PATRONUM
Provoz a údržba

General information on camera-system operation (GDPR)

Operating a camera system is subject to GDPR rules. Find out what duties the data controller has and how to handle recordings correctly.

Operating a camera system and GDPR

Operating a camera system that captures identifiable persons is processing of personal data within the meaning of the GDPR Regulation (EU) 2016/679. This means the operator (the data controller) has a number of duties.

1. Legitimate purpose

The system can only be operated for a clearly defined purpose:

  • Property protection (most common)
  • Health and life of persons
  • Crime prevention
  • Other legitimate interest of the controller

The purpose must be documented in writing and the camera placement (field of view) must be proportionate to it.

2. Information signs

Visitors must be informed before entering the monitored area. Place signs at all entries with:

  • "This area is monitored by camera"
  • Camera/eye symbol
  • Controller's identification (name, address, contact)
  • Where to find more details (link to website / privacy policy)

3. Records of processing

Maintain a record of processing under Article 30 GDPR including: purpose, categories of data subjects, types of data, recipients, retention period, security measures.

4. Retention period

Recordings should not be kept indefinitely. Common practice:

  • Living areas: 7 days
  • Commercial premises: 14 days
  • Critical infrastructure: 30 days (with justification)

After expiry the recording must be deleted (overwritten by recorder loop = OK, exported recordings must be deleted manually).

5. Rights of data subjects

Anyone caught on the recording can:

  • Request information about the processing
  • Request access (a copy of the recording featuring them)
  • Request erasure
  • Lodge a complaint with the supervisory authority (Office for Personal Data Protection in the Czech Republic)

The controller must respond within 30 days.

6. Security

  • Strong device password (12+ characters)
  • Up-to-date firmware
  • VLAN isolation from internet
  • Two-factor authentication for remote access
  • Encrypted streams (P2P + HTTPS)
  • Limited number of administrators

7. Restricted areas

You must NOT monitor:

  • Toilets, changing rooms
  • Private rooms of family members
  • Other people's property without consent
  • Public space (street) without permission from the municipality

8. Sanctions

For breaches, the supervisory authority can impose fines up to EUR 20 million or 4% of annual turnover. Even smaller breaches typically incur fines of EUR 4,000–40,000.

For more on practical GDPR for camera systems see GDPR and camera system — what you must comply with.

Need detailed help?

This article is part of our Czech support center. For full assistance with PATRONUM camera systems, installation in Czech Republic / Slovakia, or technical questions, contact us directly.

Contact our team