The DPO can play an important role in translating open standards into practice. To do so, however, the DPO must be properly involved in a timely manner. This is also stated in the law.
A municipality purchases security cameras for use in the city hall. This makes the municipality a data controller.
This case starts with the question: what is the relationship between the protection of personal data and the purpose of installing the cameras? The DPO can advise at this initial stage and prompt the organization to think about what is necessary. For example, can the municipality achieve the goal even with fake cameras? Should the images be stored, and if so, for how long? Can the municipality ask stakeholders for their opinions first?
Once all the facts and circumstances are clear, the DPO can advise on the various scenarios. The municipality, in its role as data controller, then makes a considered choice. In doing so, it must give concrete form to the open standards, for example in the areas of data minimization, retention periods, or access to and security of the collected images. If the municipality ignores the DPO's advice, it must substantiate that decision.
Is the DPO involved too late or in too limited a way, for example because the business process has already been completely set up, the DPIA has already been written and the cameras have already been purchased? Then the DPO can play only a small role in advising on the open standards. After all, at that point the DPO can only test and advise on whether the organization has fallen below the minimum level of protection when interpreting the open standard, and whether the processing is therefore still lawful. Especially when no internal policy or vision has been developed, the DPO can only test against general frameworks such as the GDPR, EDPB guidelines and case law. This is a missed opportunity and can cause problems.