This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.
Why this matters
This is the EU-baseline article of the privacy-and-compliance block, written for the security integrator, product manager, smart-building or retail lead, or city and enterprise security owner who is specifying, buying, or building a surveillance system that will operate in — or serve people in — the European Union. GDPR is the most-copied privacy law on earth, so the discipline it forces (a documented purpose, a lawful basis, minimal data, short retention, real transparency) is the same discipline that keeps you out of trouble in most modern jurisdictions, even where the statute has a different name. You do not need a legal background to read this: every term is defined in plain language and tied to the named article of the regulation, and the goal is to leave you able to ask an engineer or a vendor the right questions and recognise a non-compliant design before it is built. The companion article BIPA and US biometric privacy law covers the US side; this one is the EU.
First, the frame: what GDPR is and when it grabs your cameras
The General Data Protection Regulation — its full legal name is Regulation (EU) 2016/679, and it has applied across the EU since 25 May 2018 — is the law that governs how organisations handle personal data, meaning any information relating to an identified or identifiable living person (Article 4(1)). Recorded video of a place where people appear is squarely personal data, because a face, a gait, a uniform with a name badge, or the car someone arrives in can all tie the footage to a specific individual. That is the fact the whole article hangs on: a camera pointed at people is processing personal data, and GDPR is therefore watching.
Two role definitions decide who carries the duties. The controller (Article 4(7)) is the organisation that decides why and how the surveillance happens — the building owner, the retailer, the city department. The processor (Article 4(8)) is whoever handles the footage on the controller's behalf under instruction — most importantly, a cloud Video Management System (VMS) provider, the software-and-storage service that ingests and records your camera streams. The controller wears most of the legal weight, but as we will see, the processor relationship has its own hard requirements. If you build or operate the system, you are almost always the controller, and "the vendor handles it" is not a defence.
A common hope is that small or private deployments are exempt. GDPR does carve out processing by a person for "purely personal or household activity" (Article 2(2)(c)), but the European Data Protection Board (EDPB) — the EU body whose Guidelines 3/2019 are the controlling interpretation for cameras — reads that exemption narrowly. A home camera that captures the public pavement or a neighbour's garden falls back inside GDPR, controller duties and all. For any commercial, civic, or workplace system, assume you are fully in scope.
Everything that follows is built on the seven principles in Article 5: process lawfully, fairly, and transparently; for a specified purpose; with data minimised to what is necessary; kept accurate; stored no longer than needed; and held securely — plus the catch-all in Article 5(2), accountability, which says you must not only comply but be able to demonstrate it. We covered the minimisation principle as a design discipline in privacy by design for surveillance; this article walks the rest as concrete obligations.
The first question on every system: your lawful basis
Before any other duty, GDPR demands a lawful basis — a legitimate, documented legal ground for processing the data at all (Article 6(1)). There are six, but for surveillance only a few are realistic, and choosing the right one is the first design decision, not an afterthought.
| Lawful basis (Article 6(1)) | When it fits surveillance | What it requires of you |
|---|---|---|
| Legitimate interests (f) | The default for private operators — protecting property, staff, and customers | A documented three-part assessment (the "LIA"); fails if a person's rights override your interest |
| Public task (e) | Public authorities exercising official functions (e.g. municipal CCTV) | A basis in law for the task; proportionality |
| Legal obligation (c) | Where a statute or regulator requires recording (e.g. some gaming, banking rules) | The specific legal requirement, named |
| Consent (a) | Rare for open-area CCTV; possible in tightly controlled spaces | Freely given, specific, informed, revocable — unworkable when you film everyone who passes |
| Vital interests (d) / Contract (b) | Edge cases only | Narrow; rarely the right fit for general surveillance |
For most businesses the answer is legitimate interests (Article 6(1)(f)), and the EDPB's April 2026 guidance confirms that it, together with public-task necessity, is the most likely ground. But "legitimate interests" is widely misunderstood as a label you simply claim. It is a test you must pass and record — the Legitimate Interests Assessment (LIA) — and it has three parts the EDPB spells out explicitly:
First, the purpose test: is there a real, clearly articulated legitimate interest, belonging to you or a third party, that is current and not hypothetical? A bookshop worried about theft after three break-ins has one; "general security" with no concrete problem does not. A speculative or fictional threat is not enough — you need a real situation, ideally evidenced by past incidents.
Second, the necessity test: is the surveillance genuinely necessary for that interest, or could a less intrusive measure achieve the same end? If better locks, lighting, or a smaller camera count would do the job, the cameras are not necessary, and the basis fails. You may process only the data the purpose actually needs.
Third, the balancing test: even with a real interest and genuine necessity, you may run the system only if your interest is not overridden by the interests, rights, and freedoms of the people being filmed. Here the EDPB names the factors that tip the scale: the size of the area and the number of people watched, and — decisively — their reasonable expectations. People expect not to be monitored in a gym, a restaurant, a changing room, or a toilet, so cameras there weigh heavily against you regardless of your security worry.
Figure 1. Picking the lawful basis. Most private operators land on legitimate interests (Art. 6(1)(f)); authorities on public task (Art. 6(1)(e)); statute-mandated recording on legal obligation. Consent rarely works for open-area CCTV because you cannot get it from everyone in frame.
Figure 2. Legitimate interests is a three-part test, not a label. A real and present interest, genuine necessity (no less intrusive option), and a balancing check against people's rights and reasonable expectations — all documented in a Legitimate Interests Assessment.
Common mistake: writing "legitimate interests" on the form and moving on. The basis is only as good as the assessment behind it. A regulator that asks to see your LIA and is handed nothing treats the processing as if it had no lawful basis at all — and an unlawful-basis finding is a top-tier violation. Do the three-part test, write it down, and revisit it when the system or the threat changes. The assessment is also where over-wide camera coverage and unnecessary analytics get caught while they are still cheap to change.
The line that changes everything: Article 9 and biometrics
Every duty so far assumes ordinary recording. The moment you turn on facial recognition, the legal ground shifts under your feet. Recording a person's image is processing personal data under Article 6. Converting that face into a mathematical template designed to single the individual out from everyone else is processing biometric data for the purpose of uniquely identifying a person — a special category of data under Article 9, with the underlying definition in Article 4(14).
Special-category data is prohibited by default. Article 9(1) says you may not process it at all unless one of a short list of exceptions in Article 9(2) applies. For commercial surveillance the only realistic exception is the data subject's explicit consent — and that is where most public-space facial recognition collapses. The EDPB's own worked example makes the trap concrete: a hotel that runs facial recognition to greet VIP guests cannot rely on the VIPs' consent alone, because the camera also captures every other guest and passer-by whose biometric data it processes. To be lawful it would need explicit consent from everyone in frame — which, in any open setting, you cannot get. The practical result is that facial recognition in a public or semi-public space is usually a non-starter under GDPR, not a feature you can toggle on.
This is the most consequential privacy decision in a surveillance project, and it deserves to be a deliberate, gated choice with its own lawful analysis — never a default left on because the camera supports it. How facial recognition actually works as a pipeline is covered in face recognition in surveillance; the US biometric regime, which adds personal liability on top of GDPR, is in BIPA and US biometric privacy law; and the techniques that let you keep an analytic while shedding the biometric risk are in face masking, redaction, and privacy-preserving analytics.
Figure 3. The Article 9 gate. Recording video runs on an Article 6 basis; facial recognition creates special-category biometric data that is prohibited unless an Article 9 exception applies. In open spaces the only realistic exception — explicit consent from everyone captured — is usually impossible.
Common mistake: enabling facial recognition because the camera and VMS offer it. The toggle is one click; the legal tail is multi-year. Under GDPR you would be processing special-category data with, in most open settings, no valid Article 9 basis. Treat the biometric switch as a gated decision requiring its own consent mechanics, Impact Assessment, and counsel sign-off. If you do not have all three, the safe default is off.
Telling people: transparency and the two-layer sign
GDPR requires that people know they are being filmed and can find out the details — the transparency duty in Articles 12 and 13. The EDPB translates this into a practical two-layer model that any deployment can implement.
The first layer is a warning sign, placed at eye level before a person enters the monitored area, so they can decide whether to proceed. The sign carries the most important information: the purpose of the surveillance, the identity (and contact) of the controller, the existence of the individual's rights, and a clear pointer to where the full details live — plus anything especially material, such as the use of any analytics. A sign that just says "CCTV in operation" does not meet the standard.
The second layer is the complete information sheet, holding everything Article 13 requires — the lawful basis and (for legitimate interests) the interest pursued, the retention period, who the footage may be shared with, whether it leaves the EU, and how to exercise rights. It must be easy to reach without entering the monitored zone: at a reception desk, on a clearly signposted web page, or behind a QR code on the sign itself.
| | First layer — the sign | Second layer — the full notice |
|---|---|---|
| Where | Eye level, before entering the area | Reception, website, or QR code on the sign |
| Carries | Purpose, controller identity, that rights exist, where to find more | Full Article 13 set: basis, interest, retention, recipients, transfers, how to exercise rights |
| Job | Let people decide before they walk in | Give the complete, mandated detail on demand |
This article covers signage as a GDPR obligation; the deeper mechanics of notice and the rare cases where consent is the right tool are in consent and notice for surveillance and biometrics.
Figure 4. Transparency in two layers. The entrance sign (first layer) carries the essentials and points to the full Article 13 notice (second layer) at reception or via a QR code — the EDPB's recommended way to meet Articles 12–13 for cameras.
Honouring people's rights — which the system has to be built to do
GDPR gives the people in your footage enforceable rights, and several of them land directly on how the VMS is built. The right of access (Article 15) lets someone ask whether you hold footage of them and obtain a copy. The catch the EDPB flags: when you hand over footage of the requester, you must protect the rights of other people who appear in the same frames — in practice, blurring or masking third parties before release. A system that cannot redact cannot safely fulfil an access request, which is why the masking and redaction tooling in face masking, redaction, and privacy-preserving analytics is a compliance feature, not a nicety.
The right to erasure (Article 17) and the right to object (Article 21) let people ask you to delete their data or stop processing it; the rights to rectification (16) and restriction (18) round out the set. You generally have one month to respond (Article 12(3)). There is a humane limit the EDPB makes explicit: if your footage auto-deletes after, say, two days and a request arrives later, the data is simply gone, and you tell the requester so. Short retention, in other words, quietly shrinks your rights-handling burden — another reason the storage clock matters. The lawful-deletion mechanics sit in retention limits and lawful deletion.
Common mistake: a system that records but cannot search, export, or redact. The right of access is not optional, and "we can't easily pull that" is not an answer a regulator accepts. If the VMS cannot locate footage by time and camera, export a clip, and blur the other people in it within the deadline, the deployment is non-compliant the day it goes live — no matter how good the picture is.
Storage limitation: days, not months — and the math that proves it
Article 5(1)(e) — storage limitation — says personal data must be kept "no longer than is necessary" for the purpose. For surveillance the EDPB is unusually concrete: because most incidents (vandalism, theft, an accident) come to light within a day or two, "a storage period of a few days" is often all that is justified, after which footage should be deleted, ideally automatically. Some member states set specific sector minimums, but the default posture is short.
This is where retention stops being an abstract principle and becomes the dominant lever on both your storage bill and your legal exposure. Take a modest system — 24 cameras, each recording continuously at a 4 Mbps bitrate. Using the rule that 1 Mbps of continuous video is about 10.8 GB per day (derived in how surveillance storage works: the retention math):
Per camera: 4 Mbps × 10.8 GB/day = 43.2 GB/day
All 24: 43.2 GB/day × 24 ≈ 1.04 TB/day
Keep 3 days: 1.04 TB/day × 3 ≈ 3.1 TB
Keep 90 days: 1.04 TB/day × 90 ≈ 93 TB
The 90-day setting costs roughly 30 times the storage of the 3-day setting — but the legal point is sharper than the cost. Unless a specific purpose or law justifies it, those extra 87 days are 30× the window during which you hold identifiable footage of thousands of people for no additional reason. Under storage limitation, the long retention is not a neutral default you can leave running; it is a choice you must justify, and "the disk was big enough" is not a justification. We separate the engineering retention policy in retention policy: how long to keep footage from the legal maximum it must honour in retention limits and lawful deletion.
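The storage arithmetic above carried through in code, as an added example that is not from the article or from Fora Soft: it derives the 10.8 GB/day figure from the bitrate, sizes the 24-camera fleet at 3 and 90 days, flags retention beyond the EDPB's "few days" norm when no justification is recorded, and applies the automatic purge to recorded segments, which in turn decides the outcome of the access requests discussed in the rights section (footage already deleted is reported as gone). The 3-day reading of "few days", the calendar-month deadline and the sample segments are assumptions constructed for the example, not figures from the page.

```python
"""Storage-limitation model for a continuous-recording camera fleet.

Added example, not code from the article or from Fora Soft. It carries the
article's retention arithmetic through from first principles, adds the automatic
purge the EDPB expects, and shows how retention bounds an Article 15 access
request. Assumed, not from the page: 'few days' read as 3; Art. 12(3)'s month
taken as one calendar month.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86_400
FEW_DAYS = 3  # assumed operational reading of the EDPB "few days" norm


def gb_per_day(bitrate_mbps: float) -> float:
    """Decimal GB per day at a continuous bitrate: 1e6 bit/s x 86,400 s/day,
    over 8 bit/byte and 1e9 byte/GB, is 10.8 GB/day per Mbps (the article's rule)."""
    return bitrate_mbps * 1e6 * SECONDS_PER_DAY / 8 / 1e9


def fleet_storage_tb(cameras: int, bitrate_mbps: float, retention_days: int) -> float:
    """Terabytes on disk once the retention window has filled (steady state)."""
    return cameras * gb_per_day(bitrate_mbps) * retention_days / 1000


def retention_review(retention_days: int, justification: str = "") -> str:
    """Art. 5(1)(e) check: retention beyond a few days needs a documented
    purpose or legal requirement; a big enough disk is not one."""
    if retention_days <= FEW_DAYS:
        return "ok: within the EDPB 'few days' norm"
    if justification:
        return f"ok: {retention_days} days, justified by: {justification}"
    return (f"non-compliant: {retention_days} days exceeds the 'few days' norm "
            "with no documented justification")


@dataclass(frozen=True)
class Segment:
    camera: str
    start: datetime  # UTC, inclusive
    end: datetime    # UTC, exclusive


def expired_segments(segments, now: datetime, retention_days: int):
    """Segments whose last frame is older than the retention window. Deleting
    them automatically turns the policy into a control and bounds what any later
    request can reach."""
    cutoff = now - timedelta(days=retention_days)
    return [s for s in segments if s.end <= cutoff]


def one_month_later(d: datetime) -> datetime:
    """Art. 12(3) deadline: same day next month, clamped to that month's length."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


def access_request(segments, camera: str, at: datetime, now: datetime,
                   retention_days: int) -> dict:
    """Outcome of an Art. 15 access request for footage of `camera` at `at`.
    Footage still retained must be located, exported and released with third
    parties masked; footage already purged is gone, and the requester is told so.
    Either way the response clock is one month."""
    purged = expired_segments(segments, now, retention_days)
    live = [s for s in segments if s not in purged
            and s.camera == camera and s.start <= at < s.end]
    if live:
        action = "locate by camera and time, export the clip, mask third parties, release"
    else:
        action = f"tell the requester no footage is held (retention is {retention_days} days)"
    return {"footage_available": bool(live), "action": action,
            "respond_by": one_month_later(now).date().isoformat()}


if __name__ == "__main__":
    # The article's worked case: 24 cameras at 4 Mbps, 3 days versus 90 days.
    for days in (3, 90):
        print(f"{days:>2} days: {fleet_storage_tb(24, 4, days):6.1f} TB -> {retention_review(days)}")
    # Constructed sample recordings (not real footage metadata): one segment
    # four to five days old, one from the last two hours.
    now = datetime(2026, 6, 9, 12, 0, tzinfo=timezone.utc)
    segs = [Segment("cam01", now - timedelta(days=5), now - timedelta(days=4)),
            Segment("cam01", now - timedelta(hours=2), now - timedelta(hours=1))]
    print("purge:", [s.end.isoformat() for s in expired_segments(segs, now, 3)])
    print(access_request(segs, "cam01", now - timedelta(days=4, hours=12), now, 3))
    print(access_request(segs, "cam01", now - timedelta(hours=1, minutes=30), now, 3))
```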
Cloud, processors, and crossing borders
The moment your footage leaves your own walls — to a cloud VMS, an off-site recorder, or a managed-service provider — three more GDPR duties switch on, and they are exactly the ones build-vs-buy decisions tend to skip.
First, the processor contract. A cloud VMS vendor that stores and processes your footage on your instruction is a processor, and Article 28 requires a written data-processing agreement (DPA) between you and them before they touch the data. Article 28(3) lists what it must contain — the subject and duration, the controller's instructions, confidentiality, security, sub-processor rules, and deletion or return of data at the end. No DPA, no lawful arrangement.
Second, security. Article 32 requires appropriate technical and organisational measures — encryption of footage in transit and at rest, access control, and the organisational policies and training behind them — proportionate to the risk. Surveillance footage is sensitive by nature, so the bar is not low.
Third, international transfers. If footage is stored or viewed outside the European Economic Area — a US-region cloud bucket, an overseas monitoring centre — Chapter V (Articles 44–49) requires a transfer mechanism: an adequacy decision for the destination country, or Standard Contractual Clauses, or another listed safeguard. For US providers the relevant route is currently the EU–US Data Privacy Framework, whose status has been litigated and should be re-checked when you choose a region. A point teams miss: picking an EU data-centre region does not by itself eliminate a transfer if the provider's support staff can access the data from outside the EEA. The cloud and cross-border storage tradeoffs are detailed in cloud and hybrid storage for surveillance.
Common mistake: spinning up a cloud VMS in a convenient region with no DPA and no transfer check. It is two clicks to send 24 cameras' worth of identifiable footage to a US-region bucket. Without a signed Article 28 processor agreement and a valid Chapter V transfer mechanism, that convenience is two GDPR violations — unlawful processor use and an unlawful transfer — both in the top fine tier.
The DPIA and proving you did the work
For higher-risk processing GDPR adds a forcing function: the Data Protection Impact Assessment (DPIA), a written assessment of how the planned processing affects people and what you will do about it, completed before you deploy (Article 35). Surveillance walks into the triggers the law lists — "systematic monitoring of a publicly accessible area on a large scale" (Article 35(3)(c)) and "large-scale processing of special categories of data" such as biometrics (Article 35(3)(b)). Many national regulators also publish lists of operations that always require one. We covered the DPIA as a design habit in privacy by design for surveillance; the GDPR point here is that for a large camera deployment it is usually mandatory, not optional.
Underneath all of it runs accountability (Article 5(2)): you must be able to show you comply. In practice that means a record of processing activities (Article 30) — purpose, basis, categories of data and recipients, retention, transfers — plus your LIA, your DPIA, your DPA with the cloud vendor, and your access-request log. The CNIL fine below turned partly on a company that had a system but no register and no prior analysis. The documentation is not bureaucracy; it is the difference between a defensible system and an indefensible one.
Figure 5. The GDPR duties mapped onto the footage lifecycle. Capture (lawful basis, signage), store (security, short retention), access (rights, redaction), share (processor DPA, transfer mechanism), delete (storage limitation) — all wrapped in accountability and, where triggered, a DPIA done before launch.
What it costs to get wrong
GDPR's penalties are tiered (Article 83). The most serious breaches — no lawful basis, ignoring data-subject rights, unlawful transfers, breaching the core principles — sit in the upper band: up to €20 million or 4% of total worldwide annual turnover, whichever is higher. The number is large enough to be a board-level risk, but the more instructive fact is how ordinary the surveillance cases are.
In October 2025 the French regulator, the CNIL, fined a company €100,000 over a video-surveillance system that, among other failings, used hidden cameras, was never entered in the GDPR processing register, and had no prior privacy analysis — a textbook accountability and transparency failure. In an earlier CNIL case a translation firm, Uniontrad, was fined €20,000 for filming employees more or less continuously and failing to inform them properly. The Spanish authority (AEPD) has fined operators for fitting cameras with microphones that captured an employee's voice — a minimisation failure under Article 6, since the audio was not necessary for the security purpose. Through 2025 and into 2026 the CNIL issued a wave of simplified sanctions, totalling over €200,000, against disproportionate workplace and public-space filming.
The pattern is the point. These penalties did not fall on exotic AI systems; they fell on ordinary cameras run without a documented basis, without proper notice, recording too much for too long, or never entered in the processing register. Every one of them maps to a duty in the sections above.
The layer arriving above GDPR: the AI Act
GDPR governs the personal data; a newer law governs the AI that some surveillance systems run on top of it. The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) bans certain real-time remote biometric identification in publicly accessible spaces under Article 5 — a prohibition in force since 2 February 2025, with narrow law-enforcement exceptions. Many other biometric and surveillance analytics are classified "high-risk," carrying obligations such as risk management, logging, and human oversight. Those high-risk obligations are scheduled to apply from 2 December 2027 under the political agreement of 7 May 2026 (the "Digital Omnibus," adopted 19 November 2025), with the Act's transparency duties arriving in August 2026. The timeline is still moving, so confirm the current dates when you plan; whatever the AI Act adds, GDPR continues to govern the personal data underneath it.
Where Fora Soft fits in
GDPR compliance is where a surveillance demo and a deployable product part ways, because the demo never has to produce a Legitimate Interests Assessment, satisfy a subject-access request, or prove that footage left the EU lawfully. Fora Soft has built video streaming, real-time video, and computer-vision systems since 2005 — more than 625 shipped projects for 400+ clients — and the surveillance work sits exactly where video, storage, and EU privacy law meet. When we design or integrate a video management system, we treat the lawful basis and the biometric decision as explicit, documented choices; we build the compliance-critical mechanics — searchable footage, clip export, third-party redaction, role-scoped access, and short automatic retention — into the pipeline rather than bolting them on; and we keep the processor and transfer questions on the table from the first architecture review. The accuracy-vs-performance habit carries straight across: we lead with how the system behaves and what it exposes under real load, then the capability — because a feature that creates unmanaged personal data is a liability no demo score can offset.
What to read next
- BIPA and US biometric privacy law
- Retention limits and lawful deletion
- The surveillance compliance checklist
Download the GDPR for video surveillance compliance starter (PDF) — the lawful-basis quick-pick and the legitimate-interests three-part test, the Article 9 biometric gate, the two-layer signage contents, a data-subject-rights response checklist, the storage-limitation note, the cloud processor/transfer requirements, and the accountability records to keep — each tied to its GDPR article.
Call to action
- Talk to a surveillance engineer — book a 30-minute scoping call to talk through your GDPR video surveillance plan.
- See our case studies — 250+ shipped projects across video streaming, WebRTC, OTT, telemedicine, e-learning, surveillance, and AR/VR.
- Download the GDPR for Video Surveillance — Compliance Starter — One-page printable starter for framing a GDPR-compliant surveillance deployment: the lawful-basis quick-pick (Art.
References
- Regulation (EU) 2016/679 (GDPR), Art. 6 — Lawfulness of processing, European Union. Sets the six lawful bases; for surveillance the realistic grounds are legitimate interests (6(1)(f)), public task (6(1)(e)), legal obligation (6(1)(c)), and — rarely — consent (6(1)(a)). The first design decision for any camera system. Tier 1. https://gdpr-info.eu/art-6-gdpr/ (accessed 2026-06-09)
- Regulation (EU) 2016/679 (GDPR), Art. 9 — Processing of special categories of personal data, European Union. Biometric data processed to uniquely identify a person is prohibited (9(1)) unless an Art. 9(2) exception (e.g. explicit consent) applies — the legal step-change between recording video and running facial recognition. Tier 1. https://gdpr-info.eu/art-9-gdpr/ (accessed 2026-06-09)
- Regulation (EU) 2016/679 (GDPR), Art. 5 — Principles relating to processing of personal data, European Union. The seven principles: lawfulness/fairness/transparency, purpose limitation, data minimisation (5(1)(c)), accuracy, storage limitation (5(1)(e)), integrity and confidentiality, and accountability (5(2)). The backbone of every surveillance duty. Tier 1. https://gdpr-info.eu/art-5-gdpr/ (accessed 2026-06-09)
- Regulation (EU) 2016/679 (GDPR), Art. 4 — Definitions (esp. 4(1) personal data, 4(7) controller, 4(8) processor, 4(14) biometric data), European Union. Establishes that identifiable video is personal data, who carries the duties (controller vs processor), and what biometric data is. Tier 1. https://gdpr-info.eu/art-4-gdpr/ (accessed 2026-06-09)
- Regulation (EU) 2016/679 (GDPR), Arts. 12–15, 17, 21 — Transparency and data-subject rights, European Union. The information duties (12–13) behind the two-layer sign, and the rights of access (15, including protecting third parties in shared footage), erasure (17), and objection (21) the VMS must be built to satisfy within one month (12(3)). Tier 1. https://gdpr-info.eu/art-13-gdpr/ (accessed 2026-06-09)
- Regulation (EU) 2016/679 (GDPR), Arts. 28, 30, 32, 35 and Chapter V (44–49) — processor agreements, records, security, DPIA, transfers, European Union. The written DPA a cloud VMS provider requires (28), the record of processing (30), the security duty (32), the pre-deployment DPIA and its triggers (35(3)(b)/(c)), and the rules for moving footage outside the EEA (Chapter V). Tier 1. https://gdpr-info.eu/art-28-gdpr/ (accessed 2026-06-09)
- EDPB Guidelines 3/2019 on processing of personal data through video devices (Version 2.0, 2020), European Data Protection Board. The controlling video-specific interpretation of GDPR: lawful basis and the legitimate-interests balancing test, the narrow household exemption, the two-layer transparency model, the "few days" retention norm, biometric processing as special-category data, and access requests with third-party redaction. Tier 2 (issuing-body guidance). https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en (accessed 2026-06-09)
- EDPB, "Video devices & data protection: when to act and what to do" (summary of Guidelines 3/2019, April 2026), European Data Protection Board. The current plain-language summary: the three-question legitimate-interests test, consent as exceptional for surveillance, the first-/second-layer signage contents, a "few days" storage period, the facial-recognition (hotel VIP) example, the security and rights duties, and the disclosure rules — used throughout this article. Tier 2 (issuing-body guidance). https://www.edpb.europa.eu/system/files/2026-04/summary_edpb_guidelines_201903_video_devices_en.pdf (accessed 2026-06-09)
- Regulation (EU) 2016/679 (GDPR), Art. 83 — General conditions for imposing administrative fines, European Union. The two-tier fine structure, with the upper band (no lawful basis, rights breaches, unlawful transfers, breach of principles) at up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Tier 1. https://gdpr-info.eu/art-83-gdpr/ (accessed 2026-06-09)
- CNIL fines for non-compliant video surveillance (2025): €100,000 decision (October 2025) and the Uniontrad €20,000 decision, Commission Nationale de l'Informatique et des Libertés (France). Real enforcement: a €100,000 fine over hidden cameras, an unregistered system, and no prior analysis; a €20,000 fine for continuous employee filming and inadequate information; plus a 2025–2026 wave of simplified sanctions for disproportionate monitoring (>€200,000). Tier 5 (regulator enforcement record). https://www.cnil.fr/en/investigation-powers-cnil/sanctions-issued-cnil (accessed 2026-06-09)
- EU Artificial Intelligence Act (Regulation (EU) 2024/1689), Art. 5 and high-risk biometric provisions, European Union / European Commission. Bans certain real-time remote biometric identification in publicly accessible spaces (Art. 5, applicable since 2 February 2025); high-risk obligations apply from 2 December 2027 per the 7 May 2026 Digital Omnibus political agreement (transparency duties from August 2026). The AI layer above GDPR — re-verify dates at publish. Tier 1 (statute) + Tier 5 (news for the amended dates). https://artificialintelligenceact.eu/article/5/ (accessed 2026-06-09)
Where sources differ in emphasis, the regulation text controls and the EDPB guidance supplies the video-specific reading. The lawful-basis, balancing-test, two-layer-signage, retention, and biometric points are taken from GDPR Articles 5, 6, 9, 12–13, and 28–35 and from EDPB Guidelines 3/2019 and its April 2026 summary; the enforcement figures are from the CNIL's published sanctions record and reputable reporting; the EU AI Act high-risk timeline reflects the May 2026 Digital Omnibus political agreement and should be re-verified against the Official Journal at publish.