Bulgarian Data Protection Authority issued a statement regarding the admissibility of using video surveillance systems with face recognition features for the purposes of improved security of the shopping premises and protection of the life and property of the visitors and traders. The statement was issued as a response to a request by a secuity company that provides security and video surveillance services to numerous shopping centers in the context of an increase of the number of incidents. The security company wanted to introduce and offer to its cliens (shopping malls and hypermarkets) video surveillance system that allows a facial recognition of persons whose biometric data have been manually entered into a database due to their previous anti-social behaviour on the premises of store(s) owned by the company's clients (e.g. thefts, attempted thefts, aggressive behaviour, etc.). The request from the company involved a substancial list of measures aiming to protect the rights of data subjects and to minimize the risks related to the planned processing of biometric data (facial recognition). The company also requested a statement from the Bulgarian DPA whether such processing could be based on the grounds of Art. 9, para. 2, item ‘g’ (public interest).
Bulgarian DPA, however, concluded that the planned processing is unlawful. The DPA considered that the planned activity constitutes a biometric categorisation within the meaning of Regulation (EU) 2024/1689 (AI Act) and indicated that this Regulation introduce substancial restrictions when such activities are performed by public authorities. They quoted Guidelines 3/2019 on processing of personal data through video devices of the EDPB and concluded that the potential exception that may allow processing of biometric data should apply to all persons that are filmed by the cameras. The conclusion of the DPA was that thefts or attempted thefts in the context of a “minor case” under the Criminal Code[6] cannot be a reason of important public interest within the meaning of the GDPR that would turn a store’s customers into “walking barcodes”. The creation of a separate register with facial images of customers who have been found to have attempted or committed shoplifting, as a form of subsequent processing of personal data, does not comply with the principle of “purpose limitation” under Art. 5, par. 1, b) of the GDPR, as well as with the requirements for processing data for purposes other than those for which they were initially collected (argumentative Art. 6, par. 4 of the GDPR) stated the Commission. Last but not least, the DPA found that the processing of data on the facial images of customers infringes the right to the protection of personal data and the inviolability of their private life and may also rise to forms of discrimination against them.
In its statement the DPA among the analysis of GDPR, AI Act and local legislation, took into considerations the practice of other EU DPAs (namelly, the once in the Netherlands and Spain).
Article provided by INPLP members: Prof. Dr. George Dimitrov and Desislava Krusteva-Doncheva (Dimitrov, Petrov & Co., Bulgaria)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
