CCTVPLANNER.IO · COMPLIANCE

    CCTV Compliance — Country Guide

    Data-protection laws and CCTV standards in every country we have customers. Each section links to the canonical regulator and to native-language city design pages.

    🇪🇺European Union (all member states)

    GDPR requires every CCTV system to have: a documented lawful basis (typically Article 6(1)(f) legitimate interest), data subject notification (Article 13 signage at every entrance with controller name + purpose + DPO contact + retention), a Data Protection Impact Assessment when systematic monitoring of public spaces (Article 35), and 30-day max retention unless a longer period is justified by the same DPIA. Member state laws add country-specific obligations (BDSG, LOPDGDD, RODO, Codice Privacy etc.).

    🇩🇪Germany — BDSG + DSGVO

    BDSG §4 is the strictest national CCTV regime in the EU: video observation of public spaces requires either (a) the consent of every person observed (impractical) or (b) a documented legitimate purpose served BY video and only video (legitimate-purpose threshold is higher than other GDPR jurisdictions). VdS-zertifizierte alarm + camera systems are mandatory for insurance discounts on most commercial properties; DIN VDE 0833-3 governs the cabling and reliability.

    10 deutsche Städte mit Sicherheitsplanung

    🇵🇱Poland — RODO + Kodeks Pracy

    Poland combines GDPR/RODO with workplace-specific rules: art. 22² of the Labour Code limits employee monitoring to specific lawful purposes (safety, property protection, work organisation, secrecy of information). 3-month max retention for workplace footage unless used in disciplinary or legal proceedings. UODO publishes detailed guidance on signage (pictogram + extended notice), DPIA triggers, and lawful camera placement vs neighbouring property.

    30 miast w Polsce — strony lokalne

    🇮🇹Italy — Codice Privacy + Garante

    Garante per la Protezione dei Dati Personali issues binding sector-specific provvedimenti on top of GDPR. Key rules: 24-hour default retention (can extend to 7 days with justification, up to 30 days only after DPIA + supervisory notification), specific signage with controller, purpose, retention, and Garante reference. Bank installations (banche commerciali) require additional compliance under Provvedimento 27 ottobre 2005.

    6 città italiane con design CCTV locale

    🇪🇸Spain — LOPDGDD + AEPD

    AEPD (Agencia Española de Protección de Datos) and autonomous-region regulators (APDCAT in Catalonia, AVPD in Basque Country) enforce LOPDGDD plus GDPR. Videovigilancia rules require: maximum 30-day retention, signage with controller + Spanish data-subject-rights pictogram, no recording of public road unless strictly necessary, and Registro de Actividades de Tratamiento entry for every installation > 6 cameras.

    6 ciudades españolas — diseño local

    🇨🇿Czech Republic — ÚOOÚ

    ÚOOÚ (Úřad pro ochranu osobních údajů) issues binding guidance on CCTV: 7-day default retention (extend with DPIA only), prominent signage with controller + purpose + retention + ÚOOÚ contact, prohibition of recording neighbouring private property without consent. Workplace CCTV requires consultation with employee representatives.

    5 českých měst s lokálním návrhem

    🇳🇱Netherlands — AVG + AP

    Autoriteit Persoonsgegevens (AP) is Europe's most active CCTV regulator with regular enforcement fines. Cameratoezicht in openbare ruimte requires municipal permit (gemeente) PLUS GDPR compliance. Retention: 24 hours default for private installations, 28 days for public-area monitoring with permit. Strict prohibition on workplace cameras without works council (OR) approval.

    5 Nederlandse steden — lokaal ontwerp

    🇧🇷Brazil — LGPD + ANPD

    LGPD applies to every CCTV installation processing personal data of natural persons in Brazil. ANPD (Autoridade Nacional de Proteção de Dados) is the federal regulator. Required: lawful basis (Art. 7), signage with controller identity + purpose, Relatório de Impacto à Proteção de Dados (RIPD) for high-risk projects (public-area monitoring, biometric recognition, large-scale systems > 50 cameras), and incident notification to ANPD within 48 hours.

