By Teresa Basile, Christine E. Lyon, and Janelle J. Sahouria of Morrison & Foerster

Spain’s strict new limitations on video surveillance

In recent months, Spain has imposed substantial new restrictions on video surveillance and other types of videotaping of individuals without their consent. These developments underscore important differences between U.S. and Spanish privacy law.

Spain’s approach to video surveillance is illustrated by a recent enforcement action, in which Spain’s Data Protection Authority (the AEPD) fined a 20 year-old for posting a video on YouTube without the consent of the individual shown in the video. This case received significant media attention, as the video showed a group of teenagers harassing a disabled person, and led to public outrage over the mistreatment of the victim. The AEPD investigated the incident and determined that the videotaping violated Spain’s Data Protection Law (the LOPD) because the victim had not consented to being recorded. In a subsequent statement, the AEPD explained that the LOPD generally requires a person or entity making a video recording to obtain the consent of each person who can be identified in the video recording:  “The collection of images of a person, as long as [the images] allow the identification of that person, is regulated by [the LOPD] and requires the consent of the person involved.”  This consent obligation applies even if the individual is videotaped in a public location, as discussed below.

Applicability of Spain’s data protection law to video surveillance

The LOPD provides that “the processing of personal data shall require the unambiguous consent of the data subject, unless laid down otherwise by law.” Processing is broadly defined to include collection, recording, storage, or transfer of personally identifiable information. The AEPD has explained that “collecting the images of a person in a public place constitutes data processing” as long as the images allow identification of that person. In other words, Spain recognizes an inherent right not to be videotaped without consent, even in public locations. This is a noteworthy difference from U.S. law, which generally recognizes a privacy interest only if the individual had a reasonable expectation of privacy in the location where the video surveillance occurred.

This leads to the question of whether a company operating in Spain may use video surveillance within its facility. In general, video surveillance may serve multiple functions:  protecting the safety of employees and customers in publicly accessible areas (such as retail areas), identifying theft by customers or employees, and deterring theft and other misconduct. The AEPD recently issued guidelines for video surveillance, which attempt to balance individual privacy rights with the legitimate purposes served by video surveillance.

New video surveillance guidelines

The new Video Surveillance Guidelines (the Guidelines) must be read as a complement to Instruction 1/2006 on the processing of personal data when using cameras or video cameras for security purposes.

In general, the processing of personal data by means of video surveillance systems requires the data subject’s consent. Exceptions to this rule can be found in the Spanish Private Security Law and in section 20 of the Labor Statute, as described in more detail below.

When using video surveillance systems for security purposes, private companies must comply with certain requirements.

First, before creating any databases that contain video surveillance files, private companies must notify the AEPD of their intention to create video surveillance files. In comparison, there is no need to notify the AEPD when video surveillance systems are used to simply play or broadcast images in real time (without storing such images as files).
Second, private companies have a duty of information vis-à-vis those individuals whose images are to be captured. Organizations must place at least one sign in zones that are under video-surveillance, notifying individuals that they are under surveillance. These signs must be placed “in a sufficiently visible zone, in open as well as enclosed spaces.”  In addition, organizations must provide affected individuals with certain information as required under the LOPD.

Third, organizations must ensure that technical and organizational measures are in place to guarantee the security of the data, and to protect against alteration, loss, or unauthorized processing or access to the video surveillance files.
Lastly, the video surveillance files can be stored for a maximum of one month, unless data are needed for purposes of criminal or administrative investigations.

In addition to the above rules, another set of requirements is prescribed for those organizations wishing to use video cameras for monitoring purposes in the workplace. Section 20.3 of the Spanish Labor Statute allows the video monitoring of employees, without their consent, in order to check that employees are fulfilling their labor obligations. Nonetheless, there are minimum requirements to be observed by the organizations:

  • There must be no other alternatives or more appropriate means to accomplish this purpose than the use of such video surveillance;
  • The implementation of video surveillance systems must be strictly limited to the uses and locations necessary for fulfilling the purpose of the employee monitoring;
  • Video surveillance systems cannot be located in facilities meant for employees’ private use (e.g., toilets, restrooms, or recreation rooms);
  • Employees’ right to their private lives must be respected, and private conversations cannot be recorded;
  • Organizations must fully respect their employees’ information rights (i) by notifying the employees’ union representatives that a video surveillance system is to be put in place, (ii) by placing the information sign described above as set out in the Instruction 1/2006, and (iii) by means of a personalized notice;
  • In cases where video surveillance files are created, the notification requirement described above applies;
  • Employees’ images must be deleted within 30 days, unless these data are needed for investigative purposes (crimes or non compliance with labor obligations);
  • Employees’ rights of access to and erasure of their images must be guaranteed;
  • Organizational and technical measures to secure data must be implemented; and
  • The company retained to install the video surveillance equipment must comply with specific requirements pursuant to Spanish sector based law.

Additionally, video surveillance systems installed by financial entities are governed by separate sector specific laws.

Penalties for non compliance

The AEPD is empowered to enforce the LOPD and levy fines for violations. Penalties are based on the severity of the infringement, but the fines can be very harsh compared to those imposed in other European Union Member States. In 2007, the AEPD collected ?19.6 million in fines. Additionally, the Spanish Criminal Code allows imprisonment for certain violations of the LOPD (e.g., unauthorized access to personal data, use, or theft of such data).

Practical implications

While Spain has stricter rules on video surveillance than many other EU Member States, Spain’s approach demonstrates general principles that apply in all EU Member States:

   1. Privacy rights in the EU are not limited to situations in which an individual has a reasonable expectation of privacy, or a reasonable expectation that he or she will not be observed. To the contrary, EU data protection laws recognize an inherent right of privacy against surveillance, even in the workplace or other public places.
   2. A company cannot diminish these EU privacy rights simply by announcing its intent to conduct surveillance or monitoring. Notice is a fundamental requirement of EU data protection laws, but notice does not in itself suffice, because other obligations arising under those laws must also be met.

For these reasons, companies operating in Spain or other EU Member States should exercise caution in implementing video surveillance or other monitoring practices, even if the same practices are acceptable in the U.S. or other countries.

Christine Lyon is a partner in the Palo Alto office of Morrison & Foerster LLP. Her practice concentrates on privacy and employment law, including counseling, litigation, and transactional work.

Janelle Sahouria is an associate in the San Francisco office of Morrison & Foerster, where she is active in the firm’s pro bono efforts.

Teresa Basile is an associate in the Brussels office of Morrison & Foerster LLP and is a member of the firm’s Litigation Department. Her practice includes advising multinational companies on different aspects of EU competition law, such as cartels, mergers, and abuse of dominance, as well as data protection and privacy law at both the EU and national levels.




If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»