How to Write a CCTV Footage Handling Procedure in Your Organization: a Document Template for DPOs

A CCTV footage handling procedure is an internal operational document that defines who can access recordings, in which situations they may be reviewed, how copies are issued, what deadlines apply to individual actions, and how image anonymization is carried out before footage is published or shared with third parties. In practice, this kind of document does not replace the record of processing activities, a risk assessment, or documentation prepared for an auditor. Its purpose is to support the day-to-day work of the team that actually handles photos and video files.

For a DPO, the key is to separate three layers of activity. The first concerns access to the source material. The second covers blurring faces and license plates before the recording is used further. The third governs the release or publication of only the version that has been reviewed and approved. This structure reduces the risk of accidentally disclosing the image of bystanders and makes it easier to demonstrate a consistent organizational practice.

Why does an organization need a separate operational procedure for CCTV footage?

Many organizations already have a CCTV policy, but they lack practical step-by-step instructions. The result is predictable. The operator knows how to replay a recording, but it is unclear whether a clip may be emailed, who must approve an export, whether faces and license plates of other individuals must be blurred before disclosure, and how much time the team has to respond to a request. A CCTV SOP organizes these issues without turning into yet another high-level compliance document.

In image anonymization scenarios, organizations often use tools such as Gallio PRO, especially when they need on-premise software and control over files within a local environment. From an operational perspective, what matters is that the software automatically blurs only faces and license plates. It does not blur entire bodies, does not perform real-time anonymization, and is not designed to anonymize a live video stream. It also does not automatically detect company logos, tattoos, name badges, documents, or content visible on screens. Those elements can be masked manually in the built-in editor. In addition, the system does not store logs containing detection data, personal data, or special category data.

How is an SOP different from auditor documentation and an implementation checklist?

Documentation prepared for an auditor usually answers the question of whether the organization has the necessary legal grounds, roles, and safeguards in place. An implementation checklist answers what needs to be set up and verified before launch. A CCTV footage handling procedure answers what exactly an employee does from the moment a request is received, or a publication decision is made, until the working file is deleted.

That is why the template below should include specifics: the responsible role, the required action, the deadline, the internal register entry that must be made, and the condition for moving to the next step. Only this level of detail works in practice.

Minimum scope of a CCTV footage handling procedure

The shortest useful procedure includes seven blocks. First, the purpose and scope of the document. Second, roles and permissions. Third, rules for receiving requests for access, copies, or publication. Fourth, rules for exporting footage and working on a copy. Fifth, image anonymization, including face blurring and license plate blurring. Sixth, approval of material for disclosure or publication. Seventh, retention and deletion of working versions.

It is worth defining from the outset that, by image anonymization, the organization means processing a photo or recording in such a way that third parties and identifiers visible in the image cannot be recognized in the ordinary course of using the material. For video, this usually means working on an exported copy rather than on the production source file.

CCTV footage handling procedure template - ready to copy

1. Purpose and scope

This procedure defines the rules for reviewing, exporting, anonymizing, and disclosing CCTV recordings and individual still frames taken from recordings. The procedure applies only to visual materials, in particular photos and video. It does not regulate separate documentation obligations related to audit, risk analysis, or the implementation of a CCTV system.

2. Roles and responsibilities

The CCTV system administrator is responsible for the technical export of material and for granting access only to authorized persons. The business owner of the process, for example the security manager or compliance manager, assesses the purpose for which the material will be used. The person performing anonymization prepares the working copy and applies face blurring and license plate blurring. The Data Protection Officer or another designated reviewer provides an opinion in higher-risk cases or in response to non-standard requests. The person approving publication or the release of a copy confirms that the material to be shared contains no unredacted faces or license plates of third parties.

3. Access to recordings

Only persons named individually in the appendix to this procedure may access full recordings. Access is granted by the system administrator following approval by the process owner. Recordings may be viewed only for a documented business purpose. Every case opened under this procedure requires an entry in the operational register containing the date, case number, relevant recording timeframe, requesting person, and responsible handler.

4. Operational deadlines

An internal request to preserve a recording must be registered immediately, no later than within 1 business day of receipt. The initial assessment of the intended use must be completed within 2 business days. Export of the working copy should take place within 3 business days, provided that the material is available and there are no technical obstacles. Anonymization is carried out without undue delay after export. Before publication or release of a copy, a four-eyes review is mandatory.

5. Export and preparation of a working copy

Work is performed exclusively on a working copy. The source material remains unchanged. The copy is stored in a separate repository with restricted access. The file name includes the case number and export date, without including data relating to persons visible in the footage. If the organization needs a predictable workflow for video and image files, it is worth testing it in advance, for example by choosing to download the free demo and checking how processing of a working copy looks in a local environment.

