Retention period for CCTV recordings: what the law requires

·

One of the most frequent errors we identify in data-protection audits is the indefinite—or multi-year—retention of footage obtained by CCTV systems. Companies often believe that the longer they keep the images, the better protected they are against potential claims. The legal reality is the opposite: retaining recordings beyond the legally permitted period constitutes a breach of data-protection rules, regardless of intent.

Article 22 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD — Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales) specifically regulates CCTV systems and sets out, with precision, how long images may be kept, under what circumstances they must be blocked rather than deleted, and what exceptions are permitted. This article analyses that framework with regulatory rigour.

If you would like to know in detail how a GDPR-compliant CCTV system should be configured and managed, the Summum Consultoría team can guide you through the entire compliance process.

The general rule: maximum one-month retention

Article 22.3 of the LOPDGDD states expressly that "data shall be deleted within a maximum period of one month from their capture". This one-month limit is the absolute ceiling under ordinary circumstances — that is, when the images are not linked to any incident, claim or legal requirement.

The wording leaves no room for interpretation: the data controller — the company, residents' association, self-employed person or public body operating the system — is obliged to delete recordings before that period expires. It is not enough to have automatic overwriting configured; it must be verified periodically that the overwriting is actually working and that no backup copies are extending the real retention period beyond one month.

Regulation (EU) 2016/679 (GDPR — General Data Protection Regulation), in Article 5.1(e), enshrines the principle of storage limitation: personal data must not be kept longer than necessary for the purposes for which they were collected. CCTV has a specific purpose — the security of persons and property or access control — and that purpose is met without any need to retain images indefinitely. One month is the period the Spanish legislature has considered proportionate and sufficient.

What happens when an incident is detected? Blocking of recordings

Article 22.3 of the LOPDGDD itself recognises an exception of great practical significance: images must be retained — and not deleted — when they have captured acts that threaten the integrity of persons, property or other purposes for which the system was installed.

In practice, this translates into the concept of blocking: when an incident is detected — a theft, an assault, an unauthorised entry, a workplace accident — the recordings related to that incident must not follow the ordinary overwriting or deletion cycle. They must be blocked, meaning preserved in a controlled manner until judicial, administrative or other proceedings requiring those images as evidence have concluded.

This blocking does not extend retention indefinitely: the images remain available exclusively to judges and courts, to the State Security Forces and Bodies with jurisdiction over the investigation, and, where applicable, to the company for the purpose of asserting or defending its rights before the competent authorities. The controller may not continue to view them freely or use them for purposes other than those that justified the blocking.

The Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos) has clarified in various resolutions and in its Guide on CCTV that blocking must be proportionate: only recordings directly related to the incident should be preserved, not the entirety of the system's records for that period.

Exceptions to the one-month period

In addition to incident-based blocking, there are other scenarios in which the one-month period may be exceeded:

Outside these defined exceptions, it is not valid to extend the period by citing convenience ("just in case a problem arises"), internal security policies or the scale of the investment in the recording system. The GDPR's minimisation and storage-limitation principles do not accept those justifications.

Comparative table: retention periods by scenario

Scenario Retention period Legal basis Conditions
Ordinary recording with no incident Maximum 1 month Art. 22.3 LOPDGDD Deletion or automatic overwriting when the period expires
Images related to an incident (theft, assault, accident) For the duration of the relevant proceedings Art. 22.3 LOPDGDD (final clause) Immediate blocking; access restricted to competent authorities and exercise of rights
Judicial or police request received before the month expires As set by the requesting authority Art. 22.3 LOPDGDD + judicial order Complete unmodified copy must be preserved; blocking documented
Special sector legislation (gambling establishments, critical installations, etc.) As set by the applicable sector regulation Specific sector legislation The legal basis justifying the extended period must be documented
Images without personal data (areas with no possible human presence) LOPDGDD does not apply; technical discretion of the controller GDPR art. 2 (material scope) Assess case by case; the AEPD may consider that personal data do exist if identification is possible

Obligation of secure erasure

Deleting recordings when the retention period expires cannot consist merely of marking them as "archived" or moving them to a discard folder. Article 5.1(e) of the GDPR requires that data cease to be available and cannot be reasonably recovered. In practical terms, secure erasure entails:

This last point — documentation of erasure — is not optional. The accountability principle in Article 5.2 of the GDPR requires the controller to demonstrate compliance with the storage-limitation principle. If the AEPD opens an investigation, the company must prove not only that it has automatic deletion configured, but that deletion is actually taking place.

