Proteccion de datos

CCTV and data protection compliance

Installing surveillance cameras without complying with the GDPR and LOPDGDD 3/2018 exposes your business to sanctions from the Spanish Data Protection Authority (AEPD). We guide you through full compliance: mandatory signage, activity register, legal basis, retention periods and procedures for handling the rights of recorded individuals.

Applicable lawGDPR (EU) 2016/679 · LOPDGDD 3/2018 (arts. 22 and 89)
ProfileHospitality, retail, residential communities, SMEs and companies
DeliveryOn-site and remote · Castilla y León and Canary Islands

CCTV footage captures images of identified or identifiable individuals: it constitutes personal data processing from the moment the camera records. Article 22 of LOPDGDD 3/2018 specifically regulates processing for security and surveillance purposes and imposes concrete obligations: displaying mandatory informative signage in a visible location before entering the recorded space, limiting the retention of recordings to a maximum of one month as a general rule (unless they constitute evidence of an unlawful act), and ensuring that only those with proper authorisation can access the footage.

In the workplace context, Article 89 of LOPDGDD adds an additional layer: employers may install CCTV systems to monitor compliance with employment obligations, but must inform employees in advance and, where one exists, the trade union representation. Cameras may not be placed in rest areas, changing rooms or bathrooms. Failure to meet these requirements invalidates recordings as evidence in disciplinary proceedings and constitutes an independent infringement before the AEPD.

Summum Consultoria supports hospitality operators, retailers, residential communities and businesses of all sizes in bringing their surveillance systems into compliance. We do not substitute for the AEPD or guarantee the outcome of any sanctioning procedure, but we work with you to build the documentation, processes and organisational measures that demonstrate diligent and proactive accountability in the face of any regulatory enquiry.

The CCTV and data protection compliance process.

The process · four stages
01

Assessment of the existing system

We review the installed cameras, their location, the type of images they capture, who accesses the recordings, how long they are retained and whether any prior documentation exists. We identify gaps with respect to Article 22 LOPDGDD, Article 89 LOPDGDD where employees are recorded, and AEPD guidance.

02

Legal basis and activity register

We determine the applicable legal basis — in most cases the legitimate interest of the controller under Article 6.1(f) GDPR — and create or update the CCTV processing entry in the Record of Processing Activities (RPA) required by Article 30 GDPR.

03

Documentary measures

We draft the standardised informative sign in accordance with the AEPD model, indicating the identity of the controller, the purpose of processing and how data subjects may exercise their rights. In employment settings, we draft the advance communication to employees and, where applicable, to trade union representatives, in accordance with Article 89 LOPDGDD.

04

Rights and breach protocol

We establish the internal procedure for handling access, rectification and erasure requests submitted by recorded individuals. We define the security breach notification protocol to the AEPD within the 72-hour maximum deadline (Article 33 GDPR) and communication to affected individuals when the risk is high (Article 34 GDPR).

What is included

What CCTV and data protection compliance includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Standardised informative signage

    Preparation of the mandatory sign in accordance with Article 22 LOPDGDD and the AEPD model: controller identity, purpose, retention period, data subject rights and how to exercise them. We verify placement in a visible location before the recorded area is entered.

  • Record of Processing Activities — CCTV entry

    Specific processing record entry for CCTV under Article 30 GDPR: description of cameras, data captured, legal basis, retention periods, recipients and security measures applied.

  • Cameras in the workplace (Art. 89 LOPDGDD)

    Review of camera placement to verify that rest areas, changing rooms and bathrooms are not filmed. Drafting of the advance notice to employees and, where applicable, to trade union representatives. Adaptation of employment contracts or internal regulations where required.

  • Recording retention periods

    Implementation of the automatic deletion procedure under Article 22.3 LOPDGDD: maximum one month as a general rule. Documentation of the exception procedure when images must be retained as evidence of an unlawful act, with notification to law enforcement or the competent judicial authority.

