CCTV footage and GDPR rights: access, lawful basis and signage
A camera feels like a security measure, but under the GDPR recording footage is above all a processing of personal data. Everyone who appears recognisably on it has rights, such as the right to request footage of themselves, the right to erasure or the right to object. Whoever installs cameras has duties in return, from a sound lawful basis to a clear sign at the entrance. This article explains those rights and duties, for businesses with a camera system and for individuals with a doorbell camera.
Want to check quickly whether you have this in order? Can you answer yes to each of these?
- Do you have a recorded lawful basis for your cameras?
- Is there a clear sign that filming takes place?
- Do you know how to handle an access request within one month?
- Can you make other people on a recording unrecognisable?
- Is it recorded when footage is automatically erased?
If you hesitate on any of these, the sections below explain how the rights and duties around CCTV footage work.
CCTV footage is personal data
The core of the whole story is that footage falls under the GDPR the moment someone appears recognisably on it. A face is personal data, but so is a number plate, a distinctive tattoo or a clothing style that makes someone identifiable. That makes installing a camera a processing of personal data, with all the duties that come with it. You need a lawful basis, you must inform the people in shot and you must be able to act on their rights. That applies to a large business system just as much as to a doorbell camera by the front door. Many business owners do not think about this, because in their mind a camera only protects. Yet the data protection authority assesses a camera exactly like any other processing, with the same requirements around lawful basis, transparency and retention. The supervisor looks not at your intention but at the intrusion on the privacy of the people you film.
The lawful basis: usually legitimate interest
For a camera system you almost always rely on the lawful basis of legitimate interest. Protecting property, preventing theft or the safety of staff and visitors are legitimate interests. Consent rarely works for camera surveillance, because a passer-by cannot in practice freely say yes or no to it. Legitimate interest is no blank cheque. You may only deploy the camera if your interest outweighs the intrusion on the privacy of the people you film. You have to make that weighing in advance and record it. Without that record you cannot justify the camera if an inspection ever asks.
The balancing test in practice
The balancing test is a short, honest analysis that you put on paper. You describe which problem the camera solves, why a less intrusive measure does not suffice and how you keep the intrusion as small as possible. Think of cameras that only film your own premises and not the public road, of recordings without sound and of a short retention period. The more sensitive the place, the heavier your interest must be. A camera over a till or warehouse is easier to defend than a camera in a changing room or toilet, where recording is almost never allowed.
Signage is mandatory
You may not film covertly. The people who appear in shot must know a camera is there before they walk into its range. In practice you do that with a clear sign at the entrance bearing a camera symbol. On or near that sign, or through a reference to your website, you state who is responsible, why filming happens and where someone can go with questions. Covert camera surveillance is allowed only by rare exception, for example with a concrete suspicion of theft. Even then it applies under strict conditions and for a short time. Afterwards you still inform the people involved. A hidden camera as a permanent measure is almost always unlawful.
The right of access to CCTV footage
One of the most concrete rights is the right of access. Someone who suspects they are on your footage may request it. That sounds more complicated than it is, but it does require a fixed working method. The requester does not have to give a reason. You may ask them to indicate the time and location as precisely as possible, so you can find the right fragment. If you cannot recognise the person on the footage or the moment is too vaguely described, you may ask for additional information before you search.
How do you handle an access request?
You handle an access request for CCTV footage in a fixed order:
- Verify the identity of the requester, so you do not give footage to the wrong person.
- Find the right fragment based on date, time and location.
- Make others unrecognisable, for example by blurring the faces and number plates of third parties.
- Provide the result in a secure way, or offer to let the footage be viewed on site.
Making third parties unrecognisable is the most important point of attention. The requester has a right to footage of themselves, not to that of others who happen to be in shot. If blurring is not feasible, you can opt for a viewing session on site instead of a copy. Record in advance who within your organisation handles such a request and which software you use to blur faces. That prevents a request from sitting until the fragment is overwritten. Also document what you provided and when, because the handling of an access request is part of your accountability under the GDPR.
Deadline and cost of an access request
You respond to an access request in principle within one month. For a complex request you may extend that period by two months, provided you say so in time and with reasons. Providing the footage is in principle free. Only for an excessive or repeated request may you charge a reasonable fee or refuse the request, but you must be able to justify that well. Bear in mind that the standard retention period of four weeks is short. If you respond too slowly, the fragment may already be overwritten by the recording cycle.
The right to erasure and objection
Besides access there are two other rights that often come up. The right to erasure means someone can ask to delete footage of themselves. You do not always have to comply, for example if the footage is needed as evidence in an incident, but you must assess and answer the request. The right to object lets someone object to the processing on grounds of their particular situation. With legitimate interest you then have to weigh again whether your interest still outweighs that of the data subject. Always record your decision and the reasoning behind it.
