CCTV camera rules: what is allowed at a business and at home
A security camera looks simple: you mount it and you keep an eye on things. Yet strict rules apply, because the moment you film people you process personal data. Largely the same principles apply to a business and to the home. You may monitor your own premises, but you may not film further than necessary. This article sets out what is allowed, what is not, and what you must do with the footage.
Want to check quickly whether your camera setup is right? Can you answer yes to each of these?
- Does your camera film only your own premises or entrance?
- Do staff and visitors know there are cameras?
- Is the footage stored securely with limited access?
- Is the footage erased after a maximum of 4 weeks?
- Do you know how to have the storage drive destroyed on replacement?
If you hesitate on any of these, read on: below is exactly what is allowed with cameras at a business and at home.
The GDPR applies the moment you film people
A security camera feels like a security measure, but under the GDPR it is mainly a processing of personal data. Everyone who appears recognisably in view is a data subject with rights. That applies to staff, customers, visitors and passers-by. So you may not simply mount a camera anywhere. You need a legitimate interest, such as protecting your premises or preventing theft, and you may not film more than is needed for that purpose. That is called proportionality, and it is the thread running through all the rules in this article, whether you run a business or mount a camera at home.
When does the GDPR apply to your camera?
For a business the GDPR always applies, even for a sole trader. For private individuals it is more nuanced. If you film purely inside your own home or garden for personal use, that falls under the household exemption and the GDPR does not apply. But the moment your camera looks beyond your own property, for example the pavement, the street or the neighbour's house, that exemption lapses. From then on you are the controller and the same duties apply as for a business. Many people with a doorbell camera do not know this and unknowingly film far more than is allowed.
Business cameras: only your own premises
The principle for a business is clear. You may bring your own building, premises, car park and entrance into view. You have a legitimate interest in that, because you protect your property and your people. What you may not do is structurally film the neighbours' land, other businesses or the public space. A camera on the facade that sweeps the whole street is not allowed. So aim the camera so that it covers exactly what you want to monitor and no more than that. When in doubt, make a sketch of what each camera has in view. Such a sketch also helps later, when at an inspection you must explain why each camera hangs where it does.
Do not film further than necessary
Sometimes a small piece of public road cannot be avoided, for example right in front of the entrance. That is allowed, provided it really stays limited to what is needed to monitor your own access. The standard is always the same: as little of the surroundings in view as possible. Modern cameras can black out parts of the image with a privacy mask. Use that function to screen off the pavement, the opposite side or other people's windows. That way you keep only your own premises in focus and you avoid recording more than is allowed.
Inform staff and visitors
Camera surveillance must never happen secretly. You must inform everyone who can come into view in advance. For visitors you do this with a clear sign at the entrance, so they know there are cameras before they come in. For staff it goes further. They must know where the cameras are, for what purpose, how long the footage is kept and who can view it. Record that in a camera protocol or in the staff handbook. Transparency is not a formality; it is a hard requirement under the GDPR.
The works council and consent
If your company has a works council, it has a right of consent when you place cameras that also bring staff into view. Camera surveillance is, after all, a staff monitoring system, and consent of the works council is required for that. Without that consent you may not put the cameras into use. If you have no works council, you must still inform staff well and weigh their interests. A camera aimed only at the till or the entrance may also clash with employees' right not to be followed constantly. Always weigh that interest.
Hidden cameras: almost never allowed
Secret filming is in principle prohibited. An employer may deploy a hidden camera only in exceptional cases, always under strict conditions. There must be a concrete suspicion, for example of theft by staff. It must be temporary. It must be the last resort after other measures failed. Afterwards you must inform the people involved that secret filming took place. Outside this narrow framework a hidden camera is unlawful. At home the same applies: a hidden camera that films others without them knowing quickly causes problems.
Cameras at home and the doorbell camera
A doorbell camera or a camera on the facade is popular, but the rules are often overstepped. You may film your own front door, driveway and garden for your own safety. That falls under the household exemption as long as you stay within your own property. The problem arises the moment the camera looks further. A doorbell camera that also records the pavement, the street or the neighbour's garden falls under the GDPR. Then you must be able to explain why that is needed, you must secure the footage well and the retention periods apply. So mount the camera low and aimed at your own door.
Not the neighbour's garden or the pavement
The boundary lies at your own property. You may not structurally bring the neighbour's garden, their windows, their driveway or the public pavement into view. Neighbours have a right to privacy in their own home and garden. If you film that anyway, they can ask you to readjust the camera. Ultimately they can even go to court or to the data protection authority. Avoid trouble by aiming the camera well from the start and using a privacy mask for the parts that are not yours. A good conversation with the neighbours beforehand prevents a lot of arguing afterwards.
Signs and visibility
A camera sign is more than a formality. It makes clear in advance that filming takes place, so nobody is surprised. At a business the sign hangs visibly at every entrance of the filmed area. The sign, or an underlying protocol, states who is responsible, for what purpose filming takes place and how someone can exercise their rights. At home too a sign is wise as soon as your camera touches more than only your own property. It is a simple measure that shows you are transparent and that considerably strengthens your position in case of a complaint.
