Yes, you are allowed to install a CCTV camera on your private property.  Under the GDPR this falls within the category of the so-called household exemption.  As considered by the European Court of Justice, the so called “household exemption” must “be interpreted as relating only to activities which are carried out in the course of private or family life of individuals”.

It is important therefore that each camera that is installed is pointed solely to the private premises of the household.

A video surveillance system involves the constant recording and storage of personal data.  Therefore, if a camera is pointing even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 2(2)(c) of Regulation 2016/679.

Besides the above-mentioned elements, the user of video surveillance at home needs to perform an overall assessment before choosing the location of each camera to be installed.

Video surveillance based on the mere purpose of “safety” or “for your safety” is not sufficiently specific (Article 5 (1) (b)). Video surveillance is lawful if it is necessary in order to meet the purpose of a legitimate interest. Given a real and hazardous situation, the purpose to protect property against burglary, theft or vandalism may constitute a legitimate interest for video surveillance.

Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). 

Before installing a video surveillance system a person should always critically examine if this measure is firstly suitable to attain the desired goal, and secondly adequate and necessary for its purposes. Video surveillance measures should only be chosen if the purpose of the processing could not reasonably be fulfilled by other means which are less intrusive.

Article 5(1) of the GDPR stipulates the general principle that personal data should not be retained for no longer that is necessary for the purposes for which the personal information is processed (‘storage limitation’).  In general, CCTV recordings should not be kept for more than a few days, unless the controller is able to justify a longer retention period based on justifiable grounds.

It depends. The GDPR applies to the use of CCTV cameras whenever the CCTV footage captures identifiable individuals beyond the boundaries of one’s private property. In such cases, the CCTV footage in which identifiable individuals are captured is considered “personal data” within the meaning of article 4(1) of the GDPR, and as a result, the GDPR will apply to that footage.

However, if your CCTV camera records only within the confines of your own private property, and it is not being used for any professional or commercial purpose, but for a purely personal or domestic purpose, then the GDPR will not apply to that CCTV camera use.

Generally, no. Unlike CCTV cameras, doorbell cameras generally do not record on a continuous basis. Rather, they are activated only for short intervals, in circumstances where an individual has actually rung the doorbell or has approached the immediate area of one’s front door.

Depending on the specifications, such cameras typically stop recording automatically after a few seconds, which significantly limits the scope of what is captured. As a result, the risks to the data protection rights of the individuals who may be recorded are considered to be negligible and not warranting intervention from a data protection perspective.

No. Certain types of CCTV cameras are automatically considered not to be GDPR-compliant.

CCTV cameras having pan-tilt-zoom (PTZ) capabilities are generally considered not to be compliant with the data protection principles under the GDPR, including in particular the principles of transparency and data minimization. Given the capabilities of these models, the user is able to remotely adjust the angle of view, covertly, and at any time, making it impossible to verify which areas are actually being monitored at a given time. As a result, these cameras are considered to be intrusive by default and not GDPR-compliant. 

If you determine that it is necessary to install a CCTV camera, you should opt for a ‘fixed-position’ model. The angle of view of these CCTV cameras records only one fixed area and cannot be adjusted covertly to capture additional areas. This provides an important safeguard for individuals who may be captured by the camera, as they can immediately identify the area being recorded at any given time.

CCTV cameras having pan-tilt-zoom (PTZ) capabilities are generally considered not to be compliant with the data protection principles under the GDPR, including in particular the principles of transparency and data minimisation.

Given the capabilities of these models, the user is able to remotely adjust the angle of view, covertly, and at any time, making it impossible to verify which areas are actually being monitored at a given time. As a result, these cameras are considered to be intrusive by default and not GDPR-compliant. 

Generally, no. CCTV cameras which also have audio recording capabilities are considered to be far more intrusive on the data protection rights of the data subject, and are therefore rarely justifiable under the GDPR.

The moment your CCTV camera’s field of view extends beyond the boundaries of your private property, such that it is capturing any neighboring properties, roads, pavements, or any other part of the public space where there could be passersby, then the GDPR would apply.

Consequently, you would have to treat that CCTV footage like any other personal data, and you would be considered a ‘controller’ with respect to that footage, as defined in article 4(7) of the GDPR and would therefore be subject to the various obligations applicable to controllers under the GDPR. 

Generally no, unless you are able to demonstrate that you have a valid legal basis under article 6(1) of the GDPR to justify the processing activity, for example, if you are able to demonstrate that you have a legitimate interest (article 6(1)(f) of the Regulation) which makes the monitoring a necessary and proportionate measure in the circumstances, e.g., because of burglary or other serious threats to your safety.

Yes. The data subjects should be informed before entering or passing through the monitored area by means of a visible warning sign displayed in close proximity to the CCTV camera(s). This should provide a brief yet meaningful overview about the processing. It should include the most important information, including the purposes of the processing, the identity of the controller, and the existence of the data subjects’ rights, together with information about the impact of the processing, and instructions on how the data subjects can access more detailed information about the processing of their personal data.  

CCTV footage should not be kept for any longer than is strictly necessary. In most cases, it should not be kept for any longer than a few days and should ideally be automatically deleted thereafter. You should be mindful that the longer the period of retention of the footage, especially when it is beyond 72 hours, the more difficult it will be to successfully argue that the continued storage is actually necessary and compliant with the GDPR.