A retention limit is the legal maximum on how long surveillance footage may be kept — distinct from, and often in tension with, the operational minimum a business wants. Privacy law treats keeping personal data longer than necessary as a violation in itself: under GDPR Article 5(1)(e) (storage limitation), footage must not be retained beyond what the purpose requires, and the EDPB Guidelines 3/2019 point to a few days as typical for ordinary CCTV, with longer periods needing specific justification.

The crucial idea is that retention has two clocks running in opposite directions. Operational and sector rules set a floor (some sectors mandate weeks or months); privacy law sets a ceiling. A lawful policy lives between them, and where a sector minimum and a privacy maximum genuinely conflict, that tension must be resolved deliberately and documented, not ignored. Biometric data carries its own harder limits — BIPA, for instance, requires destruction of biometric identifiers within a set period (no later than three years after the last interaction, or when the purpose ends).

The pitfall is letting capacity decide retention and forgetting that deletion must actually happen. "We keep 30 days" because the disks fill at 30 days is not a defensible limit — it is an accident, and it may be unlawful if 30 days exceeds what the purpose justifies. Deletion must be policy-driven and verifiable, and exports, backups, and cloud copies escape the schedule unless they are tracked, so the data outlives its limit in places no one is watching. Set retention by purpose, enforce automatic logged deletion, and account for every copy. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.
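As an added illustration (not part of the original article), a small retention sweep in Python that models the two clocks as a checked floor/ceiling pair per purpose, keeps exports on the original recording's schedule, and emits a deletion log. The purposes, day counts, camera ids and storage locations are constructed sample values, not figures from any regulation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class RetentionPolicy:
    """Retention for one purpose: a sector floor, a privacy ceiling and the chosen limit, in days."""
    purpose: str
    floor_days: int
    ceiling_days: int
    retain_days: int
    def validate(self) -> None:
        # A floor above the ceiling is a genuine conflict: surface it rather than pick one silently.
        if self.floor_days > self.ceiling_days:
            raise ValueError(f"{self.purpose}: floor {self.floor_days}d exceeds ceiling {self.ceiling_days}d")
        if not self.floor_days <= self.retain_days <= self.ceiling_days:
            raise ValueError(f"{self.purpose}: {self.retain_days}d outside [{self.floor_days}, {self.ceiling_days}]")

@dataclass
class Copy:
    """One stored instance of footage: primary recording, export, backup or cloud replica."""
    copy_id: str
    purpose: str
    captured: datetime  # the clock runs from capture, not from when a copy was made
    location: str
    deleted: bool = False

def register_export(original: Copy, copy_id: str, location: str) -> Copy:
    """Track an export under the original's purpose and capture time so it stays on schedule."""
    return Copy(copy_id, original.purpose, original.captured, location)

def sweep(copies: list[Copy], policies: dict[str, RetentionPolicy], now: datetime) -> list[dict]:
    """Delete every tracked copy past its purpose's limit and return the deletion audit log."""
    for p in policies.values():
        p.validate()
    log = []
    for c in copies:
        if not c.deleted and now - c.captured > timedelta(days=policies[c.purpose].retain_days):
            c.deleted = True  # a real system deletes the object here and verifies it is gone
            log.append({"copy": c.copy_id, "location": c.location, "purpose": c.purpose,
                        "age_days": (now - c.captured).days, "deleted_at": now.isoformat()})
    return log

# Constructed sample: hypothetical policies, a primary recording, an export of it, and an audit recording.
POLICIES = {"premises_security": RetentionPolicy("premises_security", 0, 30, 7),
            "cash_handling_audit": RetentionPolicy("cash_handling_audit", 30, 90, 30)}
def demo(now: datetime = datetime(2024, 2, 10, tzinfo=timezone.utc)) -> list[dict]:
    primary = Copy("cam1-20240125", "premises_security", datetime(2024, 1, 25, tzinfo=timezone.utc), "nvr")
    export = register_export(primary, "cam1-20240125-export", "shared-drive")
    audit = Copy("cam2-20240120", "cash_handling_audit", datetime(2024, 1, 20, tzinfo=timezone.utc), "nvr")
    return sweep([primary, export, audit], POLICIES, now)
```

Running `demo()` deletes the 16-day-old premises recording together with its shared-drive export, while the 21-day-old audit recording is held because its sector floor is 30 days.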