How does GDPR affect CCTV Surveillance?

The General Data Protection Regulation (GDPR) is a legislation that sets rules and regulations for the accumulation and refinement of personal information from people who reside in the European Union (EU). On May 25, 2018, the time limit for carrying these guidelines materialised profoundly. All companies gathering and handling the personal data of employees will be greatly impacted by these guidelines. Let’s find out how they will be impacted by GDPR.

Fundamentals of Workplace Surveillance

Here are some of the fundamentals of workplace surveillance:

  1. Authority to Monitor Activity – As per GDPR specifications, the employers of an organisation are authorised to monitor employee activity if they have lawful reasoning for such action. The motive of their supervision should be distinctly conveyed to employees in precedence.

    Due to the absence of balance in power between the associations of business owners with their employees, one can no longer bank on an agreement to refine employee data. Therefore, for companies, the most suitable rationale will probably be the valid interest of the employer who appoints the data auditor for surveillance.
  2. Bonafide Basis of Surveillance – As a business owner, you will need to possess justifiable and legitimate reasoning behind the necessity of keeping a check on employee activities by using CCTV. Legitimate justification of monitoring includes safeguarding and securing employees’ safety by impeding crime, keeping employee misconduct in check, ensuring compliance with health and safety protocols. It also entails controlling and boosting productivity and also acting in accordance with regulatory prerequisites in certain cases, such as the financial services section.
  3. Legitimacy of Interest – Employers typically depend on lawful interests as a relevant legal basis for processing personal data. This entails organisational liability and allows the accountable use of personal details while safeguarding the privacy of an employee’s private data.

    You will also be obligated to consider the lawfulness of their asserted interest (and also probably the interests of third unbiased parties) and must strike a balance between these interests and the privileges and freedom of your employees. Additionally, business owners need to corroborate and take intended and necessary steps so that employees’ rights are not influenced at all times. 

    Should an employee oppose the use of CCTV cameras in a specific location, the new GDPR guidelines hold the company responsible to offer a “plausible legitimate premise” for installing it. This premise should be properly justified in case it involves overruling the employees’ rights, or for the formation, exercise, or refutation of any legal claims thereafter.
  4. Confining Areas– The monitored CCTV surveillance should be confined to locations where the likelihood of violating employees’ privacy rights is less probable. The utilisation of CCTV cameras that continuously scan and keep a track of a certain group of working individuals in a specific location are more likely to be considered invasive than those that keep a track of all employees in a common entrance zone.

    In line with the GDPR requirements, you should properly communicate the intention of setting up CCTV surveillance to your employees through the medium of Privacy Notice. The typical supposition for CCTV usage in organisations is for security reasons, but the use for keeping a track of employee performance or demeanour is not an apparent reason. Therefore, employees must be distinctly notified before having their personal data recorded. The same protocol needs to be followed for CCTV surveillance used for health and safety purposes.

What Are Some of the Risks of CCTV Profiling?

Any extravagant utilisation of CCTV surveillance to portray employees is considered “high risk” profiling under Article 35, GDPR. This process has a requirement of a Data Protection Impact Assessment (“DPIA”). DPIA examines whether the surveillance is imperative and consistent with what an employer is attempting to achieve in view of the risks of jeopardising the privileges of the specific subjects. It should also consider any safety precautions that the auditor will have to put in place.

Importance of Responsible Handling of Personal Data

It is important to note that as an employer, any personal information collated must be used and stored only to achieve its actual purpose, and GDPR-compliant notice must be conspicuously exhibited. A highly recommended suggestion would be to create a sequence of data protection policies associated with proper usage of CCTV cameras. 

These policies should convey clear reasons for which the CCTV surveillance is being conducted, the nature and set-up in which recording will take place, the usage and procurement of employees’ personal data, the length of footage that will be preserved, as well as the effect on their individual privileges.

What to Know About Signage and Restricted Access?

It is also important to place recognisable and appropriate signage in locations where CCTV cameras are positioned.  One should also place necessary technical and organisational procedures to alleviate any potential risk caused to an employee’s privacy rights in the occurrence of a data infringement, as per GDPR guidelines. CCTV systems are intrinsically endangered by cyber-attacks when linked to the Internet, and the safety and data privacy contained is best safeguarded by restricting access and possessing powerful systems to avoid internet-borne ambush like malware.


An organisation’s utilisation of CCTV can raise and involve complicated legal problems in view of the new GDPR guidelines, heavily relying on the motive behind the surveillance. Where the equation of the refining is not clear, expert legal advice is suggested to ensure that the usage is in compliance with GDPR regulations.

The GDPR does not cast down the use of CCTV but stimulates a proper balance and transparency & clarity for all parties in terms of its handling. While in the past, the distress of data volunteers may have been negated in favour of the overruling interests of the auditor, this will no longer be the case and may demonstrate to be the vanquishing of many.

Whether it be huge administrative penalties or humiliation and shame, it will always be the small things that contribute to making the difference. This definitely depicts that GDPR is being actively imposed; and the imposition of directives exhibits its value. This, in turn, means enhanced safety and security of personal data, which is great news for every individual.

Leave a Reply

Your email address will not be published. Required fields are marked *