GDPR For Video Surveillance Guide

By: Charles Rollet, Published on Apr 12, 2018

The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, but there is much confusion and no clear guidelines on exactly how these new regulations will impact the video surveillance industry.

We have compiled the following guide, based on our own research into the primary sources for the regulation as well as numerous discussions, covering the following:

  • GDPR basics
  • Surveillance industry concerns
  • New regulations / no legal precedent
  • GDPR terms defined
  • Public signage requirements
  • Design concerns
  • Impact on recording video
  • Usage of biometrics / facial recognition / gender / age recognition
  • Dealing with data requests from people
  • Dealing with cybersecurity / vulnerabilities
  • Who has 'exceptions' to the GDPR
  • Do I need to get certified?
  • Do I need to hire a Data Protection Officer?
  • Do DPOs need a certification or some sort of qualification?

When finishing this guide, you should be able to answer our 10 question quiz on GDPR.

GDPR Basics And Industry Concerns

The GDPR regulates all companies processing the personal data of people in the EU, regardless of where the company might be based. Because video footage of someone is considered their data, the video surveillance industry is directly impacted by the GDPR.

The GDPR gives data subjects in the EU significant new rights to access and remove their data while imposing restrictions on how this data can be collected. But the GDPR itself makes no mention of how it applies to video surveillance and threatens tough penalties on misconduct.

Surveillance Industry Concerns

That has led to a significant amount of uncertainty and fear for video surveillance, an industry where unprepared companies could find themselves subject to big fines. GDPR provisions like the right of people to request their data be removed or the need to obtain consent from data subjects also raise significant logistical hurdles in video surveillance, especially in areas like Artificial Intelligence / AI / Deep Learning where attempts are made at categorizing people by face, age, gender and ethnicity.

Warning  - Regulations New / Imprecise / No Legal Precedent

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Before reading this guide, you should be aware of the following factors:

  1. GDPR regulations are imprecise and can be interpreted in a number of ways. Most importantly, the GDPR makes no explicit mention of video surveillance, so we have yet to see exactly how GDPR regulations will be applied to the security industry.
  2. The GDPR only goes into effect on May 25th, so there are no legal precedents we can refer to in order to interpret its regulations.
  3. Despite 1 and 2, manufacturers, consultants, and many others often claim to provide fully accurate insights GDPR compliance, something which can require paying them substantial fees. Taking their advice at face value may present risks, so we have compiled our guide using primary EU documents to the fullest extent possible rather than the opinions of third parties.

GDPR Terms

First, to get a better idea of how the GDPR affects video surveillance, here are some key GDPR terms, discussed in more detail below:

  • Data controllers
  • Data processors
  • Data subjects
  • Biometric data

Data Controllers - Video Surveillance End Users

Data controllers are the companies most directly affected by the GDPR; most of the GDPR’s compliance burden falls on data controllers. But what is a data controller? According to the GDPR, they “determine the purposes and means of the processing of personal data.” In the video surveillance context, data controllers are end users: a shopping mall equipped with a security camera system, for example, is the controller of the video surveillance data it collects. (Note: Companies that keep personal data on their employees are also considered data controllers of this specific data too, so many if not all companies are “data controllers” in this narrow respect.)

Data Processors - Cloud / VSaaS, Possibly Integrators

Data processors are the companies that process personal data on behalf of data controllers. In video surveillance, cloud providers storing personal data on behalf of an end user are likely to be considered data processors. Integrators or manufacturers could also be considered data processors if they directly handle video recording data on behalf of the end user. For example, if an integrator accesses an end user’s video recording data for maintenance purposes, the integrator may be considered a data processor under the GDPR.

Data Subjects - People

These are the people being recorded on camera. The GDPR creates a host of new rights for data subjects.

Biometric Data Defined

Any techniques which “uniquely [identifies] a natural person”. Video analytics techniques like facial or age recognition fall under this category.

Surveillance Design / Technology Considerations

Below, we outline the GDPR's likely impact on these key areas:

  • Public signage
  • Data Protection Impact Assessments
  • Storage durations
  • Use of biometric data (face/gender/age)
  • Data requests
  • Cyber security/vulnerability reporting
  • Anonymization/privacy masking
  • Encryption requirements

Public Signage More Important

Because the GDPR strengthens existing EU privacy laws regarding transparency guidelines mainly in Articles 12 and 13, it is more important than ever for surveillance companies to inform the public if they are recording video of them. This can be done with a sign telling people that they are being watched by cameras with any relevant contact information so data subjects can follow up.

