Question:
Is the FSR 30-day CCTV retention requirement legal under EU law?
Short Answer:
Yes
Introduction:
The General Data Protection Regulations (GDPR) have a number of requirements for the collection, storage, and destruction of personal information, including video recording. Those requirements include the establishment of a GDPR Policy, assignment of a responsible person, notification of the GDPR Policy to interested parties, process for consent, the right to be forgotten, etc. It is a good idea to document the reason for, and retention time of collected data.
This article focuses on the retention time of CCTV recordings.
EU GDPR Regulations:
The EU GDPR Regulations do not specify the retention times for collected video recordings.
Data protection regulations in Europe specify that CCTV footage should only be retained for as long as necessary for the purpose for which it was collected. This typically ranges from a few days to a month or more.
In addition, the EU allows member states (countries) to establish their own versions of the GDPR. Germany further delegates the rules for GDPR management to each state. And of course, each company needs to establish their GDPR practices to meet their needs as well as comply with legal requirements.
Justification for 30 Day CCTV Retention:
Different industries have different retention requirements necessary to be effective for their stated purpose. In the logistics industry, CCTV retention is normally 30 days or longer to cover potential incidents like theft, damages, claims, losses, disputes, and other type events. It is important that companies justify the retention periods of recorded data in their GDPR Policy.
GDPR Germany:
Notes in the EU GDPR says that 72 hours is a reasonable retention time for collected data. It also recognizes a longer retention time may be allowed based on need. According to Art. 17 GDPR and ยง 24 para. 1 no. 2 BDSG, longer storage is possible. The most important fact is that the longer recording duration is justified.
Federal Data Protection Act (BDSG) says:
Section 4
Video surveillance of publicly accessible spaces
(1) Monitoring publicly accessible areas with optical-electronic devices (video surveillance) shall be permitted only as far as it is necessary
1. for public bodies to perform their tasks,
2. to exercise the right to determine who shall be allowed or denied access or
3. to safeguard legitimate interests for specifically defined purposes
Remember:
The purpose of the CCTV system is not to monitor the work productivity of employees.
The purpose of the CCTV system is to protect the company with respect to claims related to loss, damages and theft.
TAPA EMEA Position:
TAPA EMEA will not grant a waiver for the 30-day retention of CCTV images for FSR certification. Hundreds of companies around the world meet the 30-day retention requirements without issue.
Why?
30 days is the industry standard for the identification and processing of claims. If there is a security incident, the loss, damage, shortage, etc. might not be immediately evident during cargo inbound and out bound processing, shipping times, and storage.
Disclaimer:
This article is for informational purposes. Companies should address GDPR questions and concerns to a competent professional, such as a lawyer.