  • Access control to recordings

    Definition of who may access recorded footage, under what conditions and with what audit trail. Review of contracts with private security companies or recording system providers as data processors under Article 28 GDPR.

  • Security breach protocol

    Internal procedure for detection, containment and notification to the AEPD within 72 hours (Article 33 GDPR). Where the breach poses a high risk to recorded individuals, a direct communication protocol in accordance with Article 34 GDPR.

Summum cluster

How it connects with its sisters.

CCTV compliance under the GDPR is part of a broader personal data protection system. When the recording system is connected to networks or cloud platforms, cybersecurity and technical access management are equally critical, and Summum Sistemas can support you on that front.

Frequently asked questions about CCTV and data protection compliance.

Is it mandatory to display an informative sign if I have security cameras?

Yes. Article 22 of LOPDGDD 3/2018 requires placing a sufficiently visible sign, before entering the recorded space, indicating that CCTV is in operation, who the data controller is, and how the rights of access, rectification, erasure and objection may be exercised. The AEPD provides a model template, but the sign must be adapted to the specific details of the controller. Absence of the required sign is one of the most common infringements detected during inspections.

How long can I keep CCTV recordings?

Article 22.3 of LOPDGDD sets a general maximum retention period of one month from the date the images were captured. After that period, they must be erased or, as appropriate, blocked. The only exception is where recordings must be preserved to evidence an unlawful act: in that case, they must be made available to law enforcement or the competent judicial authority within the timeframe indicated by those bodies. Retaining recordings beyond one month without justification constitutes a GDPR infringement.

Can I install cameras to monitor employees at work?

Yes, within the limits set by Article 89 of LOPDGDD. Employers may install CCTV to monitor compliance with employment obligations, but subject to two prior conditions: informing employees of the existence and essential characteristics of the devices, and informing trade union representatives where they exist. Cameras may not be placed in rest areas, changing rooms, canteens or bathrooms. If these requirements are not met, recordings lose their validity as evidence in disciplinary proceedings and the installation constitutes an independent infringement.

What legal basis supports CCTV image processing?

The most common legal basis is the legitimate interest of the controller under Article 6.1(f) GDPR, where the purpose is the security of persons, property and premises and there is a genuine and proportionate need. A proportionality test must be carried out: the measure must be adequate, necessary and balanced against the rights of those recorded. In the employment context, Article 89 LOPDGDD adds the employment contract as an additional legal basis. Consent is not the usual legal basis for CCTV, precisely because conditioning access to premises on giving consent rarely meets the requirement of freely given consent.

What happens if someone asks for access to footage in which they appear?

Recorded individuals are entitled to the rights recognised under the GDPR: access, rectification, erasure and objection. They must be able to exercise those rights by contacting the controller through the channels indicated on the informative sign. The controller has one month to respond (Article 12 GDPR), with the possibility of a two-month extension in complex cases. If the footage has already been deleted because the retention period elapsed, the controller must communicate this. Any refusal must be legally justified.

Does a residential community that installs cameras need to comply with the GDPR?

Yes. A residential community that installs cameras in communal areas — entrance lobby, car park, swimming pool, lift — is a data controller for all GDPR purposes. It must display informative signage, include the processing in its record of processing activities, define retention periods and establish access controls for recordings. The decision of the residents' meeting authorising the installation does not equate to GDPR compliance; documentary compliance is an additional and mandatory step.

Am I required to notify the AEPD if my recording system is hacked?

If the security breach affects stored recordings and is likely to result in a risk to the rights of recorded individuals, yes: Article 33 GDPR requires notification to the AEPD within a maximum of 72 hours from the moment the controller becomes aware of the breach. If the risk is high — for example, if images could be used for tracking or blackmailing identifiable individuals — Article 34 GDPR also requires direct communication to the affected individuals. Having a breach management protocol prepared in advance is the only practical way to meet the 72-hour deadline.