Camera surveillance and observation under the GDPR

  • Observation & Control
    April 01 2018

    In our previous blog post, ‘Your access management under control, even after May 25th’, we wrote that you are allowed to install cameras in and around your business location(s) in some situations, such as if this is necessary to protect your corporate interests. For example, you may need to protect the safety of the staff on site, keep unauthorised individuals from accessing restricted areas or prevent theft. Under the GDPR, the way in which these recordings are made, used and shown, has to meet several requirements. Which other aspects do you have to keep in mind as an organisation? 


    Is registration via camera footage really necessary?

    The most important question is also quite an easy one: what is the reason for your organisation to use camera surveillance? This question is essential in order to whether doing so is allowed. When you use camera surveillance, you process personal data. This requires a legitimate purpose and grounds. You must be able to demonstrate that installing security cameras is necessary for the intended purpose to be achieved. Camera surveillance may only be used if there is no other way to realise said purpose. Furthermore, camera surveillance must be one of several security measures; it cannot be used on its own. You are required to record these considerations in a Privacy Impact Assessment.

    Limit the breach of privacy

    You have to comply with the basic principles of the GDPR. That means you cannot install more cameras than strictly necessary and you must keep the area under surveillance as small as possible. For example, a camera intended to secure a parking lot that also captures footage of a large part of the surrounding area does not meet this requirement. Many types of cameras have software that enables you to blur certain areas so that these are not recorded.

    You also need to determine whether it is truly necessary to have the cameras recording 24/7. This is often not the case. It is also important to restrict the number of people with access to the camera footage. The relevant monitors are sometimes installed in a publicly accessible area, which means unauthorised individuals can also view the footage. Furthermore, you are not allowed to record audio along with the video footage, because this is not necessary for the purpose of camera surveillance. Lastly, you cannot use the footage for any other purpose than what it was recorded. For example, you are not permitted to call out an employee on the duration of their smoking breaks by using camera footage that was recorded to prevent shoplifting.

    Inform your employees, visitors and suppliers 

    Organisations are required to inform employees, visitors and suppliers about their use of camera surveillance. This usually involves more than just a notice at the entrance. It is important to refer to an employee manual or a webpage that contains more information, so you can properly inform those involved on their rights in this matter.

    Storage period of camera footage 

    You are obligated to define a set storage period for the storage of personal data, including camera footage. The legal limit is no more than four weeks. However, organisations are not permitted to store camera footage any longer than strictly necessary, so blind adherence to that legal limit is not allowed either. Once again, the purpose of the footage must be defined and recorded beforehand. If an incident, e.g. a theft, has been recorded, an organisation may store the footage in question until the theft has been fully resolved.

    Your camera surveillance managed by Nsecure

    When an organisation makes use of our observation services, which involve remote surveillance from a control room and the inspection and monitoring of several (client) locations, there are several conditions to keep in mind. Observation has a significant impact on people’s freedom of movement and privacy. Tracking a person as they move through a building or go for a walk, goes beyond merely registering information. Furthermore, this service is usually outsourced to a third party. In that case, you are required to draw up a processing agreement in which you record the agreements and purposes of the camera surveillance.

    Our people remotely monitor the security at our clients’ locations from the Nsecure Observation Room, both during the day and at night. This means that your access authorisation and camera surveillance are handled from one central location. Whereas traditional security solutions require constant management, Nsecure uses smart systems to take action without immediately incurring more costs – all in accordance with your compliancy requirements.

    Would you like to know more?

    Together with Privacy Management Partners, Nsecure works with you to find ways to become GDPR-compliant without disrupting your operations. Over the course of the next few weeks, we will be publishing a series of articles about the GDPR in relation to access control. If you want to stay up to date or learn more about this subject, please follow us on LinkedIn or Twitter or contact us via 

    Meer over dit onderwerp


    • Observation & Control

    Security Management moet hoger op de directieagenda

    Lees de blog van Hans van Driel (directeur Nsecure).

    Case studies

    S.B.V. Excelsior Rotterdam

    Slim gebruik van data dankzij efficiente toegangscontrole

    088 - 123 9000