Data residency is the question of where footage and its derived data physically live, and which laws follow it there. It matters most for cloud and hybrid surveillance, where video may be stored or processed in a data centre in another country. Under GDPR, personal data may flow freely within the EU/EEA, but moving it outside (a "transfer" to a third country) is restricted by Chapter V and needs a valid mechanism — an adequacy decision, standard contractual clauses, or another safeguard.
The practical reality is that residency is about more than the storage region. The EU-US Data Privacy Framework (adopted July 2023) provides one route for EU-to-US transfers, but the field is unsettled — frameworks have been struck down before and remain subject to legal challenge — so a design that depends on a specific transfer mechanism should treat it as something that can change. Crucially, the EDPB has clarified that even storing data in-region does not by itself end a "transfer" if the data can be accessed from outside, so remote access by support staff or a parent company abroad can itself be a transfer.
The pitfall is assuming "stored in an EU region" equals compliant. A cloud bucket in Frankfurt can still involve a transfer if it is administered or accessible from outside the EEA, and biometric or sensitive footage raises the stakes further. Map where data is stored, processed, and accessed from — not just where the bucket is — choose providers and regions deliberately, keep a documented transfer mechanism, and re-check it as the legal landscape shifts. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.
