Video surveillance in homeowners' associations: AEPD rules

·

CCTV cameras have become one of the most common security features in residential buildings. However, their installation in a homeowners' association is not a decision that can be taken unilaterally or on the spur of the moment. Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD — Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales) impose a framework of obligations that the Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos) has set out in its Guide on the use of video cameras for security and other purposes. Understanding this framework is the first step towards avoiding penalties and, above all, towards treating the images of residents with the respect they deserve.

Is a general meeting resolution required to install cameras?

Yes. Installing a video surveillance system in the common areas of a homeowners' association affects all co-owners and requires, as a prior step, a resolution adopted at a general meeting. Article 17.3 of Law 49/1960, of 21 July, on Horizontal Property (LPH — Ley de Propiedad Horizontal), in its current wording, requires a three-fifths majority of the total number of owners who, in turn, represent three-fifths of the participation quotas, in order to install or remove common services of general interest — a category that case law and legal doctrine include security and video surveillance systems within.

The general meeting resolution must include, at a minimum: a description of the system to be installed (number of cameras, areas to be covered, installation company), the cost and its apportionment among owners, and the designation of the data controller for the image data. In the case of homeowners' associations, the data controller is the association itself, typically represented by the chairperson or the property manager.

Acting without a prior resolution or with an insufficient one not only risks invalidating the system from a civil law perspective, but also renders the processing of images unlawful under the GDPR, with the resulting sanctions. If your association is considering taking this step, Summum Consultoría can support you in achieving GDPR compliance for homeowners' associations, including drafting the information clause and a model general meeting minutes template.

Which common areas may be recorded?

The data minimisation principle under Article 5.1(c) of the GDPR requires that cameras capture only what is strictly necessary for the stated security purpose. The AEPD has been very clear on this point in its video surveillance guide: cameras installed by a homeowners' association may only cover the common areas of the building itself.

Areas that may be recorded:

Areas that may not be recorded under any circumstances:

Before installing any camera, it is advisable to prepare a coverage plan certifying that the field of view is limited to the permitted areas. That document forms part of the record of processing activities that the data controller must maintain pursuant to Article 30 of the GDPR.

The information notice: a requirement that cannot be omitted

Article 22.4 of the LOPDGDD establishes the obligation to inform persons who pass through video-monitored areas by means of an information device in a sufficiently visible location. The AEPD has published a model notice that must include:

The notice does not replace the full information required under Article 13 of the GDPR, which must be available at a second level: typically, a document accessible on the association's notice board, on the association's website (if one exists) or upon request to the property manager. This second level of information must detail the legal basis for the processing, the retention period, the recipients (if the images are shared with a private security company) and the right to lodge a complaint with the AEPD.

Installing cameras without a visible notice, or with a notice that omits mandatory information, is one of the most frequent infringements that the AEPD detects during inspections of homeowners' associations.

How long may images be retained?

Article 22.3 of the LOPDGDD sets the maximum retention period for images captured by video surveillance systems at one month (thirty calendar days), after which they must be deleted. The only exceptions are images related to criminal acts or subject to a police or judicial request, in which case they must be retained until the competent authority decides otherwise.

This thirty-day period is a maximum, not a minimum. Homeowners' associations that opt for shorter periods (seven or fourteen days, for example) equally comply with the regulations and reduce the volume of stored data, which facilitates compliance with the minimisation principle. The decision on the specific period must be reflected in the record of processing activities and in the information provided to residents and visitors.

It is essential that the technical system be configured for the automatic deletion of recordings upon expiry of the agreed period. Relying on the property manager or chairperson to manually delete images on a regular basis is a risky practice: if images more than thirty days old are found during an AEPD audit or investigation, the association will have breached Article 22.3 of the LOPDGDD.

Who may access the recorded images?

Access to recordings must be strictly limited. The AEPD indicates that only the following should have access:

Residents do not have an automatic right to view recordings. They may exercise the right of access under Article 15 of the GDPR to find out whether they appear in the images, but the association must weigh that right against the rights of other residents who may also appear in the recordings. In practice, the AEPD accepts providing images in which the applicant appears, provided that any other individuals captured are anonymised or pixelated, where technically feasible.

Sharing or showing images to owners who do not hold the status of data controller, or publishing screenshots in messaging groups on the pretext of identifying those responsible for damage, constitutes a serious infringement of the GDPR.

