Data minimisation is the principle of collecting and keeping only the personal data you actually need for a stated purpose — no more. It is one of the core GDPR principles (Article 5(1)(c)), and in surveillance it is the antidote to the default temptation to record everything, everywhere, forever, just in case. The minimised system captures the necessary scenes, at the necessary quality, for the necessary time, and nothing beyond.
It turns into concrete engineering choices at every layer. Point cameras only where there is a justified need and use privacy zones to exclude the rest; choose recording modes (motion or event rather than continuous) where full-time recording is not required; set frame rate and resolution to the task rather than the maximum; keep retention to the purpose; and avoid enabling identifying analytics (face recognition) where simple detection or anonymous counting would do. Each of these reduces the personal data held, which reduces both privacy risk and cost.
The pitfall is "collect it all in case it's useful". More data is more risk, more storage cost, and more to expose in a breach or a subject-access request — and it is precisely the posture privacy law rejects. Over-collection also undermines the lawful basis (you cannot justify recording what you do not need) and the proportionality the EDPB expects. Design for the minimum that meets the purpose, revisit it as needs change, and treat every extra camera, higher resolution, or longer retention as something that must be justified, not assumed. This is engineering guidance, not legal advice.