6. Rules for image anonymization

The person performing anonymization identifies all faces and license plates of third parties visible in the frame. They then apply face and license plate blurring throughout the entire material intended for disclosure or publication. If the material contains logos, tattoos, name identifiers, documents, or content shown on a monitor, hiding those elements requires manual editing, because automatic detection does not cover them.

The procedure should clearly state that automatic detection applies only to faces and license plates. This is particularly important when training operators. Assuming that the tool will recognize every element that could enable identification is an operational mistake.

7. Disclosure of recordings and still frames

Any transfer of a recording outside the team handling the case requires approval from the designated approver. If the material is to be provided to the person concerned by the incident, to an external entity, or for publication, the faces and license plates of other people and other vehicles visible in the material must be blurred before disclosure. The source version is not shared unless such disclosure is required by law or by a binding request from a competent authority. Every release of a copy is documented in the operational register, including the recipient, date, and scope of the material.

8. Quality control before publication

Quality control includes two stages. First, the operator checks whether blurring works throughout the full duration of the shot and whether there are any short fragments left unmasked. Second, the approving person confirms that the material contains no other elements requiring manual anonymization. Without a positive review, publication is blocked.

9. Retention and deletion of working versions

The working version is retained only for the period necessary to close the case. After publication, release of a copy, or closure of the request, the working file is deleted in line with the retention schedule defined by the organization. If you need an on-premise deployment or separate rules for different business units, it is worth to reach out to the team to adapt the process to the scale of the organization and its technical requirements.

Operational table - who does what and by when

How to describe image-related exceptions without creating false certainty

It is worth adding a short interpretive clause to the procedure. The obligation to anonymize faces does not arise directly from one specific provision of the GDPR, civil law, or copyright law, but from an assessment of whether publication or disclosure complies with personal data protection rules and the rules governing dissemination of a person’s image. In copyright law, exceptions are provided in particular for the dissemination of a person’s image where:

• the person received agreed payment for posing, unless expressly stated otherwise,
• the person is widely known and the image was captured in connection with the performance of public functions, in particular political, social, or professional functions,
• the image of the person constitutes only a detail of a whole such as a gathering, landscape, or public event.

These are not automatic exemptions from analysis. Organizations often treat them as a starting point for assessing a specific situation rather than as absolute rules. Where there is doubt, anonymization before publication remains the safer operational practice.

License plates in the procedure - how to address the issue without oversimplifying it

Across European countries, approaches to license plates vary depending on the context and national practice. In Poland, the situation is not entirely clear-cut either. As a rule, a single license plate number may or may not constitute personal data; it depends on whether, using means reasonably likely to be used, it allows identification of a natural person. It is therefore not accurate to claim in general that the obligation to blur license plates follows directly from EDPB guidance or from uniform CJEU case law.

For that reason, the procedure should avoid stating that license plates always are, or never are, personal data in every circumstance. A more practical operational rule is to adopt a precautionary approach: if material is to be published or disclosed outside a narrow circle of authorized persons, license plate blurring should be applied to third-party vehicles unless the organization has documented a different assessment for the specific case.

Most common mistakes in CCTV footage handling procedures

The first mistake is describing only the legal basis without specifying operational steps. The second is failing to distinguish between source material and a working copy. The third is assuming that an automated tool will catch everything. The fourth is not setting response deadlines and not requiring quality control. The fifth is overlooking the rule that, before a recording is shared, the need to blur the faces and license plates of other people should be assessed.

FAQ - CCTV footage handling procedure

Does a CCTV footage handling procedure need to be a separate document?

Not always, but in practice a separate SOP is usually the clearest option. It makes operator training easier and shortens decision time when publication or release of a copy is considered.

Can you work directly on the source material?

As an organizational practice, working on a copy is preferable. It reduces the risk of compromising the integrity of the original and makes change control easier.

Is blurring faces alone enough?

Not in every case. If the material shows license plates of other people or other elements that could enable identification, the need to hide them must be assessed. In publication scenarios, license plate blurring is also commonly used in practice.

Does Gallio PRO automatically detect all personal data visible in an image?

No. Automatic detection covers only faces and license plates. Logos, tattoos, name badges, documents, and content shown on screens require manual editing.

Does Gallio PRO keep logs containing detection data?

No. The software does not collect logs containing face and license plate detection data. It also does not collect logs containing personal data or special category data.

Should the procedure contain specific deadlines?

Yes. Without deadlines, the document remains a declaration rather than a working instruction. A DPO will usually aim to define deadlines for case registration, copy export, anonymization, quality control, and deletion of the working version.

Can footage from a public event be published without blurring every face?

It depends on the context. One potentially permissible case may be where a person’s image is only an incidental detail of a larger whole, such as a public event. Even then, the assessment requires caution and should not be applied automatically to every piece of footage.