
How long to keep CCTV footage? The 4-week rule and the exceptions

How long to keep CCTV footage under the GDPR

How long may you keep CCTV footage? For ordinary security footage the data protection authority uses a guideline of at most 4 weeks, so 28 days. Longer is allowed only when there is a concrete incident or an ongoing legal claim. After the period the footage must be erased or overwritten. This article explains where those 4 weeks come from, when you may deviate and how to clear footage out correctly afterwards.

The question of how long CCTV footage may be kept sounds simple, but the answer touches the core of the GDPR straight away. CCTV footage is personal data, because everyone who appears on camera is identifiable. So the same principle applies to recordings as to any other personal data: you do not keep it longer than necessary. How that works out in practice is set out below. For the full overview of keeping and destroying, see the detailed pillar on CCTV footage retention and destruction.

The standard: about 4 weeks

The data protection authority uses a guideline that CCTV footage is kept for at most four weeks. Four weeks is 28 days. That is, for most organisations, more than enough to discover an incident and secure the right footage. The law does not state an exact number, but this period has become the norm in practice. Whoever sticks to it is on safe ground. Whoever wants to keep footage longer needs a concrete reason for it. Four weeks is therefore not an obligation to fill up, but an upper limit for the ordinary situation. In most cases you notice a theft, a complaint or damage within a few days. The time remaining within those four weeks is your margin to react calmly and secure the right footage before it is overwritten.

Why 4 weeks is the norm

Behind those four weeks lie two GDPR principles. The first is storage limitation: you do not keep personal data longer than the purpose requires. The second is proportionality: the intrusion on privacy must be in proportion to the purpose. The purpose of security cameras is to spot incidents and deal with them. A period of weeks is enough for that, not months. The longer you keep footage, the larger the intrusion becomes without the purpose being served any better. Four weeks is the balance that the supervisor considers reasonable.

What is ordinary security footage?

The four-week guideline applies to ordinary security footage. That is footage of an entrance, an office, a warehouse, a car park or a facade, made to counter theft, vandalism or unsafe situations. On that footage are faces of staff and visitors, sometimes number plates and movement patterns. It is not special category personal data within the meaning of the GDPR, but it is ordinary personal data that deserves protection. For this category four weeks is the starting point. If you have cameras with a different purpose or a different sensitivity, the assessment may turn out differently.

The exceptions: incident and keeping longer

Keeping footage longer than four weeks is allowed, but only with a reason. The GDPR permits three situations:

  • A concrete incident that requires investigation, such as theft, aggression, an accident or a complaint.
  • An ongoing legal claim for which the footage serves as evidence.
  • A specific legal duty that requires longer retention, which is rare.

The same rule applies to every exception: keep only the relevant fragment, not the whole archive. You cut out the minutes around the incident, set those aside and let the rest simply be overwritten. That way the exception stays limited to what is genuinely needed.

How long is too long?

A fixed period of several months for ordinary footage, without a reason, is almost always too long. Supervisors look critically at systems that keep everything for months simply because the drive happens to be large. That is not a valid reason. The sensitivity of the place also matters. In a quiet indoor space with few incidents even a period shorter than four weeks can be more appropriate. In a high-risk place four weeks may be exactly right. The point is not that you fill up the period, but that you can explain why your period fits your situation. A useful rule of thumb is to ask yourself how much time you realistically need to notice an incident and deal with it. If that answer is a few days, then a period of weeks is already generous. Whoever keeps footage for months without that assessment risks the supervisor labelling the period as excessive. Moreover, with every extra week the amount of footage you must protect against unauthorised access grows. Keeping it short is therefore not only tidy for privacy, it also reduces your own risk in a data breach.

Who decides the retention period?

You decide the retention period yourself as the controller, so as the organisation or person who places the cameras. You make the trade-off between the security purpose and the privacy of the people in shot. You record that choice and can substantiate it. It is not a matter of a supplier leaving the default setting of the NVR in place. The responsibility for the period lies with you, not with the maker of the system. That is why the period also belongs in your own documentation, not only in the software.

What happens after the retention period?

After the retention period the footage must go. Keeping it is no longer allowed, because the purpose has been met or the period has passed. In practice that erasure usually happens automatically: an NVR or DVR overwrites the oldest recordings with new ones as soon as the drive is full. If that overwrite cycle matches your period, you meet the requirement. Footage you have set aside for an incident you erase as soon as the matter is resolved. Leaving it after the period is a breach, even if nobody ever views the footage.

Overwriting by the NVR or DVR

The ordinary way footage disappears is overwriting. An NVR or DVR records continuously and erases the oldest footage by itself when the drive fills up. So what matters is that the overwrite cycle matches your retention period:

  • Set the overwrite time to four weeks or less.
  • Check that the drive is not so large that footage stays longer than intended.
  • Put incident footage in a separate folder with its own period.
  • Record the setting, so you can show that the cycle is right.

Overwriting is enough for day-to-day operation. It only becomes a different story when the system itself is replaced.
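
The checklist above can be verified from outside the recorder. The following is an added example, not part of the original article or of any NVR vendor's software: it assumes the recordings are reachable as ordinary files (for instance on an export share), that set-aside incident fragments live in a top-level folder named "incidents", and that those fragments are reviewed after 90 days. The folder name and the 90-day review period are assumptions chosen for illustration; the 28-day limit is the guideline from this article.

```python
import os
import time
from pathlib import Path

DAY = 86400  # seconds

def audit_retention(root, now=None, retention_days=28,
                    incident_dir="incidents", incident_review_days=90):
    """Report recordings that outlived their period, judged by file mtime.

    incident_dir and incident_review_days are assumptions of this example.
    """
    root = Path(root)
    now = time.time() if now is None else now
    report = {"overdue": [], "incident_review": [], "oldest_ordinary_days": 0.0}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        age_days = (now - path.stat().st_mtime) / DAY
        if rel.parts[0] == incident_dir:
            # Set-aside fragments: "until the matter is resolved" needs a
            # human decision, so old ones are listed for review, not deletion.
            if age_days > incident_review_days:
                report["incident_review"].append(rel.as_posix())
            continue
        # Ordinary footage: the overwrite cycle should have removed these.
        report["oldest_ordinary_days"] = max(report["oldest_ordinary_days"], age_days)
        if age_days > retention_days:
            report["overdue"].append(rel.as_posix())
    return report

def build_sample(root, now):
    """Constructed sample tree of empty files: (relative path, age in days)."""
    sample = [("cam1/recent.mp4", 3), ("cam1/stale.mp4", 35),
              ("cam2/edge.mp4", 27.5), ("incidents/case-A.mp4", 40),
              ("incidents/case-B.mp4", 120)]
    for rel, age in sample:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
        os.utime(p, (now - age * DAY, now - age * DAY))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, time.time())
        print(audit_retention(tmp))
```

A non-empty "overdue" list, or an "oldest_ordinary_days" value above 28, means the overwrite cycle is longer than the recorded period, typically because the drive is larger than the setting assumes.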

Overwriting versus destroying the drive

As long as the system is running, overwriting is fine. But when the NVR or DVR leaves the building, on an upgrade, a fault or the end of its life, overwriting is not enough. There is still footage on the old hard drive, and with the right software it can often be recovered. A drive that leaves the premises without secure destruction is a data breach in the making. That is why the drive must be taken out and physically destroyed, not handed to the installer and not put with the scrap metal. How that shredding works is explained in the article on having a hard drive shredded.

Destroying the drive securely on replacement

When replacing a camera system you follow a fixed route. First inventory all storage media, so the drive in the NVR but also any SD cards in stand-alone cameras. Take the drive out before the old equipment is taken away. Have it physically destroyed at the right level for data carriers, usually DIN H-4 or H-5. Keep a certificate per drive with the serial number. That way you can later show the footage is irreversibly gone. This connects to demonstrable destruction, with a certificate of destruction as proof for your file. Never simply hand the drive to the engineer who installs the new system. To them the old device is scrap, to you it still holds personal data you remain responsible for. The same goes for SD cards in stand-alone IP cameras and for any backup drive. So inventory everything that ever recorded footage before it leaves the building. A drive you have shredded yourself yields conclusive proof, while a device that goes missing in a skip lands you in trouble at an inspection.

CCTV retention period: an overview

The table below summarises what applies in most cases. It remains a guideline, because your own assessment comes first.

Situation | Guideline retention period | Way of clearing out
Ordinary security footage | At most 4 weeks | Automatic overwriting
Busy place, few incidents | Shorter than 4 weeks can fit | Automatic overwriting
Concrete incident | Until the matter is resolved | Fragment aside, then erase
Ongoing legal claim | Until the case is closed | Fragment aside, then erase
System or drive replaced | Not applicable | Physically destroy the drive

Business versus home

For a business the GDPR rules apply in full: a purpose, a period of around four weeks and documentation. For a private individual with a camera at home it is different. If you film only your own grounds, that falls under the household exemption and the GDPR does not apply strictly. But as soon as your camera captures the public road or the neighbour's garden, that exemption lapses and the same rules apply as for a business. At home too, four weeks is then a sensible upper limit. The rules for both situations are in CCTV camera rules for business and home.

Recording the period in the record of processing

The chosen retention period belongs in your record of processing. There you record, per camera system, what the purpose is, which categories of people appear in shot, how long you keep the footage and how you clear it out afterwards. That way the period is not just a setting in the NVR, but a conscious choice you can substantiate. If a question comes from a supervisor or a data subject, you can show at a glance that your period is right. The overview of common periods for other data is in the GDPR retention periods cheatsheet.

What if footage leaks?

If CCTV footage leaks, for example because an old drive was thrown out unsecured, that can be a data breach you must report within 72 hours to the data protection authority. A retention period that is too long increases the damage, because the more footage you still had, the more can end up in the open. A neat period reduces the risk instead. If you can show that old footage had already been overwritten or the drive already destroyed, you are on stronger ground. How the reporting duty works is in reporting a data breach in 72 hours.

Common mistakes

  • Keeping everything for months because the drive is large. That is not a valid reason.
  • Leaving the default setting. Check that the overwrite cycle matches four weeks.
  • Keeping the whole archive for an incident instead of only the relevant fragment.
  • Handing over the old drive to the installer without destruction and a certificate.

Getting it in order in 4 steps

  1. Determine your retention period and keep to four weeks, unless shorter fits better.
  2. Set the overwrite cycle to that period and check that it is right.
  3. Record the period in your record of processing with purpose and storage location.
  4. Destroy the drive securely on replacement, with a certificate as proof.

NVR or DVR due for replacement? Destroy the old drive.

Tell us which data carriers are going out and you get a fixed price. We collect the drive, destroy it to the right level and you receive a certificate as proof. No call-out fee within 20 km of Amsterdam.


Frequently asked questions

How long can you keep CCTV footage?

For ordinary security footage the data protection authority uses a guideline of at most 4 weeks, so 28 days. Longer is allowed only for a concrete incident or an ongoing legal claim, and then only the relevant fragment.

What is the retention period for CCTV footage?

The standard is about 4 weeks. In a busy place with few incidents a shorter period can be more appropriate. A fixed period of months without a reason is usually too long.

What happens to CCTV footage after the retention period?

The footage must be erased. On an NVR or DVR that happens automatically by overwriting, provided the cycle is set to four weeks or less. When the system is replaced, the drive is securely destroyed.

How long does a business keep CCTV footage?

Most businesses keep it for four weeks. The period is recorded in the record of processing, together with the purpose and storage location. Incident footage is kept separately until the matter is resolved.

May a private individual keep CCTV footage longer?

If you film only your own grounds, the GDPR does not apply strictly. If the public road or the neighbour's property comes into shot, the same rules apply and four weeks is a sensible upper limit at home too.

Conclusion

How long you may keep CCTV footage comes down to a clear rule of thumb. For ordinary security footage four weeks is the norm, shorter where that fits, longer only for an incident or a legal claim. After the period the footage must go, usually by overwriting and, on replacement, by destroying the drive securely. Record your period in the record of processing and make sure you can substantiate your choice. That way you comply with the GDPR and prevent old footage from lingering longer than allowed.

See also: the pillar on CCTV footage retention and destruction, and the related articles on destroying and erasing CCTV footage, CCTV footage and GDPR rights and CCTV camera rules for business and home.


Have an old recording drive securely destroyed? Request a quote via desnipperaar.nl. We collect the drive, destroy it to the right level and you receive a certificate as proof for your GDPR file.