Filenews 26 October 2021
Clarifications on where the use of CCTV is allowed is given by the Commissioner for the Protection of Personal Data.
In detail what the Commissioner says:
In view of the fact that a plethora of questions continue to be received daily regarding the legality of the use of Closed Circuit Video Surveillance (CCTV) and the role of The Management Committees and the Management Companies in apartment buildings, I consider it appropriate to inform again about the following:
The provisions of the Law on the protection of personal data do not apply in the case of the installation of a CCTV in private areas (such as houses/ apartment buildings), because the processing is carried out by a natural person and concerns personal or residential activities. However, the scope of the CCTV's recording should not be outside the perimeter of the private area. In apartment buildings, the use of a CCTV by one occupant should not affect the privacy of others. In the event that a CCTV which has been installed by a tenant affects the privacy of others, the complaints are examined by the Cyprus Police, as my Office has no authority to enter private residences in order to be able to examine the images recorded by the CCTV. In the event that the CCTV will be installed by the management committee, its scope of registration should be limited to common areas following a decision of the residents that complies with the provisions of the Articles of Association.
Based on the Immovable Property (Tenacity, Registration and Valuation) Law (CAP.224), as amended, in Part IIA "Communal Buildings", in article 38KST (2)(c) it is stated that, "the Management Committee may conclude contracts in relation to any matter relating to the maintenance and management of the communal building."
Therefore, the Management Committee is the controller and the Management Companies are the processors as defined by the GDPR. The initial collection and storage of personal data of the tenants and / or the owners, for the purposes of managing the apartment building, is done exclusively by the Management Committee. The Management Companies, as processors, process the necessary data within the framework of their duties.
I also consider it appropriate to recall the following:
Image and sound data are personal data. The recording of image and sound is a processing of personal data, which in order to be lawful must comply with the provisions of the General Data Protection Regulation (GDPR) 2016/679 and the National Legislation of Law 125(I)/2018. Taking image and sound using a CCTV is only allowed if there is no less intrusive way to realize the purpose.
Examples where image capture using a CCTV is allowed:
- Entrance/exit of a building
- Outside an elevator, isolating the image exclusively in it
- Over a card payment device and/or a cash register, isolating the image exclusively in it
- Parking of apartment buildings after a decision of the Management Committee
Examples where image capture using a CCTV is not allowed:
- Toilets
- Corridors
- Waiting areas
- Inside the elevator
- Indoor/outdoor dining area of cafeteria, restaurant, etc.
It should be noted that it is in no way allowed to control the personal behaviour, personal contacts and efficiency of individuals through such systems.
Marking using warning signs is mandatory. Warning signs should be in conspicuous places, sufficient in number and clearly visible to the persons recorded. These plates must indicate (a) that a video recording is made, (b) the purpose of the video recording and (c) the data of the controller.
As regards the rights of data subjects, under the GDPR, persons registered by a CCTV may exercise their right of access.
The data are kept for a reasonable period of time, always in relation to the purpose they serve.
Where the establishment of a CCTV may result in a high risk to the rights and freedoms of natural persons, an Impact Assessment is required before processing in order to assess the impact of the planned operations.
