New data protection rules for CCTV use

The Data Protection and Right of Information Commissioner has just recently approved, on 28.03.207, a new instruction regarding the level of security in the administration of personal data by subjects using CCVT security systems.

First, we recall that last year the Albanian parliament adopted a new law no.19/2016 on “Additional public safety measures” aiming to establish a framework of collaboration between public and private entities in Albania and the State Police in preventing, detecting and investigating criminal activities. Noteworthy, the law sets out mandatory requirements for all entities conducting an activity with added danger to the public such as gambling, businesses with more than 50 employees, businesses operating at night shift from 23:00 to 6:00, those with an annual turnover of over 10 million LEK, to name a few.

One key feature of the law is the obligation for aforementioned businesses to install within 6 months after the law has entered into force i.e. until June 2017, without exception, CCVT security systems, consisting of high resolution, infrared cameras with 2-month storage recording time. The local director of the State Policy will issue a Security Certificate to compliant entities. Subject of the law are obliged to make available to the state police and other bodies the audio-visual materials for investigation purposes.

CCTV images of people are deemed personal data protected under data protection legislation. Therefore, the Data Protection Commissioner has just recently approved the instruction on the level of security of personal data collected by CCTV security systems. The instruction is mandatory to all entities being awarded with the Security Certificate by the State Police.

Below is a summary of the main obligations that all relevant entities should consider when using CCTV systems:

  • Entities should assess impact that CCTV systems have in people’s privacy and keep related evidence;

  • Prominent signs should be used at the entrance or inside in the premises where the cameras places to inform people on the existence of CCTV cameras and recording of their actions;
  • Authorized persons are appointed who have access in the system’s processed data; these persons should sign a confidentiality declaration;
  • Evidence should be kept of all actions rendered for the processing of data and compliance with all security provisions on data protection must be confirmed;
  • Data subjects should be secured access to processed information; right to access should be capable of being proved;
  • Cameras are places in positions appropriate for their installed purpose;
  • A regulation should be drafted regarding the application of measures on data processing, retention and destruction and the authorized persons that have access to such data;
  • Data is transferred through a coded network with authorized access only for sender and the receiver.

The CCTV Surveillance Policy must be approved from all relevant entities and placed in their website for easy access to the public. The policy must set out the purpose of the CCTV surveillance, storage time, etc. and generally confirm compliance with the data protection law.

Non-compliant entities are subject to the penalties set out in the Law no.9887/2008 “On Protection of Personal Data”.





Anisa Rrumbullaku, Partner

[email protected]

The information provided in this newsletter is general in nature and does not constitute legal advice. CR PARTNERS SHPK cannot assume any liability in respect thereof. Before entering in commercial transactions, professional legal advice should be sought.