CCTV Monitoring and the GDPR — How to Operate Video Surveillance in Compliance With the Law
CCTV cameras are standard equipment in offices, shops, warehouses, car parks, and residential estates today. For many organisations, video surveillance seems so obvious that they forget one thing — a CCTV recording is personal data. A person’s image captured on a recording enables identification, which means video surveillance is fully subject to the GDPR.
In Poland, workplace monitoring is additionally regulated by the Labour Code (Article 22²), creating a dual legal framework — the GDPR as the general regulation and the Labour Code as the specific regulation for the employer-employee relationship.
UODO, the Polish supervisory authority, has intervened on multiple occasions regarding CCTV — in both public entities (schools, government offices) and private ones (companies, residential communities). Mistakes in operating CCTV are common and easy to detect — one only needs to enter a building and check whether cameras are marked, whether controller information is displayed, and whether the scope of monitoring is proportionate.
This article explains how to operate CCTV in compliance with the GDPR and the Labour Code — from defining the purpose, through signage and retention, to DPIA and data subject rights.
CCTV as Personal Data Processing
A CCTV recording constitutes personal data within the meaning of Article 4(1) GDPR if it enables identification of an individual — directly (the person's face is recognisable on the footage) or indirectly (in combination with other data, e.g., the entry time matched against an access-card log).
This means the CCTV operator is a data controller and must fulfil all GDPR obligations: define the purpose and legal basis, inform individuals (privacy notice), ensure the security of recordings, define retention periods, fulfil data subject rights, and maintain a record of processing activities (ROPA, Article 30 GDPR).
The EDPB in Guidelines 3/2019 on the processing of personal data through video devices discussed in detail the principles for operating CCTV in the GDPR context.
Purposes of Monitoring — What Is Permissible?
Workplace Monitoring (Article 22² of the Labour Code)
The Labour Code permits workplace CCTV only where it is necessary for one of four purposes:
1. Ensuring employee safety — protecting the life and health of employees, e.g., monitoring production halls, hazard zones.
2. Protecting property — prevention of theft, vandalism, break-ins. This covers both employer property and employee property (e.g., car parks, or changing rooms subject to the location restrictions described below).
3. Production control — monitoring production processes to ensure quality. This does not mean monitoring employee productivity — it concerns the technological process.
4. Keeping information confidential — protecting information whose disclosure could expose the employer to harm: trade secrets, sensitive data. E.g., monitoring server rooms, archives, laboratories.
What is NOT permitted: Workplace CCTV must not be used to monitor employee productivity (how much time they spend at their desk, how often they take breaks). Such use violates the proportionality principle and employee dignity.
Monitoring Outside the Workplace
For CCTV unrelated to the employment relationship (e.g., shop, car park, residential estate monitoring), the legal basis is typically the controller’s legitimate interest (Article 6(1)(f) GDPR) — e.g., property protection, ensuring personal safety. This requires a Legitimate Interest Assessment (LIA).
Public entities (government offices, schools) rely on Article 6(1)(e) GDPR (task carried out in the public interest) in conjunction with the relevant statutory provisions.
Location Restrictions — Where Cameras Must NOT Be Placed
The Labour Code (Article 22² §§ 1¹ and 2) excludes the following premises from monitoring:
Sanitary facilities — toilets, bathrooms, showers.
Changing rooms — cloakrooms, locker rooms.
Canteens — dining areas, employee kitchens.
Smoking rooms — designated smoking areas.
Trade union premises — offices of trade union organisations.
Exception: Trade union premises are excluded outright (§ 1¹). For the other four categories (§ 2), monitoring is permitted only if it is necessary to achieve one of the four permitted purposes and does not violate employee dignity or other personal rights, in particular through techniques that prevent the persons present from being recognised (face masking, blurring). Monitoring of sanitary facilities additionally requires the prior consent of the company trade union organisation or, where there is none, of employee representatives elected in the manner adopted at the employer. In practice, this exception is applied extremely rarely and requires particularly careful justification.
Outside the workplace — analogous restrictions arise from the GDPR’s proportionality principle. Areas where individuals have a reasonable expectation of privacy (shop fitting rooms, public toilets) must not be monitored.
Recording Retention Period
Workplace (Labour Code)
Article 22² § 3 of the Labour Code provides that monitoring recordings shall be retained for a period not exceeding 3 months from the date of recording.
Exception: If a recording constitutes or may constitute evidence in proceedings conducted under law, the retention period is extended until the proceedings are finally concluded.
Important: 3 months is the maximum period. If the monitoring purposes do not require such lengthy retention, the controller should set a shorter period. The storage limitation principle in Article 5(1)(e) GDPR requires that data not be stored longer than necessary.
Outside the Workplace
For monitoring unrelated to the employment relationship, the GDPR does not specify a particular period — the controller determines it based on the monitoring purpose and proportionality. In practice, periods range from 7 days to 3 months, depending on the nature of the premises and the risk.
The EDPB in Guidelines 3/2019 indicates that recordings should in most cases be erased, ideally automatically, after a few days. The longer the storage period, and in particular anything beyond 72 hours, the more argumentation the controller must provide for the legitimacy of the purpose and the necessity of storage (e.g., premises with elevated theft risk). A longer period therefore requires documented justification.
Information Obligation for CCTV
Individuals entering a monitored area must be informed about the monitoring. The EDPB recommends a layered approach, with information provided at two levels:
Level 1: Signage Marking the Monitored Area
Visible signs must be placed before entry into the monitored area. The EDPB recommends that signs include:
A camera pictogram — a clear symbol indicating monitoring.
Controller information — who operates the monitoring (company/institution name).
Monitoring purpose — e.g., “Monitoring operated for property protection purposes.”
DPO contact details — if designated.
Reference to full information — e.g., “Full privacy notice available at reception / on the website.”
Signs must be placed before entry into the monitored area — not inside, when the person is already being recorded.
Level 2: Full Privacy Notice (Article 13 GDPR)
A full privacy notice — containing all elements required by Article 13 GDPR — must be easily accessible. It may be displayed: at reception, at the building entrance, on the website, or in the premises’ regulations.
The notice must include: the controller's identity and contact details, DPO details, the purpose and legal basis of monitoring (including the legitimate interest pursued, where Article 6(1)(f) is relied on), the recording retention period, recipients of recordings, data subject rights (access, erasure, restriction, objection), and the right to lodge a complaint with the supervisory authority.
Informing Employees (Labour Code)
Article 22² §§ 6–9 of the Labour Code imposes additional obligations towards employees:
The employer informs employees about the introduction of monitoring no later than 2 weeks before it is launched, in the manner adopted at the employer (§ 7).
New employees are informed in writing before being admitted to work (§ 8).
The monitored premises and area must be marked visibly and legibly with appropriate signs or sound signals no later than one day before launch (§ 9).
The purposes, scope, and method of monitoring must be specified in a collective bargaining agreement or the work regulations, or, where the employer has neither, in a notice (§ 6).
DPIA for CCTV
CCTV often requires a DPIA (Data Protection Impact Assessment) under Article 35 GDPR:
When a DPIA is required:
Large-scale monitoring of publicly accessible areas — Article 35(3)(c) GDPR expressly mentions this scenario.
Monitoring with advanced features — facial recognition, behaviour detection, person tracking, video analytics. These functions go far beyond traditional CCTV and generate significantly higher risk.
Monitoring covering a large number of individuals — e.g., shopping centres, railway stations, stadiums.
Employee monitoring combined with other forms of monitoring — e.g., cameras + access cards + computer monitoring.
When a DPIA may not be required:
Monitoring of a small office covering only the entrance and car park — with a low number of monitored individuals and no advanced features.
Even in such cases, UODO recommends conducting a simplified risk analysis, even if a formal DPIA is not mandatory.
Sharing Recordings — To Whom and When
CCTV recordings may be shared only on a valid legal basis under Article 6 GDPR — typically a legal obligation, the controller's or a third party's legitimate interest, or, in some cases, the consent of the persons recorded:
Law enforcement — at the request of the police, prosecutor, or court. Basis: legal obligation or execution of a public authority request.
Victims — individuals who were victims of an event captured on the recording (e.g., theft, accident). Sharing on the basis of legitimate interest — but requires a proportionality assessment (whether the recording shows other individuals whose privacy would be violated).
Insurance companies — in connection with a claim. Requires a legal basis (e.g., victim’s consent, legitimate interest).
Employees (right of access) — an employee has the right of access to their personal data (Article 15 GDPR), which includes recordings on which they appear. However, exercising this right must not violate the rights of other individuals visible on the recording — anonymisation (blurring) of other people’s faces may be necessary.
Publishing recordings online — generally impermissible without the consent of the individuals visible in the recording. Even publishing a theft recording on social media “to identify the perpetrator” is legally risky.
CCTV in Residential Buildings — Communities and Cooperatives
CCTV in residential estates, stairwells, and underground car parks is a frequent source of disputes and complaints to UODO. Key rules:
The controller is the residential community or housing cooperative.
Legal basis — legitimate interest (protection of common property, Article 6(1)(f) GDPR). A community or cooperative resolution authorises the installation internally but is not itself a GDPR legal basis; the resolution should document the purpose, scope, and retention period.
Monitoring must not be directed at individual apartment doors — recording who enters and leaves a specific flat, and when, would violate residents' privacy.
Retention period — a maximum of 30 days (UODO recommendation for residential communities, though no statutory provision specifies the exact period).
Privacy notice — must be accessible to residents and visitors.
DPIA — generally not required for small communities, but recommended for large estates.
CCTV in Schools
CCTV in schools is subject to special rules because it involves children — a group requiring particular protection:
Legal basis — Article 108a of the Education Law Act regulates monitoring in schools.
Purposes — exclusively ensuring the safety of pupils and staff, and property protection.
Restrictions — monitoring must not cover classrooms (unless necessary for safety and does not violate dignity), changing rooms, toilets, canteens, or psychologist/counsellor offices.
Retention period — a maximum of 3 months from the date of recording, set by Article 108a itself (the same ceiling as the Labour Code), extended where the recording is evidence in proceedings.
Decision — the school principal in agreement with the governing body and after consultation with the teaching council, parents’ council, and student council.
Most Common CCTV Mistakes
No signage marking the monitored area — cameras are installed but there are no information signs. The most common and most easily detectable mistake.
No privacy notice — a camera pictogram sign exists but there is no full information about the controller, purpose, legal basis, and data subject rights.
Monitoring in prohibited premises — cameras in toilets, changing rooms, or social areas.
No defined retention period — recordings stored indefinitely, with no automatic deletion procedure.
Monitoring for employee control purposes — cameras used to assess work productivity rather than to protect property or safety.
No regulation in work rules — monitoring operated without formal regulation in work regulations or a notice.
No DPIA — large-scale monitoring without conducting an impact assessment.
Sharing recordings without a legal basis — e.g., publishing recordings on social media.
Excessively broad monitoring — cameras covering areas that do not require monitoring (e.g., building surroundings monitoring capturing a public pavement or a neighbouring property).
Unsecured recordings — too many people have access to recordings, no access logging, no encryption.
Checklist — GDPR-Compliant CCTV
- Define the monitoring purpose — does it fall within permitted purposes (safety, property protection, production control, information protection)?
- Select the legal basis — Labour Code (for employees), legitimate interest (Art. 6(1)(f)), or public interest (for public entities).
- Conduct a LIA (if legitimate interest) or DPIA (if large scale / public areas / advanced features).
- Mark the monitored area with signs — before entry, with a pictogram, controller information, and a reference to the full notice.
- Prepare a full privacy notice (Art. 13 GDPR) — make it available at reception, the entrance, or the website.
- Regulate monitoring in work regulations or a notice (if it concerns employees).
- Inform employees — no later than 2 weeks before launch (existing staff) or in writing before admission to work (new hires); mark the area with signs no later than one day before launch.
- Check camera locations — ensure they do not cover prohibited premises.
- Set the recording retention period — maximum 3 months (Labour Code) or a proportionate period (GDPR).
- Implement automatic deletion of recordings after the retention period.
- Restrict access to recordings — authorised persons only, access logging.
- Secure recordings — encryption, access control, backups.
- Include monitoring in the ROPA — as a separate processing activity.
- Prepare a recording sharing procedure — who, to whom, on what basis.
- Regularly review the monitoring scope — are all cameras still needed?
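The checklist items on automatic deletion, the evidence exception, and access logging are the ones most often left to the video recorder's default settings, which typically overwrite on disk-full rather than on a date and keep no record of what was deleted. The following Python retention job is an added illustration, not code from the original article or from any product: it assumes a hypothetical file-name convention of `<camera>_<YYYYMMDD>_<HHMMSS>.mp4`, a hypothetical `legal_hold.json` register listing recordings that are evidence in proceedings, and a hard cap of 90 days standing in for the 3-month Labour Code ceiling. Files on hold are never deleted, files with an unrecognised name are flagged rather than guessed at, and every decision is appended to a JSON-lines audit log.

```python
"""Retention enforcement for CCTV recordings: delete expired files, honour legal
holds, and audit every decision. Illustrative script added to the article; the
file-name convention, legal-hold format and 90-day cap are assumptions."""
from __future__ import annotations

import json
import re
import tempfile
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from pathlib import Path

# Assumed recorder naming convention, e.g. cam01_20240315_143000.mp4
NAME_RE = re.compile(r"^(?P<camera>[\w-]+)_(?P<day>\d{8})_\d{6}\.mp4$")


@dataclass(frozen=True)
class Decision:
    name: str
    action: str  # "delete", "keep", "hold" or "skip"
    reason: str


def recorded_on(name: str) -> date | None:
    """Date of recording parsed from the file name; None if the name is unexpected."""
    m = NAME_RE.match(name)
    return datetime.strptime(m["day"], "%Y%m%d").date() if m else None


def load_holds(hold_file: Path) -> set[str]:
    """Assumed register format: {"holds": [{"file": "<name>", "case": "<reference>"}]}."""
    if not hold_file.exists():
        return set()
    return {h["file"] for h in json.loads(hold_file.read_text())["holds"]}


def plan_retention(root: Path, holds: set[str], today: date,
                   retention_days: int, max_days: int = 90) -> list[Decision]:
    """Decide the fate of each recording. A retention period above max_days is
    refused outright so a misconfiguration cannot silently keep footage longer."""
    if not 0 < retention_days <= max_days:
        raise ValueError(f"retention_days must be 1..{max_days}, got {retention_days}")
    cutoff = today - timedelta(days=retention_days)
    decisions: list[Decision] = []
    for path in sorted(root.glob("*.mp4")):
        rec = recorded_on(path.name)
        if rec is None:
            # Unknown name: never infer an age; leave it for a human to review.
            decisions.append(Decision(path.name, "skip", "unrecognised file name"))
        elif path.name in holds:
            # Evidence in proceedings: retention runs until the case is closed.
            decisions.append(Decision(path.name, "hold", "legal hold"))
        elif rec < cutoff:
            decisions.append(Decision(path.name, "delete", f"recorded {rec}, cutoff {cutoff}"))
        else:
            decisions.append(Decision(path.name, "keep", f"within {retention_days} days"))
    return decisions


def apply_retention(root: Path, decisions: list[Decision], audit_log: Path) -> int:
    """Delete files marked 'delete'; append one JSON line per decision to the audit log."""
    deleted = 0
    with audit_log.open("a", encoding="utf-8") as log:
        for d in decisions:
            if d.action == "delete":
                (root / d.name).unlink()
                deleted += 1
            log.write(json.dumps({
                "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "file": d.name, "action": d.action, "reason": d.reason,
            }) + "\n")
    return deleted


def demo() -> tuple[dict[str, int], Path]:
    """Constructed sample in a temp dir: four dated recordings, one stray export,
    one file on legal hold, 30-day retention evaluated on 2024-03-15."""
    root = Path(tempfile.mkdtemp()) / "recordings"
    root.mkdir()
    for name in ("cam01_20240101_080000.mp4", "cam01_20240301_080000.mp4",
                 "cam02_20240201_120000.mp4", "cam02_20240310_120000.mp4", "export.mp4"):
        (root / name).write_bytes(b"\x00" * 16)  # constructed placeholder content
    (root / "legal_hold.json").write_text(json.dumps(
        {"holds": [{"file": "cam02_20240201_120000.mp4", "case": "example-incident"}]}))
    decisions = plan_retention(root, load_holds(root / "legal_hold.json"),
                               date(2024, 3, 15), retention_days=30)
    apply_retention(root, decisions, root / "retention_audit.jsonl")
    counts = {a: sum(1 for d in decisions if d.action == a)
              for a in ("delete", "keep", "hold", "skip")}
    return counts, root


if __name__ == "__main__":
    print(demo()[0])
```

Run it from a scheduler once a day under a service account that is the only identity with delete rights on the recording store; operators who only view footage get read access, and the audit log lives on a separate volume they cannot modify. Releasing a legal hold is then a single edit to the register, after which the next run deletes the recording if it is past the cutoff.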
Need Support With CCTV Monitoring?
Proper implementation of CCTV requires simultaneously meeting the requirements of the GDPR, the Labour Code, and — depending on the sector — specific regulations. Mistakes are easily detectable and can result in both UODO fines and civil claims. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies and institutions implement legally compliant monitoring — from purpose and proportionality analysis, through documentation preparation, to conducting DPIAs.

Contact us — we will assess whether your CCTV monitoring meets GDPR requirements.
