Video Data Minimisation – Definition
Video data minimisation means applying the data minimisation principle to video footage and images containing people, vehicles, or other elements that make identification possible. Under data protection law, this principle follows from Article 5(1)(c) GDPR, which requires personal data to be adequate, relevant, and limited to what is necessary for the purposes of processing. In the context of CCTV and audiovisual data processing, this means the controller should limit both the scope of recording and the scope of any further disclosure, export, analysis, and retention of the footage.
In practice, this is not just about shorter video retention periods. Data minimisation applies to the entire lifecycle of video data: the camera’s field of view, resolution, number of cameras, recording frequency, audio range, the selection of frames disclosed to third parties, and anonymisation techniques. If the purpose can be achieved without identifying everyone visible in the footage, the material should be limited to the necessary excerpt or anonymised, in particular by blurring faces and license plates. This approach follows from the GDPR, the European Data Protection Board’s 2020 guidelines on the processing of personal data through video devices, and the practice of supervisory authorities.
How the Data Minimisation Principle Works in CCTV
In CCTV systems, data minimisation means limiting data both at the system design stage and when using recorded footage. This approach is consistent with Article 25 GDPR, namely the principles of privacy by design and privacy by default. The controller should assess what information is genuinely necessary for the purpose, for example protecting property, investigating an incident, or meeting a legal obligation.
In practice, data minimisation applies across several layers at the same time:
- scene scope – the camera should not cover a wider area than necessary, especially public spaces or third-party property without justification,
- identification scope – if the purpose does not require identification of all individuals, the visibility of identifying features should be limited,
- time scope – recordings should be stored only for as long as needed to fulfil the purpose,
- disclosure scope – an authorised person should receive only the necessary extract of the footage, not the entire archive.
For requests to secure or release video footage, a key rule is that the material should be prepared in a minimised version. If unrelated individuals or vehicles appear in the footage, their faces and license plates should be blurred unless identification of those persons or vehicles is necessary.
When Video Anonymisation Is Mandatory
Video anonymisation is not mandatory in every case of video processing, but it becomes necessary where further use of the footage goes beyond the original, necessary scope or where the material is to be disclosed to a party that does not need full identification of everyone visible in the frame. This applies, for example, to publishing footage, sharing recordings with third parties, using material for training or presentation purposes, and responding to data subject rights requests where the footage also includes other people.
As regards faces, the obligation to protect them generally follows from the GDPR, but also from laws protecting personal rights and image rights. In practice, three main exceptions are usually recognised where consent to publish an image may not be required:
- where the person is publicly known and the image was captured in connection with performing a public function,
- where the person is only a detail within a larger whole, such as a gathering, landscape, or public event,
- where the person received agreed payment for posing, unless they expressly reserved otherwise.
With license plates, the situation in Poland is not entirely consistent. On the one hand, guidance from the Polish Data Protection Authority, EDPB positions, and CJEU case law indicate that a registration number may lead to the identification of an individual and should therefore be treated with caution. On the other hand, some administrative court rulings have taken the view that a license plate alone does not always constitute personal data. In practice, blurring license plates before publishing or disclosing footage is a precautionary measure consistent with the approach adopted by many supervisory authorities.
Technologies Used for Video Data Minimisation
In photographic and video materials, data minimisation is achieved through selection, cropping, shortening, and anonymisation. In operational use, face detection and license plate detection algorithms are most commonly used, followed by masking filters. Where the process must be automated at scale, machine learning models are typically used, often based on deep learning. Such a model is first trained on labelled datasets and then used to detect objects in new footage.
It is useful to distinguish the technical stages:
- detection – identifying the location of a face or license plate in the image,
- tracking – maintaining identification of the object across consecutive frames,
- masking – applying blur, pixelation, or another mask,
- verification – checking whether the object remains visible after exporting the material.
Gallio PRO automatically blurs only faces and license plates. The software does not automatically detect logos, tattoos, ID badges, documents, or content displayed on monitor screens. These elements can be blurred manually in the editor. It is also important to note that Gallio PRO does not perform real-time anonymisation or live video stream anonymisation. It processes files after recording in an on-premises deployment model. Depending on the environment configuration and implementation method, the software may, however, generate technical logs.
Key Parameters and Metrics for Video Data Minimisation
Assessing whether a data minimisation process is working properly requires measurable parameters. In video anonymisation systems, what matters is not only detection accuracy, but also the number of missed objects and the impact on the evidential usefulness of the footage.
Parameter | Practical Meaning | Typical Interpretation
|
|---|---|---|
Detection recall | The percentage of actual faces or license plates detected by the system | Low recall increases the risk of data disclosure |
Detection precision | The percentage of correct detections among all model outputs | Low precision increases the number of incorrect masks |
False negative rate | The percentage of undetected objects | A key compliance risk indicator |
Processing time | The time needed to analyse and export the material | Affects operational efficiency |
Video retention period | The length of time footage is stored | Should be linked to the purpose and retention policy |
A simple operational formula can be used for risk assessment:
Disclosure risk = number of undetected objects / total number of identifying objects
In a compliance environment, keeping the false negative rate low is especially important, because even a single undetected face or license plate may result in unauthorised disclosure of personal data.
Practical Uses of Video Data Minimisation
The data minimisation principle is particularly important where footage leaves the original CCTV environment or is reviewed by people who do not need a complete view of the event. In such cases, anonymisation becomes a tool for reducing the scope of data without undermining the purpose of processing.
- responding to video access requests – only the segment concerning the requesting person is disclosed, with third parties blurred,
- sharing footage with legal representatives, insurers, or subcontractors – only to the extent necessary for the matter,
- training and audit materials – after anonymising faces and license plates,
- publishing photos or videos from semi-public spaces – after first limiting identifying elements.
Normative and Interpretative References
The legal basis for video data minimisation consists primarily of laws and guidelines on data protection and privacy in surveillance. Where there are inconsistencies, the assessment should focus on the purpose of processing, the possibility of identification, and the local practice of the relevant supervisory authority.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – Article 5(1)(c) and Article 25,
- EDPB Guidelines 3/2019 on processing personal data through video devices, version adopted on 29 January 2020,
- CJEU case law concerning the broad interpretation of data enabling indirect identification,
- national positions of supervisory authorities, including the Polish Data Protection Authority, on publishing recordings and protecting images and license plates.