How GDPR Regulates Dashcam?

How GDPR Regulates Dashcam?

To ensure the safety of the driver and to facilitate insurance claims in case of accidents, modern vehicles are outfitted with a number of cameras. Among these, the most popular is the dashboard cam or travel cam. This is an extremely common tool and is even required by law in certain situations, however, the camera can also record the personal information of other individuals such as their faces, license plates, etc. This article will go over how this processing activity is governed under the GDPR.

1. How does a dash cam work?

A dashboard cam (dashcam) or travel cam is a digital camera that is usually installed in front of the vehicle, there are also dashcams that are mounted at the rear of the vehicle. The camera will record footage of the vehicle while driving or at rest. The camera is usually powered by the vehicle’s electronic system and is set up to turn on automatically when the engine starts running. There are also dash cams that have a standby mode to stay on when the car is parked or automatically turn on upon impact or external tempering.

A simple dash cam does not store data but only transmits it to a monitor so the driver can be aware of the vehicle’s surrounding. For those that do record footage, the data recorded by the dash cam is stored inside a flash drive or the SD card of the camera which has limited space. When the storage device is full, the camera will overwrite the existing file. As such, depending on the size of the storage device, the footage would only be stored for a limited amount of time, unless the driver extracts the data to another storage device before it is overwritten. On the other hand, some dash cams come with cloud storage functionality where they can upload the footage to the cloud automatically when connected to the internet.

Some dashboard cameras have the function where they can manage the data to preserve certain events. These cameras continuously record and overwrite files – but if the vehicle is subjected to an impact, sudden braking or other incidents, the device automatically transfers and saves the recording segment that began a few seconds prior to the event and ended another few seconds following it.[i]

Dashcams allow the driver to document their driving and record any incidents on the road. This tool protects the user against fraudulent claims, theft and could lower insurance costs. Under certain jurisdictions, certain businesses involving vehicles are required to install dashcams on all of their vehicles.

2. Does GDPR regulate dash cam recording?

First of all, the footage recorded by the dashcam could include certain information regarding other individuals such as their faces, their vehicle’s license plate which would fall under the category of “personal data” pursuant to the GDPR.

Under Art 2.2(c) of the GDPR, personal data processing by a natural person in the course of a purely personal or household activity shall not fall within the scope of GDPR. However, in the case of František Ryneš, it was determined this exemption would not be applicable if the camera also captures footage of public places, even if the camera is installed on private property. As such, it is uncertain whether the personal use of a dashcam would be exempted from GDPR or not.

As for dashcams used in a professional manner (e.g. dashcams installed in vehicles used for businesses such as cabs, transport trucks, etc.), there is no doubt that the processing of the recorded footage would fall within the scope of GDPR.

In some countries in the EU, there are also other regulations regarding the use of dashcams such as requiring the dashcam to not obstruct the driver’s view and for all faces and registration numbers to be blurred out before publishing the footage.[ii]

3. How to properly use a dashcam in compliance with GDPR?

The first step to proper processing of dashcam footage is to identify a lawful basis under GDPR. Since obtaining the consent of the data subject is impractical in the context of dashcam footage, the most common legal basis used for the processing would be legitimate interest or in certain cases, legal obligations.[iii]

Additionally, the use of dashcams on multiple vehicles could also be considered as systematic monitoring of public spaces, and under Art 35 of the GDPR, the business must conduct a data processing impact assessment (DPIA) to assess the necessity, proportionality of the processing, the possible privacy risks and how to mitigate such risks.

It is also important that the business issues a proper dashcam policy in order to regulate how dashcams are installed, used and how the footage is processed. The policy should include, among others: the vehicles that would have dashcams installed, how the dashcams are to be installed, how the drivers must operate the dashcams (e.g. only turn the camera on during business hours), where the footage is stored, for how long the footage will be stored (footage with no incidents and footage with incidents), etc. The policy should be designed to adhere to the data processing principles of the GDPR under Art 5 such as only processing the footage for the purpose of resolving incidents, only storing the footage as necessary for processing purposes (e.g. deleting footage with no incidents after 24 hours), ensuring the security of the data, etc.

To comply with the data subjects’ right to be informed under Art 12 of the GDPR, the vehicles with dashcams installed should have a clearly visible sign or sticker of other forms of notice to indicate that the recording is taking place. A detailed privacy notice could be made available to the data subjects via the use of layered notice where the important information on the processing could be conveyed via a warning sign while more detailed information would be provided online via a QR code or a link on the warning sign. In the event of an accident, the driver should inform the parties involved of such recording immediately. Other rights of the data subjects such as right to access, right to erasure and objection, etc should also be respected and the business should set up channels through which the data subjects can exercise their rights.

PrivacyCompliance prides itself on its team of experts having achieved numerous internationally recognized certifications such as CIPM, CIPP/E, CISA, CISM, CRISC®, ISO27001 Lead Auditor, etc. With tried-and-tested knowledge and capacity, PrivacyCompliance is confident in being able to provide in-depth and comprehensive solutions on personal data compliance and protection.

[i] Teletrac Navman, ‘How does a dashboard camera work?’ <https://www.teletracnavman.com/fleet-management-software/video-telematics/resources/how-does-a-dashboard-camera-work> accessed 03 June 2024.

[ii] Nextbase, ‘European Dash Cam Legality 2022’ <https://nextbase.co.uk/hub/european-dash-cam-legality-2022-/> accessed 03 june 2024.

[iii] General Data Protection Regulation (GDPR), art 6(1).