While consultants are advising that end users at the very least put up signs indicating that video surveillance is taking place, in Article 13 the GDPR actually goes further and says the following details should also be included (“Information to be provided where personal data are collected from the data subject”):

  • The identity and contact details of the data controller
  • “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”
  • “The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”
  • Informing data subjects of their “right to lodge a complaint with a supervisory authority”
  • The existence of the right to request access, rectification, and removal of the data

And, if applicable, also state:

  • The contact details of DPO, if you have one
  • If the data will be transferred to another country, the relevant safeguards in place
  • Recipients of the personal data (if other than the end user)
  • “the existence of automated decision-making, including profiling... and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” (this would likely apply to things like facial recognition or other biometric techniques)

End users should also ensure all this is all clearly visible and in plainly written.

Additional Design Requirement / Data Protection Impact Assessment

The GDPR imposes new design requirements as well. In the case of “systematic monitoring of a publicly accessible area on a large scale,” Article 35 of the GDPR requires that a “data protection impact assessment” (DPIA)  to be conducted before any system is installed, including:

  • “a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller”
  • “an assessment of the necessity and proportionality of the processing operations in relation to the purposes”
  • “an assessment of the risks to the rights and freedoms of data subjects”
  • “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”

DPIAs must be conducted by data controllers prior to any processing operation takes place. The EU’s Article 29 Working Group has specified that although there is no requirement for DPIAs to be published by data controllers publicly, it recommends publishing at least a summary of the DPIA as a best practice. Exactly where it should be published is undefined (publicly posted, website, local newspaper, etc).

Additionally, “where a DPIA reveals high residual risks, the data controller will be required to seek prior consultation for the processing from the supervisory authority”.

No Defined Storage Durations

The GDPR has no set limits on how long data should be stored but states that data should not be kept any longer than is necessary for its original purposes. The GDPR only allows longer storage periods for “public interest, scientific, or historical research purposes” (Article 5) An end user that indefinitely stores its video recordings is likely in violation of the GDPR unless it can prove it is acting according to these reasons.


Usage Of Biometric Data Generally Prohibited (Face/Gender/Age)

All of these are considered highly sensitive data gathering techniques and are prohibited by Article 9 of the GDPR.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. [emphasis added]

The Exception to Biometric Prohibition

However, the GDPR recognizes a number of exceptions to this prohibition. For video surveillance, the relevant exception is the vaguely-termed “reasons of substantial public interest.” Individual EU member states are currently defining what these public interest reasons actually mean. So far they are mostly related to law enforcement and crime prevention.

For example, under the GDPR, a shopping mall would likely be prohibited from using facial recognition on its cameras to identify ever shopper walking through their mall. A shopping mall could conceivably use facial recognition technology installed generally as long as it is deemed by the EU member state to be:

  • “necessary for reasons of substantial public interest”
  • “proportionate to the aim pursued”
  • respectful of the “the essence of the right to data protection”
  • provides “suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

So a shopping mall using face recognition to catch shoplifters only may or may not be deemed to be within GDPR constraints depending on the EU state’s interpretation of the aforementioned points. However, a mall using face recognition on all shoppers with no particular public interest goal would likely be in breach of the GDPR. (All quotes are from section 2(g) of Article 9)

Dealing With Data Requests From Subjects

Articles 12-22 of the GDPR gives data subjects extensive rights to their own data, including the right to obtain all personal data collected about them and the right to request that this data be deleted (“the right to be forgotten”) These services must be provided by companies free of charge. Video surveillance companies, in particular, must be careful not give away others' personal data when they comply with such requests, for example by providing video to a data subject that identifies other people as well.

Given the huge scope of video recording, there are understandable concerns from the surveillance industry that these rights will be impossible to comply with in practice.