Summary of obligations: comparative table

Obligation Applicable rule Deadline / condition Consequence of non-compliance
General meeting resolution (3/5 of total owners) Art. 17.3 LPH Prior to installation Nullity of resolution; unlawful processing
Record of processing activities Art. 30 GDPR From the start of processing Sanctionable infringement (art. 83 GDPR)
Visible information notice Art. 22.4 LOPDGDD / Art. 13 GDPR From the time of commissioning Infringement; possible financial penalty
Extended information (level 2) Art. 13 GDPR Available at all times Breach of the right to information
Maximum retention 30 days Art. 22.3 LOPDGDD Automatic deletion on expiry Infringement; possible financial penalty
Restricted access to images Art. 5.1(f) GDPR (integrity and confidentiality) At all times Breach of data subjects' rights
Processing agreement if security company involved Art. 28 GDPR Before granting provider access Serious infringement; joint liability

Legal basis for processing: which is the correct one?

One of the most frequent mistakes in homeowners' associations is relying on the consent of residents as the legal basis for processing image data. Consent is not the appropriate basis for community video surveillance for a practical reason: it could be withdrawn at any time by any individual resident, which would make the system unworkable.

The correct legal basis, pursuant to Article 6.1(f) of the GDPR, is the legitimate interest of the data controller (the homeowners' association) in the security of the common areas and the protection of the property and persons using them, provided that this legitimate interest is not overridden by the rights and interests of the data subjects. The AEPD consistently accepts this legal basis for video surveillance systems aimed exclusively at security, provided that the system is proportionate (no more cameras than necessary are installed) and that all other information and retention obligations are met.

However, if the video surveillance system is also used to monitor non-compliance with internal community rules (incorrect parking in private areas, conduct contrary to the by-laws), the legal basis and the balancing of interests must be reviewed, as the purpose goes beyond security and proportionality becomes harder to demonstrate.

What happens if a camera points at the public highway?

The AEPD distinguishes between incidental and unavoidable capture of a small strip of the public highway (for example, the pavement immediately in front of the entrance door) and deliberate capture of the street or of third parties' premises or dwellings. The former may be permissible if the camera angle cannot be technically reduced without losing coverage of the access area. The latter is unlawful, regardless of the reason given.

Where the capture of the public highway is significant, the association may be engaging in processing that exceeds its remit as a data controller: video surveillance of public spaces is subject to specific regulation reserved for law enforcement agencies. Any installation with doubts about the angle of its cameras and the capture of external areas should consult a data protection specialist before commissioning the system.

Applicable penalty framework

Failure to comply with video surveillance obligations may give rise to penalties under Article 83 of the GDPR, whose framework distinguishes two tiers:

The LOPDGDD (art. 77) establishes that public authorities and bodies, as well as certain private entities, are excluded from the GDPR's fines regime but may receive reprimands. Homeowners' associations, as private entities, are subject to the ordinary penalty regime under Article 83 of the GDPR.

To support you in bringing your association into compliance and reducing exposure to these penalties, the data protection team at Summum Consultoría offers a comprehensive GDPR compliance service for homeowners' associations that includes auditing the existing system, drawing up the record of processing activities and drafting the information documentation.

Frequently asked questions

Can an owner install a camera on the landing outside their door?

Not without authorisation from the association. The landing is a common area and, even though an individual owner pays for and manages the camera, the processing of images captured in common areas — including those of other residents who pass through that landing — must have the general meeting resolution required by Article 17.3 of the LPH and comply with all GDPR obligations as if it were a communal system. A camera unilaterally installed by an owner in a common area may be the subject of a complaint to the AEPD by other residents.

What majority is required at the general meeting to install video surveillance?

The Horizontal Property Act requires, for the installation of common services of general interest, the affirmative vote of three-fifths of the total number of owners who, in turn, represent three-fifths of the participation quotas (art. 17.3 LPH). Owners absent from the meeting have thirty calendar days to express their disagreement; failing that, their vote is counted as in favour. If the installation already existed and the purpose is to renew or expand the system, the required majority may vary according to the association's by-laws, so these should be reviewed before the meeting is convened.

May the property manager view recordings independently?

Only if that function has been expressly assigned to them by the association (by virtue of the general meeting resolution or the management contract) and they are acting as a data processor under the corresponding agreement pursuant to Article 28 of the GDPR. Without that documentary support, the property manager may not access recordings autonomously. In practice, the most common arrangement is for access to be reserved for the chairperson, with the property manager providing technical support or managing the contract with the security company, but without direct access to the images except when strictly necessary to resolve a specific incident.

What should the association do if a resident asks to see recordings because their car was stolen from the car park?

The association must respond to the request diligently, but not automatically. The resident may exercise the right of access under Article 15 of the GDPR to obtain the images in which they or their vehicle appear. However, the association must ensure that the images provided do not infringe the privacy of other residents who also appear in the recording: in that case, it must pixelate or anonymise those individuals before providing the images to the applicant. If the incident constitutes a criminal offence, the most appropriate course of action is for the resident to file a police report, which will enable the police to request the images through the proper legal channels and with the appropriate procedural safeguards.