How long can a business keep CCTV footage in the EU?

There is no single EU-wide statutory limit, but the GDPR minimisation principle (Article 5(1)(c)) requires that retention be no longer than necessary for the stated purpose. In practice, EU DPAs converge on 30 days as the soft default for general security, with 7–14 days being the conservative best practice for low-risk environments. Specific sectors have higher caps backed by sector law: banks 90+ days for AML purposes, casinos 6–12 months in some jurisdictions, ports/airports up to 12 months under critical-infrastructure rules.

What is the maximum CCTV retention in Poland (RODO)?

Polish law sets a soft cap at 3 months under Article 22² §3 of the Labour Code for workplace CCTV. UODO has clarified that the same period is the practical default for general business CCTV unless a specific incident or sector regulation extends it. Beyond 3 months, the controller must document why a shorter period would not achieve the security purpose.

How long can residential CCTV recordings be kept?

If the household exemption applies (FOV strictly within own property), there is no statutory cap. Once the exemption is lost (any FOV reaching public space or a neighbor's land), DPAs converge on 7–30 days as the lawful range. Indefinite retention by a private homeowner has been fined repeatedly across the EU when challenged via DPA complaint.

What retention does the UK ICO recommend?

ICO's CCTV code of practice and Employment Practices Code recommend 30 days as the default upper end for routine general-security footage and shorter where the security need is met by a tighter window. For workplace CCTV the Employment Practices Code suggests 14 days unless a specific incident triggers extended retention. Indefinite retention of routine footage is treated as a Article 5(1)(e) breach.

Compliance Reference · Updated 2026-05-05

CCTV recording retention period by country

There is no single EU-wide retention cap — GDPR sets a principle (minimisation under Article 5(1)(c)) and each member state's DPA fills in the operational defaults. This reference summarises the working values DPAs actually enforce in 2026, plus the storage planning implications for your NVR sizing.

EU member-state defaults

Country	Default cap	Workplace cap	Authority
Poland	3 months	3 months (KP §22²)	UODO
Germany	72 hours typical, 30 days max	48 hours (BfDI)	BfDI + Länder
France	30 days	30 days (CNIL)	CNIL
Italy	24 hours std, 7 days max	7 days (Garante)	Garante
Spain	30 days	30 days (AEPD)	AEPD
Netherlands	28 days	28 days	AP
Belgium	30 days (1 month)	30 days	APD/GBA
UK	30 days	14 days	ICO
Ireland	30 days	30 days	DPC

The "Default cap" is the working value DPAs enforce against general-security CCTV. The "Workplace cap" reflects the stricter retention DPAs apply to employee monitoring. Both are working values rather than statutory caps in most cases — exceeding them is possible only with documented specific justification.

Sector-specific extensions

Banks and ATMs — 90 days minimum across the EU under AML directives; some member states allow up to 12 months for cash-handling areas.
Casinos and gaming venues — 6 to 12 months in most jurisdictions under sector regulation.
Airports and ports — up to 12 months under critical-infrastructure rules; varies by country.
Public transport — typically 14–60 days depending on national transport authority rules.
Healthcare facilities — strict minimisation under additional health-data rules; 7–14 days typical, longer requires specific clinical-safety basis.
Schools — strictest retention regimes given the involvement of minors; 24–72 hours typical absent specific incident.

United States — state-level patchwork

The US has no federal CCTV retention law. State-level rules apply patchwork:

California (CCPA / CPRA) — minimisation principle similar to GDPR; no fixed cap but indefinite retention is treated as unreasonable.
Illinois (BIPA) — biometric processing (face recognition) requires specific consent and 3-year cap on retention; standard CCTV without biometric processing is unconstrained at state level.
New York — sector-specific rules (financial services, education) but no general retention cap.
Texas, Florida, most other states — no specific retention cap; industry standards (PCI-DSS for retail, HIPAA for healthcare) drive the practical defaults.

For multi-jurisdiction US operators, the safe default is 30 days at the federal level with state-specific extensions documented per site.

Storage planning implications

Retention drives storage cost linearly. A 16-camera system at 4 MP H.265 25 fps medium scene runs at about 50 GB per camera per 30 days, so 800 GB total at 30-day retention, 2.4 TB at 90-day retention. The CCTV storage calculator computes exact figures from your codec, frame rate, scene complexity and retention period.

For multi-jurisdiction deployments (e.g. retail chain across DE, FR, IT, ES), size NVRs to the longest applicable retention so the storage layer can accommodate any site. Polish 3-month workplace cap and Italian 7-day default differ by 12×. Don't size to the shortest then scramble when a site needs more.

Compute storage for your retention rules

Set retention in days, codec, frame rate — the calculator returns exact TB and HDD sizing. Free.

Storage Calculator →

Convert retention period to TB capacity for any codec and frame rate.

Workplace CCTV under GDPR →

DPIA, retention, signage and works council rules.