GDPR / Compliance · Updated 2026-05-05
CCTV workplace monitoring under GDPR / RODO / DSGVO
A 2026 compliance roadmap for HR, ops and security leads deploying workplace surveillance in the EU. The legal floor is GDPR; the ceiling is national labour law and works-council co-determination, which varies dramatically across member states.
The seven workplace-CCTV obligations under GDPR
- Lawful basis. Article 6(1)(f) legitimate interest is the only realistic option — consent fails because employees cannot freely refuse, and Article 6(1)(b) (contract performance) is too narrow. The legitimate-interest balancing test must be documented and reviewed annually.
- DPIA (Article 35). Workplace CCTV is "systematic monitoring on a large scale" and triggers a mandatory Data Protection Impact Assessment in every EU jurisdiction. The DPIA documents the purpose, the proportionality test, the alternatives considered (and why rejected), and the measures taken to minimise impact.
- Transparency (Articles 13–14). Every employee must be told before deployment what is recorded, where, why, by whom, for how long, and how to exercise their rights. A privacy notice in the staff handbook plus signage at the perimeter satisfies this.
- Retention. The minimum necessary, typically 7–30 days. Most DPAs treat 30 days as the soft default; longer requires specific justification.
- Visible signage. Pictogram + controller name + contact + lawful basis + retention period + DPO contact. Position it at every entry point and on every floor of multi-storey deployments.
- Subject access. Any employee can request a copy of footage in which they appear. The 30-day response window applies.
- Minimisation. Each camera's field of view (FOV) must be the narrowest that still achieves the security purpose. Cameras pointing at desks, into dedicated rest areas, or covering more public space than the security goal requires fail this test by default.
Country-specific add-ons
Germany (DSGVO + BDSG + BetrVG). Works council co-determination under BetrVG §87(1)(6) is mandatory for any employee-monitoring technology, including CCTV. The employer cannot install, expand or modify the system without works council consent. State-level DPAs (16 Länder) regularly fine for non-consultation. BDSG §26 sets stricter retention defaults than generic GDPR — 72 hours is the typical ceiling.
Poland (RODO + Kodeks pracy). Article 22² of the Labour Code permits CCTV at work but only for ensuring safety, protecting property, monitoring production, or preserving confidentiality. The deployment must be regulated in the workplace rules of order (regulamin pracy) and announced to employees at least 14 days before activation. UODO is increasingly active — fines for inadequate signage and unjustified retention are frequent.
France (CNIL guidance + Code du travail). Works council consultation under Article L2312-38 is required. CNIL has published binding guidance limiting retention to 30 days absent specific incidents. Cameras must not film employee workstations continuously and must avoid breakroom areas entirely. CNIL fines for workplace CCTV breaches range from €1 000 to €600 000+.
Italy (Garante + Statuto dei Lavoratori Article 4). One of the strictest regimes. Article 4 of the workers' statute prohibits installing surveillance equipment for the direct monitoring of employees and requires a collective agreement (with the works council or, failing that, regional Labour Inspectorate authorisation) before any system that incidentally captures employee activity can be deployed.
UK (UK GDPR + Data Protection Act 2018 + ICO Employment Practices Code). Works council consultation is recommended but not mandatory. The ICO Employment Practices Code is treated as authoritative guidance and DPA enforcement frequently cites it. Retention defaults to 30 days; longer needs a documented incident.
Common compliance failures (and what they cost)
- Cameras in toilets, locker rooms or rest areas — automatic six-figure fines across the EU.
- Indefinite or 90+ day retention without documented justification — frequent low-five-figure fines.
- No signage or signage in only one language at multilingual workplaces — €5 000 – €25 000 typical.
- No DPIA on file — increasingly seen as an aggravating factor that multiplies the underlying penalty.
- No works council consultation in DE / FR / IT — entire deployment may be voided retroactively.
- Live stream accessible by managers without access logging — breaches both minimisation and accountability principles.
- Audio capture without separate justification — audio of workplace conversations is treated more strictly than video.
A pre-deployment checklist that holds up
Before the first cable is pulled:
(1) draft the DPIA covering purpose, proportionality, alternatives, FOV minimisation and retention;
(2) update the privacy notice and staff handbook with the new processing;
(3) consult the works council / trade union where applicable and obtain written agreement;
(4) design the FOV map showing exact coverage, with the proportionality test annotated per camera;
(5) produce signage in every workplace language;
(6) define the retention rules and the technical control that enforces them;
(7) appoint the access-log custodian;
(8) train the security team on the subject-access workflow.
CCTVplanner produces item (4) directly — drop the camera positions on the floor plan, lock the FOV cones, export a labelled PDF with the proportionality test annotation per camera, and attach it to the DPIA appendix. The DPA reviewer reads the same artefact you reviewed.
Build the workplace FOV map for your DPIA
Drop cameras on your floor plan, lock the FOV cones, export the PDF that goes into the DPIA appendix. Free tier covers 1 site.