Legitimate interest is the lawful basis most ordinary CCTV relies on under GDPR Article 6(1)(f): a private operator may process personal data where it is necessary for a real interest of theirs — protecting property, staff safety, deterring and investigating crime — provided that interest is not overridden by the rights and freedoms of the people captured. It is the workable basis for public-facing cameras precisely because consent from every passer-by is impossible.
Relying on it is not a free pass; it requires a documented balancing test, often called a legitimate interest assessment (LIA). The operator must identify the specific interest, show the surveillance is necessary and proportionate to it (could a less intrusive measure achieve the same?), and weigh it against the intrusion on the people recorded. The assessment is what makes the basis defensible, and the people captured retain the right to object and to be informed. The EDPB Guidelines 3/2019 walk through how this balancing applies to video.
The pitfalls are skipping the balancing test and over-reaching the interest. Asserting "legitimate interest" without a documented LIA leaves the basis indefensible if challenged. The basis also stretches only as far as the proportionate need: it justifies a camera over the till far more easily than continuous high-resolution recording of a whole street, and it does not cover biometric face recognition, which needs a separate Article 9 condition. Do the LIA, keep it proportionate, document it, and don't lean on legitimate interest to carry special-category processing. This is engineering guidance, not legal advice; confirm specifics with qualified counsel.

