Data minimization in video surveillance: how many cameras, which areas, and for how long?

Data minimization in video surveillance means designing a camera system so that it records only the footage that is genuinely necessary for a specific purpose, within the smallest possible spatial, functional, and time scope. In practice, Article 5(1)(c) GDPR requires answers to three questions: is this camera necessary, does it cover the right area, and does the system architecture avoid excessive recording of images [1]? When photos and recordings may later be published, there is one more requirement: it is worth planning for visual data anonymization at the design stage, so the material is technically prepared for safe use outside the surveillance system.

For compliance teams, IT, and management, the key point is that minimization does not begin when finished recordings are deleted. It begins earlier, when deciding how many cameras to install, which framing to use, which zones to exclude from observation, and whether the footage may later require face blurring or license plate blurring before publication. This approach reflects the privacy by design logic set out in Article 25 GDPR [1].

Data minimization in video surveillance is not just about having fewer cameras

The most common mistake is to reduce minimization to the simple slogan “the fewer cameras, the better.” That is too simplistic. Organizations should usually assess not the number of devices alone, but the relationship between the purpose and the scope of the footage. One wide-angle camera may be more intrusive than three cameras with a narrow, precisely adjusted field of view. In its guidelines on processing personal data through video devices, the EDPB stresses that surveillance must be adequate, relevant, and limited to what is necessary [2].

In practice, this means the justification for the scope of surveillance should be prepared like a design decision. A generic reference to security is not enough. What is needed is a description of the purpose, the risk, and the specific area. If the goal is to protect the entrance to a server room, it is usually difficult to justify covering the entire staff corridor. If the goal is to document access to a car park, it should be considered whether a full frame of passers-by and neighboring properties goes beyond what is needed.

Is every camera necessary? The necessity test in practice

A sensible compliance approach starts with a simple test. First, the purpose of each camera should be defined separately. Second, it should be explained why the footage is necessary rather than merely convenient. Third, it should be described whether the same purpose could be achieved with tighter framing, a different mounting location, or without recording certain individuals. Fourth, it is worth checking whether the footage is intended purely as evidence or also for operational use, because this affects the architecture of the entire system [1][2].

This also matters when an organization plans to use recordings or stills later in external communications. The broader and less controlled the source material, the greater the need for anonymization before publication. In such scenarios, Gallio PRO can be part of process design, as it makes it possible to prepare photos and recordings for sharing through automatic detection and blurring of faces and license plates rather than entire silhouettes.

How to justify the scope of surveillance: documentation should describe the frame, not just the purpose

In many organizations, the justification for surveillance ends with the formula “ensuring the safety of people and property.” That is not enough. Good design documentation should answer the following questions: why is the camera in this location, what area does it cover, which zones have been deliberately excluded from observation, who appears in the frame, and is there a risk of secondary use of the material, for example for publication or training? This is exactly where minimization meets visual data anonymization.

If the organization expects that some materials may be used in marketing, PR, crisis communications, or responses to public access to information requests, it is worth designing the architecture so that the source material is as clean as possible. This is helped by limiting unnecessary zones and then preparing a face blurring and license plate blurring procedure. That workflow can be assessed in practice by trying the demo and checking whether footage from a specific location can be prepared for publication without excessive manual work.

Problematic areas: changing rooms, restrooms, and break rooms

These spaces most clearly show whether an organization is truly applying the data minimization principle. The EDPB guidelines indicate that surveillance in places where people expect a particularly high level of privacy requires a very strong justification and will often simply be impermissible [2]. This applies in particular to restrooms, changing rooms, and similar areas.

For restrooms, the practical answer is usually straightforward: as a rule, a camera should not be installed inside the room. Any observation may concern the entrance only, if this is genuinely justified and the frame does not show the interior. The same applies to changing rooms. Recording employees, visitors, or customers while changing is difficult to reconcile with the principles of proportionality and minimization [2][3].

Break rooms require a more nuanced assessment, but they also belong to high-risk privacy zones. These are places for rest, private conversations, and activities not directly related to access control or asset protection. Organizations often conclude that monitoring such a space is too intrusive unless it concerns a very narrow section, for example the entrance to a separated storage area with valuable equipment. In that case, the camera should not cover the entire break room, but only the specific access point.

Table: assessing camera necessity by type of location

For how long? An architectural question, not just a retention issue

The “for how long” in the title does not have to mean only a deletion policy for recordings. At the system design stage, it is above all a question of whether the architecture forces continuous, full recording of footage or allows the time and scope of recording to be limited. Minimization may mean choosing event-triggered cameras, defining motion detection zones, narrowing operating hours, or giving up unnecessary continuous recording. These are technical decisions that affect compliance even before the first archive is created [1][2].

