
GDPR and the camera system — what you must comply with

Operating a camera system is processing of personal data under GDPR. The article summarises mandatory steps: signage, processing records, retention period, data subject rights and how to handle erasure requests.

Every camera system that records images of persons falls under the GDPR (General Data Protection Regulation). Compliance is not optional; it is the operator's legal duty.

Disclaimer: This article is a practical overview, not legal advice. For a comprehensive GDPR audit we recommend consulting a DPO (Data Protection Officer) or a lawyer specialising in data protection.

When does GDPR apply

GDPR applies to camera operation if:

  • The camera monitors public space or space accessible to the public (reception, parking lot, building entrance)
  • The camera monitors a workplace — employees are data subjects
  • The recording is stored (not just live without recording)
  • The camera identifies specific persons (most HD cameras)

GDPR exception — cameras in a purely private household (interior of the house, own land without capturing public space) do not require GDPR compliance. Once the camera captures the pavement, street or a neighbour's land, GDPR applies.

1. Legal basis for processing

You must have a valid reason (legal basis) for processing. For a camera system this is typically:

  • Legitimate interest (Art. 6(1)(f)) — most common. Property protection, personal safety. You must perform a balancing test — operator's interest vs. data subjects' rights.
  • Compliance with legal obligation — for selected entities (banks, casinos, airports)
  • Consent — practically unusable for cameras in public space

2. Information signs

Every space monitored by a camera must be clearly marked before entry. The sign must contain:

  • 🎥 Camera pictogram
  • Text: "This area is monitored by a camera system"
  • Controller's name and contact
  • Purpose of processing (e.g. "property protection")
  • Reference to detailed information (website, reception, notice board)

Sample sign text:

🎥 This area is monitored by a camera system.
Controller: [Your company Ltd], Reg. No.: 12345678
Purpose: property protection and personal safety
Retention: 7 days
More info: www.yoursite.com/gdpr

3. Record of Processing Activities

The operator must keep an internal Record of Processing Activities (ROPA), which contains:

  • Purpose of processing
  • Categories of data subjects (employees, customers, public)
  • Categories of personal data (image, vehicle plate, audio if recorded)
  • Recipients (e.g. camera service, security agency, police)
  • Retention period
  • Technical and organisational measures (password, encryption, authorised access)

4. Recording retention period

Recordings must be automatically erased after a reasonable time. Common practice:

  • 3–7 days — standard for property protection
  • 14 days — acceptable for higher-risk premises (bank, petrol station)
  • 30+ days — requires specific justification (the supervisory authority often challenges this)

PATRONUM NVRs let you set automatic overwrite after the chosen period in Recording → Retention.
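
One way to verify that automatic erasure actually happens, as an added example that is not PATRONUM code: it checks a configured period against the day thresholds listed above and lists recording files older than that period. It assumes recordings are mirrored or exported as .mp4/.mkv files to a directory you can read; the function names, file layout and sample clips are hypothetical.

```python
import os
import tempfile
import time
from pathlib import Path

# Day thresholds from the "common practice" list above.
STANDARD_DAYS, HIGH_RISK_DAYS, JUSTIFY_FROM_DAYS = 7, 14, 30
DAY = 86400  # seconds


def policy_findings(retention_days, high_risk=False, justification=""):
    """Compare a configured retention period with the article's guidance."""
    findings = []
    usual = HIGH_RISK_DAYS if high_risk else STANDARD_DAYS
    if retention_days > usual:
        findings.append(f"retention of {retention_days} days exceeds the usual {usual}")
    if retention_days >= JUSTIFY_FROM_DAYS and not justification.strip():
        findings.append("30+ days configured without a recorded justification")
    return findings


def overdue_recordings(root, retention_days, now=None, suffixes=(".mp4", ".mkv")):
    """Return (relative path, age in whole days) for files past the retention period."""
    now = time.time() if now is None else now
    overdue = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            age = now - path.stat().st_mtime
            if age > retention_days * DAY:
                overdue.append((path.relative_to(root).as_posix(), int(age // DAY)))
    return overdue


def build_sample(root, now):
    """Constructed sample: three empty clips in hypothetical channel folders, aged 2, 9 and 40 days."""
    for name, age_days in (("ch1/a.mp4", 2), ("ch1/b.mp4", 9), ("ch2/c.mkv", 40)):
        clip = Path(root) / name
        clip.parent.mkdir(parents=True, exist_ok=True)
        clip.write_bytes(b"")
        os.utime(clip, (now - age_days * DAY, now - age_days * DAY))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        now = int(time.time())
        build_sample(tmp, now)
        print(policy_findings(30))  # both findings: above usual, no justification
        for rel, age in overdue_recordings(tmp, 7, now=now):
            print(f"overdue: {rel} ({age} days old)")
```

Any file it reports means the overwrite setting is not being applied to that storage location, or that copies are accumulating outside the NVR.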

5. Rights of data subjects

Every person captured on the camera has the right to:

  • Information — what you process about them (you respond to a written request)
  • Access — get a copy of the recording where they appear (typically within 1 month of the request)
  • Erasure — if there is no legal reason for retention
  • Objection — to the processing (in case of legitimate interest)

When to refuse a request: if providing the recording would violate other people's rights (e.g. the frame contains other people too). Solution: anonymise (blur) the others.

6. Security measures

  • 🔐 Strong password on cameras and NVRs (at least 12 characters, not the default "admin/admin")
  • 🔄 Regular firmware updates — see guide
  • 🔒 Restricted access — only authorised persons, separate user accounts
  • 📝 Access log — who viewed the camera or exported a recording, and when
  • 🛡️ Encrypted transmission — HTTPS for the web interface, encrypted P2P

7. Audio and biometrics — be careful!

If your camera records audio, you need explicit consent from all captured persons — legitimate interest is not enough. Recording calls without consent is a GDPR breach and may also break criminal law.

AI face recognition (as opposed to mere face detection) is processing of biometric data; it requires a separate GDPR assessment and the data subjects' consent.

Sanctions

The supervisory authority may impose fines up to EUR 20,000,000 or 4% of the company's global turnover. In practice fines for camera systems are typically in the order of thousands of euros, but they are by no means a negligible risk.

Final checklist

  • ☐ I have signs informing about monitoring
  • ☐ I keep an internal record (ROPA)
  • ☐ The recording is automatically erased after 7 days (or a justified period)
  • ☐ Cameras have strong passwords, not defaults
  • ☐ Firmware is updated
  • ☐ Camera access is restricted to authorised persons
  • ☐ I have a process for data-subject requests (who, how, by when)
  • ☐ If I record audio or use face recognition → I have consents

For specific retention-period and user-management settings, see the NVR settings guides. For registering a camera system with the supervisory authority, see your local authority's website.
