February 12, 2024

It's all about data protection! Body cameras in private security companies

No sooner had the federal states decided to equip the police with body camera technology and successfully introduced it in some federal states than private security companies followed suit and equipped their employees with body cameras. Not a bad idea, one might think, but what does it look like in reality? How are data protection requirements being met?

If you take a closer look at the reality and delve deeper into the topic of data protection and body cameras, it is hard to imagine that data protection requirements can be even remotely met or guaranteed. If you look at the guidance provided by data protection authorities on the use of body cameras, it seems that companies quickly reach their limits.

What exactly is important when using body cameras in the private security industry?

GUIDELINES FOR GDPR-COMPLIANT USE OF BODY CAMS IN THE PRIVATE SECURITY INDUSTRY

I would now like to describe in more detail what private security companies must pay attention to and demonstrably implement in order to use body cam technology in a GDPR-compliant manner.

The GDPR components of body cam use

When purchasing body cams, the following circumstances must always be checked:

1. Which hardware/software is being shortlisted?
2. Who is responsible for hosting and administering the technology?
3. For what purpose will the camera technology be used?
4. Have all documents relating to the operation of the body camera technology been created?
5. Are all necessary contractual documents available?
6. Have all employees been trained accordingly?
7. Is a daily usage log kept?
8. Has the use of body cams been taken into account in the service instructions?

Basically, it is now just a matter of working through the above 8 points properly and conscientiously in order to achieve a high level of data protection. Here are a few tips and pieces of information on how you can accomplish these points without too much stress, without high costs and with as little time expenditure as possible.

## Point 1: Which hardware/software is being shortlisted?

There are numerous products and solutions available on the body camera technology market. Basically, the decision as to which body camera technology and software to use can be made quite easily. It is important to avoid products that are manufactured and hosted in so-called unsafe third countries, e.g. the USA or China. The purchase price may well be attractive, but there are definitely hurdles to overcome in terms of data protection that will quickly make you forget about the savings. Only technology that is manufactured in Germany or within the EU and is GDPR-compliant should be shortlisted. This will save you a lot of hassle and significantly minimise the data protection effort involved.

We can recommend the body cam from NetCo Professional Services GmbH in Blankenburg im Harz. NetCo’s body cam meets the requirements of the GDPR in terms of technology and software and also offers an attractive price/performance ratio.

## Point 2: Who is responsible for hosting and administering the technology?

Let’s stick with the NetCo body camera to better illustrate the issue. A body camera always consists of three essential components. These are:

* The body camera
* The server software
* The client software for the PC

The server application can be operated in two ways:

* External hosting by NetCo
* Self-hosting by the customer

Description of external hosting by NetCo

In order to be able to fully use, administer and configure the body cam, the corresponding administration software (server application) must be installed and operated on a web server. NetCo offers a full service here, i.e. NetCo takes over the hosting for the company and also ensures that the server technology and software are secure and up to date. This procedure is described as external hosting and requires a directory of technical and organisational measures (TOM), which must be documented in a data protection documentation (see point 5). To ensure that this point is fulfilled, NetCo provides the customer with this directory (TOM). Similarly, NetCo provides a contract for the order data agreement, which is essential for point 6.

The advantages of this option are obvious. The customer has very little work to do and does not have to create their own documentation in relation to the GDPR, as this is provided by the manufacturer. In addition, the server location is in Germany and therefore complies with the requirements of the GDPR.

Description of self-hosting by the customer

Of course, there are reasons and requirements for operating the Body Cam Server application on your own web servers. However, it should be noted that in this variant, the directory of technical and organisational measures (TOM) for server operation must be created and verified by the customer. It is also important to ensure that the server is located within the EU and that no data is communicated to an unsafe third country. Operation in cloud applications from Google and Amazon (AWS) must also be documented separately and verified by a so-called data protection impact assessment (DPIA).

