The CCTV footage retention period is the predefined length of time for which video surveillance recordings are kept, calculated from the moment the image is captured until it is deleted, overwritten, or permanently anonymized. In compliance practice, this is not simply a technical setting chosen at will. It is the result of an assessment of the purpose of processing, the legal basis, the risk to individuals’ rights and freedoms, and any obligations arising from sector-specific laws. In the GDPR context, the key rule is the storage limitation principle under Article 5(1)(e) of Regulation (EU) 2016/679, which requires personal data to be kept in a form that permits identification of data subjects for no longer than necessary for the purposes of processing.
In relation to video surveillance, CCTV recordings will usually contain personal data because they may allow a person to be identified by their face, build, behaviour, location and time of the event, and sometimes also by a vehicle registration plate. For this reason, the CCTV retention period should be short, justified, and documented. If the footage is to be used further, for example to be handed over to the police, a court, an insurer, or for publication, a separate assessment should be made as to whether faces and licence plates need to be blurred first. In environments using tools such as Gallio PRO, footage retention applies not only to the source files, but also to anonymized files, working copies, and exports prepared for disclosure.
Legal basis and supervisory authorities’ position
The retention period for CCTV footage is not specified in the GDPR as one universal number of days. EU law follows a model based on necessity and accountability. This means the controller must be able to demonstrate why footage is retained for a given period and when and how it is deleted or anonymized.
The sources most commonly referred to in this area are the GDPR, the EDPB Guidelines on processing personal data through video devices, and national sector-specific regulations. In Poland, the position of the Personal Data Protection Office (UODO) and specific rules for schools, employers, or public transport are also important.
Source | Scope | Retention takeaway
|
|---|---|---|
GDPR, Article 5(1)(e), Regulation (EU) 2016/679 | Storage limitation principle | No fixed deadline; retention must be necessary and data must be deleted once the purpose has been fulfilled |
EDPB, Guidelines 3/2019 on processing of personal data through video devices, adopted on 29 January 2020 | Guidance for video surveillance | As a rule, the retention period should be short, often just a few days; a longer period requires specific justification |
UODO guidance and materials on video surveillance | National practice | The controller should limit retention to the minimum necessary for the purpose and delete footage promptly once the deadline has passed |
Polish Labour Code, Article 22² § 3 | Employee monitoring | Footage is generally stored for up to 3 months from the date of recording, unless it constitutes evidence in proceedings |
Polish Education Law, Article 108a(4) | Monitoring in schools and educational facilities | Footage is generally stored for up to 3 months, except where it serves as evidence |
The EDPB indicates that the longer the storage period, the stronger the justification should be. In the practice of supervisory authorities, a retention period of a few days up to a few weeks is generally considered typical for standard security monitoring. The 3-month period under employment and education law is not a general standard for every CCTV system, but a limit resulting from sector-specific rules.
Minimum and maximum CCTV retention period
There is no single statutory minimum CCTV footage retention period applicable to all controllers. The minimum period should reflect the actual operational need, for example the time needed to detect damage, report an incident, or secure evidence. If incidents are usually detected within 48 to 72 hours, a 30-day or 90-day CCTV retention period may be excessive unless the controller can justify it.
From the perspective of the UODO and the EDPB, the starting point is simple: CCTV footage should not be kept longer than necessary. In practice, the following assessment model can be used.
- 1–3 days – often sufficient for simple monitoring of entrances, receptions, or car parks with a low number of incidents.
- 7–14 days – a commonly justified range where incident reports tend to be made with some delay.
- 30 days or more – requires specific justification based on a risk assessment, the nature of the site, or a sector-specific legal provision.
- Up to 3 months – permissible where required by sector-specific laws, for example the Labour Code or Education Law.
If a recording has been secured as evidence, the standard overwrite schedule no longer applies. In such a case, the evidential material should be separated from the regular pool of recordings, access should be restricted, and a new retention deadline linked to the proceedings should be defined. This should be described in an internal procedure.
The importance of retention for photo and video anonymization
In image-processing systems, retention does not apply only to the raw CCTV file. It also covers processed files, exports for external parties, and versions prepared for publication. If the controller wants to use part of the recording for a purpose other than the original security purpose, for example for training, evidence, or information purposes, they should assess whether faces and vehicle registration plates need to be blurred.
Automatic face blurring and licence plate blurring usually rely on deep learning models that first detect an object in the frames and then apply an anonymization mask. However, such an AI model does not in itself change the retention rules. It merely reduces the exposure of identifying data in footage that is reused for a secondary purpose. In Gallio PRO, automatic anonymization applies only to faces and licence plates. Other elements, such as logos, tattoos, ID badges, or documents visible on screen, require manual work in the editor.
Key parameters and operational practice
For the DPO and the controller, what matters is not only the number of retention days, but also the parameters that can be monitored and demonstrated during an audit. The CCTV footage retention policy should be linked to system configuration, storage capacity, and the deletion procedure.
Parameter | Meaning | Control example
|
|---|---|---|
Nominal retention | Number of days set in the system | 7 days, 14 days, 90 days |
Actual retention | The real period for which footage remains available | Verification that overwriting takes place in line with the schedule |
Evidence preservation period | Retention period after the footage has been excluded from overwriting | Until the end of proceedings or until the statutory deadline expires |
Secondary anonymization time | Time needed to prepare a version for disclosure | Internal SLA, e.g. 24–72 hours from the request |
Audit trail | Evidence of who secured, copied, or deleted the material and when | Record of administrative actions appropriate to the purpose and scope of the processing |
A practical formula for a retention policy can be described as follows: retention period = the minimum time needed to detect an incident + the time needed to report it and secure the evidence. If the result exceeds the standard industry practice, the controller should have documented justification.
Challenges, inconsistencies, and GDPR compliance
The most common problem is copying retention periods from other organizations without analysing the purpose. A second issue is storing exports outside the central retention schedule. A third is failing to distinguish between source material and anonymized material. An anonymized copy may be stored longer than the source material only if it truly no longer allows a person to be identified or there is a separate legal basis for further processing.
In the area of vehicle registration plates, there is some interpretative inconsistency. In Poland, case law from the Supreme Administrative Court has indicated that a registration number does not always constitute personal data in itself. On the other hand, UODO practice and EDPB guidance support a precautionary approach under which a licence plate may identify a person indirectly, especially when combined with other data. For compliance purposes, it is therefore safer to treat licence plates as data requiring protection in material intended for disclosure.