
GDPR and CCTV: Video Surveillance Compliance Requirements Explained

GDPR applies to CCTV footage. This guide covers lawful bases, signage, retention, DPIAs, data subject rights, and anonymization before sharing recordings.

Medianonymizer Team · 9 min read

Operating a camera in a public or semi-public space is one of the most common ways organisations collect personal data — and one of the most frequently mismanaged under GDPR. Footage of identifiable people is personal data from the moment it is recorded, and every principle in the Regulation applies to it.

This guide maps the specific GDPR obligations that apply to video surveillance: the legal framework, signage and transparency requirements, data retention limits, when a DPIA is mandatory, how to handle subject access requests, and when anonymization is the right tool to reduce ongoing compliance risk.

Disclaimer: This content is for general informational purposes only and does not constitute legal advice. Regulations and supervisory authority guidance vary by jurisdiction and change over time. Always consult a qualified legal or data protection professional for advice specific to your situation.

TL;DR

  • CCTV footage is personal data: capturing identifiable individuals triggers the full GDPR framework — Articles 5, 6, 13/14, and 35 all apply.
  • You need a lawful basis before you switch on the camera: legitimate interests (Article 6(1)(f)) is the most common route, but it requires a documented balancing test.
  • Retention must be defined and enforced: 30 days is a common benchmark, but EDPB guidance expects a few days for routine property protection, so anything longer needs a written justification; incident footage may be kept longer under a documented hold.
  • Anonymization before sharing is the most reliable way to eliminate downstream GDPR risk — anonymize CCTV footage automatically or start with a file right now.

Why CCTV falls squarely under GDPR

GDPR Article 4(1) defines personal data as any information relating to an identified or identifiable natural person. Footage from a camera that can capture a person's face, gait, vehicle registration plate, or any other identifying feature is personal data. Recital 51 lists genetic, biometric, and health data as requiring stronger protection, and biometric data used to uniquely identify a person is a special category under Article 9. The same recital also draws an important line: ordinary video or photographs are not automatically special category data; they become biometric data only when processed by specific technical means that allow unique identification or authentication, such as extracting facial geometry for matching. Plain recording is Article 6 territory; facial recognition on top of it is Article 9 territory.

The practical implication: every CCTV system run by an organisation established in the EU, or that monitors the behaviour of people in the EU (Article 3), must comply with all six principles in Article 5(1):

  • Lawfulness, fairness, transparency (Article 5(1)(a)): you need a legal basis, and individuals must be told they are being recorded
  • Purpose limitation (Article 5(1)(b)): footage collected for security cannot be repurposed for HR monitoring without a new, compatible basis
  • Data minimisation (Article 5(1)(c)): camera angles should capture only what is necessary; use privacy masking or reposition cameras to keep neighbouring property, public pavement and workstations out of frame
  • Accuracy (Article 5(1)(d)): timestamps and metadata must be correct; corrupted footage should be deleted
  • Storage limitation (Article 5(1)(e)): the retention period must be defined, documented, and enforced automatically
  • Integrity and confidentiality (Article 5(1)(f)): footage must be protected against unauthorised access, theft, and tampering

Article 5(2) — the accountability principle — requires you to be able to demonstrate compliance with all of the above, not merely assert it.

Establishing a lawful basis

You must identify a lawful basis under Article 6 before recording begins. The three most relevant for surveillance are:

  • Legitimate interests (Article 6(1)(f)): the most commonly used basis for private-sector CCTV. Requires a Legitimate Interests Assessment (LIA) documenting: (i) the legitimate interest pursued (e.g. crime prevention, asset protection), (ii) whether recording is necessary and proportionate, and (iii) a balancing test weighing your interest against the reasonable privacy expectations of the people filmed. If individuals would not expect to be recorded in that location, the balance may tip against you.

  • Legal obligation (Article 6(1)(c)): applies where sector regulation mandates surveillance — for example, certain financial services premises or transport hubs. In this case the obligation itself provides the basis, but you must still comply with all other GDPR principles.

  • Official authority (Article 6(1)(e)): available to public authorities exercising statutory functions, such as traffic monitoring or law enforcement bodies.

Consent is generally unsuitable for general-area surveillance. Consent must be freely given, specific, and withdrawable. Individuals who must pass through a monitored area to access services or employment are unlikely to be giving consent freely.

Special category data and Article 9

If your cameras are used in a way that processes biometric data to uniquely identify individuals, for example facial recognition systems that match faces against a database, you are processing special category data under Article 9. You need both an Article 6 basis and one of the Article 9(2) conditions: in practice explicit consent (Article 9(2)(a)) or substantial public interest (Article 9(2)(g)), the latter requiring a basis in Union or Member State law. This is a significantly higher bar, it is under active scrutiny by supervisory authorities in several member states, and the EU AI Act adds its own restrictions on remote biometric identification in publicly accessible spaces on top of GDPR.

Transparency: signage and privacy notices

Articles 13 and 14 require that data subjects be informed at the time their data is obtained. For CCTV the EDPB recommends a layered approach: a clearly visible sign at every entry point to the monitored area, readable before the person enters it, carrying the most important information, with the full privacy notice reachable from the sign. The first layer should include, at minimum:

  • The identity of the data controller and contact details
  • The DPO contact (if one is appointed under Article 37)
  • The purpose of surveillance and the lawful basis relied upon
  • The retention period (or the criteria used to determine it)
  • The right to access footage of oneself (Article 15) and how to exercise it
  • A reference to the full privacy notice (via URL or QR code) for layered compliance

The European Data Protection Board's Guidelines 3/2019 on video surveillance (adopted 2020) provide detailed guidance on compliant signage format and content. Supervisory authorities in some member states have adopted their own supplementary guidance.

Data retention and storage limitation

You must define a specific retention period before deployment, document it in your Record of Processing Activities (Article 30), and enforce it with automatic deletion. Relying on someone remembering to purge old footage does not satisfy supervisory authorities; configure the video management system to overwrite or delete on schedule, and keep a log that shows it happened.

  • General security / crime deterrence: up to 30 days is a common benchmark, but EDPB Guidelines 3/2019 note that damage is usually discovered within a day or two, so a few days is often sufficient and a longer period needs a documented justification
  • Active incident under investigation: duration of the investigation plus a reasonable buffer, recorded as a hold against the specific footage rather than a blanket extension
  • Regulatory requirement (sector-specific): as prescribed; document the legal reference
  • Subject access request pending: until the request is resolved

Footage retained beyond the documented period without justification is a direct Article 5(1)(e) violation and a common finding in DPA audits.
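As an added illustration (not part of the original article and not any vendor's product), the following Python script shows what "enforced automatically" looks like once incident holds and pending subject access requests are in play. The filename convention, the hold register and the audit-log format are assumptions made for the example; the point is that the decision is a pure function you can review before it deletes anything, and that every action leaves a record you can show an auditor.

```python
"""Retention enforcement for CCTV footage with documented holds.

Added example, not from the original article. Assumes footage is stored as one
file per camera per hour named cam<id>_<UTC start>Z.mp4 (a constructed
convention) and that holds (open incidents, pending subject access requests)
are tracked in a simple register. Deletion is decided by a pure function so the
plan can be reviewed and tested before it touches storage.
"""
from __future__ import annotations

import json
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

# 30 days is a common benchmark; EDPB Guidelines 3/2019 expect shorter
# periods unless you can justify more. Change it to match your documented policy.
DEFAULT_RETENTION = timedelta(days=30)

# Constructed filename convention: cam<id>_<YYYYMMDDTHHMM>Z.mp4
_NAME_RE = re.compile(r"^cam(?P<cam>\d+)_(?P<ts>\d{8}T\d{4})Z\.mp4$")


def utc(year, month, day, hour=0, minute=0):
    """Small helper so callers do not have to build timezone-aware datetimes."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Hold:
    """A documented reason footage must outlive the default retention."""
    reason: str                  # e.g. "incident INC-0042" or "SAR #17"
    start: datetime              # window of footage the hold covers (UTC)
    end: datetime
    cameras: frozenset = frozenset()   # empty means every camera

    def covers(self, camera: str, recorded_at: datetime) -> bool:
        in_window = self.start <= recorded_at <= self.end
        return in_window and (not self.cameras or camera in self.cameras)


@dataclass
class Decision:
    name: str
    action: str                  # "delete" | "keep" | "ignore"
    reason: str


def parse_recording(name: str):
    """Return (camera id, UTC start time) or None for a name we do not own."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y%m%dT%H%M").replace(tzinfo=timezone.utc)
    return m["cam"], ts


def plan_retention(names, holds, now, retention=DEFAULT_RETENTION):
    """One Decision per file. Held footage is kept whatever its age; footage
    older than the retention period and not under hold is deleted; names we
    do not recognise are ignored so a stray file never silently survives or
    vanishes without showing up in the log."""
    cutoff = now - retention
    decisions = []
    for name in sorted(names):
        parsed = parse_recording(name)
        if parsed is None:
            decisions.append(Decision(name, "ignore", "unrecognised filename"))
            continue
        cam, recorded_at = parsed
        hold = next((h for h in holds if h.covers(cam, recorded_at)), None)
        if hold is not None:
            decisions.append(Decision(name, "keep", f"hold: {hold.reason}"))
        elif recorded_at < cutoff:
            decisions.append(Decision(name, "delete", f"older than {retention.days} days"))
        else:
            decisions.append(Decision(name, "keep", "within retention"))
    return decisions


def enforce(directory: Path, holds, now=None, retention=DEFAULT_RETENTION):
    """Apply the plan to a directory and append one JSON line per file to an
    audit log, so you can demonstrate (Article 5(2)) that deletion happened."""
    now = now or datetime.now(timezone.utc)
    decisions = plan_retention(os.listdir(directory), holds, now, retention)
    with open(directory / "retention-audit.jsonl", "a", encoding="utf-8") as fh:
        for d in decisions:
            if d.action == "delete":
                (directory / d.name).unlink()
            fh.write(json.dumps({"at": now.isoformat(), **d.__dict__}) + "\n")
    return decisions


# Constructed sample: four recordings, one stray file, one incident hold on camera 1.
SAMPLE_NAMES = [
    "cam1_20240225T1000Z.mp4",   # 35 days old, no hold -> delete
    "cam1_20240226T1000Z.mp4",   # 34 days old, inside the incident hold -> keep
    "cam2_20240226T1000Z.mp4",   # same hour, other camera, not held -> delete
    "cam1_20240320T1000Z.mp4",   # 11 days old -> keep
    "notes.txt",                 # not ours -> ignore (but logged)
]
SAMPLE_HOLDS = [
    Hold("incident INC-0042", utc(2024, 2, 26, 9), utc(2024, 2, 26, 12), frozenset({"1"})),
]


def demo_plan():
    """Run the planner over the constructed sample as of 2024-03-31 00:00 UTC."""
    return {d.name: d.action for d in plan_retention(SAMPLE_NAMES, SAMPLE_HOLDS, utc(2024, 3, 31))}


if __name__ == "__main__":
    for name, action in demo_plan().items():
        print(f"{action:6} {name}")
```

Run the planner on a listing first and review the output; only then point `enforce` at the real directory. Holds are tied to a time window and camera set rather than to whole days, which keeps the exception narrow and the retention default intact for everything else.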

When a DPIA is required

Article 35 GDPR requires a Data Protection Impact Assessment before processing that is "likely to result in a high risk" to individuals, and Article 35(3)(c) names "systematic monitoring of a publicly accessible area on a large scale" as a case where one is mandatory. The Article 29 Working Party's DPIA guidelines (WP248 rev.01, endorsed by the EDPB) add nine criteria, and processing that meets two of them will usually need a DPIA; the ones that typically apply to CCTV are:

  • Systematic monitoring of individuals, including of a publicly accessible area
  • Use of innovative technology (e.g. facial recognition, behavioural analytics)
  • Processing on a large scale
  • Data concerning vulnerable data subjects, which WP248 says includes employees, children and patients

Even if your deployment falls short of those thresholds, a DPIA is strongly recommended as a demonstration of accountability. A well-documented DPIA:

  • Describes the processing and its purposes
  • Assesses necessity and proportionality
  • Identifies risks to data subjects and their severity
  • Documents mitigation measures (access controls, encryption, retention enforcement, signage)
  • Consults the DPO (if appointed)
  • Is retained and updated when the system changes

If, after completing a DPIA, high residual risks remain that cannot be mitigated, Article 36 requires you to consult your supervisory authority before processing.

Responding to data subject rights

Individuals whose image appears in footage have enforceable rights under GDPR. The most common in a CCTV context are:

Right of access (Article 15): a data subject can request a copy of footage in which they appear. You have one month to respond, extendable by a further two months for complex or numerous requests (Article 12(3)). If you cannot locate the person from what they have given you, you may ask for the date, time, location and a description of their appearance (Article 11). The challenge: a single clip may contain other identifiable people, whose data you cannot disclose to the requester, because the right to a copy must not adversely affect the rights of others (Article 15(4)). Before providing the footage you must redact or blur all third parties; otherwise the disclosure breaches the rights of everyone else in it.

Right to erasure (Article 17): may apply where the footage is no longer necessary, consent is withdrawn, or there is no overriding legitimate ground. Less straightforward when legitimate interests or legal obligations underpin the collection.

Right to restriction (Article 18): the individual can ask you to freeze processing while a dispute about accuracy or legitimate grounds is resolved.

Managing these requests at scale — especially the redaction of third parties before disclosure — is operationally intensive without automated tooling.

Anonymization before sharing: the practical risk reduction tool

The most frequent GDPR complication in CCTV is not storage or signage — it is sharing footage with third parties: insurers, lawyers, media, or posting clips publicly. Each new disclosure is a separate processing activity requiring its own legal basis.

Anonymization sidesteps this problem. If the shared copy no longer allows anyone to be identified by any means reasonably likely to be used (Recital 26), it is no longer personal data and the recipient inherits no GDPR obligations for it. Two caveats a practitioner should check before relying on this: blurring faces and plates is not automatically enough, since distinctive clothing, gait, a known time and place, or the company someone keeps can still identify them to a recipient who knows them, so review the clip in context; and the unblurred original you keep is still personal data, subject to everything above. The anonymization step itself is processing under your existing lawful basis. Sharing an anonymized copy is the most defensible approach when:

  • Sharing an incident clip with an insurer or legal team
  • Responding to a subject access request (redacting third parties)
  • Publishing footage for safety awareness or training
  • Providing footage to researchers or journalists

Automation matters here because manual blurring is slow, inconsistent, and difficult to audit. Anonymize CCTV footage automatically with AI that locates faces and plates across every frame, then deterministic processing removes them irreversibly — with a generated audit record documenting what was removed and when. The pipeline is auditable by design, which supports your Article 5(2) accountability obligation.
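The two hard operations this page keeps returning to, redacting third parties before a subject access response and removing faces and plates before footage is shared, reduce to the same step: blank out the detected regions so nothing of the original survives, and record exactly what was done to which frame. The example below is added here and is not the article's or Medianonymizer's code. Detection is out of scope, so it takes bounding boxes as given (the boxes and the 8x8 frame are constructed values); frames are plain lists of grayscale rows so it runs without image libraries, and a real pipeline would apply the same per-frame operation to decoded video.

```python
"""Irreversible region redaction with a per-frame audit record.

Added example, not the article's or any vendor's pipeline. Regions come in as
(x, y, w, h) boxes from whatever detector you use (constructed below). Each box
is overwritten with a constant, so the output carries no information about the
covered pixels; a light Gaussian blur, by contrast, can sometimes be partially
inverted and is a weaker choice for anonymization. Input and output digests are
recorded so the audit trail is tied to exact content, not to a filename.
"""
import hashlib
import json
from datetime import datetime, timezone

REDACT_VALUE = 0   # black; any constant works, what matters is no dependence on the input


def frame_digest(frame):
    """SHA-256 over the raw pixel values of a frame (list of rows of 0..255 ints)."""
    h = hashlib.sha256()
    for row in frame:
        h.update(bytes(row))
    return h.hexdigest()


def redact(frame, boxes):
    """Return a copy of `frame` with every (x, y, w, h) box set to REDACT_VALUE.
    Boxes are clipped to the frame so a detector box overhanging the edge
    cannot raise and cannot leave part of the region untouched."""
    height = len(frame)
    width = len(frame[0]) if frame else 0
    out = [list(row) for row in frame]
    for x, y, w, h in boxes:
        x0, y0 = max(x, 0), max(y, 0)
        x1, y1 = min(x + w, width), min(y + h, height)
        for r in range(y0, y1):
            for c in range(x0, x1):
                out[r][c] = REDACT_VALUE
    return out


def region_is_clean(frame, box):
    """True if the box contains only REDACT_VALUE: the check an auditor would run."""
    x, y, w, h = box
    rows = range(max(y, 0), min(y + h, len(frame)))
    cols = range(max(x, 0), min(x + w, len(frame[0]) if frame else 0))
    return all(frame[r][c] == REDACT_VALUE for r in rows for c in cols)


def redact_with_audit(frame, detections, frame_index, source_id, now=None):
    """Redact one frame and return (redacted_frame, audit_record).
    `detections` is a list of {"label": str, "box": (x, y, w, h)}; that shape
    is an assumption of this example, not a standard detector output."""
    boxes = [d["box"] for d in detections]
    out = redact(frame, boxes)
    if not all(region_is_clean(out, b) for b in boxes):
        raise RuntimeError("redaction verification failed")   # never ship unverified output
    record = {
        "source": source_id,
        "frame": frame_index,
        "processed_at": (now or datetime.now(timezone.utc)).isoformat(),
        "input_sha256": frame_digest(frame),
        "output_sha256": frame_digest(out),
        "method": "constant-fill",
        "redactions": [{"label": d["label"], "box": list(d["box"])} for d in detections],
    }
    return out, record


# Constructed 8x8 grayscale frame with a gradient, so every pixel is distinct.
SAMPLE_FRAME = [[(r * 8 + c) % 256 for c in range(8)] for r in range(8)]
# Constructed detector output: one face box, and a plate box that overhangs the edge.
SAMPLE_DETECTIONS = [
    {"label": "face", "box": (1, 1, 3, 3)},
    {"label": "plate", "box": (6, 6, 4, 2)},
]

if __name__ == "__main__":
    redacted, audit = redact_with_audit(SAMPLE_FRAME, SAMPLE_DETECTIONS, 0, "constructed-clip")
    print(json.dumps(audit, indent=2))
    for row in redacted:
        print(" ".join(f"{v:2d}" for v in row))
```

Writing one such record per frame (or per detection) into an append-only log, alongside the digest of the whole output file, is what lets you answer "what was removed, from which frame, and when" months later without keeping the original clip around. The verification step before returning is deliberate: a redaction pipeline that cannot prove its own output is clean is only marginally better than none.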

For context on why irreversibility matters — and how anonymization differs from pseudonymization — see anonymization vs. pseudonymization.

Compliance checklist for CCTV operators

Use this as a baseline before or during a CCTV audit:

  • Lawful basis identified and documented in a Legitimate Interests Assessment or equivalent
  • Record of Processing Activities (Article 30) entry created for the CCTV system
  • Privacy notices / signage deployed at all monitored area entry points
  • Retention period defined, documented, and enforced by automated deletion
  • DPIA completed (mandatory for large-scale systematic monitoring of a publicly accessible area under Article 35(3)(c); recommended for every other deployment)
  • Access controls on footage storage limiting access to named roles
  • Incident response process for subject access and erasure requests
  • Process to redact third parties before responding to subject access requests
  • Third-party processors (cloud storage, VMS vendors) covered by Article 28 contracts
  • DPO consulted (if one is appointed)
  • Periodic review cycle scheduled (at least annually, or on system change)

Start anonymizing CCTV footage before you share it

Video surveillance is a legitimate and widely used security tool. The compliance burden under GDPR is real but manageable when you have clear policies, documented legal bases, enforced retention, and tooling that handles the hard part — anonymizing footage before it leaves your control.


Frequently asked questions

Does GDPR apply to CCTV and video surveillance footage?
Yes. CCTV footage that captures identifiable individuals constitutes personal data under GDPR Article 4(1). This means all core GDPR principles — lawful basis, purpose limitation, data minimisation, storage limits, and individual rights — apply to how you operate, store, and share that footage. Anonymous recordings from which no person can be identified are generally outside GDPR's scope.
What is the lawful basis for CCTV under GDPR?
Most organisations rely on legitimate interests (Article 6(1)(f)), which requires a Legitimate Interests Assessment balancing your security need against the privacy impact on individuals captured. Public authorities may invoke official authority (Article 6(1)(e)). Consent is rarely a viable basis for general-area surveillance because it must be freely given — which is hard to guarantee in spaces people must pass through.
How long can CCTV footage be retained under GDPR?
GDPR's storage limitation principle (Article 5(1)(e)) requires footage to be kept no longer than necessary for its stated purpose. 30 days is a common benchmark for general security footage, but EDPB Guidelines 3/2019 note that a few days is usually enough to discover damage, so a longer default needs a written justification; specific incidents may justify longer retention under a documented hold. Some sector regulators (e.g. transport, banking) may prescribe specific periods. You must document your retention period and enforce it with automated deletion.
When is a DPIA required for CCTV systems?
A Data Protection Impact Assessment is required under Article 35 GDPR when processing is 'likely to result in a high risk' to individuals. Systematic large-scale monitoring of publicly accessible areas is listed as a type that generally requires a DPIA. Even if your deployment is smaller, running a DPIA is considered good practice and demonstrates accountability under Article 5(2).
What rights do individuals have over CCTV footage that includes them?
Individuals can submit Subject Access Requests (Article 15) to receive a copy of footage in which they appear. They also have rights to erasure (Article 17) and restriction of processing (Article 18) in certain circumstances. Responding to these requests is complex when a clip contains multiple people — you must blur or redact other individuals before disclosure to protect third-party privacy.
Can I share or publish CCTV footage without breaching GDPR?
Sharing identifiable CCTV footage — with law enforcement, insurers, media, or on social platforms — is a separate processing activity that requires its own lawful basis. Before disclosure to any third party other than law enforcement under a legal obligation, you should generally anonymize footage by blurring faces, license plates, and other identifying details. This eliminates most downstream GDPR risk for the recipient as well.