However, these rights have important qualifications that would likely apply in the case of video surveillance, explains Jon Baines, chair of the National Association of Data Protection and Freedom of Information Officers and Data Protection Advisor at Mishcon de Reya LLP. For one, the GDPR states that if the request is too vague and the end user “is not in a position to identify the data subject” it is not obligated to comply. Companies can also deny or charge fees for requests that are “manifestly unfounded or excessive.” End users are also not obligated to comply if the data was collected in the public interest, something likely to apply to video surveillance of public places. Any denial of a request to a data subject must be explained.

Companies also have one month to respond to such requests from data subjects. Since most video surveillance data is kept for less than a month, this means many requests for video surveillance data will likely be impossible. The one month period is also a potential loophole that end users can exploit to deny information requests. Exploiting such a loophole may be risky since it could be interpreted as violating the spirit of the GDPR, but that has not stopped some we have spoken to from saying they plan on using it.

Dealing With Cyber Security / Vulnerabilities

The GDPR strictly regulates data breaches. Breaches must be reported if they “pose a risk to an individual’s rights and freedoms." It does not matter if those freedoms are actually breached or not, the risk just needs to be there.

Data controllers have 72 hours to inform their country’s data protection authority about the breach and if the breach directly affects certain data subjects, it must inform them as well. However, if the data controller has effective encryption measures in place or ensures the risk is no longer likely to materialize, it is not obligated to inform data subjects of any risk to their personal data. If informing every data subject of a breach is logistically difficult, the GDPR also allows “a public communication or similar measure” to be issued.

Data processors also must report data breaches to their data controllers, although the GDPR does not specify a time limit in those cases.

It is unclear if manufacturers that have suffered data breaches before would be affected by these provisions of the GDPR. The breach regulations only apply to data controllers and processors, and we do not know yet if manufacturers (who do not directly handle the personal data of people in the EU) will fall under those categories, except for cloud providers, which is likely considered data processing. 

The GDPR has no provisions stating whether data breaches will be publicly announced by supervisory authorities or not. At the very least, this information will likely be available for people to request according to EU freedom of information guidelines. 

When Is Anonymization/Privacy Masking Required?

The GDPR’s Article 25 mandates the “pseudonymisation and encryption” of data to ensure that data protection is “by design and by default.” Because of these caveats, it seems the GDPR more encourages than mandates this. In video surveillance, pseudonymisation (i.e. anonymization) would most likely mean masking or blurring the faces of data subjects.

The GDPR does not explicitly state when anonymization is required. However, as explained in Article 25, the goal of the GDPR is that “only personal data which are necessary for each specific purpose of the processing are processed”. This means that subjects outside of the specific, original intent of the camera should not be recorded (e.g., subjects walking in the background of a scene) or should be anonymized. 

What Encryption Is Required?

The GDPR describes effective encryption methods as “those that render the personal data unintelligible to any person who is not authorized to access it.” However, it is unclear exactly what this means in video surveillance. It likely implies users should employ very basic security methods, such as complex passwords, account lock out, etc, to avoid unauthorized access. More advanced methods such as streaming video via HTTPS or TLS tunnels are likely not required, but applicable.

Do I Need To Hire A Data Protection Officer?

There is some concern that every company which processes the data of people in the EU will need to hire a full-time Data Protection Officer to independently ensure the company’s data policies are GDPR-compliant.

The EU Commission has stated that if a company’s “core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals” it should have a DPO. A DPO is mandatory, for example, for “a security company responsible for monitoring shopping centres and public spaces,” the EU Commission states.

It thus seems quite likely that end users which monitor large public spaces will need DPOs. However, neither the EU Commission nor the GDPR defines what “large scale” actually means. Additionally, DPOs can be outsourced from other companies and can even be a staff member from the firm’s own ranks; they can work part-time as well.

Do DPOs Need Certification Or Other Qualifications?

Nowhere in the GDPR is it stated that DPOs need any sort of formal certification or qualification.

The EU's Article 29 Working Party (an official EU advisory body) published some guidelines on DPOs in December and stated that "DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.” It also notes that "the required level of expertise [of a DPO] is not strictly defined but it must be commensurate with the sensitivity, complexity and amount of data an organisation processes."

So far, Spain’s Data Protection Authority is the first and only EU country to release a detailed DPO certification scheme which includes a four-hour exam and a minimum amount of work experience (or, if the DPO has no work experience, at least 180 hours of training.)

