Video surveillance in the workplace is one of the areas where compliance questions arise most frequently. Employers have a legitimate interest in protecting their facilities and assets, but workers retain fundamental rights — in particular the right to privacy and to the protection of their personal data — even during working hours. Article 89 of Organic Law 3/2018 on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD) regulates this balance specifically for the employment context, complementing the general obligations of Regulation (EU) 2016/679 (GDPR).
Below we answer, one by one, the questions that companies in Castile and León and the Canary Islands most often raise when installing or reviewing their camera systems.
Can an employer install cameras in the workplace?
Yes, but with conditions. Article 89 LOPDGDD recognises that employers may process images obtained through video surveillance cameras for the purpose of monitoring the employment relationship, provided they comply with the safeguards set out in the GDPR. The usual legal basis is the employer's legitimate interest (Article 6(1)(f) GDPR) or, where applicable, compliance with a legal obligation (Article 6(1)(c) GDPR), such as those arising from private security legislation.
For that legal basis to be robust, the processing must pass the proportionality test: the measure must be suitable for the declared purpose, necessary (no less intrusive alternative must be equally effective) and proportionate in the strict sense (the benefit to the employer must not be disproportionate to the restriction it imposes on the employee's rights). Installing cameras without having assessed these three conditions is a genuine legal risk.
What information must be given to employees?
This is where one of the most common mistakes occurs. Article 89 LOPDGDD establishes an obligation to provide information through two channels:
- Basic information via a notice sign: a clearly visible sign must be posted informing employees of the existence of cameras and that the images are processed for employment control purposes. The AEPD has published a model sign indicating, as a minimum, the identity of the data controller and the possibility of exercising the rights recognised under the GDPR.
- Full information made accessible: regardless of the sign, the employee has the right to access the detailed information required by Article 13 GDPR (purpose, legal basis, retention period, recipients, data subjects' rights, and contact details of the controller or the Data Protection Officer if one has been appointed).
Posting the notice sign does not require the employee's explicit consent for the processing: information is sufficient. But if the sign is absent or inadequate, the processing may be unlawful even if the cameras are technically well configured.
Where may cameras be placed, and where is it prohibited?
The law does not prohibit video surveillance in working areas, but requires that the placement be proportionate to the declared purpose. In practice, the AEPD has consistently stated that it is prohibited to install cameras in:
- Toilets, changing rooms, rest areas and other areas intended for personal hygiene or rest.
- Spaces where employees exercise their right to trade union freedom or assembly.
- Any area where constant surveillance bears no relation to the legitimate purpose alleged.
Nor is it proportionate to orient cameras so that they systematically capture computer screens or personal conversations, even if the camera is technically located in a permitted area.
How long may images be retained?
Article 22(3) LOPDGDD — also applicable by reference in the employment context — sets the maximum retention period for images at one month from capture, unless they must be kept to establish the commission of unlawful acts by employees or third parties. In that case, the images shall be retained for as long as necessary to bring the facts to the attention of the law enforcement authorities or the competent court.
This one-month period is mandatory: retaining images beyond that time without justification constitutes excessive and unlawful processing. It is advisable to verify that recording systems automatically delete files once that period has elapsed.
Must the company carry out a Data Protection Impact Assessment (DPIA)?
Depending on the scope of the system, a DPIA may be mandatory. Article 35 GDPR requires a Data Protection Impact Assessment (DPIA) where the processing is likely to result in a high risk to the rights and freedoms of natural persons. The list of activities presumed to entail high risk published by the European Data Protection Board includes large-scale monitoring of publicly accessible areas. In the employment context, a camera system covering an entire production floor, incorporating facial recognition or continuously recording workspaces is likely to require a DPIA.
If you need to assess whether your system requires a DPIA, at Summum Consultoria we support companies in bringing their video surveillance systems into compliance with the GDPR and the LOPDGDD.
What happens if a security incident involving the images occurs?
If the images captured by the cameras suffer a security breach — for example, unauthorised access, loss or theft of recording media, or improper disclosure — the data controller must act in accordance with Articles 33 and 34 GDPR:
- Article 33 GDPR: notification to the Spanish Data Protection Agency (AEPD) within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons.
- Article 34 GDPR: communication to the affected data subjects — in this case, the employees whose images have been compromised — when the breach is likely to result in a high risk to their rights and freedoms.
In practice, a leak of workplace surveillance footage usually involves high risk (it may reveal lifestyle habits, personal relationships or other sensitive data), so the dual obligation to notify the AEPD and communicate with those affected is the rule rather than the exception.
Is it necessary to appoint a Data Protection Officer (DPO)?
Designation of a DPO is mandatory in the cases set out in Article 37 GDPR: public authorities, and controllers or processors whose core activities require large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories of data. For a private company with an ordinary internal video surveillance system, the obligation is not automatically triggered by the mere existence of cameras.
Nevertheless, the functions of the DPO (Articles 38 and 39 GDPR) — informing, monitoring compliance and acting as a point of contact with the supervisory authority — are particularly valuable in high-risk activities such as workplace surveillance. For companies not required to appoint an internal DPO, the figure of the external Data Protection Officer provides the same safeguards with a more flexible cost structure.
What consequences may non-compliance entail?
The AEPD is the competent supervisory authority in Spain and has sanctioning powers. The sanctioning framework of Article 83 GDPR distinguishes two levels:
- Higher-tier infringements: up to EUR 20,000,000 or, if higher, 4% of total worldwide annual turnover for the preceding financial year.
- Lower-tier infringements: up to EUR 10,000,000 or 2% of total worldwide annual turnover.
Breaches of the duty to provide information (absent or inadequate notice sign), excessive retention periods or installation in prohibited areas may give rise to enforcement proceedings. In addition, employees may exercise their rights before the AEPD and, where applicable, claim damages before the courts.
At Summum Consultoria we do not guarantee compliance on behalf of any company — that responsibility always rests with the data controller — but we do support the adaptation process so that the company has the required technical and organisational measures in place. If you wish to review your current system, our data protection team provides a no-obligation initial assessment.
Frequently asked questions
Can the company use the footage to discipline an employee?
Yes, provided the video surveillance system has been correctly implemented (notice sign, valid legal basis, proportionality) and the images were obtained lawfully. Article 89 LOPDGDD expressly permits the use of images for disciplinary purposes. However, if the processing is unlawful at source — for example, the camera was in a changing room or no notice sign was posted — the images cannot be used as evidence and the company may face an additional penalty for the unlawful collection of data.
Does the video surveillance system have to be registered with any official body?
There is no mandatory register of video surveillance systems with the AEPD in Spain. What is mandatory is to include the processing in the Record of Processing Activities that every controller must maintain under Article 30 GDPR, describing the purposes, legal basis, categories of data subjects concerned and erasure time limits.
What about cameras in company vehicles?
Cameras installed in company vehicles (dashcams) that capture images of the driver or passengers are subject to the same GDPR principles and Article 89 LOPDGDD. The usual purpose — road safety and monitoring of work activity — may justify the processing, but requires prior information to the driver and proportionality in the scope of the capture. Images of public roads captured incidentally may additionally be subject to private security legislation.