Video surveillance using security cameras is common practice in shops, offices, residential communities, industrial premises and public spaces. However, installing cameras without properly informing the people who will be captured constitutes an infringement of the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and of Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). The main instrument for that information is the CCTV information notice, whose minimum content, placement and conditions of use are specifically regulated. This article systematically answers the most frequent questions we receive at Summum Consultoría about this element — seemingly simple, but frequently poorly implemented.
What is the legal basis governing the CCTV notice?
The obligation to provide information via a notice derives from the combined application of several rules:
- Article 13 GDPR: establishes the information that the data controller must provide to data subjects at the time their data is collected. Images captured by cameras are personal data when they allow a natural person to be identified.
- Article 22 LOPDGDD (video surveillance): specifically regulates the processing of images in public spaces and privately owned spaces with public access, establishing the obligation of an information device in a visible and accessible area, and fixing the maximum retention period for images at one month as a general rule.
- Article 89 LOPDGDD (video surveillance in the workplace): recognises the employer's right to install image capture systems for monitoring work activity, subject to the condition that workers and their representatives have been informed in advance.
These rules are supplemented by Instruction 1/2006 of 8 November of the AEPD, which, although pre-GDPR, remains the technical reference for notice design, and the model notice published by the AEPD on its electronic office.
What information must the CCTV notice contain?
The notice must fulfil the function of a basic or condensed information layer — what the AEPD calls «layered information» — so that the data subject can immediately access the essential details and, if they wish, obtain more complete information at a second level (full privacy policy, form, extended notice, etc.).
The minimum elements the notice must include are:
| Element | Required content | Legal basis |
|---|---|---|
| Camera pictogram or icon | Recognisable symbol identifying the existence of video surveillance. The AEPD model uses a standardised camera icon. | Instruction 1/2006 AEPD; Art. 22 LOPDGDD |
| Basic information text | Indication that the area is under video surveillance and that images are being processed. | Art. 13 GDPR; Art. 22 LOPDGDD |
| Identity of the data controller | Name or company name of the controller. Inclusion of the tax number on the notice is not mandatory, but it must appear in the full privacy information. | Art. 13.1.a GDPR |
| Purpose of the processing | Security and access control, workplace monitoring, intrusion prevention or other specific purposes. The declared purpose binds the controller: images may not be used for different purposes. | Art. 13.1.c GDPR |
| Reference to data subjects' rights | Indication that the data subject may exercise their rights of access, rectification, erasure, restriction and objection. | Arts. 15-21 GDPR |
| Means to exercise rights or access full information | Physical address, email address or link to the full privacy policy where additional information can be obtained and rights exercised. | Art. 13.2 GDPR |
The model notice published by the AEPD includes all these elements and can be used as a basis, adapted to the specific controller's details. The AEPD does not require its specific model to be used, but does warn that omitting any of the minimum elements may constitute an infringement of the transparency obligation.
Where must the notice be placed?
The placement of the notice is as important as its content. Article 22 of the LOPDGDD requires that the information device be visible and accessible. The AEPD has interpreted this requirement in numerous resolutions:
- The notice must be placed in a location prior to entry into the monitored area, so that the data subject receives the information before entering, not after they have already been captured.
- It must be legible from the normal approach distance to the area. Notices of excessively small size or placed at an invisible height have been the subject of enforcement proceedings.
- In areas with multiple access points, a notice must be placed at each relevant access.
- When the monitored area is the interior of a premises accessed from the street, a notice on the door or shopfront is common practice and generally sufficient, provided it is visible from outside before entering.
In the workplace, the prior information obligation under Article 89 LOPDGDD is normally met through an information clause incorporated into the employment contract or via a specific document delivered to the employee. The notice in the monitored area complements that information but does not replace it: the AEPD has stated that the information given to workers must be prior and individualised, not merely environmental.
How long can images be retained?
The retention period is one of the aspects that most frequently leads to non-compliance. The general rule set out in Article 22.3 of the LOPDGDD is clear:
«Images shall be erased within a maximum period of one month from their capture, unless they need to be preserved to record the commission of acts that threaten the integrity of persons, property or installations.»
In practice, this means:
- Standard period: one month. After that period, images must be securely and irreversibly deleted if no incident has occurred that justifies retention.
- Incident exception: if during the recording period an event occurs that requires making the images available to law enforcement or judicial bodies, the controller may retain them until the relevant proceedings conclude. The AEPD recommends documenting the reason for exceptional retention.
- Workplace context: there is no explicit differentiated period for workplace monitoring cameras, but the GDPR's minimisation principle and AEPD doctrine indicate that images should not be kept beyond what is necessary for the declared purpose, which generally does not exceed one month unless disciplinary or judicial proceedings are underway.
Failure to comply with the retention period is one of the most frequent causes of CCTV enforcement proceedings. Configuring automatic deletion — a standard function in digital recording systems (DVR/NVR) — is the simplest technical measure to meet this requirement.
