Video surveillance is one of the most widespread personal data processing activities and, at the same time, one that generates the most practical questions. Any company, residents' association or establishment that installs security cameras is collecting images of natural persons and is therefore subject to Regulation (EU) 2016/679 (GDPR) and to Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). One of the most visible obligations — and one of the most frequently breached — is the requirement to display an information sign for the video surveillance zone. This article explains what that sign must contain, how to structure the information in layers and where to place it physically, following the model and guidelines of the Agencia Española de Protección de Datos (AEPD — Spanish Data Protection Agency).
Why is the video surveillance zone sign mandatory?
Article 13 of the GDPR establishes the obligation to inform data subjects when personal data are collected directly from them. Images captured by a security camera are personal data insofar as they allow a natural person to be identified, so the data controller must inform people in advance, clearly and accessibly about that processing. In the context of video surveillance, compliance with art. 13 GDPR is achieved through the information sign, which acts as the information mechanism at the moment a person enters the area captured by the cameras.
Article 22 of the LOPDGDD specifically regulates the processing of data through video surveillance systems and requires that captured areas be duly signposted. This requirement predates the GDPR — it already existed under the AEPD's Instruction 1/2006 — but the current framework gives it greater substance: a camera pictogram alone is not enough; the sign must include specific information or refer to it.
If your organisation needs a review of its camera system and related documentation, at Summum Consultoría we support the adaptation of video surveillance systems to the GDPR for companies in Castilla y León and the Canary Islands.
The AEPD sign model: layered information
The AEPD published the so-called video surveillance zone sign model, which incorporates the layered information system developed under the GDPR. This system divides information into two levels:
- First layer (physical sign): basic and essential information, visible at a glance at the entrance to the surveillance zone.
- Second layer (full information): detailed information available in an accessible location (for example, at reception, on the premises or via a QR code linking to the privacy policy).
This approach reflects the transparency principle set out in art. 5.1.a) GDPR, under which personal data must be processed in a transparent manner in relation to the data subject, and Recital 60 of the same Regulation, which acknowledges that when the volume of information to be provided is large, layered formats may be used.
Minimum content of the sign (first layer)
The first layer of the video surveillance zone sign must include, at a minimum, the following elements:
- A video surveillance camera pictogram, recognisable and identifiable.
- An express statement that "This area is under video surveillance" or an equivalent phrase.
- The identity of the data controller: the name or company name of the organisation managing the cameras.
- The purpose of the processing: in general terms, that images are captured for security, access control or other duly determined legitimate purposes.
- The possibility of exercising GDPR rights (access, erasure and others), with an indication of how to do so or where to obtain further information.
- A reference to the full privacy policy or to the place where the detailed information can be consulted (second layer), which may be provided via a QR code, a URL or an indication of the physical location where it is available.
Content of the second layer (full information)
The detailed information that must be available in the second layer includes all the elements of art. 13 GDPR that cannot reasonably fit on the physical sign:
- Full identity and contact details of the data controller.
- Contact details of the data protection officer (DPO), if one has been appointed.
- Specific purposes of the processing and the legal basis on which it relies (typically, the controller's legitimate interest under art. 6.1.f) GDPR, or compliance with a legal obligation).
- Retention period for the images (art. 22.3 LOPDGDD sets a maximum retention period of one month in standard security installations, unless the images need to be retained to prove acts that threaten the physical integrity of persons, property or other purposes that justify their retention).
- Whether images are shared with third parties (Law Enforcement, for example) and in what circumstances.
- The data subject's rights: access, rectification, erasure, restriction of processing, portability and objection, along with the right to lodge a complaint with the AEPD.
