CCTV and Data Protection Legislation – Here’s What You Need to Know

The General Data Protection Regulation (GDPR) applies from 25th May 2018. It has general application to the processing of personal data in the EU, setting out more extensive obligations on data controllers and processors, and providing strengthened protections for data subjects.

CCTV footage, dashcams, drones and videos leave the area of data protection fraught with complexity. Article 4 of the GDPR defines personal data as any information related to an ‘identified or identifiable natural person’. So if a person is identifiable from a piece of footage, it is deemed personal data. The person or company that holds that information is considered the ‘Controller’ of that data and is bound by legal obligation as to the security and retention of that data. In other words, how are you storing that information and for what purpose?

Using CCTV in a commercial environment is perfectly legal and few businesses now operate without one. However, the public must be made aware that they are being recorded, the reason for the recording and who is recording them. Any individual has the right to access the recording as the data subject.

So if you are the owner or manager of a commercial premises or building and you have CCTV installed, the following applies:

1. You are the legal entity which controls the data.

2. You have extensive obligations as a controller under the Data Protection Act.

3. You should have a CCTV Policy.

4. Clearly state why you have CCTV installed. Having stated why you have it installed, you cannot then use it for another purpose. For example, if you have CCTV installed for security reasons, you cannot use it in an employee disciplinary issue.

5. Clearly notify the public and your employees as to the existence of CCTV and its use.

6. Clearly state how long you retain footage. If an accident occurs, be clear that you will isolate that footage and keep it for a longer period.

7. Clearly state who is the controller of the data and how they can be contacted.

8. CCTV should not be installed where employees legitimately expect that their privacy will not be impacted, e.g. rest rooms, bathrooms, changing rooms etc.

9. CCTV can be used in a case of employee gross misconduct, but for this purpose only, on a case-by-case basis, and only for a legitimate purpose greater than the data subject.

10. Should a third party or legal entity request footage from your CCTV, it should be in writing and such written requests should be kept and recorded.

11. If a data subject requests footage of themselves, they should receive it without delay, no later than one month. If the material is deleted they should be informed, and no such footage should be deleted until the subject has received their data, detailing why it was kept and if it was shared with a third party. If other subjects appear in the footage, it is the responsibility of the controller to redact other subjects so they are not identifiable.

12. Biometric and facial recognition processing, and accordingly the data processed, is categorised as a “special category” of personal data subject to the requirements of the GDPR, which sets out further conditions to provide for the lawful processing of the data. Any processing of biometric data should be considered as separate to the regular usage of the CCTV system, and a data controller engaging in such processing must take all steps to ensure that it is compliant with the data protection legislative frameworks.

If you would like further information on TICCbox please contact Bridget at bridget@ticcbox.com