Camera supervision and GDPR: what the controller needs to think through

Author: Tomas Hozak
Date: November 1, 2024
Reading time: 13 min read
Updated: June 1, 2026

Rules for camera systems, GDPR, balancing test, information duty and mistakes that can create problems for a company.


Summary of the article

  • A camera system needs a clear purpose, reasonable scope and access rules.
  • Notification of persons and record retention must correspond to the specific operation.
  • Records are not to be used outside their intended security or operational purpose.

A camera system can be a useful tool for protecting property, people and operations. But at the same time, it interferes with the privacy of people who move through the monitored area. It is therefore not enough to install a camera and hope that the legal side will sort itself out.

The controller needs to know why the cameras are being used, what area they record, who has access to the footage, how long the footage is kept and how people are notified. These practical questions decide whether the camera regime makes sense and is defensible.

1. Purpose is the foundation

Every camera system should start with a clearly described purpose. Typically this can be for property protection, personal safety, vandalism prevention, access control or incident documentation. If the purpose is not specific, it is difficult to assess whether the scope of monitoring is adequate.

It's not enough to say "just in case". A camera should be used only where there is a sound reason for it and where the same objective cannot be achieved by less invasive measures, such as better lighting, a lock, an entry regime or physical checks.

2. Balancing test and reasonableness

Security cameras often rely on the controller's legitimate interest. But that is not an automatic pass for any kind of monitoring. The controller must be able to demonstrate that it has a legitimate goal, that the camera is appropriate for that goal, and that the invasion of privacy is not unreasonable.

| Question | What the controller should clarify | Typical error |
| --- | --- | --- |
| Why do we monitor? | What specific problem the camera is supposed to solve. | General rationale without risk description. |
| What does the camera capture? | Whether the shot extends to places where people expect more privacy. | Too wide a shot with no masking or limiting settings. |
| Who can see the recording? | Who has authorized access and for what purpose. | Shared access, missing records or uncontrolled exports. |
| How long is it stored? | Retention period according to purpose, risk and operation. | Unnecessarily long retention without justification. |

3. Workplace and employee privacy

Employee monitoring is one of the most sensitive areas. A camera system is not intended for routine checks of work pace, monitoring of breaks or as a replacement for human management. If a camera covers the workplace, the reason must be particularly well described and reasonable.

For workplaces, it is important to separate the safety purpose from performance control. A camera at the entrance to the warehouse may have a different regime than a camera pointing at a workbench. In places where people have a legitimate expectation of privacy, you need to be very careful and usually look for other solutions.

4. Information obligation

People must know they are entering a monitored area. In practice, brief information is posted at the entrance and more detailed information is made available, for example, on the website, at reception or in internal documentation. A brief sign without further explanation is usually not enough.

The information should contain the purpose of the monitoring, the identification of the controller, the basic rights of the data subject and where to find the details. For employees, it is advisable to add internal rules that describe the operation of the camera system clearly and without legal fog.

5. Retention and Access to Records

The retention period should correspond to the purpose. A shorter period is easier to justify for routine security supervision; a longer period needs a specific reason. If an incident occurs, the relevant part of the record can be isolated and retained for incident resolution.

Only a limited group of people should have access to the records. Exports, handovers to the police, service access and the work of an external security agency should be covered contractually and procedurally. Camera footage is not material for social media or informal chat sharing.

6. Apartment buildings and common areas

In apartment buildings, the goal is to protect common property, entrances, cellars or bike sheds. At the same time, it is an environment where people live and have a legitimate expectation of privacy. The administrator or SVJ must therefore assess the scope of the footage, how residents are informed, the decision-making process according to the statutes and access to records.

A typical mistake is recording an unnecessarily wide area or places that show the movement of specific residents more than is necessary for the safety of common areas. The technical setup of the shot is therefore just as important as the legal documentation.

7. Checklist for controllers

  • [ ] Purpose: Describe the specific reason for camera surveillance.
  • [ ] Adequacy: Verify that the camera does not capture more than necessary.
  • [ ] Information: Mark the monitored space and make the details accessible.
  • [ ] Retention: Adjust the retention period according to purpose and risk.
  • [ ] Access: Specify who can view and export recordings and to whom they are forwarded.
  • [ ] Contracts: Cover servicing, external security and other processors.
  • [ ] Review: Periodically verify that the original purpose and scope still apply.

Conclusion

GDPR does not ban cameras per se. But it does require the controller to think about purpose, adequacy, informing people, retention period and access to records. A well-set camera regime protects both operations and privacy and is understandable to the people it affects.

Tomas Hozak

Managing director and founder

Founder and CEO of Bravion Group s.r.o. He personally oversees the company's key engagements, partnerships and operational standards.

Managing director and founder of Bravion Group s.r.o. Oversees key projects and business partnerships. Responsible for service quality and content direction.