Each year the DPC receives numerous queries and complaints from various individuals complaining specifically about the use of CCTVs in restroom areas by various organisations such as public houses, nightclubs, restaurants and transport depots. More particularly, the complaints allege that the cameras are pointing over specific areas in restrooms where there is an increased expectation of privacy, such as over cubicles or urinals.

While, the DPC has engaged with organisations on a one-to-one basis, the issue of the lawfulness of the processing of personal data by way of CCTVs in restrooms needs to be considered more generally. Consequently, the DPC has examined these issues further and updated its Guidance on CCTVs for Data Controllers by including a specific section on ‘The use of CCTV in areas of an increased expectation of privacy.

An individual raised a concern with their employer in the beauty industry regarding what they believed was excessive use of CCTV cameras in the workplace. The individual stated that they were not informed that the cameras were being installed and had concerns that the devices were capable of recording both audio and video. In response to their concerns, the organisation advised the individual that the cameras were installed for the safety of staff and that no audio was recorded.

The individual then submitted a complaint to the DPC as they were dissatisfied with the response received from the organisation. As part of its examination, the DPC queried the organisation on the alleged audio recordings via the CCTV cameras. The organisation provided the DPC with evidence in the form of a letter from the CCTV system supplier, which confirmed that the cameras did not have audio recording capability.

Regarding the background as to why the organisation made the decision to install CCTV cameras, the organisation informed the DPC that it initially installed the cameras following a series of security issues including incidents of theft. However, it also stated that the cameras were installed for the safety of staff when working alone. Whilst the individual claimed that they were unaware the cameras had been installed, the organisation stated that the cameras had been in place for three years prior to the individual making a complaint to the DPC and that the individual had provided training to the staff in relation to same.

The organisation cited a number of lawful basis for the processing of data in this manner, including Article 6(1)(d) of the GDPR as its lawful basis stating that the cameras are necessary to protect the vital interests of its staff. Article 6(1)(d) of the GDPR states that the processing of personal data shall be lawful if ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’. It further cited Article 6(1)(f) of the GDPR which states that processing shall be lawful if ‘processing is necessary for the purposes of the legitimate interests pursued by the controller...’ as the organisation has a legitimate interest in the security of the workplace, safety of staff and prevention of crime.

In response the DPC informed the organisation that Article 6(1)(d) of the GDPR may only be relied upon by an organisation where the processing of personal data is necessary to protect a person’s life or mitigate against a serious threat to a person. As such, the DPC advised the organisation that it could not rely on Article 6(1)(d) of the GDPR as its lawful basis for the use of CCTV cameras in the workplace. Regarding its reliance on Article 6(1)(f) of the GDPR, the organisation confirmed that it had conducted a legitimate interest balancing test prior to the installation of the CCTV cameras. The organisation further stated that the processing was limited to what is necessary and cited its requirement for safety purposes. It stated that footage was retained for a period of 20 days and had put in place access controls to the footage.

Following its examination of the complaint, the DPC found that the organisation had demonstrated a valid lawful basis for the processing of personal data by means of CCTV cameras under Article 6(1)(f) of the GDPR.