Monitoring private property with surveillance cameras is a legitimate interest of the owner. Nevertheless, in some situations, the legitimate interests of the data subjects outweigh this. If necessary, the supervisory authority can even order the deactivation of the surveillance camera. However, once the surveillance camera is deactivated, the supervisory authority's powers cease.
A deactivated surveillance camera does not fall under the GDPR. However, legal claims against the owner may arise from other legal bases.
May the supervisory authority order the removal of a surveillance camera?
The plaintiff is the owner of a property developed with a shopping center, including an advertising billboard. Several surveillance cameras were attached to this billboard, one of which monitored the junction of a street leading to the shopping center's parking lot. The supervisory authority ordered the deactivation and removal of this surveillance camera. The data processing by the surveillance camera was deemed unlawful. The administrative court dismissed the action filed against the removal order. It stated that a deactivated surveillance camera does not process data, meaning the scope of the GDPR is not applicable. Furthermore, Art. 58 para. 2 lit. f GDPR does not authorize the authority to issue a removal order.
The appeal lodged with the Higher Administrative Court (OVG) against the administrative court's judgment was unsuccessful.
Why does a deactivated surveillance camera not fall under the GDPR?
According to the Higher Administrative Court (OVG) of Rhineland-Palatinate, video recordings and their temporary storage by a surveillance camera do constitute data processing operations within the meaning of Art. 4 GDPR. However, the surveillance camera in question no longer processes personal data. It was undisputed that the plaintiff had deactivated the surveillance camera in question. The supervisory authority's corresponding order is also legally binding. The OVG Rhineland-Palatinate also based its legal opinion on corresponding views in data protection literature and the Data Protection Conference (cf. Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 1st edition 2019, Appendix 1 to Art. 6 para. 43; likewise: Data Protection Conference, Guidance on Video Surveillance by Non-Public Bodies, July 17, 2020, No. 1.1, p. 5).
Why was the plaintiff not required to remove the surveillance camera?
The OVG Rhineland-Palatinate concurred with the administrative court's legal opinion that the supervisory authority, via Art. 58 para. 2 lit. f GDPR, can only order a restriction of processing, but not the removal of equipment. Art. 58 para. 2 lit. f GDPR also does not authorize the issuance of a removal order as a "technical and organizational measure within the processing environment." The obligation to implement such measures does not exist in isolation. They must always be viewed in connection with data processing operations. In the absence of data processing by the surveillance camera, there is no scope for technical and organizational measures.
Removal of a surveillance camera as a precautionary measure?
The supervisory authority also based the removal order on the argument that it could not control whether the owner might secretly reactivate the surveillance camera. This risk could only be mitigated by removing the surveillance camera.
In response, the OVG Rhineland-Palatinate argued that, according to Art. 58 para. 6 sentence 1 GDPR, each Member State is free to equip its supervisory authorities with additional powers beyond those listed in paragraphs 1 to 3. The national legislator has so far only made use of this opening clause in the form of § 40 para. 3 sentence 3 and para. 6 sentence 2 of the German Federal Data Protection Act (BDSG) (cf. Simitis/Hornung/Spiecker gen. Döhmann, op. cit., Art. 58, para. 74), but not with regard to the authorization to issue a removal order.
Can I now install surveillance cameras without risk?
The answer is unequivocally: No!
You must observe the following:
– As soon as you install and activate a surveillance camera, you must comply with the GDPR. You must affix a clearly visible sign indicating video surveillance outside the monitored area. Furthermore, the surveillance must be proportionate. Many specific considerations must be taken into account here. You may also need to conduct a Data Protection Impact Assessment (DPIA) according to Art. 35 GDPR before commissioning the surveillance camera.
– Should you install a surveillance camera but not activate it, the GDPR is not applicable. Orders from the supervisory authority aimed at deactivation or removal will ultimately be unsuccessful. HOWEVER: Do not take orders from the supervisory authority lightly. As a rule, you must at least respond in principle to communications from the supervisory authority.
– Deactivated surveillance cameras or dummy cameras can nevertheless lead to legal infringements if there is a "surveillance pressure." This occurs when third parties must objectively and seriously fear surveillance by surveillance cameras or dummy cameras (cf. BGH, Judgment of March 16, 2010, Ref. VI ZR 176/09). In this case, the general right to personality of the individual, in its manifestation as the right to informational self-determination, is infringed. Therefore, you would have to expect defense, injunctive relief, and compensation claims from affected parties.
As you can see, the subject of surveillance cameras presents various pitfalls. It is imperative to seek legal counsel before installing a surveillance camera or a dummy camera.
Source: Higher Administrative Court of Rhineland-Palatinate, Judgment of 25.06.2021, Ref. 10 A 10302/21
Lower instances: Administrative Court Mainz, Judgment of 24.09.2020, Ref. 1 K 584/19.MZ
We are pleased to offer our services as advisors across the entire spectrum of IT/IP and data protection law. We have already advised numerous clients on the subject of "video surveillance" and can also assist you with a Data Protection Impact Assessment (DPIA).
GoldbergUllrich Attorneys at Law 2021
Julius Oberste-Dommes LL.M. (Information Law)
Attorney-at-Law and
Specialist Attorney for Information Technology Law