The record of processing activities and CCTV

Every CCTV system that captures images of identified or identifiable individuals must be included in the record of processing activities required by Article 30 of the GDPR. That record must include, among other data, the envisaged erasure period. Stating a generic period such as "as necessary" or "until incidents are resolved" is not sufficient: the specific period must be indicated (one month, with documented exceptions) together with the erasure procedure.

Likewise, if the CCTV system involves large-scale processing, systematic monitoring of a publicly accessible area, or processing of special categories of data (for example, biometric data for facial recognition), it may be mandatory to carry out a Data Protection Impact Assessment (DPIA) before the system is put into operation, as provided for in Article 35 of the GDPR.

To check whether your company is correctly managing the retention periods for its recordings, you can consult our GDPR CCTV system compliance service, with presence in Castilla y León and the Canary Islands.

Active information: the CCTV notice sign

The LOPDGDD, in Article 22.4, requires that persons passing through monitored areas be informed clearly and visibly. The minimum content that must appear on the sign is the existence of the processing, the identity of the controller and the ability to exercise the rights recognised in Articles 15 to 22 of the GDPR, together with an indication of where further information can be obtained.

That further information is provided through the second information layer: a privacy policy, a form or any other accessible document that supplements what the sign cannot contain for space reasons. It is in that second layer — and not on the sign itself — that the retention period for the images and the contact details of the controller or, where applicable, the Data Protection Officer (DPO) must be provided, as reflected in the model published by the AEPD.

The omission or inadequacy of active information is one of the most frequent infringements in the area of CCTV and may give rise to sanctioning proceedings under Article 83 of the GDPR.

Applicable penalty regime

Infringements related to the improper retention of CCTV recordings fall within the penalty system of Article 83 of Regulation (EU) 2016/679 and of the LOPDGDD (LO 3/2018).

Article 83.5 of the GDPR classifies as a serious infringement the violation of the basic principles of processing, which include storage limitation (art. 5.1(e) GDPR). Penalties for this type of infringement can reach EUR 20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. For less serious infringements, the threshold is up to EUR 10,000,000 or 2% of turnover.

The AEPD takes into account factors such as the duration of the infringement, the number of persons affected, whether the controller took proactive measures to minimise harm, or whether, conversely, the excessive retention was negligent or deliberate. Having a documented deletion procedure in place — even if it failed on one occasion — significantly reduces exposure to sanctions.

It should be recalled that the LOPDGDD currently in force is LO 3/2018, which repealed the former LO 15/1999 (LOPD). Any reference to the "old LOPD" in documents or contracts should be updated to reflect the currently applicable regime.

Best practices recommended by the AEPD

The Guide on the use of video cameras for security and other purposes published by the AEPD sets out a series of operational recommendations that go beyond minimum compliance:

Frequently asked questions

Is the one-month period calculated from when each frame is recorded or from the start of the recording session?

Article 22.3 of the LOPDGDD provides that the period is calculated from the capture of each image. In practice, since CCTV systems record continuously, the month is understood to run from the moment each recording was made. A system configured to overwrite automatically after 30 days complies with this criterion. The key point is that no image may remain stored for more than one month from when it was captured, except in the blocking or legally provided exception scenarios.

What happens if the overwriting system fails and images are retained for more than a month without the controller's knowledge?

The controller is not absolved by a technical failure. The GDPR's accountability principle requires the controller to adopt appropriate technical and organisational measures to ensure compliance with retention periods. This includes periodically verifying that automatic overwriting is functioning correctly. If a failure is detected, it must be corrected immediately, documented, and — if it has affected a significant number of images or special category data — assessed to determine whether the excess retention constitutes a security breach that must be reported to the AEPD under Article 33 of the GDPR.

Can a residents' association retain recordings for more than a month if residents agree to do so at a general meeting?

No. The agreement of residents at a general meeting cannot extend the maximum period set by law. Article 22.3 of the LOPDGDD establishes a mandatory limit that cannot be waived by the parties. Residents' associations may set a period shorter than one month — which is perfectly valid and sometimes more proportionate — but not a longer one. For more information on the specific regime for residents' associations, see the article on CCTV in residents' associations.

When must recordings be blocked and who may access them during the blocking period?

Blocking is mandatory as soon as the controller becomes aware that the images have captured the commission of an unlawful act or may be relevant to ongoing judicial, police or administrative proceedings. Access during the blocking period is restricted to the competent judicial bodies and Security Forces and Bodies, as well as to the controller or its legal representatives when they need the images to assert or defend their rights. Any other access — including by company staff not directly involved in managing the incident — must be avoided and, if it occurs, must be documented.