From the perspective of publishing visual materials, this has tangible consequences. The less unnecessary footage the system collects, the smaller the scope of later review and anonymization. This reduces risk, although the actual time and cost savings will always depend on the specific environment, the quality of the material, and the process adopted.

Visual data anonymization as part of surveillance system design

Visual data anonymization does not replace minimization. It complements it. If an organization already knows that footage from surveillance may be used beyond its original purpose, for example in media communications, training materials, or online publications, it should plan from the outset how to reduce the identifiability of people and vehicles. In practice, this usually means face blurring and license plate blurring.

It is also worth being technically precise. Gallio PRO automatically blurs only faces and license plates. It does not automatically detect company logos, tattoos, name badges, documents, or content shown on monitor screens. Such elements can be blurred manually in the editor built into the tool. The software does not perform real-time anonymization or video stream anonymization, so its role is to prepare material after recording rather than filter footage live.

For projects requiring greater infrastructure control, including local deployments and environments with increased security requirements, it is worth reaching out to the team to discuss the on-premise software model and how anonymization can be integrated into the existing surveillance architecture.

Faces and license plates: what is really worth planning at the design stage

In practice, when visual materials are published, a face will most often constitute personal data, and disclosing it requires a legal basis or the use of anonymization. The obligation to blur a person’s image before publication does not arise automatically from the GDPR alone. It depends on the legal basis for processing, the purpose of publication, and separate regulations concerning the dissemination of a person’s likeness, in particular the Civil Code and copyright-related rules. As a rule, consent is not required where the person received agreed payment for posing and did not reserve otherwise, or where the image concerns a widely known person photographed in connection with performing public, social, or professional functions, or where the image is merely a detail of a whole such as a gathering, landscape, or public event.

License plates are more complex. Under the GDPR, there is no universal rule that blurring them is always required across all of Western Europe, nor does this follow from any uniform “EU recommendation” as a single legal standard. The assessment depends on the context and on whether, in the circumstances, the plate makes it possible to identify a natural person. In Poland, too, the situation is not entirely clear-cut. As a result, cautious organizational practice often leans toward license plate blurring before publishing materials that are publicly available.

Minimization and logs or system traces

Although the article focuses on images, architectural decisions also include what technical information the anonymization tool itself leaves behind. From a privacy perspective, it makes sense to limit those traces as well if they could indirectly reveal visual data. In this context, it is important that Gallio PRO does not store logs containing detection data or personal data.

The key takeaway for management, the DPO, and the IT manager

A surveillance system that complies with the data minimization principle is not a system that is “large because it is safe,” but a system that is precise. Every camera should have its own separate justification. Every frame should be consciously limited. Every place with heightened expectations of privacy should be treated as an exception, not the default. If footage is expected to have a life beyond surveillance, visual data anonymization should be built into the architecture of the solution, not addressed only after an incident or immediately before publication.

FAQ - data minimization in video surveillance

Does data minimization simply mean installing fewer cameras?

No. What matters above all is whether the frame is proportionate to the purpose. One poorly positioned camera may infringe privacy more than several precisely designed devices [1][2].

Can a camera be installed in a changing room?

Usually not. Changing rooms are places where people have a very high expectation of privacy. An approach consistent with minimization will usually lead to excluding the interior of such an area from surveillance [2][3].

Can a restroom be monitored?

As a rule, no. In practice, organizations may consider monitoring only the entrance, provided the frame does not show the interior and there is a specific security justification [2].

Does a break room always rule out surveillance?

Not always, but it is a high-risk privacy area. Monitoring an entire break room is usually difficult to justify. Sometimes only a very narrow access point to a separated technical zone may be considered.

Does Gallio PRO anonymize the whole image or entire silhouettes?

No. Gallio PRO automatically blurs only faces and license plates. Other elements, such as documents, ID badges, logos, tattoos, or monitor screens, require manual work in the editor.

Does Gallio PRO work in real time on camera streams?

No. The software does not perform real-time anonymization or video stream anonymization. It is designed to prepare already recorded material for further use.

Do license plates always have to be blurred before publication?

Not always. The assessment depends on the context, the purpose of publication, and whether, in the circumstances, the plate could lead to the identification of a natural person. In cautious practice, many organizations still choose to blur them when publishing materials available to the public.