The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the European Union's data-protection law, and it governs video surveillance whenever the footage can identify a person — which is almost always. Recognisable faces, licence plates, and even a distinctive gait make video "personal data", so an ordinary CCTV system is processing personal data and falls squarely under the regulation. The EDPB's Guidelines 3/2019 on processing of personal data through video devices are the authoritative interpretation for this exact context.

Several articles shape how a compliant system is built. You need a lawful basis to record at all (Article 6 — for most CCTV this is legitimate interest or a public task); the principles in Article 5 require data minimisation and storage limitation (keep only what you need, only as long as you need it); biometric data such as face templates is special-category data needing the stricter conditions of Article 9; a Data Protection Impact Assessment is required under Article 35 for systematic large-scale or public-area monitoring; and people have rights — notice, access, and erasure — that the system must be able to honour.

The pitfall is treating cameras as outside data-protection law because "it's just security footage". Footage is personal data, and the common failures create real exposure: recording more than necessary, keeping footage indefinitely because the disk allows it, no posted notice, no lawful-basis analysis, and deploying face recognition without satisfying Article 9. Build to the principles from the start, document the lawful basis and retention period, and treat biometrics as a separate, higher bar. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.