Camera footage is personal data
As soon as a person is identifiable in camera footage, that footage is personal data under the GDPR. This means all GDPR rules apply: you need a legal basis, you must inform data subjects, you may not retain footage longer than necessary, and you must secure it.
This applies to:
- Security cameras at your business entrance
- Cameras in a warehouse or workshop
- Cameras in a parking lot
- Camera doorbells (Ring- or Nest-type)
The only exception is purely household use: a camera filming only your own garden, without public space or neighbours in view.
What you must do: the basic obligations
1. You need a valid purpose
Valid purposes for business CCTV:
- Security of persons and goods - theft prevention, break-in detection
- Access control - recording who enters the premises
- Workplace safety - monitoring dangerous processes
“Checking whether employees are productive” is not a valid purpose.
2. You must place signage
Before anyone enters the monitored area, a clear sign must be visible with:
- The camera pictogram
- Your company name and contact details
- The purpose of the monitoring
- The retention period for footage
- A reference to your privacy policy (e.g. a URL or QR code)
3. You must keep footage for a short period
The standard retention period for CCTV footage is a maximum of 1 month. After this period, footage must be automatically overwritten or deleted.
Exceptions:
- An incident has been recorded (theft, vandalism, accident): you may retain the relevant footage until the incident is fully resolved
- A competent authority requests the footage: police or judicial authorities may request footage for an investigation
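The retention rule and its two exceptions can be enforced with a scheduled sweep that expires footage by age but skips clips under an active hold. The sketch below is an added example, not code from this page or from any CCTV product; `Clip`, `Hold` and `plan_retention` are hypothetical names, the 30-day value stands in for the 1-month maximum, and the function only returns a plan so the caller decides how to delete.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=30)  # assumed stand-in for the 1-month maximum

@dataclass(frozen=True)
class Clip:
    path: str
    camera: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Hold:
    camera: str
    start: datetime
    end: datetime
    reason: str             # e.g. "incident" or "authority request"
    released: bool = False  # set once the matter is fully resolved

def plan_retention(clips, holds, now, max_age=MAX_AGE):
    """Return (delete, keep_on_hold) as lists of clip paths.

    A clip is expired when its oldest frame is older than max_age. An
    expired clip is kept only while it overlaps an unreleased hold on the
    same camera, so unrelated footage is not retained along with it.
    """
    delete, keep = [], []
    for clip in clips:
        if now - clip.start <= max_age:
            continue  # still inside the retention window
        on_hold = any(
            not h.released and h.camera == clip.camera
            and clip.start < h.end and h.start < clip.end
            for h in holds
        )
        (keep if on_hold else delete).append(clip.path)
    return delete, keep

# Constructed sample data: three clips and one incident hold.
NOW = datetime(2024, 6, 1, 12, 0)
CLIPS = [
    Clip("entrance/0420.mp4", "entrance", datetime(2024, 4, 20, 8), datetime(2024, 4, 20, 9)),
    Clip("warehouse/0420.mp4", "warehouse", datetime(2024, 4, 20, 8), datetime(2024, 4, 20, 9)),
    Clip("entrance/0525.mp4", "entrance", datetime(2024, 5, 25, 8), datetime(2024, 5, 25, 9)),
]
HOLDS = [Hold("warehouse", datetime(2024, 4, 20, 8, 30), datetime(2024, 4, 20, 8, 45), "incident")]
```

Marking a hold as released makes the clip eligible for deletion on the next sweep, which keeps "until fully resolved" from turning into indefinite retention.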
4. You must document it in your processing register
CCTV belongs in your processing register, with purpose, categories of data subjects, retention period, security measures, and legal basis (usually legitimate interest).
Cameras and employees: extra strict rules
The basic rule: you may not film employees as a monitoring tool.
What IS allowed:
- Cameras in common areas (warehouse, production hall) for safety purposes, provided employees are informed
- Cameras at the entrance for access control
- Temporary cameras to investigate a specific, reported issue (e.g. repeated theft), provided the measure is proportionate
What is NOT allowed:
- Cameras aimed at individual workstations to monitor performance
- Cameras in changing rooms, toilets, break rooms, or union offices
- Hidden cameras without employee knowledge
- Permanent, targeted monitoring of specific employees
When do you need a DPIA?
A DPIA is required for:
- Large-scale, systematic monitoring of publicly accessible areas
- Systematic employee monitoring via cameras
- Combination of cameras with other technology (facial recognition, behaviour analysis)
For a small business with 2-3 cameras at the entrance and warehouse, a DPIA is usually not needed. But document your considerations.
Common mistakes
- No or incomplete signage - the pictogram is there, but without contact details or purpose
- Retaining footage too long - “we just let the system record until the hard drive is full” is not a policy
- Cameras aimed at the public road - you may only film your own premises
- Not informing employees - cameras are installed months before anyone hears about it
- Sharing footage via WhatsApp - sending footage to colleagues after an incident is a data breach
What should you do now?
- Check your signage - is there a correct sign with all required information?
- Set the retention period - configure your system to overwrite footage after a maximum of 30 days
- Add CCTV to your processing register
- Inform your employees - via the employee privacy policy
- Limit access - determine who may view footage and log who has accessed it
GDPRWise helps you document all your processing activities, including CCTV. Complete with retention periods, signage checklist, and recommendations.