Module 8 · CCTV / video surveillance & Guidelines 3/2019
CCTV footage contains personal data and images may be biometric data. Compliance turns on lawfulness (often legitimate interest; consent is usually not feasible), a DPIA (needed in almost all cases, especially large-scale systematic monitoring of a publicly accessible area), prior checking in some countries (e.g. France), proportionality, information provision (signage) and individual rights. The reference text is EDPB Guidelines 3/2019 on video devices.
CCTV footage contains personal data, and images may be biometric data. The lawful basis is usually legitimate interest or a public-interest task; consent is usually not feasible. A DPIA is required in almost all cases, especially systematic monitoring of a publicly accessible area on a large scale - consider less-intrusive alternatives first.
- Prior checking - some countries (e.g. France) require notifying or getting authorisation from the regulator.
- Proportionality - avoid unnecessary zoom, facial recognition or sound; minimise irrelevant areas; limit retention; respect areas of high privacy expectation.
- Information provision - signage, with full information available on request.
- Individual rights - e.g. access to footage, though short retention usually narrows access.
- Protective measures - training, a CCTV policy, and reviews.
The data-protection considerations include prior checking, lawfulness, proportionality, individuals' rights and information provision - the raw duration of the clip itself is not one of them (retention is, but not clip length). See EDPB Guidelines 3/2019.