Security Camera Privacy and GDPR Compliance
Volume I · May 2026
The General Data Protection Regulation (GDPR) applies to security cameras operated by individuals in the EU and UK whenever the camera captures footage beyond the boundaries of the operator's private property — which is almost always the case for externally mounted cameras. The regulation does not exempt residential users, and the Information Commissioner's Office (ICO) in the UK has issued specific guidance on domestic CCTV. This clinical reference identifies the compliance obligations that apply to a residential security camera deployment and the camera features that support or undermine compliance.
Lawful basis: legitimate interest vs. consent. The GDPR requires a lawful basis for processing personal data. For a residential security camera, the operator must establish a "legitimate interest" in crime prevention or property protection that is not overridden by the privacy rights of neighbors and passersby. This requires a documented legitimate interest assessment (LIA) — a written analysis balancing the security need against the privacy intrusion — which the operator must retain. Consent is generally not a viable basis for domestic CCTV because passersby cannot meaningfully refuse. The ICO expects operators to exhaust less intrusive measures first: improved locks, lighting, or motion-activated lights before deploying continuous-recording cameras that capture public footpaths or neighboring properties.
Data minimization through camera features. The GDPR requires that only the minimum necessary personal data be collected. Cameras with physical privacy masking — the Reolink RLC-811A allows drawing opaque blackout zones in the camera's field of view — can exclude neighboring windows, gardens, or public footpaths from recording while retaining coverage of the operator's own property. The Eufy SoloCam S340 supports configurable activity zones that restrict motion-triggered recording to defined areas. A camera without privacy masking is effectively noncompliant if its field of view captures anything beyond the operator's property boundary. Geofencing-based recording can serve as an additional minimization measure: the Google Nest Cam (battery) can be set to record only when the operator is away, reducing the volume of data collected.
Transparency and signage. The transparency obligation requires the camera operator to inform data subjects that recording is occurring. A clearly visible sign at the property boundary — specifying the operator's identity, the purpose of recording, and contact information for data subject requests — is the minimum. The ICO provides template signage language. Cameras with built-in status LEDs visible from the outside, such as the Arlo Pro 5, provide a secondary notification but do not replace the signage requirement.
Data subject rights and storage. Data subjects — including neighbors, visitors, and delivery personnel — have the right to request access to footage that includes them (a Subject Access Request, or SAR), and the operator must respond within one month. Footage must be retrievable by date and time. The right to erasure applies: footage must be deleted once it is no longer necessary for the stated purpose, typically 30 days for general surveillance. A camera with local-only storage on a Synology NAS running Surveillance Station gives the operator full control over retention and deletion, while cloud-stored footage may be subject to the cloud provider's own retention policies, complicating the operator's ability to comply with erasure requests. For EU residents selecting a camera, local-only storage, privacy masking, and activity zone configurability are not optional features — they are compliance prerequisites.
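The retrieval and retention duties described above can be exercised against a local footage directory; the following Python is an added example, not code from any camera vendor or from Synology Surveillance Station. The file-naming scheme, the `hold` set for clips tied to an open request, and all function names are assumptions made for this example.

```python
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

RETENTION = timedelta(days=30)  # the article's typical period for general surveillance
# Assumed naming scheme (hypothetical): <camera>_<YYYYmmdd>T<HHMMSS>_<seconds>.mp4
CLIP_RE = re.compile(r"^[\w-]+_(\d{8}T\d{6})_(\d+)\.mp4$")

def clip_span(path):
    """Return (start, end) parsed from the file name, or None if it does not parse."""
    m = CLIP_RE.match(path.name)
    try:
        start = datetime.strptime(m.group(1), "%Y%m%dT%H%M%S")
    except (AttributeError, ValueError):  # no match, or an impossible date
        return None
    return start, start + timedelta(seconds=int(m.group(2)))

def clips_for_sar(root, win_start, win_end):
    """Clips whose recording interval overlaps the window named in a request."""
    spans = ((p, clip_span(p)) for p in sorted(Path(root).rglob("*.mp4")))
    return [p for p, s in spans if s and s[0] < win_end and s[1] > win_start]

def sweep(root, now, hold=frozenset(), dry_run=True):
    """Delete (unless dry_run) clips that ended more than RETENTION ago and are not
    held for an open request. Returns (expired, unparsed); unparsed files are kept."""
    expired, unparsed = [], []
    for p in sorted(Path(root).rglob("*.mp4")):
        span = clip_span(p)
        if span is None:
            unparsed.append(p)
        elif now - span[1] > RETENTION and p.name not in hold:
            expired.append(p)
            if not dry_run:
                p.unlink()
    return expired, unparsed

def demo():
    """Run both functions over constructed sample files in a temporary directory."""
    names = ["drive_20260401T080000_60.mp4",   # past retention
             "drive_20260402T235950_30.mp4",   # past retention, held for a request
             "drive_20260520T101500_120.mp4",  # within retention
             "export.mp4"]                     # does not follow the naming scheme
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            (Path(d) / n).touch()
        sar = clips_for_sar(d, datetime(2026, 4, 3, 0, 0, 5), datetime(2026, 4, 3, 0, 5))
        expired, unparsed = sweep(d, datetime(2026, 5, 25, 12), hold={names[1]}, dry_run=False)
        left = sorted(p.name for p in Path(d).iterdir())
        return [[p.name for p in x] for x in (sar, expired, unparsed)] + [left]
```

Timestamps are treated as naive local time, and the overlap test returns a clip that starts before the requested window but runs into it, such as a recording that crosses midnight.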