What are the differences between private premises, public-facing areas and the workplace?
| Scenario | Applicable legal basis | Specific requirements |
|---|---|---|
| Privately owned space with public access (shop, hotel, restaurant, private car park) | Art. 22 LOPDGDD + Art. 13 GDPR | Notice mandatory at access points. Purpose: security. Maximum retention: 1 month. Cameras may not capture the public highway except for the minimum fringe strictly necessary for access control. |
| Privately owned space without public access (company interior, warehouse, restricted area) | Art. 22 LOPDGDD + Art. 13 GDPR | Notice equally mandatory. If workers are in the area, Art. 89 LOPDGDD also applies and prior individualised information is required. |
| Workplace (monitoring of employee activity) | Art. 89 LOPDGDD + Art. 13 GDPR | Prior information to workers and their legal representatives is mandatory. Purpose: workplace monitoring (not generic security). The notice in the monitored area complements but does not replace prior individualised information. |
| Capture of the public highway | Permitted only for law enforcement and public administrations under LO 4/1997 and sector-specific regulations | A private individual or company may not install cameras continuously directed at the public highway. Only the minimum fringe strictly necessary at the building entrance is permitted. |
What happens if the notice is missing or inadequate?
The absence of an information notice or the omission of essential elements may lead to enforcement proceedings by the AEPD. Infringements related to failure to fulfil the information obligation are classified as serious infringements under Article 83.4 GDPR — with fines of up to €10 million or 2% of annual turnover — or as very serious infringements under Article 83.5 if the absence of information is linked to the lack of a lawful basis for the processing.
The general sanctions framework of the GDPR (Article 83) sets ceilings of up to €20 million or 4% of total worldwide annual turnover for the most serious infringements, although the specific amount in each case depends on the modulating criteria in Article 83.2 (intentionality, measures taken to mitigate harm, level of cooperation with the authority, etc.).
In AEPD practice, sanctions for CCTV without a notice in medium-sized commercial premises have typically been in the range of thousands to tens of thousands of euros, with higher amounts when other infringements are present, such as capture of the public highway, excessive image retention, or complete absence of a Record of Processing Activities.
The most frequent complaints come from employees or customers who detect cameras without signage. The AEPD accepts complaints through its electronic office and via physical correspondence, and opens preliminary investigation proceedings in most cases, requiring the controller to demonstrate compliance or rectify the situation.
When must a security breach involving CCTV footage be reported?
If a security incident affects recorded images — unauthorised access to recordings, theft of the storage system, remote hacking of the NVR, unauthorised dissemination of images, etc. — the data controller is required to notify the AEPD within a maximum of 72 hours of becoming aware of the incident, in accordance with Article 33 GDPR.
If the breach is likely to result in a high risk to the rights and freedoms of the individuals affected — for example, images of an intimate nature, images revealing sensitive behavioural information, or mass dissemination — the controller must also communicate the breach to the affected individuals without undue delay, in accordance with Article 34 GDPR. The communication must describe in plain terms the nature of the breach, the likely consequences and the measures taken or proposed.
Failure to fulfil the breach notification obligation gives rise to independent sanctions, which reinforces the importance of having an internal incident management procedure in place, even for small organisations.
Compliance checklist: GDPR-compliant CCTV notice
- The notice includes the standardised camera pictogram.
- The data controller is identified (name or company name).
- The purpose of the processing is stated (security, access control, workplace monitoring).
- Data subjects' right to access full information and exercise their rights is mentioned.
- A contact channel or reference to the full privacy policy is provided.
- The notice is placed in a visible location before entering the monitored area.
- The size and placement allow it to be read under normal access conditions.
- The recording system is configured for automatic deletion within one month or less.
- Cameras do not capture the public highway beyond the minimum strictly necessary fringe.
- In a workplace context, workers have received prior, individualised information.
- The CCTV processing activity is documented in the controller's Record of Processing Activities (RPA).
- An internal procedure exists for managing security breaches and notifying the AEPD within 72 hours where required.
If you have questions about whether your CCTV system complies with the GDPR and the LOPDGDD, Summum Consultoría provides a video surveillance compliance review covering the notice, the RPA, retention periods and, where applicable, drafting of supporting documentation. We accompany businesses in Castilla y León and the Canary Islands through the process of adapting to data protection regulations, without ever replacing the AEPD's role as supervisory authority.
Frequently asked questions
Is a single notice at the door of a shop with several interior cameras sufficient?
In principle, yes, provided the notice is visible from outside before entering and the space is open-plan or the access leads directly to the monitored area. If the premises has separate areas with cameras accessible through different entrances — for example, a loading bay with its own independent access — a notice must be placed at each relevant entrance. The rule is that no person should be captured without having had the opportunity to see the notice beforehand.
Can a homeowners' association install cameras in communal areas?
Yes, provided the general meeting approves it with the majorities required by the Horizontal Property Act and the requirements of the GDPR and the LOPDGDD are met: an information notice at accesses to monitored areas, a maximum retention period of one month, a prohibition on directing cameras at the public highway or at owners' private areas, and documentation of the processing in the community's RPA. The community acts as data controller and must designate a representative to fulfil that role.
Is it necessary to register a CCTV system with any authority?
There is no general public register of CCTV systems in Spain to which installations must be notified. What is mandatory is including the CCTV processing activity in the controller's Record of Processing Activities (RPA), in accordance with Article 30 GDPR. The RPA is an internal document that the AEPD may request in any supervisory action.
Can employers use CCTV footage as evidence in disciplinary proceedings?
Spanish case law — including rulings of the Supreme Court and the Constitutional Court — has accepted the use of workplace CCTV footage as evidence in disciplinary proceedings, provided that workers were informed in advance of the existence of the cameras and of the possibility of using the images for that purpose. The Supreme Court ruling of 21 July 2021 (rcud 4877/2018) consolidated this doctrine in the framework of Article 89 LOPDGDD. If prior information was not provided, the evidence may be unlawful and inadmissible in employment or criminal proceedings.