Drafting of an audit concept and data protection audit of video surveillance systems in public transport systems

Background

The client operates a public transport network with a large number of stations and means of local transport. For the video surveillance systems used in this network, a suitable documentation and auditing form was required. This had to meet the requirements of the GDPR and of the responsible supervisory authorities and be provided with clear comments so that the business units could fill it in and use it by themselves.

Legal Advice

I designed the corresponding documentation and check form and supported the client in its implementation. 

The check form covers in particular: 

• Documentation in accordance with Art. 30 GDPR (inventory of processing activities).
• Ensuring sufficient documentation of video surveillance (e.g., site plans, camera types, sample images, positions of notice signs)
• Ensuring sufficient notice boards (data protection notices).
• Limitation of video surveillance to the necessary level (e.g. live transmission vs. recording, storage period, access to recordings)
• Verification and documentation of the legal basis (taking into account relevant local and national regulation), in particular documentation of the legitimate interests as well as the necessity and appropriateness of the surveillance. 
• Ensuring data security 
• Review of whether a data protection impact assessment is necessary (threshold analysis).

Results

• Detailed and commented check form for video surveillance.
• Ensuring accountability (Art. 24 GDPR)
• Independent management by business units, thus reducing the workload of the legal and data protection departments