Comparison table: first and second layer of the sign
| Information element | First layer (sign) | Second layer (full policy) |
|---|---|---|
| Camera pictogram | Mandatory | Not applicable |
| "Video surveillance zone" indication | Mandatory | Not applicable |
| Identity of the controller | Name / company name | Full name, tax ID and address |
| DPO contact details | Optional (recommended if a DPO exists) | Mandatory if a DPO has been appointed |
| Purpose | Brief description (security, access control…) | Detailed description of each purpose |
| Legal basis | Not required on the sign | Mandatory (art. 13.1.c GDPR) |
| Retention period | Not required on the sign | Mandatory (max. 1 month as a general rule) |
| Sharing with third parties | Not required on the sign | Mandatory if it occurs |
| Rights and how to exercise them | General mention + referral | Full description of each right |
| Right to lodge a complaint with the AEPD | Not required on the sign | Mandatory (art. 13.2.d GDPR) |
Where must the sign be placed?
The placement of the sign is as important as its content. People must be able to see the sign before entering the area covered by the cameras, so that they can make an informed decision about whether to enter the zone. Some practical criteria the AEPD has repeatedly set out in its resolutions and guides:
- At the entrance to each video-surveilled zone, at a height and size sufficient to be readable without needing to approach closely.
- The number of signs must be proportionate to the size of the space and the arrangement of the cameras: if a premises has multiple entrances, each one must have a sign.
- In outdoor or high-traffic areas (car parks, loading zones), the sign must be larger and placed at eye level.
- If cameras cover distinct areas within the same premises (checkout area, warehouse area, etc.), each area must be signposted independently.
- The sign must not be placed inside the area already covered by the camera: it must be on the perimeter of access, not inside.
A common mistake is placing the sign in an inconspicuous or low-visibility location to avoid "spoiling" the aesthetics of the premises. This is not acceptable from a regulatory standpoint: signage must be easily noticeable by the public entering the zone.
Controller details that must appear on the sign
The identification of the controller is one of the elements most frequently omitted or included incompletely. Article 13.1.a) GDPR requires that the identity and contact details of the controller be provided. On the sign (first layer) the name or company name is sufficient; in the full information (second layer) the tax identification number, postal address and at least one electronic or telephone contact method must also be included.
Where the controller has appointed a data protection officer (DPO), art. 13.1.b) GDPR also requires the DPO's contact details to be included in the information provided to the data subject. This does not mean the DPO's name must appear on the physical sign, but it must appear in the second-layer privacy policy.
If the processing is carried out by a data processor (for example, a private security company that manages the camera system on behalf of the client company), the controller remains the company that commissioned the service; the sign must identify the latter, not the security company. The relationship with the processor must be governed by the corresponding data processing agreement provided for in art. 28 GDPR.
Legal basis for processing through video surveillance
The legal basis enabling the processing of images through security cameras varies depending on the purpose and the owner of the installation:
- Legitimate interest (art. 6.1.f GDPR): this is the usual basis for private companies that install cameras for security or access control purposes. It requires passing a balancing test: the controller's interest must outweigh the data subjects' rights and freedoms, taking into account those subjects' reasonable expectations.
- Compliance with a legal obligation (art. 6.1.c GDPR): when sector-specific regulations require video surveillance systems to be installed (gambling establishments, financial institutions, critical infrastructure, etc.).
- Public interest (art. 6.1.e GDPR): for public bodies that install cameras in the exercise of their public security or public order functions, with the additional framework of Organic Law 4/1997 and private security legislation.
The legal basis does not appear on the first-layer sign, but it must be stated in the full privacy policy and in the record of processing activities that the controller is required to maintain under art. 30 GDPR.
Retention period for images
Article 22.3 LOPDGDD provides that images captured by video surveillance cameras must be deleted within a maximum period of one month from capture, unless they need to be retained to prove acts that threaten the physical integrity of persons or property or for other purposes that justify their retention. In those cases, the images must be made available to the competent Law Enforcement authorities or courts.
This one-month limit was a significant development compared to the previous regime. Before the LOPDGDD, AEPD Instruction 1/2006 already set the maximum retention period at one month for private security cameras, a limit that now has the rank of an organic law. In practice, many video surveillance systems are configured with recording cycles of 7, 15 or 30 days: all of these are compliant, but the absolute limit is 30 days.
If you need to review the technical configuration of your camera system to ensure that the deletion cycles comply with the LOPDGDD, the video surveillance GDPR compliance team at Summum Consultoría can support you through that process without disrupting your operations.
