Video surveillance can effectively protect locations, goods and sensitive areas. At the same time, every camera interferes with the personal rights of the people it captures, e.g. employees, visitors and suppliers. Legal certainty therefore only arises from carefully weighing up the interests involved, clearly defined purposes, short retention periods, transparent information and clean processes from planning to evaluation.
Legal framework and planning requirements
The data protection basis for video surveillance in companies is regularly legitimate interest (Art. 6 para. 1 lit. f GDPR). In constellations involving employees, Section 26 BDSG also applies, and Section 4 BDSG additionally regulates publicly accessible rooms.
In all cases, the following applies: the specific purpose must be legitimate, the measure must be suitable and necessary, and it must not be replaceable by equally effective but less intrusive means. The measure only remains permissible if the data subjects' interests worthy of protection do not outweigh it.
Before each installation, companies should determine which risks need to be addressed, which areas actually need to be monitored and whether less intrusive alternatives are sufficient (e.g. access concepts, lighting, mechanics, guard tours).
Where cameras are permitted – and where they are not
It is legally unproblematic to monitor entrances, access roads, delivery areas and infrastructure zones that require special protection – but only to the depth and width of image that is strictly necessary. Rooms that serve private life, such as sanitary facilities, changing rooms and classic break rooms, remain off limits. In publicly accessible areas and at property boundaries, public space must be left out of the image or technically masked (e.g. pixelation or privacy masks).
At workplaces, preventive continuous monitoring is generally not permitted; covert monitoring is reserved for narrow exceptions with documented suspicion and requires a strict proportionality test. In companies with a works council, the works council must be involved; a works agreement creates legal certainty regarding purposes, zones, evaluation, retention period, roles/rights and control mechanisms.
Implementation: Documentation and information for affected parties
Transparency is the paramount legal requirement for implementation. As soon as someone enters the monitored area, signs must draw attention to the monitoring and provide the mandatory information: details of the controller, purpose, legal basis, retention period and data subject rights, ideally with a reference to more detailed data protection information.
Data subjects have rights of access, erasure and objection. A practicable process for identifying relevant sequences, redacting third-party data and responding in a timely manner prevents legal and reputational risks. A consistent approach is important: if you have a short retention period and clear exception logic, you can handle requests efficiently and in a legally compliant manner.
The internal counterpart of the data subject information is the record of processing activities. All of the aforementioned information about the video surveillance must be documented in it.
As a rule, a data protection impact assessment (DPIA) must also be carried out. It documents the risk, purpose, necessity, protective measures and the result of the final assessment.
Technical and organizational measures in operation
In parallel with the transparency requirements, technical and organizational measures must be taken to ensure data security. The core measures include restrictive assignment of access rights with individual accounts, logging of every inspection and every data transmission, encryption in transit and at rest, secure networks, regular updates and an effective deletion concept. Equally important: the technical limitation of fields of view, fixed masks/privacy zones for public areas, automatic schedules instead of permanent recording, and a procedure for incidents (viewing, preservation of evidence, forwarding to authorities). Training for authorized personnel and regular audits complete the circle.
Recordings may only be retained for as long as is necessary for the intended purpose. In practice, short retention periods of 72 hours have proven effective. Automatic deletion, documented exception logic for incidents and a log of every evaluation are then recommended.
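The deletion concept described above, as an added example that is not part of the original article: a retention job that deletes recordings after the 72-hour period unless a documented incident hold applies, and writes every hold, deletion and exceptional retention to an audit log. The clip names, the incident reference and the fixed clock are constructed sample data; storage and camera APIs are out of scope.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(hours=72)  # the short retention period the article names

@dataclass
class Recording:
    clip_id: str
    captured_at: datetime
    incident_ref: Optional[str] = None  # set only by the documented incident procedure

def log_event(log, actor, action, clip_id, reason):
    """Append one audit entry; every deletion and hold goes through here."""
    log.append({"actor": actor, "action": action, "clip_id": clip_id, "reason": reason})

def place_hold(clip, incident_ref, actor, log):
    """Exempt a clip from the deletion cycle for a documented incident."""
    clip.incident_ref = incident_ref
    log_event(log, actor, "hold", clip.clip_id, f"incident {incident_ref}")

def enforce_retention(clips, now, log, actor="retention-job"):
    """Return (kept, deleted): delete after 72h unless an incident hold applies."""
    kept, deleted = [], []
    for clip in clips:
        expired = now - clip.captured_at > RETENTION
        if expired and clip.incident_ref is None:
            deleted.append(clip)
            log_event(log, actor, "delete", clip.clip_id, "retention period expired")
        else:
            kept.append(clip)
            if expired:  # on hold: retention is an exception and must be traceable
                log_event(log, actor, "retain", clip.clip_id, f"hold {clip.incident_ref}")
    return kept, deleted

def sample_scenario():
    """Constructed sample (not real footage): three clips against a fixed clock."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    clips = [Recording("cam1-001", now - timedelta(hours=80)),   # expired, no hold
             Recording("cam1-002", now - timedelta(hours=96)),   # expired, hold placed below
             Recording("cam2-007", now - timedelta(hours=10))]   # still within 72h
    log = []
    place_hold(clips[1], "INC-0001", "security-lead", log)
    return clips, now, log
```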
Processors, roles and responsibilities
If external service providers access the system or the recordings, typically security services (live view) or maintenance providers, a data processing agreement under Art. 28 GDPR is required. Among other things, it governs the subject matter, purposes and scope of the processing.
Conclusion
Legally compliant video surveillance succeeds if the need for protection and the intensity of the intrusion are weighed up honestly, cameras are placed with restraint, retention periods are kept short, and transparency, co-determination and technical and organizational measures (TOMs) are implemented consistently. Companies that adhere to these documented principles gain security in practice – and the trust of the people on their premises.