A DPIA for camera systems
For large-scale or systematic camera surveillance a data protection impact assessment is often mandatory, better known as the DPIA. Think of systematically monitoring a publicly accessible space or of cameras with smart recognition technology. In the DPIA you map the risks for the people in shot and describe the measures with which you limit those risks. Even when a DPIA is not strictly mandatory, a short risk analysis helps you to substantiate your weighing. The document shows in an inspection that you seriously weighed the privacy consequences before the cameras went on. Update the DPIA as soon as you add cameras, change the range or add new techniques such as number-plate recognition. A DPIA is not a one-off form but a living document that grows with your system.
First the retention period, then destruction
The rights of data subjects are not separate from the retention period. The data protection authority uses as a guideline that CCTV footage is kept for a maximum of four weeks, longer only with a concrete incident. The shorter you keep it, the less footage there is about which someone can make a request. What the periods are exactly and how you destroy recording media afterwards is in the pillar CCTV footage retention and destruction. A broader overview of common periods is in the GDPR retention periods cheatsheet.
A request about already-erased footage
It happens regularly that someone requests footage that is already gone. Because of the short retention period a fragment from last month is often already overwritten. That is no breach, provided your cycle matches your policy. In that case calmly explain that the retention period had passed and the footage was automatically overwritten. Refer to your record of processing or retention policy as support. A data subject has a right to the footage that still exists, not to footage that was already destroyed in line with the rules. That is precisely why a recorded retention period is also in your own interest.
The doorbell camera and the neighbours
Individuals also have to deal with these rules. A doorbell camera that only films your own front door and doormat falls under the household exemption and then the GDPR does not apply. As soon as the camera brings the pavement, the street or the neighbours' garden into shot, you process personal data of others and the same duties apply as for a business. So aim the camera as tightly as possible at your own premises, limit the field of view and keep footage no longer than needed. A neighbour who feels filmed may request access or erasure, even from a private individual. A good conversation with the neighbours often prevents a formal complaint. Show how the camera is set up and agree that recordings are kept briefly. If you cannot resolve it together, the neighbour can go to the data protection authority or to court.
A data breach involving footage
CCTV footage can also leak. A stolen recorder, an unsecured cloud account or footage accidentally sent to the wrong person are all data breaches. You report a serious data breach to the data protection authority within 72 hours. The shorter your retention period, the smaller the amount of footage involved in such a leak. What you do step by step in a breach is covered in the article on reporting a data breach in 72 hours. Good security of the recording unit and the administrator account already prevents most incidents.
Demonstrable clear-out at end of life
Footage disappears by itself through the overwrite cycle, but the carrier it sits on does not. If you replace a recorder or camera system, the old hard drive often still holds footage. That drive should be physically destroyed, not disposed of unseen. You receive a certificate of destruction for it with the serial number, so you can show the footage is irrecoverably gone. The same applies to loose storage cards. How destruction of paper and data carriers works in general is in the data destruction overview.
Practical checklist
- Record your lawful basis with a short balancing test per camera.
- Put up a clear sign at every entrance to the range.
- Set the retention period to four weeks, longer only with an incident.
- Make sure you can blur footage or let it be viewed on site.
- Destroy old carriers with a certificate when replacing the system.
Common mistakes
- No lawful basis on paper. Without a balancing test you cannot justify the camera in an inspection.
- No sign. Covert filming is allowed only by rare exception.
- Keeping too long. Footage from months ago without an incident should be gone.
- Providing the whole recording. Third parties in shot must be made unrecognisable.
Old recorder or hard drive with CCTV footage?
Tell us what you have and you get a fixed price. We collect the carrier within 20 km of Amsterdam, destroy it to the right level and you receive a certificate as proof. No call-out fee.
Frequently asked questions
Can someone request CCTV footage of themselves?
Yes. Through the right of access a data subject may request the footage on which they are recognisable. You verify the identity, make other people unrecognisable and respond within one month.
What is the lawful basis for CCTV?
Usually legitimate interest, for example securing a building. That requires a balancing test in which you weigh your interest against the privacy of the people in shot.
Is a sign at a camera mandatory?
Yes. You make clear that filming takes place, usually with a clear sign at the entrance, plus information about who is responsible and why filming happens.
What if the requested footage is already erased?
Then you can no longer provide it. Explain that the retention period had passed and the footage was overwritten by the cycle. Refer to your retention policy as support.
Does this also apply to my doorbell camera?
As soon as the camera films the public road or the neighbours' premises, yes. Then the same duties apply as for a business, including access and erasure.
Conclusion
CCTV footage is personal data and that brings rights and duties with it. Arrange a lawful basis with a balancing test, make the camera surveillance known with a sign and be prepared for an access request by verifying identity and making third parties unrecognisable. Keep the retention period short, assess requests for erasure and objection seriously and destroy old carriers demonstrably on replacement. That way you respect the privacy of the people in shot and are never empty-handed at a question or inspection.
See also the pillar CCTV footage retention and destruction and the in-depth articles on how long to keep CCTV footage, destroying and erasing CCTV footage and CCTV camera rules for business and home.
Have a carrier with CCTV footage destroyed? Request a quote via desnipperaar.nl. You receive a certificate as proof for your GDPR file.