    5 cidades brasileiras — projeto local

    🇦🇺Australia — Privacy Act + AS 4806

    Federal Privacy Act 1988 applies to organisations turning over AU$3M+ (small business exemption below). State Surveillance Devices Acts add jurisdiction-specific rules: NSW Workplace Surveillance Act 2005 requires 14-day employee notice before installation, VIC Surveillance Devices Act 1999 prohibits private listening devices without consent. AS 4806.x is the technical standard for design, installation, commissioning.

    5 Australian cities — local security design

    🇿🇦South Africa — POPIA

    POPIA fully effective July 2021. CCTV operators must register as Responsible Parties with the Information Regulator if processing > 5,000 data subjects. Required: signage at every entrance (POPIA Information Notice format), maximum 7-day retention for incident-only recording (extend with documented business case), data subject access right (Section 23) — operator must provide footage on request within 30 days unless legal exemption.

    3 South African cities — local design

    🇺🇸United States — federal + state patchwork

    No federal CCTV law; instead: NDAA Section 889 (FAR 52.204-25) bans Hikvision, Dahua, Huawei, Hytera, ZTE from US federal contracts and federally-funded projects. State laws: California CCPA + Illinois BIPA (biometric face capture) + Texas SB 5 (school surveillance) + state-specific workplace recording acts (some states require two-party consent for audio). HIPAA applies to hospitals; FERPA to schools.

    14 US cities — local security design

    Frequently asked

    Which regulations apply to my CCTV installation?

    Every CCTV installation in the EU falls under GDPR. Add country-specific national CCTV codes (BDSG in Germany, LOPDGDD in Spain, RODO in Poland, Codice Privacy + Garante provvedimenti in Italy, AVG + AP guidance in Netherlands, ÚOOÚ guidance in Czechia). Outside the EU: Brazil (LGPD + ANPD), Mexico (LFPDPPP), Australia (Privacy Act 1988 + state Surveillance Devices Acts + AS 4806), South Africa (POPIA), US (NDAA Section 889 + state laws).

    What is the default CCTV retention period under GDPR?

    30 days is the de facto default across most EU jurisdictions, but several national regulators set stricter starting points: Italy 24h (Garante), Netherlands 24h-28 days depending on permit, Czech Republic 7 days (ÚOOÚ), Spain 30 days (AEPD). Longer retention requires a documented DPIA (Article 35 GDPR) and proportionality justification.

    Do I need a permit to install CCTV?

    Private property: typically no, but GDPR/local-law compliance is automatic. Public space monitoring: most EU jurisdictions require municipal or police permit (Netherlands gemeente, Spain ayuntamiento, France préfecture). Workplace monitoring: most countries require employee consultation (Poland art. 22² Kodeks Pracy, Netherlands works council, France CSE). South Africa POPIA: registration with Information Regulator if > 5,000 subjects.

    What does CCTV signage need to contain?

    GDPR Article 13 minimum: controller identity, purpose, lawful basis, retention period, contact for data subject rights (DPO if appointed). Germany BDSG adds specific pictogram requirements. Spain AEPD has a standardised pictogram template. Italy Garante requires reference to Provvedimento 8 aprile 2010. Netherlands AP requires retention + purpose + controller in plain Dutch. Poland UODO requires bilingual signage in tourist areas.

    Are Hikvision and Dahua cameras legal in the EU?

    Yes — there is no EU-wide ban as of 2026, though several member states have advisory guidance against them in critical infrastructure (Germany BSI advisory, Netherlands NCTV review). For US federal-funded projects (including federally-funded research, EU+US cooperation), NDAA Section 889 / FAR 52.204-25 prohibits both brands. UK has phased them out of central government estates since 2022.

    Plan a compliance-ready system

    CCTVplanner computes DORI / OODPCVS pixel densities per EN 62676-4, generates GDPR-grade signage placeholders, and exports per-floor reports installer-ready. Compliance is baked in — pick the city/country closest to yours below to start with the right defaults.

    Open the designer →