How to Handle CCTV Footage Requests from Employees and Contractors Without Over-Disclosing Personal Data

Mateusz Zimoch
Published: 1/4/2026
Updated: 3/10/2026

A CCTV footage request is a demand from an employee or contractor to access video recordings in which they appear. The core risk is over-disclosing personal data of bystanders captured in the same frames. Visual data anonymization is the practice of removing or masking identifying elements within images and videos, typically through face blurring and license plate blurring, so footage can be shared while respecting privacy obligations and limiting unnecessary exposure.

Why over-disclosure happens and how visual data anonymization prevents it

Workplace cameras usually cover shared spaces such as entrances, corridors, production floors, and car parks. A single clip commonly contains multiple individuals and vehicles. Unredacted disclosure to a requester can unintentionally reveal colleagues’ identities, movements, or vehicle data, escalating compliance risk and exposing the organization to complaints, disputes, or claims. In EU and UK settings, this is closely tied to protecting third-party rights and freedoms when responding to access requests. In the US, even without a single federal GDPR-style law, “least disclosure” and redaction are widely used to reduce privacy complaints, employee relations issues, and litigation risk.

Visual data anonymization applies face blurring and license plate blurring to reduce identifiability before providing a copy. This is especially important when the requester is not the only person visible or when footage could later be reused for disciplinary processes, insurance matters, PR, or training.

A practical workflow that limits exposure

The steps below are designed to keep disclosures narrow, defensible, and repeatable across HR, security, and legal teams.

  1. Verify identity and role. Confirm the requester is the employee or contractor in question, or a duly authorized representative.
  2. Narrow the scope. Limit date range, camera IDs, and viewing angles to the minimum that can satisfy the request. Avoid exporting more frames than necessary.
  3. Decide the disclosure purpose and internal basis. For the requester’s own access, an access-rights workflow may apply (EU/UK) or a policy-based disclosure workflow may apply (US). Document the purpose, the audience, and the decision.
  4. Apply visual data anonymization. Blur faces of other people and blur license plates of bystander vehicles where identification is not necessary for the request response.
  5. Handle secondary identifiers manually. Logos, tattoos, name badges, documents, and content on monitor screens can identify people. Where relevant, add manual redactions.
  6. Quality assurance. Review exports around motion, occlusion, reflections, and scene changes to confirm no bystander faces or plates remain visible.
  7. Secure delivery and minimal logging. Provide the file through a secure channel and record the minimum audit data needed. Avoid storing detection metadata about individuals.
  8. Retention and deletion. Retain the working copy only as long as needed to complete the request or handle foreseeable disputes, then delete securely.
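
Steps 2, 7 and 8 can be enforced in code at export time. The sketch below is an added example, not part of Gallio PRO or the original article: the field names, the 15-minute scope limit and the 30-day retention period are assumptions to be replaced by your own policy. It builds the audit entry from an allow-list, so detection metadata about individuals cannot enter the log, and it binds the entry to the delivered file with a SHA-256 hash.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Allow-list of audit fields (assumed names). Anything else, such as
# per-person detection metadata, is rejected rather than silently stored.
ALLOWED_FIELDS = {"request_id", "requester_role", "purpose", "camera_ids",
                  "clip_start", "clip_end", "redactions", "recipient"}
MAX_CLIP = timedelta(minutes=15)   # assumed scope limit per export
RETENTION = timedelta(days=30)     # assumed working-copy retention


def build_audit_record(fields, export_bytes, now):
    """Return the minimal audit record for one redacted export."""
    extra = set(fields) - ALLOWED_FIELDS
    missing = ALLOWED_FIELDS - set(fields)
    if extra or missing:
        raise ValueError(f"unexpected={sorted(extra)} missing={sorted(missing)}")
    start = datetime.fromisoformat(fields["clip_start"])
    end = datetime.fromisoformat(fields["clip_end"])
    if not timedelta(0) < end - start <= MAX_CLIP:
        raise ValueError("clip window is empty or exceeds the scope limit")
    record = dict(fields)
    # The hash ties the log entry to the exact file that was delivered.
    record["export_sha256"] = hashlib.sha256(export_bytes).hexdigest()
    record["logged_at"] = now.isoformat()
    record["delete_working_copy_by"] = (now + RETENTION).isoformat()
    return record


# Constructed sample request and stand-in bytes for the redacted file.
SAMPLE_REQUEST = {
    "request_id": "REQ-EXAMPLE-001",
    "requester_role": "employee",
    "purpose": "requester's own access",
    "camera_ids": ["CAM-ENTRANCE-1"],
    "clip_start": "2026-01-12T08:00:00+00:00",
    "clip_end": "2026-01-12T08:05:00+00:00",
    "redactions": ["faces:auto", "plates:auto", "badges:manual"],
    "recipient": "requester via secure portal",
}
SAMPLE_EXPORT = b"constructed stand-in for redacted video bytes"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(json.dumps(build_audit_record(SAMPLE_REQUEST, SAMPLE_EXPORT, now), indent=2))
```

Hash the redacted file that is actually delivered, never the raw footage, so a later dispute can be settled by comparing the recipient's copy against the logged digest.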

If your team needs an on-premise tool for face blurring and license plate blurring, check out Gallio PRO. It is designed for redacting faces and plates in images and pre-recorded video files without sending footage to cloud services.

What to anonymize and when: faces and license plates

To keep this article focused and aligned with Gallio PRO capabilities, the guidance below covers faces and license plates as primary identifiers and addresses secondary identifiers as a manual layer.

Faces

Whether you must anonymize faces depends on the disclosure purpose and legal or policy basis. In EU and UK contexts, if disclosure would reveal personal data of third parties, organizations commonly redact bystanders to protect third-party rights and freedoms. In the US, the “must” test varies widely, but redaction is still a strong operational safeguard when an export contains non-requesters. This is particularly important in shared workplace areas where employees have heightened expectations of appropriate internal handling.

License plates

In many European contexts, vehicle registration marks can be personal data when they allow a natural person to be identified directly or indirectly. In Western Europe, plate blurring is commonly expected and in some jurisdictions treated as effectively mandatory for publication or broad disclosure. In Poland, views have not been fully uniform in case law and practice; however, under the identifiability test, plates may still be personal data depending on who can realistically link the plate to a person. US approaches are more fragmented: there is no single nationwide rule, but blurring bystander plates in workplace disclosures is a practical way to reduce risks of harassment, stalking, or employee disputes, and it supports “least disclosure” across state variability [1][2][3].

EU/UK/USA disclosure checkpoints without repeating the same comparison tables

Instead of a recurring EU GDPR versus UK GDPR table, the matrix below is structured by request scenario. It helps teams decide what to export, what to blur, and what to document. It also introduces US handling so that US readers do not see only EU and UK references.

| Request scenario | EU and UK: typical approach | USA: typical approach | Redaction focus (Gallio PRO fit) |
|---|---|---|---|
| Employee asks for footage where only they appear | Provide narrow export or stills if sufficient; document purpose and scope; protect any incidental third-party data [1][2][3] | Policy-based disclosure or employment practice handling; keep scope narrow; document rationale | Usually minimal blurring; verify no incidental bystanders |
| Employee asks for footage with multiple colleagues visible | Redact third parties where needed to protect others’ rights and freedoms; consider extracting only relevant frames [1][2] | Strongly prefer least disclosure; redact bystanders to reduce disputes and privacy complaints | Auto blur faces; manual masks for other identifiers |
| Car park footage with multiple vehicles | Consider plate blurring for bystander vehicles; document identifiability reasoning; cross-border consistency helps [1][3] | Blur bystander plates as best practice; reduces harassment and complaint risk | Auto blur license plates; QA around motion/angles |
| Footage later reused for investigation, insurance, or external counsel | Minimize before sharing; restrict access; document recipients and necessity [1][3] | Minimize before third-party sharing; contractual controls; document recipients and purpose | Export a redacted master to prevent inconsistent edits later |
| Sensitive scenes (medical, injuries, discipline) | Higher-risk handling, narrower disclosure, stronger redaction where feasible [1][2] | Higher employee relations and litigation risk; narrow scope; stronger redaction | Blur faces and plates consistently; manual redaction for visible screens/docs |

Tooling choices: on-premise software and what to expect from automation

Automation reduces manual workload, but understanding tool boundaries is essential for compliance-grade exports. Gallio PRO is on-premise software focused on visual data anonymization for still images and pre-recorded videos. It does not perform real-time anonymization or video stream anonymization. The software automatically detects and blurs faces and license plates only. It does not automatically detect company logos, tattoos, name tags, documents, or content on monitor screens. These can be covered in manual mode with the built-in editor. Gallio PRO does not blur entire silhouettes, only faces and license plates.

For many organizations, an on-premise approach reduces transfer and confidentiality risks and simplifies security reviews. Gallio PRO does not collect logs containing face or plate detection events and does not gather logs with personal or sensitive data. To explore capabilities hands-on, download a demo. For requirement-specific questions, contact us.

Execution tips that improve outcomes

Start with the smallest footage slice that answers the request. Apply automated face blurring and license plate blurring, then add manual masks for residual identifiers that could reveal a person indirectly, such as name badges or screens. Validate exports on key frames and around scene transitions. When in doubt about whether disclosure could adversely affect third parties, teams often choose a more protective export variant and document the rationale, without storing any biometric or detection metadata.

FAQ - How to Handle CCTV Footage Requests from Employees and Contractors Without Over-Disclosing Personal Data

Can employees receive raw CCTV footage with colleagues visible?

In many cases, organizations should protect third-party personal data when fulfilling requests. A common approach is to provide footage that is limited in scope and/or redacted, for example by blurring faces of bystanders, where necessary to safeguard others’ rights and freedoms.

Should license plates be blurred when an employee requests car park footage?

Often yes for bystander vehicles. In many European contexts, plates can be personal data depending on identifiability. In Poland, practice and rulings have not been fully uniform, so many organizations blur plates to reduce risk and ensure consistent handling. In the USA, blurring bystander plates is a practical best practice that reduces complaint and harassment risk.

Is automated blurring enough on its own?

Often not. Automation typically covers faces and plates. Manual redaction may still be needed for other identifiers like name badges, documents, or screens that can identify people.

Does anonymized footage fall outside data protection laws?

Only if re-identification is not reasonably possible taking into account means likely to be used. This is context-dependent and should be evaluated case by case [1][3].

Can a requester demand full-screen exports without redactions?

Organizations commonly restrict, redact, or otherwise limit disclosure of third-party data where needed to protect other individuals’ rights and freedoms while still fulfilling the requester’s request in a reasonable, documented way.

Is cloud processing acceptable for redaction?

It depends on security requirements, processor arrangements, and where relevant, international transfer considerations. Some teams prefer on-premise software to reduce external data flows and simplify security review.

References list

  [1] Regulation (EU) 2016/679 (GDPR) - EUR-Lex: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
  [2] UK ICO - CCTV and video surveillance guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/
  [3] EDPB Guidelines 3/2019 on processing of personal data through video devices: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en
  [4] California Civil Code - CCPA section 1798.100 (official CA Legislature): https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100.
  [5] Illinois Biometric Information Privacy Act (BIPA) - 740 ILCS 14 (Justia compilation): https://law.justia.com/codes/illinois/chapter-740/act-740-ilcs-14/
  [6] Texas Business & Commerce Code Chapter 503 - Capture or Use of Biometric Identifier: https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm
  [7] Washington My Health My Data Act - RCW 19.373 (official text): https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true
  [8] California Civil Code - ALPR definition section (FindLaw compilation): https://codes.findlaw.com/ca/civil-code/civ-sect-1798-90-5/