
EDPB finalizes GDPR guidelines for video device surveillance

The European Data Protection Board finalized guidelines on video surveillance under GDPR. Key takeaway: legitimate interest is not a free pass—you need proper signage, data protection impact assessments for high-risk setups, and clear retention limits.

Verified for technical accuracy — Kodi C.


The European Data Protection Board adopted Guidelines 3/2019 Version 2.0 on processing personal data through video devices on 29 January 2020, establishing definitive GDPR compliance requirements for video surveillance deployments. The guidelines clarify legal basis requirements, transparency obligations, data minimization principles, and retention limitations applicable to CCTV systems, dashcams, doorbell cameras, drones, and any device systematically capturing images of identifiable individuals. Organizations operating video surveillance systems must review deployments against these guidelines and implement necessary compliance measures.

Scope and Applicability

The guidelines apply comprehensively to video processing by any controller subject to GDPR, regardless of the technology or device type used. Traditional CCTV installations, body-worn cameras, vehicle dashcams, video doorbells, drones with cameras, and retail analytics systems all fall within scope when they capture images of identifiable individuals. The guidance confirms that even brief or incidental video capture is personal data processing requiring full GDPR compliance.

The household exemption receives detailed analysis, with the EDPB clarifying its narrow applicability for consumer video devices. Doorbell cameras and similar devices capturing public spaces, neighboring properties, or areas beyond the household's private domain may exceed household exemption boundaries. Individuals using such devices without recognizing their controller obligations face potential regulatory action and private claims from affected neighbors or passersby.

The territorial scope extends to video devices capturing individuals within the EU regardless of where the controller is established. Cloud-connected cameras uploading footage to servers outside the EU must comply with GDPR requirements including international transfer safeguards. Smart home device manufacturers and cloud service providers enabling video processing share accountability for compliance.

The guidelines examine the available legal bases for video surveillance, establishing that legitimate interest typically serves as the primary basis for commercial and organizational deployments. Controllers must conduct and document legitimate interest assessments (LIAs) demonstrating the necessity of the processing, balancing it against data subject interests and rights, and setting out the safeguards applied. The LIA must be completed before surveillance begins and documented for regulatory review.

Consent faces significant limitations as a legal basis for video surveillance. In public areas where individuals cannot meaningfully choose to enter monitored spaces without significant detriment, consent cannot be freely given. Similarly, employment contexts involve power imbalances that undermine consent validity for workplace monitoring. Controllers should not rely on consent for surveillance where alternative routes or genuine choice are unavailable to data subjects.

Legal obligation may serve as a basis where specific national laws mandate video surveillance for particular contexts such as banking premises or critical infrastructure. However, controllers must verify that national requirements comply with GDPR proportionality principles even when surveillance is legally required. Mandatory surveillance does not exempt controllers from other GDPR obligations including transparency and data minimization.

Public interest bases apply primarily to public authorities exercising official functions, with limited applicability for private sector surveillance. The guidelines emphasize that public interest cannot be unilaterally asserted by private controllers seeking to justify surveillance for general security purposes.

Proportionality and Data Minimization

Controllers must justify surveillance scope against legitimate purposes, demonstrating that video monitoring is necessary and proportionate to achieve stated objectives. Alternative measures that could achieve the same purposes with less privacy intrusion should be considered and documented in the legitimate interest assessment. Surveillance should represent the least intrusive effective measure rather than a default security approach.

Continuous 24-hour recording requires stronger justification than event-triggered or time-limited capture. Controllers should evaluate whether round-the-clock monitoring is necessary or whether scheduled recording during high-risk periods would adequately address security concerns. Technical capabilities enabling continuous recording do not justify their use without documented necessity.

Camera positioning and configuration should minimize capture of non-essential areas. Cameras should be directed to cover areas requiring monitoring while excluding adjacent spaces not relevant to surveillance purposes. Technical measures such as privacy masking can obscure windows, neighboring properties, and public sidewalks that fall within camera view but are not legitimate monitoring targets.

Audio capture faces heightened scrutiny as particularly intrusive processing. Video systems with audio capability should disable audio recording by default, enabling sound capture only where specifically justified by documented security or safety requirements. Audio monitoring of conversations in workplaces or public spaces raises significant proportionality concerns that most organizations will struggle to justify.

Transparency and Data Subject Rights

Layered transparency approaches address the practical challenges of providing full privacy information at monitoring locations. First-layer notices should appear at points of entry to monitored areas, identifying the controller, stating surveillance purposes, and directing individuals to complete privacy information. These notices must be clearly visible before individuals enter monitored zones.

Complete privacy information must be accessible through the contact details or references provided in first-layer notices. This second-layer information should include controller identity and contact details, data protection officer contact information where applicable, processing purposes and legal basis, legitimate interests where relied upon, categories of recipients, international transfer information, retention period, data subject rights, and supervisory authority complaint rights. QR codes linking to online notices can supplement physical signage efficiently.

Data subject rights including access, rectification, erasure, and objection apply to video surveillance footage. Controllers must establish processes for responding to data subject requests within GDPR timeframes. Access requests for video footage may require identity verification to prevent disclosure to unauthorized individuals, and may involve considerations of third-party data protection where footage includes other individuals.

Retention and Security Requirements

The guidelines establish expectations for short retention periods, typically suggesting maximum retention of days rather than weeks absent specific justifications. Extended retention requires documented necessity for particular purposes such as ongoing investigations, pending legal proceedings, or regulatory requirements. Default retention configurations should implement the shortest period consistent with processing purposes.

Automatic deletion mechanisms should enforce retention policies without relying on manual processes prone to oversight or inconsistent application. Technical controls must ensure footage is irreversibly deleted when retention periods expire. Affected controllers should document the rationale for the retention period of each surveillance deployment and implement a technical architecture that enforces the policy.

Security requirements under GDPR Article 32 apply to video surveillance systems including footage transmission, storage, and access. Encryption should protect footage both in transit and at rest. Access controls must limit footage viewing to authorized personnel with documented need. Audit logging should record who accessed footage, when, and for what purpose. Remote access to live feeds or recorded footage requires particular security attention given increased exposure risks.
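As an added illustration of the retention and audit expectations above (not code from the EDPB or from this briefing), the following Python sketch enforces a per-deployment retention period with automatic deletion, exempts footage under a documented legal hold, and records who deleted what, when and why. The data model, deployment names, retention figures and the "retention-job" actor are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed data model; field names are this example's own, not the guidelines'.
@dataclass
class RetentionPolicy:
    deployment: str
    retention_days: int
    rationale: str            # documented necessity for this period (days, not weeks)

@dataclass
class Segment:
    segment_id: str
    deployment: str
    recorded_at: datetime
    legal_hold: str = ""      # case reference when kept for an ongoing investigation

def select_expired(segments, policies, now):
    """Ids of segments past their deployment's retention and not on legal hold."""
    by_deployment = {p.deployment: p for p in policies}
    expired = []
    for s in segments:
        if s.deployment not in by_deployment:
            raise ValueError(f"no documented retention policy for {s.deployment}")
        if s.legal_hold:
            continue   # extended retention: justified and traceable to a case
        if now - s.recorded_at >= timedelta(days=by_deployment[s.deployment].retention_days):
            expired.append(s.segment_id)
    return expired

def enforce_retention(segments, policies, now, audit_log):
    """Drop expired segments, writing one audit entry per deletion (who, when, why)."""
    expired = set(select_expired(segments, policies, now))
    kept = []
    for s in segments:
        if s.segment_id in expired:
            audit_log.append({"at": now.isoformat(), "actor": "retention-job",
                              "action": "delete", "segment": s.segment_id,
                              "purpose": "retention period expired"})
        else:
            kept.append(s)
    return kept   # the real job would also purge the file from storage

# Constructed sample: car park camera kept 7 days, cash office 30 days with rationale.
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)
POLICIES = [RetentionPolicy("carpark", 7, "incident review window"),
            RetentionPolicy("cash-office", 30, "insurer requires 30 days for claims")]
SEGMENTS = [Segment("cp-001", "carpark", NOW - timedelta(days=8)),
            Segment("cp-002", "carpark", NOW - timedelta(days=2)),
            Segment("cp-003", "carpark", NOW - timedelta(days=20), legal_hold="CASE-42"),
            Segment("co-001", "cash-office", NOW - timedelta(days=20))]
```

Running the job against the sample deletes only the eight-day-old car park clip; the clip on legal hold and the cash office footage within its justified 30 days are kept, and the deletion is logged.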

Data Protection Impact Assessments

DPIAs are mandatory under GDPR Article 35 for large-scale monitoring of publicly accessible areas, systematic workplace monitoring, and video processing involving biometric identification such as facial recognition. The guidelines clarify DPIA triggers and emphasize that video surveillance of employees generally requires prior assessment given the systematic nature and power imbalances involved.

DPIA documentation should address surveillance necessity and proportionality, technical and organizational safeguards implemented, residual risk assessment after safeguards, and stakeholder consultation where appropriate. High residual risks identified through DPIA may require supervisory authority consultation under Article 36 before deployment proceeds.

DPIA review should occur when processing operations change significantly, when new risks emerge, or at regular intervals for ongoing surveillance. Changes in camera positioning, retention periods, access controls, or processing purposes should trigger DPIA reassessment to ensure continued compliance.

Cited sources

  1. Guidelines 3/2019 on processing of personal data through video devices (Version 2.0) — European Data Protection Board
  2. EDPB Guidelines and Recommendations — EDPB
  3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization