The National Supervisory Authority for Personal Data Processing ('ANSPDCP') published, on 7 December 2022, guidance for public entities on lawful use of video surveillance systems in public spaces. In particular, the ANSPDCP reminded that, according to Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the processing of personal data via use of video surveillance systems is lawful if and to the extent that at least one of the lawful bases for processing applies.

Moreover, the ANSPDCP emphasised that, in principle, public entities, in their capacity as data controllers, process personal data in light of their duty to comply with a legal obligation, in relation to the specific legal provisions that are applicable to them which are based on national or EU law. Notably, the ANSPDCP highlighted that even public entities acting as data controllers must perform processing of personal data that is adequate and limited to what is necessary in relation to the established legal purposes of that processing, and that they must do so in a way which ensures adequate security for the data.

Lastly, the ANSPDCP noted that, pursuant to its Decision no. 174/2018 on the list of data processing activities which necessitate the execution of a Data Protection Impact Assessment ('DPIA'), the assessment of the impact on the protection of personal data performed by a data controller is mandatory when there is a large-scale processing of personal data through the innovative use or implementation of new technologies, such as facial recognition.

You can read the press release, only available in Romanian, here.