A video surveillance privacy notice is a set of information provided to individuals who are subject to CCTV monitoring about the processing of their personal data. In practice, this mainly concerns a person’s image captured in video footage and, in certain cases, other identifiers visible in the material, such as vehicle registration plates. This transparency obligation arises from Articles 12 and 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, namely the GDPR, which has applied since 25 May 2018.
In a CCTV environment, the privacy notice usually follows a layered structure. The first layer is a short notice displayed at the entrance to the area covered by cameras. The second layer contains the full set of information required under Article 13 GDPR and should be easily accessible, for example at reception, on the controller’s website, or via a QR code. This approach is consistent with the European Data Protection Board’s guidance set out in Guidelines 3/2019 on processing of personal data through video devices, adopted in final version on 29 January 2020.
In the context of photo and video anonymization, a video surveillance privacy notice does not replace the obligation to implement appropriate technical and organizational measures. It informs data subjects about the processing itself, its purposes, legal basis, storage period, recipients, and the rights of recorded individuals. If video footage is used further, exported, published, shared with a processor, or anonymized by blurring faces or license plates, the information provided should reflect the actual processing operations.
How to provide a privacy notice near CCTV cameras
For CCTV monitoring, simply placing a camera pictogram is not enough. The individual must receive the information in a concise, transparent, and easily accessible way before entering the monitored area or, at the latest, when recording begins. This follows from the transparency principle under Article 12 GDPR and from the EDPB guidelines on video devices.
A two-layer model is most commonly used. The first layer is physically placed at the entrance, gate, barrier, reception desk, or within the field of view of a person approaching the camera. The second layer contains the full privacy notice and must be available without excessive effort.
- Layer 1 – short notice: identity of the controller, purpose of the CCTV monitoring, information about data subject rights, and where to access the full privacy notice.
- Layer 2 – full notice: all elements required by Article 13 GDPR, including the storage period, data recipients, contact details of the Data Protection Officer, and information on the right to lodge a complaint with a supervisory authority.
- Format: sign, sticker, policy, website, reception document, or QR code. The channel should match the installation location and the profile of the individuals being recorded.
For vehicle monitoring and parking areas, it is important that the notice is legible from an appropriate distance. The EDPB indicates that the first layer must enable the person to understand who is processing their data and for what purpose. It cannot be limited to a vague reference to security without identifying the controller.
Required content of a CCTV privacy notice
The content of the privacy notice must reflect the actual flow of personal data processing in the CCTV system, IP cameras, recording devices, and related downstream operations such as footage selection, video export, data masking, or disclosure of recordings to authorized authorities. In the case of photo and video anonymization, the notice should describe not the algorithm itself, but the purpose and scope of the further processing.
Notice element | Legal basis | Practical importance
|
|---|---|---|
Controller details | Article 13(1)(a) GDPR | The recorded person must know who is responsible for the CCTV monitoring. |
DPO contact details | Article 13(1)(b) GDPR | Helps individuals exercise their rights and ask questions. |
Purposes of processing | Article 13(1)(c) GDPR | For example, property protection, personal safety, or access control. |
Legal basis | Article 13(1)(c) GDPR | Most often Article 6(1)(c) or 6(1)(f) GDPR, depending on the context. |
Legitimate interest | Article 13(1)(d) GDPR | Required where the legal basis is Article 6(1)(f) GDPR. |
Data recipients | Article 13(1)(e) GDPR | For example, a security company, maintenance provider, or public authorities. |
Storage period | Article 13(2)(a) GDPR | It should be specific or based on a clear criterion. |
Data subject rights | Article 13(2)(b)–(d) GDPR | Access, erasure, restriction, objection, and complaint. |
Privacy notice and photo/video anonymization
From a compliance perspective, it is essential to distinguish between the source recording and material prepared for further use. If the controller intends to use excerpts from photos or recordings beyond the original security purpose, for example for publication, training materials, sharing with a partner, or presenting an incident, they should assess whether face blurring and license plate blurring are necessary.
In systems such as Gallio PRO, automated processing applies to faces and license plates. The software does not anonymize full body silhouettes, does not anonymize live video streams, and does not operate in real time. It also does not automatically detect logos, tattoos, name tags, documents, or images displayed on monitor screens. These elements may be blurred manually in the editor. This distinction matters for the wording of the privacy notice, because the controller should describe the actual scope of data operations and the recipients of the anonymized material.
If an AI model is used for face blurring, its operation usually involves two stages: object detection within the frame and the application of a mask or blur filter. Models of this kind are built using deep learning techniques, but the privacy notice itself does not need to disclose the model architecture. It should, however, indicate that the material may undergo technical anonymization in order to reduce the risk of infringing the rights and freedoms of natural persons.
Key parameters and compliance criteria
Assessing whether a video surveillance privacy notice is compliant should not be based on marketing claims, but on verifiable formal and operational attributes. For the DPO and the controller, the key issue is whether the notice is complete, accessible, and aligned with the actual lifecycle of the recording.
- Completeness: covers all elements required by Article 13 GDPR.
- Accessibility: information is visible before entering the monitored area.
- Readability: plain language, sufficient contrast, and a font size appropriate to the viewing distance.
- Process consistency: the notice is consistent with retention periods, camera scope, video export, and anonymization procedures.
- Accountability: ability to demonstrate since when and in what form the transparency obligation has been fulfilled.
A practical indicator is also the maximum retention period for recordings. Under Polish sector-specific regulations, there may be limits for certain industries, but as a rule the storage period should be limited to the strict minimum necessary and justified by the purpose. An arbitrary period should not be stated unless it is linked to a risk assessment and incident-handling procedures.
Most common mistakes in CCTV privacy notices
The most common errors concern not so much the presence of a sign itself, but its content and its relationship to the actual functioning of the system. Another issue is the omission of later operations on the footage, including anonymization or sharing recordings with external entities.
- No identification of the data controller or incomplete contact details.
- No indication of the full privacy notice or difficult access to it.
- An overly general purpose, for example just the word “security.”
- No information about data recipients and processors.
- An outdated retention period or no criterion for determining it.
- A description that does not match practice, for example no mention of exporting footage for anonymization.
Legal references and sources
The definition and practical application of a video surveillance privacy notice should be based on primary legal sources. Where there is a discrepancy between national practice and European positions, EU law and its interpretation take precedence.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – Articles 12, 13, and Article 5(1)(a) and (c).
- EDPB, Guidelines 3/2019 on processing of personal data through video devices, final version of 29 January 2020.
- Polish Act of 10 May 2018 on the protection of personal data.
- Sector-specific CCTV monitoring regulations, where applicable, for example the Labour Code or rules on monitoring in educational institutions.