To think this is against GDPR

[Outandabout43]

Listening and watching a private conversation on CCTV from a mobile phone that happened on comercial property between the owner of the business and a paying customer. Conversation was nothing to do with the business

Still not GDPR. Have a Google and find out why.

the owner of the business knew there was cctv present with audio

the owner of the business knows that this is acceptable on your phone

the owner of the business, have they set out a rule for this equipment? Is there a hand book? Was there tracing when this equipment was put in the phone? Is it your private phone or company phone?

Recordings (videos and audio) are covered by GDPR.

It is no different to showing someone a document or accessing a record on the system - if the data is shared with someone who shouldn't see it, that's a data breach.

I think GDPR does apply. Images and voice recordings do constitute personal data if individuals are identifiable.

Perhaps you should have a Google.

Which of the data protection principles in the UK GDPR equivalent do you think have been breached?

Yes GDPR. Recordings are data.

Why did you show it to someone else?

I think the GDPR thing is neither here nor there tbh. It's a massive invasion of the owner and customer's privacy and that's what'll likely get you the sack

CCTV is absolutely covered by GDPR. Any business with CCTV has to be registered with the ICO & there are rules around what it can be used for.

You as an employee did nothing wrong in watching it yourself IF you are an authorised person in your workplace.

showing the recording to someone else was totally out of order and is a breach of data unless you have a legitimate reason (which would be things like an asssult had happened so showing it to the police or to an insurance company following an accident.

this could easily be gross misconduct.

Its the sharing of the footage that could very well get you fired for gross misconduct even if the video would have recorded without you watching it.

Having done all the training in 2018 when it was introduced, I do think there may be a GDPR breach here. I don’t think it’s particularly egregious and I don’t know how it would be proven, but don’t share audio recordings of people without their consent? Probably good advice anyway.

ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/guidance-on-video-surveillance-including-cctv/checklist-for-limited-cctv-systems/

Presumably, personally data (video images and voice recordings) have been disclosed to an unauthorised individual without the OP having had any lawful basis for sharing that data.

The OP herself may not have had any lawful basis for viewing the data, but that's less clear and depends to some extent on the nature of her job role and the specific details of the employer's own policies.

It is the sharing of the image/audio that is the issue, assuming you are authorised to monitor cctv as part of your employment.

You let someone else watch it too? Bloody hell. What possessed you? It's definitely gross misconduct, nothing to do with GDPR but I wouldn't be surprised if you are let go or, at the very least, put on probation.

from the ICO

Under the UK GDPR and DPA 2018, you have an obligation to implement appropriate technical and organisational measures. These show that you have considered and integrated the principles of data protection law into your processing activities. It is also important that you identify an appropriate lawful basis, and justify any processing to be necessary and proportionate.
If you are a controller, and your surveillance system is processing the personal data of identifiable individuals, you are required to register and pay a data protection fee to the ICO, unless exempt or you already pay the fee..
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance. Your accountability obligations are maintained throughout the life of the processing.
Specifically under Article 30 of the UK GDPR, organisations are required to maintain a record of the processing activities taking place. This applies to both controllers and processors that use surveillance systems. The records you keep should cover areas such as the purpose(s) for the lawful use of surveillance, any data sharing agreements you have in place and the retention periods of any personal data.
For surveillance systems, you must take a data protection by design and default approach and perform a Data Protection Impact Assessment (DPIA) for any processing that is likely to result in a high risk to individuals. This includes:

• processing special category data;
• monitoring publicly accessible places on a large scale; or
• monitoring individuals at a workplace.

You should assess whether your use of surveillance is appropriate in the circumstances. As part of your assessment, you should also take into account the reasonable expectations of the individuals whose personal data are processed and the potential impact on their rights and freedoms. You should record your considerations and mitigations in a DPIA prior to any deployment of a surveillance system that is likely to result in a high risk to individuals. If high risks cannot be mitigated, prior consultation with the ICO is required.

When you've recorded it you then become a data processor and there are rules re what you can do with the data, re using it for the purpose for which it was intended and not other purpose. In showing it to someone else, I think you have committed a breach unless you had a very good reason to do so, e.g. evidence of theft. For gossip, you're bang to rights.

Why on earth did you show a personal conversation to third party?

Probably not agains GDPR but if you have accessed the CCTV without good reason and used it to spy on people’s personal conversations it could very well be gross misconduct and still be something you are disciplined or fired for.

CCTV recordings are data, and if that data is accessed incorrectly it is a GDPR data breach.