Do I need to register my home CCTV system with the data protection authority?

Not if the cameras strictly cover only your own property — the GDPR household exemption applies and no registration is needed. The moment any camera reaches public space, a neighbor's garden, a shared driveway or a footpath, the exemption is lost and the operator becomes a data controller. UK ICO and most EU DPAs do not require pre-registration even then, but you take on the seven core controller duties (lawful basis, transparency, retention, signage, subject access, security, minimisation).

How long can I keep recordings from my home CCTV?

If the system stays inside the household exemption (covers only own property), there is no statutory limit — you set retention based on your own security need. Once the exemption is lost (any external coverage), DPAs across the EU treat 30 days as the soft default, with 7 days being the conservative best practice for residential security where no specific incident has occurred.

Do I have to put up signs for my home CCTV?

If the system stays within household exemption, signage is optional but recommended — visible cameras have a measurable deterrent effect and the signs make the deterrent explicit. Once the exemption is lost (any FOV reaching public space or a neighbor's property), signage becomes mandatory: a CCTV pictogram with the controller's name, contact, lawful basis (typically legitimate interest), retention period, and how to make a subject-access request. Some jurisdictions also require a DPO contact even for residential operators.

Can I install audio recording with my home CCTV?

Audio recording of public space is treated more strictly than video in most EU jurisdictions and is often unlawful absent a specific lawful basis beyond legitimate interest. UK ICO discourages audio capture in residential CCTV. Polish UODO and German Länder DPAs treat audio capture as disproportionate by default. The minimisation principle (Article 5(1)(c)) usually rules audio out — switch it off unless you have a specific, documented security reason that video alone cannot address.

Compliance · Residential · Updated 2026-05-05

Home CCTV installation — the 2026 legal checklist

Most homeowners install CCTV without realising they've crossed into GDPR controller territory. The household exemption that keeps domestic CCTV out of regulation has a sharp edge: any FOV reaching past your boundary triggers the full obligations. This checklist runs through every step before the first cable is pulled.

Step 1 — The household exemption test

Run the FOV test for every planned camera position. Map the camera location, lens focal length and sensor format onto your property's satellite imagery. The FOV cone projected onto the ground must remain entirely within your own boundary. If any portion of the cone reaches public space, a neighbor's land, a shared driveway or a footpath, the household exemption is lost and the system becomes a GDPR-regulated installation with the full controller duties.

Most domestic doorbell cameras use 2.8–4 mm lenses with 70–110° HFOV. At a typical 2.5 m porch mount, the FOV almost always reaches into public space — most installations are technically GDPR-regulated even when the homeowner is unaware. The household-exemption test is the single most common compliance failure in residential CCTV.

Two ways to keep the exemption: (1) reduce camera angle so the FOV stops at your boundary; (2) use privacy masking (most cameras support this in firmware) to permanently black out the parts of the frame that fall outside your land. Privacy masking on a doorbell camera takes 2 minutes in the app and resolves most household-exemption issues.

Step 2 — Signage (mandatory once exemption is lost)

A CCTV pictogram alone is not sufficient under GDPR. The compliant signage package includes: (1) the CCTV pictogram, (2) controller name (your name or your household), (3) contact email or phone, (4) lawful basis (typically "legitimate interest under Article 6(1)(f) GDPR"), (5) retention period in days, (6) link to a privacy notice with subject-access instructions.

Position at every entry point to your property visible from public space. For a standard suburban home, that's typically the front gate or driveway entry. The sign must be readable from the angle a person would normally approach — not behind a hedge, not high above eye line.

For a privacy notice, a printed A5 card next to the front door pointing visitors to your home email is sufficient. You don't need a website. The privacy notice itself fits on one A4 page — DPAs publish templates for residential operators.

Step 3 — Retention configuration

If household exemption applies (FOV stays inside boundary), there's no retention cap. Set whatever feels useful — typically 7–30 days on the NVR, longer if you have specific reasons.

If household exemption is lost, retention must be the minimum necessary. EU DPAs converge on 7 days as conservative and 30 days as the upper end for residential. Anything beyond 30 days needs documented justification linked to a specific incident or risk profile. Indefinite retention is unlawful.

Configure retention as a hard delete on the NVR, not a soft archive. Subject-access requests will ask whether older footage exists — "we delete after 7 days" is the answer that closes the question.

Step 4 — Subject access workflow

Once the system is GDPR-regulated, anyone visible in the footage can request a copy. The 30-day response window is statutory. The workflow doesn't have to be complex — a logged email folder, the NVR's export-clip function, and an outbound email with the clip suffices. What matters is consistency.

Keep a log of every subject-access request — date received, requestor, response date, what was provided. The log demonstrates accountability if the DPA ever audits.

Step 5 — Neighbor notification (optional but recommended)

If your installation is on a shared boundary, a courtesy note to the neighbor — what is being installed, what FOV it will have, when, and your contact for any concerns — pre-empts the most common dispute trigger. The note is not a legal requirement but it converts a hostile complaint into a constructive conversation in 90% of cases.

Include a printed FOV map showing exactly what your camera will see. A neighbor who has the map is dramatically less likely to file a DPA complaint than one who has to guess.

Step 6 — Audio off (default)

Most EU DPAs treat audio capture in residential CCTV as disproportionate by default and rule it out under the minimisation principle. Disable audio recording in firmware unless you have a specific documented reason that video alone cannot address. UK ICO, Polish UODO and Italian Garante all publish guidance against domestic audio capture.

Run the household-exemption FOV test for free

Drop your camera at the install address, set the lens, see the cone footprint on your boundary. If any cone reaches over the line, you'll know before you mount.

Can my neighbor record me? →

The legal background for the household exemption.

Home security CCTV guide →

Camera placement, lens choice and DORI for residential.