Video surveillance (CCTV): lawful basis and proportionality
CCTV that captures images identifying people is processing personal data and must comply with the GDPR and, if applicable, the LED. The usual lawful basis is legitimate interests (Article 6(1)(f)), not consent, and relying on it requires a balancing test. Whether footage is biometric data depends on purpose - it is biometric data only if used to uniquely identify someone. The ECtHR cases Antović and Mirković v Montenegro and López Ribalda v Spain show how the proportionality test plays out. The EDPB's Guidelines 3/2019 govern signage, retention and design.
For practical reasons a controller is unlikely to rely on consent for CCTV; lawfulness is typically based on legitimate interests (Article 6(1)(f)), or in specific cases a task in the public interest or official authority. When relying on legitimate interest, a balancing exercise must check the CCTV does not override the rights and freedoms of those captured.
An image is biometric data only when used to uniquely identify an individual - that depends on the purpose of processing. CCTV with biometric (facial) recognition installed by private entities for their own purposes (marketing, statistics, even security) will in most cases require explicit consent from all data subjects under Article 9.
- Use CCTV only if less-intrusive solutions (better lighting, alarms, armoured doors, access cards) are inapplicable or inadequate
- Proportionality extends to the choice of technology (is zoom, facial recognition or sound-recording necessary?)
- The legitimate interest must be real and existing - the mere possibility of vandalism with no demonstrable incidents may not suffice
- Consider data subjects' reasonable expectations - no monitoring of toilets or changing rooms; monitoring of parking lots or malls is more expected
| Case | Facts | Outcome |
|---|---|---|
| Antović and Mirković v Montenegro | University CCTV in lecture theatres to protect property | Violation of right to private life (lecturers won), but only a 4:3 majority - showing how hard the proportionality test is |
| López Ribalda v Spain | Supermarket used visible and covert cameras at tills to investigate losses; staff told of visible cameras only | No violation of Article 8; failing to inform of hidden cameras breached Spanish law but a significant interest could justify it; informing is just one factor |
| DPIA trigger |
|---|
| The video surveillance is considered high risk |
| Systematic monitoring of a publicly accessible area on a large scale |
| Processing special categories of data on a large scale |
| It is on the supervisory authority's list of operations requiring a DPIA |
The EDPB states the longer the retention period - especially beyond 72 hours - the more argumentation for the legitimacy of the purpose and necessity of the storage time is required. Damage is typically recognisable within one or two days.
For transparency, signage may be layered. The first-layer warning sign gives the purpose, controller identity, contact details, the existence of data subject rights and the greatest impacts (e.g. sharing with third parties). The second layer gives the full Article 13/14 details, made easily accessible - for example via a QR code link. CCTV footage is subject to the Article 15 right of access, with others' images blurred to protect their privacy.