A Guide to the GDPR and CCTV in the Workplace

You might be surprised to learn that CCTV footage is subject to the GDPR (General Data Protection Regulation).

Its rules don’t only cover written details, like names and addresses; they apply to any information that can identify someone.

That includes pictures and videos, which is why you should be careful about the way you use CCTV. 

In this article, we look at the relationship between the GDPR and CCTV footage, and provide our tips to ensure that your video surveillance methods are GDPR-compliant. 

1. Make sure people know they’re being recorded

Transparency is a core principle of the GDPR. 

You must tell people when you’re collecting their personal information so that they can exercise their data subject rights.

These rights enable individuals to access the personal data organisations store on them and to challenge the way their information is used. 

You can make sure people are aware you’re recording them by posting signs that say CCTV is in operation. 

If you’re using CCTV to monitor employees, you should also explain in your privacy policy that they are being recorded.

2. Clearly state why you are using CCTV

Under the GDPR, it’s not enough to say that you’re collecting personal data; you also need to explain why you’re using it. 

This is where the Regulation’s lawful bases for processing come in. 

There are six bases in total and, except for consent, each one might be suitable in different circumstances: 

  • A contract with the individual: for example, to supply goods or services, which may include a provision that those services are monitored. 
  • Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement. 
  • Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s). 
  • A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions, hospitals and the police. 
  • Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms. 

If you’re recording a public area, you can meet this requirement by including a brief explanation on the signs you’ve posted. 

For example, it might say, “CCTV is in operation for the purpose of public safety”. 

Many retailers sell signs like this, leaving the purpose blank so that you can fill it in with the appropriate message. 

If you’re monitoring employees, you should explain the basis for processing in your privacy policy.

3. Control who has access to CCTV

Your monitoring practices could do more harm than good if you don’t limit who can view the footage you’ve recorded. 

The GDPR requires that personal information should only be accessible to those who need it for their job. That will generally be security personnel and management.

Other staff may need access depending on the purpose for processing, but the key point is that you should make every effort to ensure CCTV can only be viewed by those with permission. 

This means keeping the footage in a secure location. Physical tapes should be stored in a locked cupboard, and digital files should be saved in a folder that’s subject to access controls. 

You might also choose to encrypt digitally recorded CCTV footage to protect it further. This will be particularly useful when DSARs (data subject access requests) are submitted, as it ensures the information is protected when in transit. 

4. Delete footage when it’s no longer necessary

Most organisations have a retention period for CCTV footage, because it’s too impractical to keep the information indefinitely. 

Physical tapes will soon stack up, and digital files will eat up memory. However, you must now be more systematic about how long you keep recordings. 

The GDPR states that you can only store information for as long as it’s necessary for the purpose for which it was collected, and you must outline that timeframe before you start processing. 

You should therefore establish a system to make sure you delete information once the data retention deadline passes. 

As for how long ‘as long as necessary’ is, that depends entirely on why you are collecting the information. However, it’s unlikely that you will need to keep the data for more than a week or two.

Do your research with a DPIA

Before you set up CCTV cameras, you must complete a DPIA (data protection impact assessment).

This process helps organisations identify and minimise risks that result from data processing activities that are ‘likely to result in a high risk’ to the rights and freedoms of individuals. 

The GDPR states that this includes large-scale public monitoring, so there’s no getting around this requirement. 

Don’t think of it as burdensome bureaucracy, though. A DPIA will help you determine solutions to the issues we’ve addressed here, and help you ensure that the footage is adequate for its intended purpose. 


The penalties for non-compliance

The GDPR has raised the stakes for effective data protection and privacy, with non-compliant organisations facing hefty fines.

One of the first penalties issued under the GDPR was levied against an Austrian retailer for its use of CCTV.

The organisation failed to inform people that it had set up surveillance cameras outside its shop, and as a result, it was fined €4,800 (about £4,250). 

We wouldn’t expect GDPR fines on that scale for poor CCTV practices, but any form of regulatory penalty for data protection failures will cause financial and reputational damage.

Those looking for help meeting their surveillance requirements should consider our CCTV Data Protection Policy templates.

Developed by our team of data protection experts, this set includes comprehensive guidance to help you create and document a surveillance system that meets the GDPR requirements.

It contains everything you need to know about:

  • Why your organisation requires CCTV surveillance and how to use these systems appropriately;
  • How surveillance should be considered according to laws, regulations, codes of practice and standards;
  • What elements of privacy will need to be considered before using CCTV surveillance;
  • How to store and process CCTV records in accordance with the GDPR’s data processing principles;
  • Advertising CCTV systems and recording on your premises;
  • Selecting surveillance systems and outsourcing partners; and
  • Assigning roles and responsibilities regarding CCTV.

A version of this blog was originally published on 3 October 2019. 