Where may the footage be stored?
The footage is personal data, so the storage must be secure. Locally on an NVR or DVR in a locked room is allowed, provided unauthorised people cannot reach it. If you store in the cloud, the supplier must offer appropriate security and you sign a processing agreement. Encryption, strong passwords and updates are the minimum. Keep the footage within the European Economic Area, or arrange a valid transfer ground if the storage lies outside it. A camera that sends its footage unsecured to an unknown server is itself a data breach in the making. Cheap cameras from abroad sometimes send their footage to a manufacturer in another country without you noticing. So check in advance where the footage ends up and prefer a system where storage stays in your own hands.
Limit access to the footage
Not everyone may reach the footage. Limit access to the few people who really need the footage for their work, such as a security guard or the owner. Record who has access and log who views footage and when. That way you prevent recordings lying around or a curious colleague watching along. If an image is shared with the police after an incident, record which fragment was provided and to whom. Limited and traceable access is a core part of careful camera surveillance. Also give visitors the option to request their own footage, because they have a right to access what was recorded of them. A fixed procedure for such requests prevents you from deciding hastily under pressure.
How long may you keep the footage?
The data protection authority uses a maximum of 4 weeks as a guideline. Longer is allowed only if a concrete incident is at play, such as a theft or a collision. In that case you keep only the relevant fragment and not the whole archive. Most systems overwrite old recordings automatically, provided you set the cycle correctly. So set the retention period to four weeks or shorter and record that. More on periods and the destruction afterwards is in the pillar on CCTV footage retention and destruction. General retention periods are in the GDPR retention periods cheatsheet.
Destroying the footage and the drive
Erasing is more than throwing a file in the bin. With automatic overwriting the footage disappears by itself, but on replacement of the camera system the old hard drive stays behind full of recordings. That drive must be made illegible, because erased data is often still recoverable. The safe route is to have the drive physically shredded to a DIN level, with a certificate of destruction as proof. That way you cover both the paper trail and the digital storage. How destruction works in general is in the overview on data destruction.
Dos and don'ts at a glance
- Do: film only your own premises, entrance or car park.
- Do: put up a visible sign and inform staff in advance.
- Do: secure the storage and limit who can view the footage.
- Don't: structurally film the public street, the pavement or the neighbours.
- Don't: mount hidden cameras outside the narrow legal framework.
- Don't: keep footage longer than 4 weeks without an incident.
Common mistakes
- The whole street in view. A camera that sweeps the public road is not proportionate.
- No sign or protocol. Without information in advance the surveillance is unlawful.
- Unsecured storage. Footage on an open server or behind a weak password is a data breach.
- Drive in the bin. The old storage drive must be destroyed, not thrown away.
A real-world example
Imagine a shop mounts three cameras: one at the till, one at the entrance and one at the rear exit. The camera at the entrance also films a good stretch of pavement. After a report from a passer-by it turns out this goes too far. The shopkeeper readjusts the camera, lays a privacy mask over the pavement, puts up a clear sign and sets the retention period to four weeks. The camera protocol goes into the staff handbook. At an inspection everything is in order. The cameras protect the shop without the privacy of passers-by being violated.
Have the old storage drive of your camera system destroyed?
Are you replacing your NVR or DVR? We collect the old drive within 20 km of Amsterdam, destroy it to the right DIN level and you receive a certificate as proof. No call-out fee.
Frequently asked questions
May I film the public street with my security camera?
Only the small part strictly needed to monitor your own entrance or premises. Bringing the whole pavement or street into view is not allowed, because that is not proportionate under the GDPR.
Do I have to put up a sign for a camera?
Yes. At a business you must inform staff and visitors in advance, usually with a clear sign at the entrance. Hidden filming is allowed only in exceptional cases.
May my doorbell camera film the pavement and the street?
You may film your own front door and premises, but not structurally the public pavement, the street or the neighbour's garden. As soon as you film beyond your own property the GDPR applies.
May an employer install hidden cameras?
Almost never. Hidden camera surveillance is allowed only with a concrete suspicion, temporarily, as a last resort and with information to staff afterwards.
How long may I keep CCTV footage?
The guideline is a maximum of 4 weeks, longer only for a concrete incident. After that the footage must be erased and on replacement the storage drive must be destroyed.
Conclusion
A security camera is allowed, both at a business and at home, but within clear limits. Film only your own premises, no further than necessary and never structurally the public road or the neighbours. Inform staff and visitors in advance, arrange the consent of the works council where needed and leave hidden cameras alone outside the strict exceptions. Secure the storage, limit access and erase the footage after a maximum of four weeks. And do not forget the last step: on replacement, have the old storage drive destroyed with a certificate. That way you keep your premises safe without violating privacy.
See also the pillar on CCTV footage retention and destruction and the deeper articles on how long to keep CCTV footage, destroying and erasing CCTV footage and CCTV footage and GDPR rights.
Camera system due for replacement? Request a quote via desnipperaar.nl. We collect the old storage drive, destroy it to the right DIN level and you receive a certificate as proof.