maximum storage of one month in the system.