A CCTV sign is a notice placed at the entrance to an area covered by video surveillance. Its purpose is to provide the recorded person with key information about the processing of personal data before they enter the camera’s field of view. In practice, it forms the first layer of the transparency obligation under Articles 12 and 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, namely the GDPR. In the context of photos and video recordings, the sign is not a technical component of the camera system, but part of the organisational and legal compliance framework for the entire image-processing operation.
For a Data Protection Officer, the role of a CCTV sign is practical. The notice must be visible, clear, and placed in the right location. It should also direct people to the full privacy notice. Simply displaying a camera pictogram without the required information will usually not meet the standard of transparency. This is confirmed by guidance from the Polish Data Protection Office (UODO) and the European Data Protection Board (EDPB) on layered privacy information for video surveillance.
CCTV Sign – Definition
From a compliance perspective, a CCTV sign is a physical or digital information medium placed before a monitored area, informing people that image recording is taking place, identifying the data controller, and providing access to more detailed information about the processing. Its use follows from the GDPR principle of lawfulness, fairness, and transparency under Article 5(1)(a), as well as the obligation to provide information to the data subject under Article 13.
In video surveillance, personal data primarily includes a person’s facial image and other elements that make identification possible. In certain cases, it may also include a vehicle registration number if, in the given circumstances, it enables the identification of a natural person. That is why a CCTV sign remains important even where video material is later anonymised—for example, through automatic face blurring and license plate blurring in video files or photographs. Anonymising footage after recording does not automatically remove the obligation to inform people that image capture is taking place.
What Information Should a CCTV Sign Include?
UODO and EDPB guidance adopts a layered approach. This means that the sign should contain the most important information, while the full privacy notice should be made available as a second layer—on a website, at reception, in internal rules, or in a separate paper document. The first layer should be brief, but specific.
- information that the area is covered by CCTV or video surveillance,
- the identity of the data controller,
- the purposes of the surveillance,
- an indication of where the full privacy notice is available,
- at least one easily accessible contact channel for the controller or the DPO, if one has been appointed.
In practice, the sign should be written in plain language. Abbreviations that may be unclear to visitors should be avoided. A camera pictogram is helpful, but it does not replace text. In Guidelines 3/2019 on processing personal data through video devices, the EDPB stresses that first-layer information must allow people to quickly identify the controller, the purpose of the processing, and how to obtain further information.
Size, Readability, and Placement of a CCTV Sign
Polish law does not prescribe one fixed CCTV sign template or one mandatory format in centimetres. However, UODO emphasises the requirement that the signage must be effective. This means the sign must be visible before a person enters the camera’s field of view. A notice placed only behind a door or in an obscured location may be considered insufficient.
In practice, the following assessment criteria should be used:
- the sign should be placed before entering the monitored area, not only once someone is already inside it,
- the mounting height should allow an average user to read it easily,
- colour contrast and font size should match the expected reading distance,
- the notice should be repeated at multiple entrances and across large sites,
- additional signs should be used where surveillance covers car parks, gates, reception areas, and circulation routes.
If a site manager wants to adopt an internal technical standard, a simple design rule based on sign readability can be used:
Parameter | Practical Meaning
|
|---|---|
Reading distance | The greater the distance, the larger the pictogram and font should be |
Contrast | High contrast improves visibility in poor lighting conditions |
Number of entrances | Each entrance to the monitored area should be marked separately |
Outdoor conditions | Outdoor signs should be resistant to UV, moisture, and dirt |
The absence of a statutory size requirement does not mean full discretion. In the event of an inspection, the key question is whether a person could realistically read the information before entering the surveillance area.
CCTV Sign and Photo or Video Anonymisation
In image-processing environments, a CCTV sign and anonymisation serve different purposes. The sign fulfils the transparency obligation at the data collection stage. Anonymisation or pseudonymisation reduces risk at a later stage of using the material—for example, before sharing a recording with a third party, publishing footage, or using it for training or evidential purposes.
If footage is to be exported or disclosed, a practice consistent with the data minimisation principle is to blur faces and—depending on the purpose and legal context—also blur license plates. These tasks typically use object detection and object tracking models across frames. In the case of faces, systems usually rely on deep learning models trained on large image datasets and then used for face detection in the source material. Only after detection does the system apply a blur or pixelation mask. However, this process does not affect the legal obligation to properly mark the location where the image was originally recorded.
It is also worth distinguishing the scope of functions. Gallio PRO automatically detects and blurs faces and license plates in photos and recordings saved in files. It does not perform real-time anonymisation or live video stream anonymisation. Nor does it automatically detect logos, tattoos, ID badges, documents, or content displayed on monitor screens. These elements can be masked manually in the editor. From a compliance perspective, this means that a CCTV sign remains mandatory regardless of the extent of later masking applied to the footage.
Key Compliance Risks and Assessment Criteria
A CCTV sign can be assessed in the same way as a spot check of a compliance process. The issue is not aesthetics, but measurable effectiveness of communication. For a DPO, simple audit criteria are especially useful.
Criterion | Control Question | Risk if Missing
|
|---|---|---|
Visibility | Is the information available before a person enters the surveillance area? | Breach of the transparency principle |
Minimum content | Does the sign identify the controller, the purpose, and the source of the full privacy notice? | Incomplete transparency obligation |
Readability | Can an average person read the sign without effort? | Merely formal compliance |
Consistency | Does the sign reflect the actual scope of the surveillance? | Misleading information about processing |
Currency | Are the controller details and purposes still up to date? | Documentary non-compliance |
Legal and Interpretative References
The legal basis for a CCTV sign is found primarily in EU law and in guidance issued by data protection authorities. Any analysis should rely on primary sources and official interpretations.
- GDPR – Regulation (EU) 2016/679, in particular Articles 5, 12, and 13, applicable since 25 May 2018.
- EDPB Guidelines 3/2019 on processing personal data through video devices – final version adopted on 29 January 2020.
- Materials and guidance issued by the President of UODO concerning the marking of monitored areas and layered privacy information.
There are differing interpretations when it comes to vehicle registration numbers. In Poland, some case law has held that a registration plate does not always constitute personal data on its own. On the other hand, the approach of data protection authorities and European practice is more cautious and often treats a registration number as information capable of identifying a person in a specific context. Therefore, for video material, a safer compliance approach is to assess the purpose and risk and, where justified, mask license plates before any further disclosure.