What Is School CCTV and GDPR?

Legal Basis for CCTV in Educational Institutions
The School Principal’s Duties as Data Controller Representative
Informing Pupils and Parents About CCTV
Anonymisation of School CCTV Footage and Photos
Key Parameters and Risks in Video Processing
Practical Use Case: When a School Should Anonymise Footage
Normative and Interpretative References

School CCTV and GDPR refers to the set of legal, organisational, and technical rules governing video recording on school premises and the further processing of footage in line with personal data protection law. In practice, this means determining when a school may use cameras, what legitimate purpose it must have, how long recordings may be stored, who may access them, and how to reduce the risk of excessive identification of people visible in the video material.

Under Polish law, the main legal basis for video surveillance in schools is Article 108a of the Education Law Act of 14 December 2016. This provision defines the permitted purpose of CCTV monitoring, namely ensuring the safety of pupils and staff and protecting property. At the same time, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) apply, in particular the principles of lawfulness, data minimisation, purpose limitation, integrity and confidentiality, and accountability.

In the context of anonymising photos and video recordings, the term also covers the obligation to prepare material in a way that any further use of the footage—for example for incident analysis, transfer to an external party, staff training, or publication of part of the recording—does not lead to unjustified disclosure of the image of pupils, teachers, or third parties. In such cases, anonymisation usually involves face blurring and, where necessary, blurring licence plates visible near entrances, car parks, and access roads.

Legal Basis for CCTV in Educational Institutions

A school cannot implement CCTV simply because it is technically easy to do so. It must demonstrate a legal basis, a justified and specific purpose, and the proportionality of the measure. In the case of schools, these requirements are defined more precisely than in many other sectors.

The key legal and regulatory sources are:

the Education Law Act of 14 December 2016, Article 108a – rules for the use of CCTV in schools and educational institutions,
the GDPR – Regulation (EU) 2016/679, applicable since 25 May 2018,
the Polish Personal Data Protection Act of 10 May 2018,
EDPB Guidelines 3/2019 on processing personal data through video devices, adopted on 29 January 2020,
guidance issued by the President of the Polish Data Protection Office (UODO) concerning CCTV in schools and the controller’s information obligations.

Article 108a of the Education Law shows that CCTV in schools may cover the school premises and the surrounding area if this is necessary to achieve the statutory purposes. The provision also introduces location-based restrictions. As a rule, cameras should not cover rooms where the risk of infringing dignity and other personal rights would be particularly high, unless the law provides for exceptions and additional safeguards are met.

The School Principal’s Duties as Data Controller Representative

In practice, the school principal is responsible for the lawful implementation of CCTV as the person managing the institution, while the data controller is generally the school or educational establishment as an organisational unit. Buying cameras alone is not enough. The entire decision-making process and the rules for access to recordings must be documented.

The principal’s key duties include:

defining the purpose of CCTV and demonstrating that its use is necessary,
designating camera-covered areas in line with the data minimisation principle,
setting the footage retention period—generally no longer than 3 months, unless the recording constitutes evidence in proceedings or the school becomes aware that it may serve as evidence, as provided in Article 108a(4) of the Education Law,
implementing the technical and organisational measures required by Articles 24, 25, and 32 GDPR,
ensuring compliance with the information obligation toward pupils, parents, staff, and other people entering the school premises,
establishing rules for disclosing recordings, copying footage, and documenting operations,
carrying out a risk assessment and, in high-risk cases, conducting or considering a DPIA, i.e. a data protection impact assessment under Article 35 GDPR.

If the school uses an external provider to maintain the CCTV system or process video footage, the data processing arrangement must also be regulated in accordance with Article 28 GDPR.

Informing Pupils and Parents About CCTV

School CCTV cannot be hidden. Data subjects must know that images are being recorded, who is responsible for processing the data, and for what purpose the system operates. In the school environment, the information obligation is especially important because it also concerns minors.

Information should be provided in layers. This means the school should use both signage at entrances and in monitored areas, as well as a fuller privacy notice available to parents, pupils, and staff. In practice, this includes:

clear marking of areas covered by CCTV,
identification of the data controller and contact details,
a description of the purpose and legal basis for processing,
the retention period for recordings,
information about data recipients, where applicable,
a description of data subjects’ rights, taking into account the limitations arising from the nature of CCTV monitoring.

