GDPR-Compliant Video Surveillance: Best Practices Today

GDPR-compliant video surveillance in 2026: lawful basis, DPIA, anonymous-by-default analytics, retention discipline, and the EU AI Act overlay.

Written by TechnoLynx. Published on 14 Jul 2025.

Understanding GDPR and Video Surveillance

GDPR-compliant video surveillance is no longer a paperwork exercise — it is an architectural choice about what your cameras and analytics capture in the first place. The General Data Protection Regulation governs any organisation that handles personal data belonging to EU residents, and any footage that shows a face, gait, licence plate, or other identifying trait counts as personal data. If the system records it, GDPR applies.

The territorial scope is wider than many operators assume. Even companies based outside the EU fall under GDPR if their goods, services, or monitoring reach EU residents. Retailers with EU customers, transport operators with EU routes, and SaaS platforms whose cameras stream into EU data centres all sit inside the regime. The question is not whether GDPR applies — it usually does — but how to design a pipeline that satisfies it without crippling the operational value of the system.

In our experience advising security architects, the teams that struggle are the ones who treat GDPR as a compliance overlay added after the cameras are installed. The teams that succeed treat it as a constraint on system design from day one: which streams exist, which pixels are kept, who sees what, and for how long.

What does GDPR-compliant video surveillance require in 2026?

Regulator guidance across EU supervisory authorities — including the EDPB Guidelines 3/2019 on processing through video devices and subsequent national updates — converges on six operational requirements. We summarise them below as a decision rubric rather than a narrative, because each one is independently auditable.

| Requirement | What it means in practice | Where it fails |
|---|---|---|
| Lawful basis | Legitimate interest, public task, or consent documented before deployment | Retro-fitted justifications after a DSAR or breach |
| DPIA | Data Protection Impact Assessment for any high-risk processing — almost all CCTV with AI analytics qualifies | “We did a DPIA” without a register entry or sign-off |
| Data minimisation | Anonymous-by-default analytics; no biometric processing unless justified | Storing full-resolution colour video when blurred low-res would meet the need |
| Retention | Typically 30 days unless a specific operational or legal need extends it | 90-day defaults left in the VMS because nobody changed them |
| Transparency | Clear signage with controller identity, purpose, retention, and DPO contact | A pictogram with no text |
| Subject rights | Documented process for access, deletion, and objection requests | DSARs answered ad-hoc by whoever opens the email |

The EU AI Act adds a second compliance layer on top of this for AI-based video systems. We return to that in the final section.

Lawful basis and the DPIA: the work that has to happen before the camera goes up

Article 6 GDPR requires a lawful basis for every act of processing. For workplace and commercial CCTV the practical options are legitimate interest, public task (for public bodies), and — rarely — consent. Legitimate interest is the most common, but it carries a three-part test: the interest must be specific, the processing must be necessary to achieve it, and the controller’s interest must not be overridden by the data subjects’ rights. A generic “security” justification rarely survives scrutiny. A documented interest such as “preventing theft at the loading bay after a series of incidents in 2025” does.

The Data Protection Impact Assessment is where that justification becomes a controlled document. For AI-driven video — anything doing detection, classification, re-identification, or behavioural analytics — a DPIA is effectively mandatory under Article 35. The DPIA names the system, the camera positions, the analytics applied, the retention schedule, the access matrix, and the residual risks. It is the artifact regulators ask for first when something goes wrong.

The CJEU’s Österreichischer Rundfunk line of reasoning and several national rulings on workplace surveillance make the proportionality test concrete: cameras pointed at break rooms, smoking areas, or staff lockers fail. Cameras pointed at till areas, loading bays, or restricted-access doors with documented justification generally pass.

Which technologies help with GDPR-compliant video surveillance?

The 2026 default in EU deployments is anonymous-by-default, with identification enabled only on a documented lawful basis. Several categories of technology make this practical:

  • On-the-fly anonymisation at the edge. Face and licence-plate blurring applied before the stream leaves the camera or recorder — vendors include Brighter AI, Pimloc, and Genetec Privacy Protector. The unredacted stream may exist transiently but is never written to disk.
  • Privacy-preserving analytics. People counting, queue-length estimation, and dwell-time analysis that work on silhouettes, bounding boxes, or anonymised embeddings rather than identifiable features.
  • VMS access control and audit trails. Modern VMS platforms (Milestone, Genetec, Axis) support role-based access to redacted versus unredacted footage and produce audit logs of every export and playback action.
  • Encryption. TLS for streams in transit, AES-256 for footage at rest, with key management separated from the operator role.
  • Edge inference on observable pipelines. Running detection and classification on NVIDIA Jetson or comparable hardware via TensorRT keeps raw video local; only structured events leave the camera site. This is one of the structural reasons we advocate observable CV pipelines for CCTV — observability and minimisation reinforce each other.

This is an observed pattern across our surveillance engagements: deployments that anonymise at the edge consistently produce smaller compliance surfaces, simpler DSARs, and easier DPO sign-off than deployments that anonymise in post-processing. It is not a benchmarked rate — the size of the gain depends on how aggressive the edge processing is — but the direction of the effect is consistent.
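The edge-anonymisation and privacy-preserving-analytics items above describe one pipeline shape: identifying regions are made unrecoverable before any frame is written, and only structured counts leave the site. The script below is an added illustration of that shape; it is not code from TechnoLynx or from any of the vendors named in the list. The frame is a constructed greyscale 2-D list, the detections are hand-written bounding boxes standing in for a detector's output, and the zone layout, camera id and function names are assumptions.

```python
"""Edge-side redaction: pixelate identifying regions before any frame is
written, and forward only per-zone people counts.

Added example, not TechnoLynx's or any vendor's code. The frame, detections,
zones and camera id below are constructed for the demonstration."""

import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

Box = Tuple[int, int, int, int]          # x0, y0, x1, y1 (x1 and y1 exclusive)
Frame = List[List[int]]                  # rows of 0..255 greyscale values

WIDTH, HEIGHT = 32, 24
IDENTIFYING = ("face", "plate")          # classes that must never reach disk
ZONES: Dict[str, Box] = {"entrance": (0, 0, 16, 24), "till": (16, 0, 32, 24)}  # assumed layout


@dataclass
class Detection:
    kind: str        # "person", "face" or "plate" (assumed detector classes)
    box: Box
    track_id: int    # tracker handle; stays on the edge, never in an event


def synthetic_frame() -> Frame:
    """Constructed input: a gradient so neighbouring pixels all differ."""
    return [[(x * 7 + y * 3) % 256 for x in range(WIDTH)] for y in range(HEIGHT)]


def pixelate(frame: Frame, box: Box, block: int = 8) -> Frame:
    """Replace each block x block tile inside `box` with the tile's mean.

    The detail is not recoverable from the output, unlike an overlay drawn
    on top of raw pixels that are still stored underneath."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in frame]
    for ty in range(y0, y1, block):
        for tx in range(x0, x1, block):
            ys = range(ty, min(ty + block, y1))
            xs = range(tx, min(tx + block, x1))
            mean = sum(frame[y][x] for y in ys for x in xs) // (len(ys) * len(xs))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def redact(frame: Frame, detections: List[Detection]) -> Frame:
    """Apply irreversible pixelation to every identifying detection."""
    for d in detections:
        if d.kind in IDENTIFYING:
            frame = pixelate(frame, d.box)
    return frame


def count_event(camera: str, ts: str, detections: List[Detection]) -> dict:
    """The only thing that leaves the site: per-zone people counts.

    No pixels, boxes or track ids are included, so the event carries
    presence but not identity."""
    counts = {zone: 0 for zone in ZONES}
    for d in detections:
        if d.kind != "person":
            continue
        cx, cy = (d.box[0] + d.box[2]) // 2, (d.box[1] + d.box[3]) // 2
        for zone, (zx0, zy0, zx1, zy1) in ZONES.items():
            if zx0 <= cx < zx1 and zy0 <= cy < zy1:
                counts[zone] += 1
    return {"camera": camera, "ts": ts, "people": counts}


def process_frame(camera: str, ts: str, raw: Frame, detections: List[Detection]):
    """Edge loop body: the raw frame exists only for the duration of this call."""
    redacted = redact(raw, detections)            # the only frame the recorder sees
    event = count_event(camera, ts, detections)   # the only data sent upstream
    return redacted, json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    dets = [Detection("person", (4, 2, 14, 22), 17),
            Detection("face", (6, 2, 12, 8), 17),
            Detection("plate", (20, 16, 30, 20), 42)]
    _, event = process_frame("cam-01", "2025-07-10T09:12:03Z", synthetic_frame(), dets)
    print(event)
```

The split matters for the DSAR and breach surfaces discussed above: the persisted frame contains no face or plate pixels to retrieve or leak, and the forwarded event contains no track id that could be joined back to a person.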

Retention, storage, and the 72-hour breach clock

GDPR Article 5(1)(e) requires that personal data be kept no longer than necessary. For CCTV that translates, in most regulator guidance we have seen, to a default retention of around 30 days. Longer retention requires a specific justification — an open investigation, a contractual obligation, a legal hold. The retention policy must be documented, enforced automatically by the VMS, and reviewed periodically.

Storage must be secure end-to-end. Encryption at rest is table stakes; access must be role-based and logged; cloud providers must be GDPR-compliant data processors with a signed Article 28 contract. If the recorder lives on a network the corporate firewall can reach, network segmentation and authenticated access are non-negotiable.

The 72-hour breach notification clock under Article 33 is where many operators get caught. From the moment the controller becomes aware of a personal data breach, they have 72 hours to notify the supervisory authority. That means detection has to be fast, and the playbook has to exist before the breach. Logging who accessed what, when, and from where is not a nice-to-have — it is what makes the 72-hour window achievable.
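The three points above (retention enforced automatically with documented extensions, role-based and logged access, and fast detection of anomalous access so the 72-hour clock can be met) are all things a small script beside the recorder can check. The following is an added example, not the page's or any VMS vendor's code. The clip index, legal-hold register, audit-log format, role policy and operator network are constructed for the illustration, and the 30-day default stands in for whatever period your own DPIA documents.

```python
"""Retention sweep and access-audit review for a CCTV recorder.

Added example, not TechnoLynx's or any VMS vendor's code. Clip index, hold
register, audit lines, role policy and network ranges are constructed."""

import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, List

DEFAULT_RETENTION = timedelta(days=30)                    # assumed policy default
OPERATOR_NET = ipaddress.ip_network("10.20.0.0/16")      # assumed VMS client LAN
UNREDACTED_EXPORT_ROLES = {"investigator"}               # assumed role policy
NOW = datetime(2025, 7, 12, 9, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def expired_clips(clips: List[dict], holds: Dict[str, str], now: datetime,
                  retention: timedelta = DEFAULT_RETENTION) -> List[str]:
    """Clip ids past retention that are not under a documented hold.

    A hold is keyed by clip id and carries its justification (an incident or
    case reference), so every extension beyond the default is auditable."""
    purge = []
    for clip in clips:
        if now - clip["recorded_at"] <= retention:
            continue
        if clip["id"] in holds:
            continue
        purge.append(clip["id"])
    return purge


def parse_audit_line(line: str) -> dict:
    """Constructed log format: ts role user action clip_id src_ip."""
    ts, role, user, action, clip, src = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "role": role, "user": user, "action": action,
            "clip": clip, "src": ipaddress.ip_address(src)}


def review_access(lines: List[str]) -> List[dict]:
    """Findings that should go straight to the breach playbook.

    Each finding keeps the log timestamp: it is the earliest moment the
    controller could have become aware, which is when the 72 hours start."""
    findings = []
    for line in lines:
        e = parse_audit_line(line)
        if e["action"] == "EXPORT_UNREDACTED" and e["role"] not in UNREDACTED_EXPORT_ROLES:
            findings.append({"ts": e["ts"], "clip": e["clip"],
                             "reason": f"unredacted export by role {e['role']} ({e['user']})"})
        if e["src"] not in OPERATOR_NET:
            findings.append({"ts": e["ts"], "clip": e["clip"],
                             "reason": f"access from {e['src']} outside operator network"})
    return findings


# Constructed sample data.
CLIPS = [
    {"id": "clip-001", "camera": "cam-01", "recorded_at": NOW - timedelta(days=45)},
    {"id": "clip-003", "camera": "cam-02", "recorded_at": NOW - timedelta(days=31)},
    {"id": "clip-007", "camera": "cam-03", "recorded_at": NOW - timedelta(days=40)},
    {"id": "clip-010", "camera": "cam-01", "recorded_at": NOW - timedelta(days=10)},
]
HOLDS = {"clip-007": "INC-EXAMPLE-0142 loading-bay theft investigation (placeholder reference)"}
AUDIT = [
    "2025-07-10T09:12:03Z operator alice VIEW_REDACTED clip-001 10.20.0.15",
    "2025-07-10T21:40:11Z operator bob EXPORT_UNREDACTED clip-007 203.0.113.9",
    "2025-07-11T08:02:44Z investigator carol EXPORT_UNREDACTED clip-007 10.20.0.22",
    "2025-07-11T08:03:10Z operator alice EXPORT_UNREDACTED clip-003 10.20.0.15",
]

if __name__ == "__main__":
    print("purge:", expired_clips(CLIPS, HOLDS, NOW))
    for f in review_access(AUDIT):
        print(f["ts"].isoformat(), f["clip"], f["reason"])
```

Running it purges the two clips older than 30 days that have no hold, keeps clip-007 because its hold carries a case reference, and raises three findings from the audit log: an operator exporting unredacted footage from an address outside the operator network (two reasons on one line) and an operator exporting unredacted footage from inside it. The point of keeping the timestamp on each finding is that it, not the moment someone reads the report, is what a regulator will measure the 72 hours against.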

Real-time monitoring and workplace surveillance

Real-time monitoring carries its own constraints. Even when footage is never stored, the live view shows personal data, so access must be restricted to trained staff in a controlled environment. Screens visible to visitors, contractors, or the general public are a recurring finding in regulator audits.

Audio recording is held to a higher standard than video under most national interpretations of GDPR. The European Data Protection Board and several national regulators treat audio as more intrusive because it captures content as well as presence. Most commercial CCTV deployments cannot justify audio capture and should disable it by default.

Workplace surveillance is the area where enforcement has been most consistent. The H&M employee-surveillance case (Hamburg, 2020, €35.3 million) and several follow-on cases established that monitoring employees outside narrowly defined operational purposes — entry control, asset protection, safety — is not proportionate. Performance monitoring through CCTV almost never survives the proportionality test. Cameras in private areas — toilets, changing rooms, prayer rooms, medical rooms — are categorically prohibited.

What enforcement actions shape GDPR video-surveillance practice today?

Several large actions between 2020 and 2026 have established the operational baseline. The Clearview AI fines across multiple EU regulators (the CNIL in France, the Garante in Italy, the Hellenic DPA in Greece) confirmed that scraping faces from the public web to build identification databases is not a lawful basis under any reading of GDPR. The H&M case set the workplace-monitoring proportionality bar. The Italian Garante’s actions on smart-city facial recognition deployments confirmed that public-space biometric identification requires explicit legal authorisation, not just a municipal decision. Several retailer fines have addressed excessive CCTV coverage in customer-facing areas.

The pattern across these cases is consistent: regulators tolerate well-justified, narrowly scoped, transparent deployments. They penalise mass collection without specific purpose, biometric processing without authorisation, and workplace monitoring beyond defined operational needs. The question they ask is not “is this useful?” but “is this necessary, proportionate, and transparent?”

How does the EU AI Act change GDPR-compliant video surveillance?

The EU AI Act (Regulation 2024/1689) layers a second compliance regime on top of GDPR for AI-based video systems. Three provisions matter most for surveillance:

  1. Prohibition on real-time remote biometric identification in publicly accessible spaces by law enforcement, with narrow exceptions for specific serious crimes under judicial authorisation. This is a hard ban, not a documentation requirement.
  2. High-risk classification for many AI surveillance systems, triggering obligations on documentation, risk management, data governance, human oversight, accuracy, robustness, cybersecurity, and post-market monitoring. Annex III explicitly lists biometric identification and categorisation, critical infrastructure, and law enforcement use among the high-risk categories.
  3. Transparency and human-oversight requirements for emotion-recognition systems, biometric categorisation systems, and workplace monitoring. Some uses — emotion recognition in workplaces and educational institutions — are prohibited outright.

For operators, this means a GDPR DPIA is no longer sufficient on its own. A high-risk AI system also requires conformity assessment, technical documentation under Annex IV, registration in the EU database, and ongoing post-market monitoring. The two regimes overlap but are not interchangeable: GDPR governs the personal data; the AI Act governs the AI system that processes it.

We expand on the joint compliance picture in GDPR and AI in Surveillance, and on the engineering architecture that makes both regimes auditable in our hub article on observable CV pipelines for CCTV.

FAQ

How do you make video surveillance GDPR-compliant in 2026?

Six requirements recur in regulator guidance: (1) lawful basis (legitimate interest, public task, consent) documented before deployment; (2) DPIA for any high-risk processing — almost all CCTV with AI analytics qualifies; (3) data minimisation in design (anonymous-by-default analytics, no biometric processing unless justified); (4) retention discipline (typically 30 days unless specific need); (5) signage and transparency for data subjects; (6) data-subject-rights handling (access, deletion, objection). The EU AI Act adds further obligations for AI-based video systems.

Which technologies help with GDPR-compliant video surveillance?

On-the-fly anonymisation (face and licence-plate blurring at the edge — Brighter AI, Pimloc, Genetec Privacy Protector); privacy-preserving analytics (people counting without identification); access-control and audit-trail features in modern VMS platforms; encryption at rest and in transit; role-based access to redacted versus unredacted footage. The 2026 default in EU deployments is anonymous-by-default with identification only on documented lawful basis.

What enforcement actions and case law shape GDPR video-surveillance practice in 2026?

Several large enforcement actions over 2022–2026 have established the operational baseline: Clearview AI fines across multiple EU regulators; the H&M employee-surveillance fine; various retailer fines for excessive CCTV coverage; CJEU rulings on workplace surveillance and proportionality; the Italian Garante actions on smart-city facial recognition. The pattern is consistent: regulators tolerate well-justified, narrowly scoped, transparent deployments and penalise mass collection without specific purpose.

How does the EU AI Act change GDPR-compliant video surveillance?

It adds an overlay on top of GDPR for AI-based video systems: prohibits real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions); classifies many AI surveillance systems as high-risk, triggering documentation, risk-management, and post-market-monitoring obligations; requires transparency and human oversight for systems used for emotion recognition, biometric categorisation, or workplace monitoring. EU operators now need both GDPR and AI Act compliance work for the same deployment.

The compliance question and the engineering question are the same question seen from two sides. A pipeline you cannot inspect is a pipeline you cannot defend to a regulator; a pipeline you can defend to a regulator is one where data minimisation, access control, and audit trails were design constraints rather than afterthoughts.
