Did you know CCTV images are considered to be personal data under the GDPR?

CCTV Services London

As of 25 May 2018, organisations that use CCTV to capture images of individuals are processing personal data as defined by the GDPR (General Data Protection Regulation) and must comply with the Regulation’s requirements.

If your business uses CCTV – whether for security or employee monitoring purposes – and you’re unsure about your obligations under the new law and how they differ from those of the DPA (Data Protection Act) 1998, this blog outlines some of the areas you need to consider.

Data processing principles (Article 5)

Whether you operate a surveillance system yourself or contract a third-party CCTV company to do it on your behalf, you are a data controller under the GDPR and, in accordance with Article 5, must ensure that personal data is:

  • Processed lawfully, fairly and transparently.
  • Collected for specified, explicit and legitimate purposes, and not further processed for other purposes.
  • Adequate, relevant and limited to what is necessary.
  • Accurate and, where necessary, kept up to date.
  • Kept in a form that allows data subjects to be identified for no longer than is necessary.
  • Processed securely.

Meeting these six data processing principles will require you to implement a number of technical and organisational measures, as will meeting data subjects’ rights:

  • To be informed of access.
  • To rectification.
  • To erasure.
  • To restrict processing.
  • To data portability.
  • To object.
  • In relation to automated decision-making and profiling.

Third-party organisations that process data for you, such as CCTV companies, are data processors. It is your responsibility as a data controller to ensure that you use only data processors that provide sufficient guarantees that they meet the GDPR’s requirements, including for the security of processing.

Last year,  the ICO prosecuted a company operating CCTV in properties in Sheffield for failing to alert people to its use of CCTV, for failing to register with the ICO and for failing to comply with an Information Notice. This is likely to come as a shock to many organisations that aren’t aware that CCTV images are covered by the General Data Protection Regulation (GDPR). We take a look at what steps need to be taken for CCTV usage to be compliant with the new data protection legislation.

If your CCTV system monitors or records the activities of individuals, this will constitute the processing of personal data under the General Data Protection Regulations (GDPR) and be caught by the data protection legislation.

Unlike other technology and security service providers, at Oyatech we know CCTV inside out. We use cutting edge technology like screen masking to only record segment of the coverage area.

If you think your CCTV is not compliant, simply give us a call or fill this form to book your complimentary systems review.

Scroll to Top


We have received your message and one of our directors will personally get in touch with you.