Under the GDPR, CCTV footage in which people can be identified is personal data, so operating the cameras is processing. Operators must have a lawful basis (in practice usually legitimate interests; consent is rarely workable for surveillance), display clear signage, limit retention periods, and keep the footage secure. Data subjects keep their rights of access, erasure and restriction. Non-compliance can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
How Long Can CCTV Footage Be Stored Under GDPR?
Footage retention must match the stated purpose. For crime prevention, 30 days is typical; longer periods need a specific justification (e.g., an ongoing investigation). Automated deletion is recommended. Keeping footage beyond what the purpose requires breaches GDPR's storage limitation principle and enlarges the amount of data exposed in a breach.
Organizations must document their retention policy and tie each period to an operational need. For example, a retail store might keep footage for 14 days to investigate shoplifting, while a transport hub may extend to 90 days for accident investigations. Regulators scrutinize these timelines during audits and expect evidence that the periods are not excessive. A common pitfall is keeping "just in case" footage with no clear justification, which frequently draws penalties. Automated deletion minimizes human error and makes the policy enforceable. Footage under a legal hold (e.g., active litigation) should be isolated from the routine deletion cycle and restricted to authorized personnel, with the hold itself recorded so the exception can be justified later.
| Use Case | Typical Retention Period | Justification Requirements |
|---|---|---|
| Crime Prevention | 30 days | Risk assessment documentation |
| Workplace Safety | 60 days | Incident reporting protocols |
| Legal Proceedings | Until case resolution | Court order or attorney request |
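The retention rules above are easy to state and easy to get wrong in practice, so here is an added example of a retention sweep that enforces per-purpose periods, isolates clips under legal hold from deletion, and flags footage whose purpose has no documented period instead of silently keeping it. This is illustrative code written for this page, not code from any CCTV product; the purposes, retention days, camera names and clip records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical documented retention policy: purpose -> maximum age in days.
# Only purposes listed here have a justified retention period.
RETENTION_DAYS: Dict[str, int] = {
    "crime_prevention": 30,
    "workplace_safety": 60,
}

# Fixed "now" so the sweep is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2024, 4, 1, 0, 0, tzinfo=timezone.utc)


@dataclass
class Clip:
    clip_id: str
    camera: str
    purpose: str
    recorded_at: datetime
    legal_hold: Optional[str] = None  # case reference when the clip is isolated from deletion


def retention_decision(clip: Clip, now: datetime) -> Tuple[str, str]:
    """Decide what the sweep should do with one clip.

    Returns (action, reason) where action is one of:
      'hold'   - under legal hold, never touched by the routine cycle
      'delete' - older than the documented period for its purpose
      'keep'   - within the documented period
      'review' - purpose has no documented period; a human must justify or delete it
    """
    if clip.legal_hold:
        return "hold", f"legal hold {clip.legal_hold}"
    if clip.purpose not in RETENTION_DAYS:
        return "review", f"no documented retention period for purpose '{clip.purpose}'"
    limit = timedelta(days=RETENTION_DAYS[clip.purpose])
    age = now - clip.recorded_at
    if age > limit:
        return "delete", f"age {age.days}d exceeds {limit.days}d"
    return "keep", f"age {age.days}d within {limit.days}d"


def run_retention_cycle(clips: List[Clip], now: datetime) -> Tuple[List[Clip], List[dict]]:
    """Apply the policy. Returns (clips that remain, audit records for every decision).

    Every decision is logged, including 'keep', so an auditor can see that the
    cycle ran and why each clip survived it.
    """
    remaining: List[Clip] = []
    audit: List[dict] = []
    for clip in clips:
        action, reason = retention_decision(clip, now)
        audit.append({"ts": now.isoformat(), "clip_id": clip.clip_id,
                      "camera": clip.camera, "action": action, "reason": reason})
        if action != "delete":
            remaining.append(clip)
    return remaining, audit


def sample_clips() -> List[Clip]:
    """Constructed sample inventory covering each branch of the policy."""
    d = lambda days: NOW - timedelta(days=days)
    return [
        Clip("cam01-0001", "entrance", "crime_prevention", d(45)),
        Clip("cam01-0002", "entrance", "crime_prevention", d(10)),
        Clip("cam02-0001", "warehouse", "workplace_safety", d(45)),
        Clip("cam02-0002", "warehouse", "crime_prevention", d(400), legal_hold="case-2023-118"),
        Clip("cam03-0001", "lobby", "marketing", d(5)),  # purpose never documented
    ]


if __name__ == "__main__":
    kept, records = run_retention_cycle(sample_clips(), NOW)
    for r in records:
        print(f"{r['clip_id']:<11} {r['action']:<7} {r['reason']}")
    print(f"{len(kept)} clips remain")
```

The 'review' branch is the part most retention scripts omit: a clip with no documented purpose is exactly the "just in case" footage regulators penalise, and the safest default is to surface it rather than to keep it or to delete it without a record.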
What Security Measures Are Mandatory for CCTV Data Under GDPR?
Encryption, access controls and audit logs are the baseline. Article 32 does not name specific controls; it requires security "appropriate to the risk", which for identifiable footage of the public is high. Footage should be stored on hardened servers with tightly scoped permissions. Regular vulnerability assessments and staff training reduce the likelihood of a breach. Third-party vendors (installers, cloud storage, monitoring centres) must be bound by Data Processing Agreements (DPAs). A personal data breach, such as unauthorised access to or leakage of footage, must be notified to the supervisory authority within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals.
A current cipher such as AES-256 is recommended for stored footage, with TLS protecting footage in transit. Multi-factor authentication should gate access to the surveillance system, with role-based permissions separating live viewing, playback and export. Audit logs must record who accessed footage, when, and for what purpose; those logs are personal data too and need the same protection, plus tamper resistance so they can be trusted in an investigation. Physical controls such as biometric locks on server rooms complement the digital safeguards. For cloud-based systems, controllers should verify the provider's security posture, for example through ISO 27001 certification, and fix the obligations in the DPA. Regular penetration testing finds weaknesses, while training reduces insider misuse. A 2023 case saw a Belgian hospital fined €75,000 after staff improperly shared unencrypted CCTV files via email.
| Requirement | Implementation Example |
|---|---|
| Encryption | AES-256 for stored footage |
| Access Control | Biometric + PIN authentication |
| Audit Trails | Automated logs with tamper-proof timestamps |
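"Tamper-proof" audit trails are usually implemented as a hash chain: each entry carries a keyed hash over its own content and the previous entry's hash, so editing, deleting or reordering any historical entry breaks every hash after it. The following is an added example written for this page, not code from any surveillance product, showing such a chain for footage-access events with a verifier that reports the first corrupted entry. The key, user names, clip IDs and timestamps are constructed assumptions; in a real deployment the key would be held by a separate service (an HSM or KMS) so that an administrator of the video server cannot rewrite history.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical signing key. In production this must NOT live with the log; whoever
# holds it can forge a consistent chain, so keep it in a separate HSM/KMS.
LOG_KEY = b"example-only-audit-log-key"
GENESIS = "0" * 64  # 'prev' value of the first entry


def _canonical(entry: dict) -> bytes:
    """Deterministic serialisation so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[dict], user: str, action: str, clip_id: str,
                 purpose: str, ts: Optional[str] = None) -> dict:
    """Append an access event. Records who, what, which clip and the stated purpose."""
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "action": action,       # e.g. 'view', 'export', 'delete'
        "clip_id": clip_id,
        "purpose": purpose,     # the justification the operator entered
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    # MAC covers the whole entry including 'prev', which chains it to its predecessor.
    entry["mac"] = hmac.new(LOG_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Optional[int]:
    """Walk the chain. Return None if intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i  # reordered, removed or inserted entry
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i  # content edited after the fact
        prev = entry["mac"]
    return None


def build_sample_log() -> List[dict]:
    """Constructed sample: three access events with fixed timestamps."""
    log: List[dict] = []
    append_entry(log, "alice", "view", "cam01-0002", "shoplifting report #4417",
                 ts="2024-03-02T09:00:00+00:00")
    append_entry(log, "bob", "export", "cam01-0002", "police request ref 2024/0311",
                 ts="2024-03-02T09:15:00+00:00")
    append_entry(log, "retention-job", "delete", "cam01-0001", "30-day crime prevention limit",
                 ts="2024-04-01T00:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log) is None)
    log[1]["purpose"] = "curiosity"          # someone edits the stated reason
    print("first bad entry after edit:", verify_log(log))
```

Two caveats a practitioner should keep in mind. First, the chain detects edits, deletions and reordering in the middle of the log, but not truncation of the most recent entries; periodically export the latest `mac` to a write-once location (a separate system, or a printed register) so the tail can be checked too. Second, the timestamps are only as trustworthy as the clock and the key: use a synchronised clock and keep `LOG_KEY` out of reach of the people whose actions the log is meant to record.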
Expert Views
“GDPR compliance for CCTV isn’t optional—it’s a meticulous balance of security and privacy,” says a data protection officer at a leading EU consultancy. “Organizations often underestimate signage and retention rules. Regular audits and staff training are non-negotiable to avoid catastrophic fines.”
Conclusion
GDPR turns CCTV from a simple security tool into regulated processing of personal data. Compliance demands clear policies, robust security, and respect for individual rights. Organizations must proactively address signage, retention, and access controls to avoid penalties and to keep public trust.
FAQ
- Does GDPR apply to home CCTV systems?
- Yes, if the cameras capture public spaces or shared areas such as a street, pavement or communal stairwell. The household exemption is interpreted narrowly and covers only footage confined to your own property.
- Can I request deletion of CCTV footage under GDPR?
- Yes, by making an erasure request under Article 17 (a subject access request, or SAR, is the separate route for obtaining a copy of the footage). The controller must comply unless a legitimate reason, such as a legal dispute or a police request, requires the footage to be kept, and must tell you so.
- Are employers allowed to monitor workplaces with CCTV under GDPR?
- Only with a lawful basis (e.g., safety or protection of property), a documented assessment of why monitoring is proportionate, and clear notification to employees. Covert surveillance is rarely permitted and only in narrowly defined circumstances, such as a specific suspicion of serious wrongdoing.