Do I Need To Get Certified?

Under the GDPR, any seal or certification schemes are entirely voluntary (Article 42, section 3). Companies like Genetec are currently touting that some of their products are certified as GDPR compliant by third party schemes like EuroPriSe, but such certifications are not mandatory. These certifications are carried out chiefly to reassure clients and for PR purposes. Do not be fooled into thinking any kind of certification is mandatory to be considered GDPR compliant, for end users, integrators, or manufacturers.

Are There Exceptions To The GDPR?

Article 23 of the GDPR grants EU member states the right to restrict many of core GDPR provisions, including the right to be forgotten, the right to obtain information gathered on a data subject, and the need to give detailed and transparent information about what sort of processing is going on. These exceptions include national security, defense, public security, ongoing legal cases, and crime prevention.

It is possible that monitoring of public spaces will be considered as providing public security, exempting surveillance providers from significant burdens. However, we just do not know yet to what extent “public security” applies to video surveillance.

What is clear from Article 23 is that, for example, someone charged with robbing a bank cannot request that the bank remove all video surveillance footage of him under the right to be forgotten, and an individual cannot request counter-terrorism agencies to obtain any video recordings they have of her.


Answer IPVM's 10 question quiz on GDPR.

20 reports cite this report:

Milestone "GDPR-ready" Certification Claim Critiqued on Aug 12, 2019
Milestone is touting that its latest XProtect VMS is "GDPR-ready" with a 'European Privacy Seal'. However, our investigation raises significant...
New GDPR Guidelines for Video Surveillance Examined on Jul 18, 2019
The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines. While GDPR has been in...
First Video Surveillance GDPR Fine In France on Jul 08, 2019
The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing...
Axis Live Privacy Shield Analytics Tested on Jun 25, 2019
Privacy is becoming a bigger factor in video surveillance, driven both by increased public awareness and by GDPR. Now, Axis has released Live...
Sighthound Transforms Into Enterprise AI Provider Profile on Jun 14, 2019
Sighthound is now rapidly expanding its R&D team, building an enterprise AI service. This may come as a surprise given their origins 6 years...
Security / Privacy Journalist Sam Pfeifle Interview on May 24, 2019
Sam Pfeifle is best known as the outspoken former Editor of Security Systems News. After that, he was publications director at the International...
UK Camera Commissioner Calls for Regulating Facial Recognition on Apr 15, 2019
IPVM interviewed Tony Porter, the UK’s surveillance camera commissioner after he recently called for regulations on facial recognition in the...
How China's Pay By Facial Recognition Works on Apr 02, 2019
Many social media posts have variously celebrated or warned about the growing use of facial recognition for payments in China. An example of one...
Massive Leak Of Chinese VMS Provider Exposes Xinjiang Surveillance on Feb 20, 2019
A subsidiary of China’s claimed largest VMS provider is tracking the precise location and ethnicity of millions in China’s Xinjiang region,...
UK Fines Security Firms For Illegal Direct Marketing on Jan 16, 2019
Two UK security firms have paid over $200,000 in fines for illegally making hundreds of thousands of calls to people registered on a government...
UK: Private Video Surveillance Complaints Down Since GDPR on Jan 09, 2019
The arrival of the GDPR on May 25, 2018, brought fears the law would spark a massive increase in privacy complaints about security camera use....
No GDPR Penalties For UK Swann 'Spying Hack' on Nov 20, 2018
The UK’s data protection agency has closed its investigation into Infinova-owned Swann Security UK, the ICO confirmed to IPVM, deciding to take “no...
French Government Threatens School with $1.7M Fine For “Excessive Video Surveillance” on Nov 14, 2018
The French government has notified a high-profile Paris coding academy that it risks a fine of up to 1.5 million euros (about $1.7m) if it...
Genetec Privacy Protector Tested on Nov 12, 2018
Genetec has built Kiwi Security's Privacy Protector into Security Center, an analytic which anonymizes individuals in cameras' fields of view...
France Political Scandal Reveals Video Surveillance Problems on Aug 22, 2018
In what French media describes as "the most damaging crisis yet for" French President Macron, a political scandal has revealed major gaps in the...
RealNetworks Free School Facial Recognition on Aug 03, 2018
The company that created RealPlayer is moving beyond media delivery and into the security space with a new facial recognition platform they have...
Belgium Bans Private Facial Surveillance on Jul 06, 2018
Belgium has effectively banned the use of facial recognition and other biometrics-based video analytics in surveillance cameras for private,...
GDPR For Access Control Guide on Jul 03, 2018
Electronic access control is common in businesses plus organizations are increasingly considering biometrics for access control. With GDPR coming...
Dahua Products Are Not GDPR Compliant, No Products Can Be on May 29, 2018
Dahua products are neither GDPR-compliant nor certified, contrary to their marketing. The reason is that no products can be, as the EU does not...
Genetec Clearance Face Detection / Redaction Test on May 14, 2018
Privacy regulations such as GDPR (EU Public Privacy), HIPAA (US Medical Privacy), and FERPA (US Student Privacy) are driving video surveillance...
Comments (70) : PRO Members only. Login. or Join.