Data subjects' rights in relation to video surveillance
People captured by video surveillance cameras are data subjects for all GDPR purposes and may exercise their rights against the data controller. The most relevant rights in this context are:
- Right of access (art. 15 GDPR): the data subject may request a copy of the images in which they appear. The practical difficulty is that recordings generally include images of other people; the controller must provide access while respecting the privacy of those third parties (for example, by blurring other individuals).
- Right to erasure (art. 17 GDPR): the data subject may request the deletion of their images. Although it may not always be technically feasible to isolate images of a specific person, the controller must assess each request and respond with reasons.
- Right to object (art. 21 GDPR): if the legal basis is legitimate interest, the data subject may object to the processing on grounds relating to their particular situation. The controller may only continue processing if it can demonstrate compelling legitimate grounds that override the data subject's interests.
- Right to lodge a complaint with the AEPD: any data subject may file a complaint with the Spanish Data Protection Agency if they believe that the processing of their images infringes the GDPR or the LOPDGDD.
The controller must establish a clear procedure for handling these requests and respond within one month of receipt (art. 12.3 GDPR), extendable by a further two months in complex cases.
Most common errors in video surveillance signs
Based on AEPD resolutions and prior investigations, the most frequent breaches related to video surveillance signage are:
- Complete absence of the information sign.
- Sign displaying only the camera pictogram with no identifying details of the controller and no indication of how to exercise rights.
- Non-existent or inaccessible second-layer information (the privacy policy does not mention video surveillance).
- Sign placed inside the area already covered by the camera, rather than at the access point to the zone.
- Incorrect identification of the controller (the security company is listed as the controller instead of the owner of the installation).
- Omission of the image retention period in the second-layer information.
- Use of signs from the previous regulatory framework (Instruction 1/2006) that do not include the information required by the GDPR and the LOPDGDD.
The sanctioning regime under art. 83 GDPR may reach, for infringements relating to the principles of processing (art. 5) and the conditions for consent and information (art. 13), up to EUR 20,000,000 or 4% of the total worldwide annual turnover, whichever is higher, for the most serious infringements. Less serious infringements may be sanctioned by up to EUR 10,000,000 or 2% of annual turnover. The specific level depends on the circumstances of each case and the criteria of art. 83.2 GDPR (nature, severity, duration, degree of cooperation, categories of data concerned, etc.).
Frequently asked questions
Does the video surveillance zone sign need to be at every entrance to the premises?
Yes. The AEPD requires signage to be effective, meaning that anyone who may be captured by the cameras must have had the opportunity to see the sign before entering the surveilled area. If the premises has multiple entrances, or if the cameras cover distinct areas within the same space, each access point must have its own sign. A single sign at the main entrance is not sufficient if other areas of the premises have cameras and are accessible through different doors.
Is it enough to display only the camera pictogram without any other information?
No. A simple pictogram with no controller details and no indication of how to exercise rights is insufficient under the GDPR and the LOPDGDD. Article 13 GDPR requires information to be provided about the identity of the controller, the purpose of processing and the data subject's rights; in the context of video surveillance this is done through the layered information model, in which the physical sign must include at least the identity of the controller and a reference to the full information.
How long can security camera recordings be kept?
Article 22.3 LOPDGDD sets a maximum period of one month from the capture of the images. After that period, recordings must be deleted, unless they need to be retained to prove acts that threaten persons or property, in which case they must be made available to the competent authorities. Common systems with 7-, 15- or 30-day cycles are compliant with this requirement, provided that automatic overwriting or deletion occurs within the month.
What happens if the contracted security company manages the images?
When a company contracts a private security firm to manage the video surveillance system, that security firm acts as a data processor within the meaning of art. 28 GDPR. The data controller remains the contracting company, which determines the purposes and means of processing. The sign must identify the contracting company — not the security firm — as the controller, and the relationship between the two must be governed by a data processing agreement that includes the safeguards required by art. 28 GDPR: purposes, security measures, sub-processing, return or destruction of data at the end of the service, and an obligation to notify security breaches without undue delay.