Resource Centre

Informative and Helpful Queries

Answers to common user questions that provide valuable information and assistance

This guidance is intended to assist owners and occupiers of premises, in particular those that are workplaces or are otherwise accessible to the public, to understand their responsibilities and obligations regarding data protection when using CCTV.
Any person or organisation that collects and processes the personal data of individuals is considered a ‘data controller. For this reason, any usage of a CCTV system must be considered in light of the obligations imposed by data protection legislation on data controllers, and implemented in accordance with the principles of data protection.
The use of CCTV systems has expanded significantly in recent years, due to the increased sophistication of the technology and its affordability. CCTV systems have legitimate uses in securing premises, supporting workplace safety management, and aiding in the prevention and detection of crime. However, unless CCTV is used proportionately, it can give rise to legitimate concerns of unreasonable and unlawful intrusion into the data protection and privacy rights of individuals and that excessive monitoring or surveillance may be taking place.
Data controllers should be aware that footage or images containing identifiable individuals captured by CCTV systems are personal data for the purposes of data protection law. Where processes are used to obscure or de-identify individuals from CCTV footage, the footage or images are still considered personal data if it is possible to re-identify the individuals. Further, if footage or images are initially captured in an identifiable form and then irreversibly de-identified, data protection law will still cover the processing up to the point of anonymisation.

Read full report here

The majority of the complaints and queries the Data Protection Commission (DPC) receives concern individuals seeking to exercise their ‘right of access’. The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. those who decide how and why data are processed), as well as other relevant information (as detailed below). These requests are often referred to as ‘data subject access requests’, or ‘access requests’.
These requests must be responded to free of charge and in an accessible form, and controllers should seek to facilitate access requests being both made and responded to easily, including electronically where appropriate and where the individual wishes.
The following guidance should answer some of the most frequently asked questions by both individuals who are seeking copies of their personal data, as well as controllers who are struggling to deal with the access requests they are receiving.

Data Subject Access Request FAQ - Full Guidance Note
Subject Access Requests: A Data Controller’s Guide

In a decision of the High Court in November 2020 (Dudgeon v Supermacs Ireland Ltd., [2020] IEHC 600), Mr Justice Barr ruled that a restaurant was not obliged to disclose CCTV recordings of an incident to a person identifiable on the recording and who claimed damages for injuries resulting from that incident. The decision has prompted discussion of how it may affect access requests under Article 15 of the GDPR and Section 91 of the Data Protection Act 2018, specifically where the request encompasses CCTV recordings. It is important to bear in mind that Mr Justice Barr’s decision relates specifically to discovery in litigation in Ireland and in relation to the specific circumstances surrounding this case. The DPC considers it important to highlight distinctions between access requests and discovery in civil (that is, non-criminal) litigation.
The purpose of discovery is to give parties to a case access to documents and materials that are necessary for the fair disposal of the issues being brought before the court. Discovery has some similarities to access requests, if only because it can require a person who controls documents or information that match particular criteria to disclose their existence and give another person access to them.
The right to access one’s own personal data is founded on Article 8(2) of the Charter of Fundamental Rights of the European Union, “Everyone has the right of access to data which has been collected concerning him or her”. This right is also set down in Article 15 GDPR. It applies in a wide variety of circumstances affecting the lives of EU citizens and residents, and not necessarily where a court case is contemplated or in being.
This highlights an important difference between discovery and access requests. As mentioned above, discovery is an issue only in civil litigation and the law concerning it is closely related to the rules and processes that govern how courts handle cases. In contrast, an individual’s right under data protection laws such as the GDPR to request access to their personal data does not depend on whether they are engaged in a court case.
In summary, Mr Justice Barr’s decision in this case is focussed on the law concerning discovery and is not in reference to or related to data protection rights. The right to request access to personal data applies whether an individual is involved in litigation or not. For that reason, unless a restriction under the GDPR or relevant data protection legislation can be relied upon, a data controller is still required to fulfil access requests in relation to CCTV footage.
The DPC will continue to support data subjects and controllers in giving effect to all aspects of data protection law in this respect.

CCTV redaction refers to the process of selectively obscuring or blurring certain parts of video footage captured by CCTV cameras. This technique is used for GDPR compliance purposes and to protect the right to privacy of third parties within the footage. Redaction enables companies to meet their legislative obligations while still retaining the overall usefulness of the footage. Here are some benefits of CCTV redaction:
Risk Mitigation: Companies who are proactive in redating footage can help to mitigate risk and reduce costs associated with legal or insurance proceedings. If there is any question around the cause of an incident or any dispute around responsibility, having redacted footage prepared at the earliest opportunity can help to definitively answer these questions, thus saving the data controller time and money in the process.
When footage is redacted in a proactive manner, companies can ensure that the data is not lost due to retention periods. Furthermore, redacted footage of an incident can legitimately be retained “ for as long as is necessary” as set out under the EU GDPR.
Privacy Protection: CCTV redaction helps safeguard the privacy of individuals captured in the video footage. By blurring or obscuring faces, identifiable features, or sensitive information such as license plates, personal identification numbers, or financial details, redaction ensures that the privacy rights of individuals are respected.
Compliance with Regulations: Within the EU, the use of CCTV and the processing of data collected by camera networks is governed by the EU GDPR. CCTV redaction assists organizations in complying with the regulation by providing a method to anonymise sensitive information and facilitate the compliant use of the data in question.
Data Security: Redaction can help to minimise the use or value of data which falls into the wrong hands. By obscuring or blurring sensitive information in the footage, organisations can help to prevent unauthorised access and potential misuse of the data.
Assisting Data Subjects: Redaction of CCTV helps organisations to facilitate Data Subject Access Requests submitted by members of the public. Alongside meeting their legal obligations, companies who proactively engage with data subjects and are transparent in their data processing activities have been shown to have reaped reputational benefits amongst their target market.

Please contact Komply today to discuss our cost effective redaction packages which are tailored to the specific needs of each organisation.

Save The Above Queries Here

Answers to common user questions that provide valuable information and assistance

Topic 01
CCTV Guidelines for Data Controllers

Download Now

Topic 02
Data Subject Access Request FAQs

Download Now

Topic 03
CCTV, Discovery and Access Request

Download Now

Topic 04
Why Should We Redact CCTV?

Donwload Now

Komply Home