Concerns raised about cameras at self-service supermarket checkouts

Tesco said its new front-facing self-service checkout camera trial is complying with its GDPR requirements, but concerns have been raised by a solicitor who specialises in data protection. File Picture.

Tesco said its new front-facing self-service checkout camera trial is complying with its GDPR requirements, but concerns have been raised by a solicitor who specialises in data protection. File Picture.

Concerns have been raised about the installation of front-facing cameras at self-service checkouts at a number of Tesco stores in Ireland.

The supermarket chain has claimed the move is an additional security feature for customers.

Six stores — Artane, Cabra, Clarehall, Dundalk, Dundrum, and Stillorgan — are involved in the trial.

Simon McGarr, a solicitor who specialises in litigation and data protection issues, and who shops in one of these stores, has raised concerns about the potential retention of the images.

“At the moment, I don't know whether this image is just flashed up on the screen and then vanishes, or whether a copy of it is kept for some period of time, or whether it's associated with my purchases,” he said.

Mr McGarr was among a number of people who questioned Tesco on social media, asking for details on the new cameras. 

Tesco initially referred people their privacy notice. However, Mr McGarr says this does not contain any mention of facial data processing whatsoever.

In response to a query from the Irish Examiner, a Tesco spokesperson said the purpose of the trial is to provide an additional security measure for customers.

“This trial is operating in line with GDPR requirements,” the spokesperson said. "A data privacy impact assessment was undertaken prior to the trial and all of our stores have signage in relation to CCTV."

Tesco declined to comment further on how the information will be stored, whether it would be kept alongside other details such as purchasing history, and for how long it would be retained.

A spokesperson for the Data Protection Commission said organisations using such technology must ensure they meet their data protection obligations under the GDPR.

“An organisation must have a legal basis to justify the processing of personal data, such as the consent of the individual concerned or a contract with the individual," the spokesperson stated. 

"They must ensure they are only collecting the minimum amount of personal data necessary to conduct their business, that the data kept is accurate, and have an appropriate retention period in place to ensure the data is not kept for any longer than is necessary.

“They must also be fair and transparent with individuals and inform them of the reasons for collecting their personal data, what it will be used for and how long they intend to keep it.” 

More in this section

Lunchtime News

Newsletter

Get a lunch briefing straight to your inbox at noon daily. Also be the first to know with our occasional Breaking News emails.

Cookie Policy Privacy Policy Brand Safety FAQ Help Contact Us Terms and Conditions

© Examiner Echo Group Limited