CCTV footage: retention period and destruction under the GDPR
CCTV footage of an office, warehouse or car park feels to the owner like a security measure. Under the GDPR it is above all a processing of personal data, because every passer-by on the image is identifiable. That brings rules with it: a basis, a proportionate retention period and a destruction process. This article lines up the retention periods and destruction routes.
The default retention period: 4 weeks
The Autoriteit Persoonsgegevens applies the guideline that CCTV footage may be kept for a maximum of 4 weeks. Longer is allowed only if:
- There is a concrete incident that requires investigation (theft, violence, complaint).
- A specific law requires longer retention (rarely applicable).
- A legal claim is pending for which the footage is evidence.
For each of these exceptions: keep only the relevant segment, not the whole archive.
What is on CCTV footage?
The obvious: faces of visitors and employees. Less obviously:
- Registration plates of cars in the car park.
- Body patterns that can be linked to other systems (ML-driven face and posture recognition).
- Routes and presence patterns.
- Visual information in shot (customer correspondence on a desk, screen dumps).
CCTV footage is therefore not only "who was where when", but potentially also "what were they doing". Under the GDPR that is a heightened processing category.
An average business system records, per day, tens to hundreds of hours of footage. On an annual basis that runs into thousands of hours with identifiable persons.
How is CCTV footage stored?
- Local NVR/DVR: hard drive inside the camera recording unit.
- Server-based: central server in your own server room.
- Cloud (Verkada, Eagle Eye, Genetec, etc.): storage at the supplier.
- SD cards in IP cameras: local short-term storage.
Each storage form has its own destruction route at end of lifecycle or end of use.
Destruction at end of retention period
"Automatic" destruction happens through the NVR itself: old recordings are overwritten by new ones. Provided the cycle matches the 4-week policy, that is GDPR-compliant. Important:
- Set the overwrite time to ≤ 4 weeks.
- Document this in the records of processing.
- For incident retention: separate folders or tags, with a retention policy.
Destruction at end of lifecycle (NVR replacement)
If your NVR or camera recording system is replaced, the old HDD with recordings comes out. Policy:
- Inventory all storage media in the system (NVR HDD, any backup SDs).
- Verify that the supplier (at replacement) does not take the old HDD without destruction.
- Remove the HDD for on-site destruction.
- Destroy at DIN H-4 or H-5.
- Keep the certificate per HDD.
For the mechanics, read how a hard drive is shredded.
Destruction at relocation or organisation end
At a relocation or business closure, CCTV footage often gets forgotten. The NVR stays behind or goes into interim storage. Both scenarios are GDPR risk:
- At relocation: take the NVR with the system, or destroy the HDD before leaving the location.
- At liquidation or merger: destroy the HDD before handover to the receiver or successor. The data belongs to the current controller.
Cloud CCTV footage
For cloud camera systems, destruction runs through the supplier contract:
- Request a data deletion attestation at contract end.
- Verify that backups and logging are also removed.
- Request a NIST 800-88-compliant process for the physical layer.
Read also really deleting cloud data.
Identify what you actually have
Most organisations we visit do not know how many camera systems they have. A typical list is:
- Main NVR for entrance and office.
- Separate camera controller for the warehouse.
- Old DVR still actively recording but not being watched.
- SD cards in standalone IP cameras at department level.
- A cloud system for one branch site.
The annual compliance review should include a complete inventory of all camera systems and their recording media.
Documentation in the records of processing
In your records of processing there should be a row for CCTV footage:
- Purpose: security of building / car park.
- Category of data subjects: employees, visitors, passers-by.
- Category of data: footage, registration plates.
- Retention period: 4 weeks, longer at an incident exception.
- Storage location: NVR ABC or cloud supplier XYZ.
- Destruction method: automatic overwrite; at replacement DIN H-4.
Replacing your NVR? Destroy the old HDD.
We come on-site, take the HDD out of the old NVR and shred it at DIN H-4 or H-5, with a certificate.
Request a quoteCamera system due for replacement? Email us via desnipperaar.nl to schedule on-site HDD destruction.