Related Reports

Security Integrators Outlook On Remaining Integrators In 2025 on Aug 22, 2019
The industry has changed substantially in the last decade, with the rise of IP cameras and the race to the bottom. Indeed, more changes may be...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...
Anyvision Facial Recognition Tested on Aug 21, 2019
Anyvision is aiming for $1 billion in revenue by 2022, backed by $74 million in funding. But does their performance live up to the hype they have...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...
Installation Course - Register Now on Aug 15, 2019
Register Now for the September 2019 Video Surveillance Install Course. This is a unique installation course in a market where little practical...
Biometrics Usage Statistics 2019 on Aug 13, 2019
Biometrics are commonly used in phones, but how frequently are they used for access? 150+ integrators told us how often they use biometrics,...
US Government Ban of Dahua, Hikvision, Huawei Takes Effect Now on Aug 13, 2019
The 'prohibition on use or procurement' of Dahua, Hikvision and Huawei products and 'essential components' take effect today, August 13, 2019, one...
Proactive CCTV "Only Affordable Video Archiving Solution" Profile on Aug 12, 2019
Proactive CCTV is claiming to offer "the only affordable video archiving solution on the market", reducing the storage typically required for H.265...
Milestone "GDPR-ready" Certification Claim Critiqued on Aug 12, 2019
Milestone is touting that its latest XProtect VMS is "GDPR-ready" with a 'European Privacy Seal'. However, our investigation raises significant...
Razberi Technologies Company Profile on Aug 06, 2019
Razberi says they have doubled their revenue in the first half of 2019, citing their proprietary camera hardening and cybersecurity capabilities...

Most Recent Industry Reports

TMA Apologizes to Amazon / Ring on Aug 23, 2019
Not only is Amazon / Ring making major incursions into the residential security market, the organization representing the biggest incumbents, The...
China Dahua Replaces Their Software With US Pepper on Aug 22, 2019
What does a US government banned company do to improve its security positioning in the US? Well, Dahua is unveiling a novel solution, partnering...
Security Integrators Outlook On Remaining Integrators In 2025 on Aug 22, 2019
The industry has changed substantially in the last decade, with the rise of IP cameras and the race to the bottom. Indeed, more changes may be...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...
Anyvision Facial Recognition Tested on Aug 21, 2019
Anyvision is aiming for $1 billion in revenue by 2022, backed by $74 million in funding. But does their performance live up to the hype they have...
JCI Sues Wyze on Aug 21, 2019
The mega manufacturer / integrator JCI has sued the fast-growing $20 camera Seattle startup Wyze. Inside this note: Share the court...
Dahua 4K Camera Shootout on Aug 20, 2019
Dahua's new Pro Series 4K N85CL5Z claims to "deliver superior images in all lighting and environmental conditions", but how does this compare to...
ZK Teco Atlas Access Control Tested on Aug 20, 2019
Who needs access specialists? China-based ZKTeco claims its newest access panel 'makes it very easy for anyone to learn and install access control...
Uniview Beats Intel In Trademark Lawsuit on Aug 19, 2019
Uniview has won a long-running trademark lawsuit brought by Intel, with Beijing's highest court reversing an earlier Intel win, centered on...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact