Data protection: Video surveillance - what to watch out for now

What impact will the new data protection law have on video surveillance?

Jürg Schneider, Dr. iur., Attorney at Law, Walder Wyss AG: With the new Data Protection Act (DSG), personal data is better protected. This naturally also applies in relation to video surveillance and covers all data relating to an identified or identifiable natural person. The DSG applies to the processing of data. Processing means any handling of personal data: as soon as a person can be identified on a video recording, it is personal data. Even the deletion or anonymization of such data falls under the term processing of personal data. In case of doubt, it should always be assumed that personal data is involved and that the FADP therefore applies.

What is the term "processing principles" in the new DPA all about?

Processing principles oblige companies, but also public authorities, to observe certain principles such as proportionality, purpose limitation, transparency or data security as early as the planning stage of a video surveillance system and to ensure compliance with them (see box below "Adhering to certain principles").

What does the duty to inform in the new DPA mean with regard to video surveillance?

Art. 19 FADP states that there is a general duty to inform and that data controllers must adequately inform data subjects when their personal data is processed. To give a concrete example: If a person can be recorded by a video surveillance system, this person must receive information - usually by means of a data protection declaration - about this data processing. In a first step, the information is provided by the operator of the system, for example, with a "Video Surveillance" sign (see illustration): It is mandatory that the name of the responsible operator and the purpose of the video surveillance be listed on the sign. For further information, reference must be made on the sign, as a second step so to speak, to the data protection declaration on the website. This data protection declaration must contain the information required in accordance with Art. 19 DSG.

What happens if I do not inform correctly or in time?

The federal data protection commissioner, for example, could initiate an investigation. This could lead to having to adjust one's information. Anyone who intentionally provides false, incomplete or no information can be subject to criminal sanctions upon request. The responsible person(s) in the company risks a fine of up to 250,000 Swiss francs. Conclusion: It is advisable to take the information obligations under data protection law seriously - especially in connection with video surveillance systems.

What must a security company consider when installing and operating a video surveillance system for a third party?

If a security company installs a video surveillance system for an end customer and operates it for the purposes of the end customer on its behalf and obtains access to personal data, the security company is a so-called commissioned data processor under the DPA. In this case, a so-called commissioned data processing agreement must be concluded between the end customer and the security company (also known as a data processing agreement or DPA). This DPA must clearly regulate which instructions and security requirements of the end customer the security company must follow, what the security company may do with the personal data and where the limits of the processing lie. If an order processing agreement is missing, this can also be sanctioned under criminal law upon request.

What special features need to be considered with regard to video surveillance?

Anyone who operates a plant and has 250 or more employees must create and maintain a so-called processing directory. This shows, for example, which categories of personal data are processed for which purpose and to whom data may be disclosed. In certain cases, the processing directory must also be kept for fewer than 250 employees, namely if particularly sensitive personal data is processed on a large scale or if so-called high-risk profiling is carried out. Another important point is the data protection impact assessment (Art. 22 FADP). It must be prepared if the processing of personal data may entail a high risk to personality or fundamental rights. Such a risk applies, for example, in the case of video surveillance in public areas, such as a train station concourse, if personal data is processed in the process.

What is the difference in data protection regulation in Switzerland and the EU?

The new data protection law in Switzerland is based on the principle of permission. This means that the processing of personal data is permitted unless it is prohibited. In the EU General Data Protection Regulation (EU GDPR), the approach is exactly the opposite: the processing of personal data is prohibited unless it is permitted. In practice, however, the requirements in Switzerland and the EU in the area of data protection are very similar, even if the approach is different.

What is it about the so-called justification reason?

In the case of video surveillance, the so-called justification means the following: If there is an overriding interest on the part of a company in video surveillance, this is usually considered a justification ground. In such a case, video surveillance is possible even without the consent of a data subject. An overriding interest is therefore, for example, the ¬prevention of criminal acts (e.g. theft) at a retailer or in a watch and jewelry store. I would also like to note that in the case of video surveillance of employees - or if employees are also recorded during video surveillance of third parties - additional requirements of labor law must be observed, as has been the case up to now. Permanent video surveillance of employees in the workplace is generally prohibited for health reasons.

How long may an operator store video surveillance data?

Here, reference must again be made to the principle of proportionality already mentioned, as well as to the obligation to destroy or anonymize personal data as soon as it is no longer necessary for the purpose of processing. A few years ago, the Federal Data Protection Commissioner stated that a video recording should generally not be stored for longer than 24 hours. In practice, however, this is a very short period of time, and the principle of proportionality also allows for longer storage of personal data - especially when it comes to crime prevention and, for example, video recordings are only to be evaluated after an act of vandalism.

Who may have access to the video data?

In principle, only those people who need to work with the video surveillance data may have access to it. In a company with 500 employees, this might be the head of security and the management. This rule can also be derived from the principle of proportionality - because the group of people who can access the personal data must be kept as small as possible.

What happens to existing video surveillance systems that are not yet compliant with the new DPA?

The new Data Protection Act has been in force since September 1, 2023 and must be complied with from that date. It is important to check existing video surveillance systems and their operation for compliance with the new data protection law. Any deficits must be remedied by the operator. For example, missing information signs and data protection declarations must be attached and created immediately.

Adhere to certain principles

The operator of a video surveillance system must always take appropriate technical and organizational protective measures. Art. 6 and 8 of the FADP contain the aforementioned principles:
Transparency: It must be recognizable that one is obtaining personal data.
Earmarking: Personal data must be processed for a specific purpose. In the case of a video surveillance system in a jewelry store, for example, this may be the prevention of a crime.
Proportionality: Processing of personal data must always be suitable and necessary to achieve the purpose.
Legality: This principle refers to other legal provisions that must not be violated when processing personal data - for example, Art. 179quater StGB, which prohibits, among other things, recording of facts from a person's confidential sphere without that person's consent.
Data Correctness: Personal data must always be correct. If, for example, it is determined that existing personal data is not (or no longer) correct, it must be corrected accordingly.
Data security: The operator of a video surveillance system, for example, must ensure that personal data does not fall into the wrong hands. In an age of increasing cybercrime, the issue of data security is of great importance.