Compliance Briefing — EDPB finalizes GDPR guidelines for video device surveillance
The European Data Protection Board adopted Version 2.0 of its Guidelines 3/2019 on processing personal data through video devices on 29 January 2020, clarifying GDPR legal bases, transparency, and retention expectations for CCTV and similar deployments.
Executive briefing: The European Data Protection Board adopted guidance (Version 2.0) on processing personal data through video devices, confirming how GDPR principles apply to CCTV, dashcams, smart doorbells, and workplace monitoring.
What changed
- Clarified acceptable lawful bases, emphasizing legitimate interests assessments and the limited use of consent for public-area surveillance.
- Expanded examples of proportionality, minimization, and retention, including masking/blacklisting and short default storage periods.
- Reinforced transparency duties: layered notices near cameras, controller identification, contact details, and links to full privacy information.
- Outlined DPIA triggers such as large-scale monitoring of publicly accessible areas or systematic observation of employees.
Why it matters
- Sets EU-wide expectations for signage, retention, and access controls that many local regulators already enforce in CCTV investigations.
- Highlights high-risk monitoring scenarios that require DPIAs and possibly prior consultation with supervisory authorities.
- Guidance applies beyond fixed CCTV to doorbells, drones, and vehicle cameras that capture bystanders.
Action items for operators
- Review existing camera deployments against the guidelines; shorten default retention windows and document minimization controls such as masking and restricted viewing.
- Refresh on-site notices to include controller identity, contact, purpose, and links/QR codes to full privacy information.
- Conduct DPIAs for high-risk monitoring (public areas, workplaces, biometric features) and record legitimate interest assessments for each deployment.