Video surveillance zone: AEPD sign requirements

·

Video surveillance is one of the most widespread personal data processing activities and, at the same time, one that generates the most practical questions. Any company, residents' association or establishment that installs security cameras is collecting images of natural persons and is therefore subject to Regulation (EU) 2016/679 (GDPR) and to Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). One of the most visible obligations — and one of the most frequently breached — is the requirement to display an information sign for the video surveillance zone. This article explains what that sign must contain, how to structure the information in layers and where to place it physically, following the model and guidelines of the Agencia Española de Protección de Datos (AEPD — Spanish Data Protection Agency).

Why is the video surveillance zone sign mandatory?

Article 13 of the GDPR establishes the obligation to inform data subjects when personal data are collected directly from them. Images captured by a security camera are personal data insofar as they allow a natural person to be identified, so the data controller must inform people in advance, clearly and accessibly about that processing. In the context of video surveillance, compliance with art. 13 GDPR is achieved through the information sign, which acts as the information mechanism at the moment a person enters the area captured by the cameras.

Article 22 of the LOPDGDD specifically regulates the processing of data through video surveillance systems and requires that captured areas be duly signposted. This requirement predates the GDPR — it already existed under the AEPD's Instruction 1/2006 — but the current framework gives it greater substance: a camera pictogram alone is not enough; the sign must include specific information or refer to it.

If your organisation needs a review of its camera system and related documentation, at Summum Consultoría we support the adaptation of video surveillance systems to the GDPR for companies in Castilla y León and the Canary Islands.

The AEPD sign model: layered information

The AEPD published the so-called video surveillance zone sign model, which incorporates the layered information system developed under the GDPR. This system divides information into two levels:

This approach reflects the transparency principle set out in art. 5.1.a) GDPR, under which personal data must be processed in a transparent manner in relation to the data subject, and Recital 60 of the same Regulation, which acknowledges that when the volume of information to be provided is large, layered formats may be used.

Minimum content of the sign (first layer)

The first layer of the video surveillance zone sign must include, at a minimum, the following elements:

  1. A video surveillance camera pictogram, recognisable and identifiable.
  2. An express statement that "This area is under video surveillance" or an equivalent phrase.
  3. The identity of the data controller: the name or company name of the organisation managing the cameras.
  4. The purpose of the processing: in general terms, that images are captured for security, access control or other duly determined legitimate purposes.
  5. The possibility of exercising GDPR rights (access, erasure and others), with an indication of how to do so or where to obtain further information.
  6. A reference to the full privacy policy or to the place where the detailed information can be consulted (second layer), which may be provided via a QR code, a URL or an indication of the physical location where it is available.

Content of the second layer (full information)

The detailed information that must be available in the second layer includes all the elements of art. 13 GDPR that cannot reasonably fit on the physical sign:

Comparison table: first and second layer of the sign

Information element First layer (sign) Second layer (full policy)
Camera pictogram Mandatory Not applicable
"Video surveillance zone" indication Mandatory Not applicable
Identity of the controller Name / company name Full name, tax ID and address
DPO contact details Optional (recommended if a DPO exists) Mandatory if a DPO has been appointed
Purpose Brief description (security, access control…) Detailed description of each purpose
Legal basis Not required on the sign Mandatory (art. 13.1.c GDPR)
Retention period Not required on the sign Mandatory (max. 1 month as a general rule)
Sharing with third parties Not required on the sign Mandatory if it occurs
Rights and how to exercise them General mention + referral Full description of each right
Right to lodge a complaint with the AEPD Not required on the sign Mandatory (art. 13.2.d GDPR)

Where must the sign be placed?

The placement of the sign is as important as its content. People must be able to see the sign before entering the area covered by the cameras, so that they can make an informed decision about whether to enter the zone. Some practical criteria the AEPD has repeatedly set out in its resolutions and guides:

A common mistake is placing the sign in an inconspicuous or low-visibility location to avoid "spoiling" the aesthetics of the premises. This is not acceptable from a regulatory standpoint: signage must be easily noticeable by the public entering the zone.

Controller details that must appear on the sign

The identification of the controller is one of the elements most frequently omitted or included incompletely. Article 13.1.a) GDPR requires that the identity and contact details of the controller be provided. On the sign (first layer) the name or company name is sufficient; in the full information (second layer) the tax identification number, postal address and at least one electronic or telephone contact method must also be included.

