CCTV vs. Privacy: GDPR Rules for your cameras
Installing surveillance cameras for your business may seem like a standard security measure. But are you aware that the moment a camera captures any piece of personal information, it falls under the scope of the GDPR and puts you at risk of being fined up to 20 million € or 4% of your annual income?
However, GDPR is not your enemy. Instead, it requires balancing your security needs against a person’s fundamental right to privacy. Following it protects not only your customers, but also your business from financial and reputational damage.
So, how does simple CCTV fall under the scope of the GDPR?
The answer is simple: personal data.
The main goal of the GDPR is to protect fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
The definition of personal data is very wide: put simply, every piece of information that allows a person to be identified falls under it. Video surveillance collects and retains pictorial or audio-visual information on every person entering the monitored space, and that information allows those persons to be identified, which makes it personal data. Therefore, its capture, storage, and use constitute “processing” under the GDPR, making it subject to strict legal requirements.
5 Steps to ensure your CCTV protects you — not puts you at risk
Step 1: Establish and document your lawful basis
First of all, even before placing cameras, you need to identify and document the “whys”: the clear legal reasons for recording. In the GDPR context, this is called legitimate interest, and it’s your task to prove it.
Why it’s required: Article 6(1)(f) of the GDPR allows processing personal data if it’s necessary for your legitimate interests, but only if those interests aren’t overridden by the privacy rights of the data subjects.
What do you need to do:
– Define your purpose: Unfortunately, stating “security” as the reason is simply not enough. Be more specific, based on an assessment of the situation, such as “prevent vandalism and theft”, and stay truthful: only use the cameras to, indeed, prevent vandalism and theft, in places that are proven to be vulnerable to such occurrences.
– Justify the necessity: The legitimate interest needs to be real and present, not hypothetical. This is a basis for “why” video surveillance is needed. Assess the situation, analyze the area, and conclude whether surveillance is really necessary.
– Perform the Balancing Test: This test weighs whether the harms to data subjects outweigh the interests of your organisation. The Guidelines 3/2019 on processing of personal data through video devices emphasize that the balancing test must be documented and tailored to each situation. This part is crucial and often a reason for financial penalties, as supervisory authorities regularly impose fines based on this reasoning.
| For example, the State Commissioner for Data Protection and Freedom of Information in Lower Saxony has imposed a fine of 10.4 million euros for using video surveillance for at least 2 years with no legal justification and preserving footage for up to 60 days, while the company was claiming prevention and investigation of criminal offences and tracking the flow of goods in the warehouses. These reasons were not considered sufficient to legitimize the CCTV usage. In this case, the State Commissioner stated that it may have been acceptable to monitor the employees with cameras for a limited period of time. However, the CCTV was neither limited to a specific period nor to specific employees. |
Secondly, even before placing cameras, a risk assessment of the situation is required. For many CCTV systems, depending on the scale and data collected, it is a formal Data Protection Impact Assessment (DPIA). It is a legal requirement under Article 35 of the GDPR for any processing “likely to result in a high risk”.

DPIA should include:
– Purpose and description of the data collection
– Necessity and proportionality
– Risks of the conducted activities
– Solutions to reduce and resolve those risks
Failing to conduct such an assessment may result in significant fines.
| By failing to conduct a DPIA, a Finnish taxi company was fined 72,000€ for installing cameras in its vehicles, as monitoring employees is considered high-risk processing. The Spanish DPA, meanwhile, fined a supermarket chain €2.5 million for using facial recognition, ruling that its DPIA was insufficient to justify the high risk to shoppers. |
Step 2: Be Transparent
Articles 12 and 13 of the GDPR require the provision of information in a concise, transparent, and easily accessible form. All the data subjects should be clearly informed that video surveillance is taking place. The EDPB has set a very specific “layered approach” standard for this.
First layer – At-a-glance notice
When placing a warning sign, both the information it contains and its placement should be considered. A warning sign must be located approximately at eye level before the surveillance area and display the most important information, such as the purposes of processing, the identity of the controller, and the existence of the rights of the data subject, together with information on the greatest impacts of the processing, in order to provide a clear overview of the intended. In addition, the sign needs to contain any information that could be unexpected for the data subjects, such as transmissions to third parties, especially if they are located outside the EU, and the storage period.
Second layer – Complete privacy notice
A complete information sheet (required by Art. 13(1)–(2) GDPR) should also be available at an easily accessible location and be referenced from the first layer. It should be possible to access this information before entering the surveilled area through a non-digital source (e.g., a phone number) and possibly a digital one, for instance a QR code.

(Guidelines 3/2019 on processing of personal data through video devices Version 2.0 Adopted on 29 January 2020)
Step 3: Record as little as possible
One of the main principles of the GDPR is the Data Minimisation principle. You must only capture information that is strictly aligned with your purpose. This affects your choice of camera positioning, angles, and system settings so as to avoid capturing unnecessary information. Ignoring this leads to significant fines.
| A recent decision from the Belgian Data Protection Authority (DPA) provides a stark warning: the owner of a student house was fined €9,700 for multiple GDPR violations related to their CCTV system. A central part of the ruling was a direct breach of the data minimisation principle. The investigation found that cameras installed to monitor the property were also filming the public road and parts of a neighbour’s property, including their garden and entrance door. The DPA ruled that this was a clear violation: the landlord had no legitimate purpose for capturing images of public spaces or a neighbour’s private home and had failed to implement any technical measures, like adjusting the camera’s field of view, to limit this excessive processing. |
Important notice: Disable the audio. The EDPB guidance is clear that audio recording should be disabled by default, as it is a highly intrusive measure and rarely justifiable.
Step 4: Set an Expiry Date
Security footage cannot be kept forever. The “Storage Limitation” principle in Article 5(1)(e) of the GDPR requires that data be kept for “no longer than is necessary”. The main task is to define a reasonable retention period and document it. The longer the retention period, the more justification for the legitimacy of the purpose and the necessity of storage has to be provided.
The GDPR does not specify an exact number of days for the “necessary” period; rather, it depends entirely on the purpose defined. You must be able to justify your retention period based on your specific operational needs. As a general rule of thumb for most businesses, a retention period of 24 to 72 hours is considered to be a sufficient amount of time, as it allows for serving the main purpose of detection and reviewing possible incidents.
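Putting the retention rule into practice means the purge has to run automatically, against a documented policy, rather than relying on someone remembering to delete old footage. The script below is an added example, not from the article or any vendor; it assumes footage is stored as one file per clip in a single directory, that the file's modification time is the recording time, and that a small, constructed "hold" list names clips that are exempt because an incident involving them is still under review (the article does not describe such a list; it is an assumption). The policy object records the purpose beside the retention window so the justification the article calls for travels with the configuration.

```python
"""Retention enforcement for CCTV footage (added example, not the article's code).

Assumptions (not from the article):
- one file per clip in a single directory, file mtime == recording time
- a HOLD set naming clips exempt from purge (e.g. incident under review)
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionPolicy:
    purpose: str          # documented purpose the footage serves (Step 1)
    retention_hours: int  # must be justified against that purpose (Step 4)

    def is_expired(self, recorded_at: float, now: float) -> bool:
        # strictly older than the window counts as expired
        return now - recorded_at > self.retention_hours * 3600


def select_expired(listing: Iterable[Tuple[str, float]],
                   policy: RetentionPolicy,
                   now: float,
                   hold: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the sorted clip names that are past retention and not on hold.

    listing: (clip name, recording time as a Unix timestamp) pairs.
    """
    return sorted(
        name for name, recorded_at in listing
        if name not in hold and policy.is_expired(recorded_at, now)
    )


def purge_directory(directory: Path,
                    policy: RetentionPolicy,
                    hold: FrozenSet[str] = frozenset(),
                    now: Optional[float] = None,
                    dry_run: bool = True) -> List[str]:
    """Delete expired clips (unless dry_run) and return the names purged."""
    now = time.time() if now is None else now
    listing = [(p.name, p.stat().st_mtime)
               for p in directory.iterdir() if p.is_file()]
    expired = select_expired(listing, policy, now, hold)
    for name in expired:
        if not dry_run:
            (directory / name).unlink()
    return expired


# Constructed sample data: clip ages are encoded in the names for readability.
SAMPLE_NOW = 1_700_000_000.0
SAMPLE_LISTING = [
    ("cam1_age01h.mp4", SAMPLE_NOW - 1 * 3600),
    ("cam1_age50h.mp4", SAMPLE_NOW - 50 * 3600),
    ("cam1_age80h.mp4", SAMPLE_NOW - 80 * 3600),
    ("cam2_age100h.mp4", SAMPLE_NOW - 100 * 3600),
]
SAMPLE_HOLD = frozenset({"cam2_age100h.mp4"})  # constructed: incident under review
SAMPLE_POLICY = RetentionPolicy(
    purpose="prevent vandalism and theft at the loading dock (placeholder)",
    retention_hours=72,
)


def demo_purge(policy: RetentionPolicy = SAMPLE_POLICY) -> Tuple[List[str], List[str]]:
    """Materialise the sample clips in a temp dir, purge for real, report."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name, recorded_at in SAMPLE_LISTING:
            p = d / name
            p.write_bytes(b"\x00" * 16)  # placeholder bytes, not real footage
            os.utime(p, (recorded_at, recorded_at))
        purged = purge_directory(d, policy, SAMPLE_HOLD, now=SAMPLE_NOW, dry_run=False)
        remaining = sorted(p.name for p in d.iterdir())
    return purged, remaining


if __name__ == "__main__":
    purged, remaining = demo_purge()
    print("policy:", SAMPLE_POLICY)
    print("purged:", purged)
    print("remaining (inside window or on hold):", remaining)
```

Run it as a scheduled job with `dry_run=True` first and log what would be removed; once the output matches the documented policy, switch to a real purge. Keep the policy object under version control so that the retention window and the purpose it rests on are auditable together.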
Step 5: Ensuring Integrity, Confidentiality, and the Right of access
At the final stage of CCTV GDPR compliance, two fundamental principles must be upheld: security of processing and the rights of data subjects.
Article 32(1) of the GDPR requires the implementation of “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” The main goal is to protect personal data gathered by the CCTV system from unauthorised access, disclosure, or loss. The benchmark for available and effective measures is set by the “state of the art”, as interpreted by the European Union Agency for Cybersecurity.
The GDPR empowers individuals with the right of access, and you must have procedures in place to handle these requests efficiently and correctly. Under Article 15 of the GDPR, individuals have the right to obtain confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to that data. A further requirement to bear in mind is the response deadline: failing to respond to a data subject request within the required timeframe (one month of receipt of the request) may easily lead to a fine.
| As in the case of a Romanian company that was fined 15,000€ for violating Article 15 GDPR (Right of access) in combination with Article 12(3) (Failure to respond to data subject requests within the required timeframe) and 12(4) GDPR (Failure to provide information on actions taken in response to data subject requests). Article 15 also specifies that the information provided should be a “copy”, which “shall not adversely affect the rights and freedoms of others”. The EDPB’s position is that before releasing footage to a data subject, the controller must redact (e.g., blur or mask) the personal data of any other individuals. |
Conclusion
The use of CCTV is legal, but conditional. It must be necessary, proportionate, transparent, and secure. The GDPR draws the line between surveillance as a security measure and surveillance as a substantial financial liability. A CCTV system should be viewed as a business asset that either actively accumulates risk or builds trust, so ensuring it is GDPR-compliant is a requirement, not an option. By embedding these 5-step practices into your regular operational routine, you ensure that your commitment to both security and privacy is shielding your business, not exposing it to risk.