## Point 3: For what purpose is the camera technology used?

When it comes to using body camera technology for your own company or on behalf of third parties, the data protection hurdles are relatively high and many of the frequently cited references to the intended use are not GDPR-compliant. This raises the question: When is the use of body cameras compliant with data protection regulations? The German Data Protection Conference provides the following answer:

_The use of body cameras in compliance with data protection regulations must be measured against Art. 6 (1) (f) of the General Data Protection Regulation (GDPR) and § 4 of the Federal Data Protection Act (BDSG). According to this, the processing of personal data is permissible insofar as it is suitable (2.) and necessary (3.) for the exercise of domestic authority or the protection of legitimate interests (1.) of controllers or third parties, and insofar as the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not outweigh this._

In principle, the following reasons for purpose limitation can be used for the use of body-cams and mobile cameras (e.g. for construction site surveillance):

* Protection of security personnel from assault
* Subsequent identification of the suspect
* Securing evidence for possible civil law claims

Note: Reasons that may be cited for the investigation of criminal offences should be avoided, as these are the sole responsibility of the law enforcement authorities.

## Point 4: Have all documents relating to the operation of body camera technology been created?

The GDPR-compliant use of body camera and mobile camera technology must always be considered from two perspectives. On the one hand, there is the manufacturer of the technology and, on the other, the user, i.e. the responsible body. Assuming that the manufacturer has taken all GDPR requirements into account, it is now up to the responsible body to correctly implement the GDPR and to document this accordingly. This includes the following activities:

* Creating a camera security concept
* Creating a processing directory for the camera technology and the corresponding software
* Creating a directory of technical and organisational measures (TOM) for internal measures
* If the software technology is operated on a separate server, a directory of technical and organisational measures must also be created for this
* Creating an authorisation concept (Who is allowed to work with the camera? Who administers the server software? Who operates the client software? Who has access to the data and when, etc.?)
* Creating a deletion and backup concept
* Creating a daily log of camera use
* Do all employees who work with personal data have the appropriate training certificates?

Admittedly, this is a lot of paperwork, but it is absolutely necessary. In order to be able to fulfil these documentation obligations 100%, the use of so-called data protection management software is recommended.

Data protection management software

We recommend our data protection management software so that you can document and verify your data protection in a clear and up-to-date manner. With our DMS, you can create all the necessary documents (processing directories, TOM, DPIA) with just a few clicks and also receive all the necessary information. In addition, our software features an integrated and GDPR-compliant video conferencing system, a whistleblower system and an e-learning platform for internal training.

## Point 5: Are all the necessary contract documents available?

Without contract documents, complete and GDPR-compliant documentation is inconceivable. Basically, you must oblige all partners and companies that have a direct or indirect influence on your body cam use to sign data processing agreements and also guarantee the suitability of the relevant companies. To briefly mention a few examples of which contractual partners can be considered for your project, here is a small overview:

Contract for commissioned data processing

* Manufacturer/distributor of the body camera
* For hosting on your own server, contract with hosting provider
* When using an external data protection officer
* When using external DPM software

Joint responsibility contract

In the case of private security companies, it is also important to ensure that, if the body cam is used on behalf of a customer (e.g. ShopGuards, Doorman, etc.), a joint responsibility contract is in place.

## Point 6: Have all employees been trained in data protection?

When using body cam technology, three types of employees must be taken into account.

* Employees who operate a camera
* Employees who subsequently process the corresponding image/video material
* Employees who administer the software and servers in the case of “self-hosting”

Depending on how the technology is used, the training courses should have different focal points so that the relevant employees are trained precisely for their specific tasks and can demonstrate the appropriate expertise. The training courses should be repeated every 12 months. All training courses are already prepared in the Pro version of the DPMS Management System provided by us, enabling quick and smooth training success.

## Point 7: Is a daily usage log kept?

In order to be able to seamlessly log and verify the period of use and the actual recording times, it is mandatory to keep a so-called usage log. How this is kept and which software is used for this purpose is of secondary importance. Some people may think that all the essential details are logged by the camera technology and stored in log files, but some additional data is required that cannot be recorded by the technology. For interested users, we offer our digitised deployment log for body-cams in two different forms.

* Operational log for joint responsibilities
* Operational log for public transport operations

You are welcome to take a look at our digital operational log for joint responsibilities without obligation. Please use the following link and user data:

Digital deployment log Customer ID: 86e0b665-2022 | Customer number: 50500

Questions about data protection and body cameras?

If you have any questions and/or would like additional information on the subject of data protection for body cameras, please feel free to contact us at any time. We will be happy to answer your questions and advise you on this topic.