Where the controller has appointed a data protection officer (DPO), art. 13.1.b) GDPR also requires the DPO's contact details to be included in the information provided to the data subject. This does not mean the DPO's name must appear on the physical sign, but it must appear in the second-layer privacy policy.

If the processing is carried out by a data processor (for example, a private security company that manages the camera system on behalf of the client company), the controller remains the company that commissioned the service; the sign must identify the latter, not the security company. The relationship with the processor must be governed by the corresponding data processing agreement provided for in art. 28 GDPR.

Legal basis for processing through video surveillance

The legal basis enabling the processing of images through security cameras varies depending on the purpose and the owner of the installation:

The legal basis does not appear on the first-layer sign, but it must be stated in the full privacy policy and in the record of processing activities that the controller is required to maintain under art. 30 GDPR.

Retention period for images

Article 22.3 LOPDGDD provides that images captured by video surveillance cameras must be deleted within a maximum period of one month from capture, unless they need to be retained to prove acts that threaten the physical integrity of persons or property or for other purposes that justify their retention. In those cases, the images must be made available to the competent Law Enforcement authorities or courts.

This one-month limit was a significant development compared to the previous regime. Before the LOPDGDD, AEPD Instruction 1/2006 already set the maximum retention period at one month for private security cameras, a limit that now has the rank of an organic law. In practice, many video surveillance systems are configured with recording cycles of 7, 15 or 30 days: all of these are compliant, but the absolute limit is 30 days.

If you need to review the technical configuration of your camera system to ensure that the deletion cycles comply with the LOPDGDD, the video surveillance GDPR compliance team at Summum Consultoría can support you through that process without disrupting your operations.

Data subjects' rights in relation to video surveillance

People captured by video surveillance cameras are data subjects for all GDPR purposes and may exercise their rights against the data controller. The most relevant rights in this context are:

The controller must establish a clear procedure for handling these requests and respond within one month of receipt (art. 12.3 GDPR), extendable by a further two months in complex cases.

Most common errors in video surveillance signs

Based on AEPD resolutions and prior investigations, the most frequent breaches related to video surveillance signage are:

The sanctioning regime under art. 83 GDPR may reach, for infringements relating to the principles of processing (art. 5) and the conditions for consent and information (art. 13), up to EUR 20,000,000 or 4% of the total worldwide annual turnover, whichever is higher, for the most serious infringements. Less serious infringements may be sanctioned by up to EUR 10,000,000 or 2% of annual turnover. The specific level depends on the circumstances of each case and the criteria of art. 83.2 GDPR (nature, severity, duration, degree of cooperation, categories of data concerned, etc.).

Frequently asked questions

Does the video surveillance zone sign need to be at every entrance to the premises?

Yes. The AEPD requires signage to be effective, meaning that anyone who may be captured by the cameras must have had the opportunity to see the sign before entering the surveilled area. If the premises has multiple entrances, or if the cameras cover distinct areas within the same space, each access point must have its own sign. A single sign at the main entrance is not sufficient if other areas of the premises have cameras and are accessible through different doors.

Is it enough to display only the camera pictogram without any other information?

No. A simple pictogram with no controller details and no indication of how to exercise rights is insufficient under the GDPR and the LOPDGDD. Article 13 GDPR requires information to be provided about the identity of the controller, the purpose of processing and the data subject's rights; in the context of video surveillance this is done through the layered information model, in which the physical sign must include at least the identity of the controller and a reference to the full information.

How long can security camera recordings be kept?

Article 22.3 LOPDGDD sets a maximum period of one month from the capture of the images. After that period, recordings must be deleted, unless they need to be retained to prove acts that threaten persons or property, in which case they must be made available to the competent authorities. Common systems with 7-, 15- or 30-day cycles are compliant with this requirement, provided that automatic overwriting or deletion occurs within the month.

What happens if the contracted security company manages the images?

When a company contracts a private security firm to manage the video surveillance system, that security firm acts as a data processor within the meaning of art. 28 GDPR. The data controller remains the contracting company, which determines the purposes and means of processing. The sign must identify the contracting company — not the security firm — as the controller, and the relationship between the two must be governed by a data processing agreement that includes the safeguards required by art. 28 GDPR: purposes, security measures, sub-processing, return or destruction of data at the end of the service, and an obligation to notify security breaches without undue delay.