Sharing CCTV footage and GDPR – definition
Sharing CCTV footage under GDPR refers to the set of rules that determine when a controller may disclose video recordings or still images from a surveillance system to another party, and what safeguards must be applied to avoid infringing the rights of the individuals visible in the footage. In practice, this is a personal data processing operation within the meaning of Article 4(2) of Regulation (EU) 2016/679, because a recording that contains a person’s facial image, body features, behaviour, location and time context, and sometimes also vehicle registration plates, may make it possible to identify a natural person.
In the context of photos and video recordings, simply transferring a file is not a technically neutral act. It is a disclosure of data to an external recipient. It therefore requires a legal basis under Article 6(1) GDPR, purpose limitation, data minimisation under Article 5(1)(b) and (c) GDPR, and the implementation of security measures under Article 32 GDPR. If the footage is to be provided to a third party that does not need a full, unredacted image, the controller should consider blurring faces and licence plates in advance or preparing a copy limited to the necessary segment only.
For CCTV, it is also important to distinguish between disclosure and processing on behalf of the controller. If an external entity acts for its own purposes, for example the police conducting an investigation, it is a separate data recipient. If, however, a company servicing the CCTV system acts solely on the controller’s instructions, it is generally a processor and requires a data processing agreement compliant with Article 28 GDPR.
When sharing CCTV footage is lawful
Whether disclosure is lawful depends on the purpose of the transfer, the recipient’s status, and the scope of the footage. There is no single legal basis that covers every case. The assessment must be documented and linked to a specific request or legal obligation.
The most common legal bases are summarised below.
Recipient | Typical legal basis | Condition | Scope of disclosure
|
|---|---|---|---|
Police, public prosecutor, court | Article 6(1)(c) GDPR or Article 6(1)(f) GDPR | request based on a legal provision or other procedural power | footage necessary for the proceedings |
Insurer | Article 6(1)(f) GDPR or a specific legal provision | demonstration of a legitimate interest or legal obligation | segment related to the loss or damage claim |
Party to civil proceedings | case-by-case assessment – usually Article 6(1)(f) or compliance with a legal obligation | necessity for establishing, exercising or defending legal claims | limited scope, often after anonymising bystanders |
Data subject | Article 15 GDPR | exercise of the right of access, taking into account the rights of others | copy of the data or access for viewing, usually after anonymising other individuals |
It is not GDPR-compliant to hand over entire recordings “just in case” without verifying the purpose and without limiting the scope. It may also amount to a breach to provide footage to a private individual merely because they claim that they “appear in the recording” if the controller has not verified their identity and has not protected the personal data of other individuals.
Anonymisation and blurring before sharing CCTV footage
In compliance practice, it is crucial to prepare a version of the footage that is appropriate for the intended purpose. If the recipient does not need full identification of all individuals and vehicles, the data should be limited. In video recordings, this usually means blurring faces and licence plates and cutting out unnecessary time segments.
Automatic face blurring and licence plate blurring are usually based on object detection models trained using deep learning methods. An AI model does not “anonymise” footage in the legal sense; rather, it supports the technical implementation of data minimisation or pseudonymisation before disclosure. For such a model to work, it must first be trained on datasets containing properly labelled faces or licence plates. It is then used to detect objects in image frames and apply a blur mask or cover. The effectiveness of the process depends on footage quality, lighting, camera angle, compression, and the number of missed detections.
In the Gallio PRO environment, automatic processing applies only to faces and vehicle registration plates. The software does not blur entire bodies, does not anonymise the full video stream, and does not provide real-time anonymisation. It also does not automatically detect logos, tattoos, name badges, documents, or content displayed on monitor screens. Such elements can be hidden manually in the editor. This is important when sharing CCTV footage, because the controller should verify whether the material contains identifiers other than faces and licence plates that require manual redaction.
Police, insurers and parties to proceedings – practical rules
The highest number of mistakes occurs when a controller treats all requests in the same way. In reality, the permissible scope of disclosure depends on the recipient’s status and the legal basis.
In practice, it is worth applying the following rules:
- the police or public prosecutor should receive footage corresponding to the request, with the date, legal basis and scope of disclosure recorded,
- an insurer should receive only the footage needed to handle a specific claim, not a full archive from multiple cameras,
- a party to civil proceedings can often be provided with a copy after anonymising bystanders if their identification is not necessary for evidential purposes,
- a recorded individual should not automatically be given the raw file, because the exercise of the right of access under Article 15 GDPR must take into account the rights and freedoms of others.
A breach would in particular include publishing footage online, sending it through an uncontrolled messaging app, disclosing material without verifying the recipient’s identity, or without removing the data of bystanders. In its Guidelines 3/2019 on the processing of personal data through video devices, the European Data Protection Board indicates that the rights of other individuals appearing in the footage may justify restricting access or applying technical measures such as image masking.
Key parameters and risk control when sharing CCTV footage
When assessing the process, it is advisable to use measurable criteria. Not all of them arise directly from legislation, but they are necessary to demonstrate due diligence and the effectiveness of safeguards.
Parameter | Practical significance | Typical control objective
|
|---|---|---|
recording time range | data minimisation | only the period connected to the incident |
number of cameras included in the export | limiting excess data | only cameras relevant to the case |
percentage of frames with correctly blurred faces or licence plates | assessment of masking effectiveness | quality control before disclosure |
retention period for the working copy | operational security | deletion once the purpose has been fulfilled |
transfer method | confidentiality and integrity | encrypted storage device or secure channel |
If automatic blurring is used, the controller should account for false negatives, meaning undetected faces or licence plates. With low-quality footage, automation alone may be insufficient and manual validation may be necessary. This matters both from an evidential and compliance perspective, because a single missed face may result in the disclosure of personal data to an unauthorised person.
Legal references and interpretative differences
The main sources are the GDPR – Regulation (EU) 2016/679 of 27 April 2016, the EDPB Guidelines 3/2019 on processing personal data through video devices, and in Poland also sector-specific provisions governing monitoring, for example the Labour Code as amended in 2018 and the Act of 10 May 2018 on the Protection of Personal Data. In civil and criminal matters, procedural rules on securing and producing evidence are also relevant.
With regard to licence plates, there is an interpretative divergence. In European practice and in the positions of data protection authorities, a registration number is often treated as personal data if, in a specific context, it enables the identification of the owner or user of the vehicle. The EDPB favours a cautious approach, as does the case law of the Court of Justice of the European Union concerning a broad understanding of identifiability. On the other hand, Polish administrative case law includes views according to which a vehicle registration plate does not always in itself constitute personal data. From a risk management perspective when sharing CCTV footage, it is therefore safer to treat licence plates as identifiers requiring assessment and often blurring.
With regard to faces, the position is more clear-cut. As a rule, a person’s image recorded in footage constitutes personal data, and its dissemination is also subject to restrictions under the Civil Code and the Copyright and Related Rights Act. Exceptions usually concern a well-known person in connection with the performance of public functions, a detail of a larger whole, and situations where the person received agreed remuneration for posing.