In schools, pupils, staff, and their parents or legal guardians should be informed no later than 14 days before CCTV becomes operational. If monitoring is already in place, the school should ensure that the information obligation is fulfilled continuously and clearly. In relation to staff, employment law and the institution’s internal rules must also be taken into account.

Anonymisation of School CCTV Footage and Photos

Not every use of CCTV footage requires anonymisation. If the material is reviewed internally by authorised persons in connection with a security incident, the school will usually work with the original file. Video anonymisation becomes important when the material is to be used more broadly than the original purpose of securing the incident, or when the scope of disclosed data needs to be limited.

In school practice, anonymisation of video material most often includes the faces of pupils, teachers, parents, and third parties. If a camera covers a drop-off area or car park, licence plate blurring may also be justified. In Western European countries, the requirement to reduce identifiability in this way is usually interpreted strictly. In Poland, the issue of licence plates remains context-dependent. On the one hand, UODO, the EDPB, and CJEU case law tend toward a broad approach, treating a registration number as information that can enable identification when combined with additional data. On the other hand, some administrative court rulings have indicated that a licence plate alone does not always constitute personal data.

From a technical perspective, automatic face blurring requires detection models based on deep learning. First, an AI model is created and trained on properly prepared datasets. The model is then used to locate faces in successive video frames, track objects, and apply a blur or masking layer. The same mechanism, using a different detection model, is applied to licence plates.

An important practical limitation is that Gallio PRO automatically detects and blurs faces and licence plates, but does not automatically detect company logos, tattoos, name badges, documents, or content visible on monitor screens. Such elements can be concealed manually in the editor. The software does not anonymise entire body silhouettes and does not perform real-time anonymisation or live video stream anonymisation.

Key Parameters and Risks in Video Processing

Assessing whether school CCTV complies with GDPR should cover not only formal issues, but also the technical parameters of the system and the anonymisation process. These factors determine whether the school actually reduces the risk of excessive identification.

Parameter	Practical significance	Risk when quality is low
Footage retention	Typically up to 3 months, unless the material is evidence	Excessive data storage
Face detection accuracy	Affects how effectively third parties are blurred	Missed faces and disclosure of identity
False positives	Blurring objects that are not faces or licence plates	Excessive interference with footage readability
Access control	Limits the number of people who can view recordings	Unauthorised disclosure of data
Audit trail of operations	Shows who used the material and when	Lack of controller accountability

In anonymisation systems, metrics such as precision, recall, and intersection over union are typically used for object detection, but acceptable values depend on the quality of the source recording, camera angle, lighting, compression, and movement. That is why effectiveness should be assessed on footage that reflects the real school environment, rather than relying solely on the manufacturer’s test data.

Practical Use Case: When a School Should Anonymise Footage

A typical case involves a peer violence incident in a corridor. The school secures footage from several cameras, reviews it internally, and determines the course of events. At this stage, access should be limited strictly to authorised persons. If the material is then to be shared with an external party for technical analysis, used for staff training, or shown beyond what is strictly necessary, the identifiability of people unrelated to the case should be reduced.

In this scenario, the correct process includes:

securing the original file as source material,
creating a working copy for anonymisation,
automatically blurring faces and, where appropriate, licence plates,
manually verifying that no identifiers have been missed,
sharing only the anonymised version if the purpose does not require full identification of individuals.

This model supports the data minimisation principle under Article 5(1)(c) GDPR and the privacy by design principle under Article 25 GDPR.

Normative and Interpretative References

In the area of CCTV in schools, it is worth referring to primary sources, because practice is not always uniform. This is particularly true for camera scope, retention periods, and the processing of footage for secondary purposes.

Regulation (EU) 2016/679 of 27 April 2016 – GDPR,
the Education Law Act of 14 December 2016, as amended, Article 108a,
EDPB Guidelines 3/2019 on processing personal data through video devices, final version of 29 January 2020,
guidance from the President of UODO on CCTV in schools and the information obligation,
CJEU case law on the broad understanding of personal data and identifiability through the use of additional information,
administrative court rulings indicating in some cases that a licence plate alone does not necessarily constitute personal data.

Where interpretations conflict, the safer compliance approach is to adopt the more protective option, especially when the recording is to be disclosed outside the school.