What is GDPR? Camera + Access Control Implications for US Companies

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union data protection law that applies to any organization processing personal data of EU residents, regardless of where the organization is based. For commercial security, GDPR governs camera footage, access-control logs, and biometric data. Lawful basis (legitimate interest), data minimization, purpose limitation, retention limits (typically 30 days for general surveillance), and Data Subject Access Requests (DSARs) all apply. US-based multi-site retailers, manufacturers, and hospitality groups with EU locations must comply at those sites. Penalties reach 4 percent of global annual revenue or EUR 20M, whichever is higher.

The short definition

Effective May 2018, GDPR replaced the 1995 Data Protection Directive and harmonized data protection across the EU. The regulation applies to any organization processing personal data of EU residents, regardless of where the organization is based (extraterritorial scope under Article 3). Each EU member state has a Supervisory Authority (CNIL in France, ICO in UK pre-Brexit and now also under UK GDPR, Garante in Italy, BfDI and state-level DPAs in Germany) that enforces the regulation locally.

For commercial security, GDPR matters in three ways: cameras capture personal data (faces are personal data); access control logs are personal data; biometric data is special-category personal data with stricter rules.

The seven principles

Article 5 lists the principles that govern all processing. For surveillance:

Lawfulness, fairness, transparency. Document the legal basis. Post visible signage at every camera location. Update privacy notice.
Purpose limitation. Collect data only for specified, explicit purposes. Footage collected for theft prevention can't be repurposed for employee productivity monitoring without separate basis.
Data minimization. Collect the least data needed. Don't capture audio if you don't need audio. Don't deploy facial recognition if a generic person-detection meets the goal.
Accuracy. Footage and access logs should be accurate. Drift in clocks and timestamps can break this.
Storage limitation. Retention only as long as necessary. 30 to 90 days for general surveillance.
Integrity and confidentiality. Security against unauthorized access. Encryption at rest and in transit. Access controls on the VMS.
Accountability. Document compliance. Maintain a record of processing activities (Article 30).

DSARs in practice

Data Subject Access Requests are the most operationally challenging part of GDPR for camera-heavy commercial sites. The process at most enterprise sites:

Receipt and verification. Verify the requester's identity. Reasonable verification methods (photo ID, account confirmation).
Search. Search the VMS for footage between the requester's claimed dates and locations. Tools like Briefcam, Genetec KiwiVision, and Avigilon ACC search-by-appearance speed this up dramatically.
Redact. Blur faces of others, mute audio of others, redact license plates. The data subject sees only their own footage.
Deliver. Provide footage in a common format (MP4) within the 30-day window.

At sites with high DSAR volume (large retail, hospitality), VMS automation and trained DSAR staff are operationally critical. Manual DSAR handling at scale produces compliance gaps.

Penalties and recent enforcement

GDPR penalties run two tiers under Article 83:

Lower tier: up to EUR 10M or 2 percent of global annual revenue. Procedural violations (record-keeping, breach notification, DPO appointment).
Upper tier: up to EUR 20M or 4 percent of global annual revenue. Substantive violations (unlawful processing, denial of data subject rights).

Major surveillance-related fines: French CNIL fined Carrefour EUR 2.25M in 2020 for excessive video retention and inadequate signage. Spanish AEPD fined Mercadona EUR 2.5M in 2021 for facial recognition deployed without lawful basis. Italian Garante fined Foodinho EUR 2.6M in 2021 for excessive monitoring. Sub-EUR-1M fines for surveillance non-compliance are routine across member states.

When to ask Tec-Tel about GDPR-compliant security

US-based multi-site customers with EU footprint need GDPR-aware camera, access, and analytics designs at those sites. We'll scope the deployment, document the lawful basis, configure retention and DSAR workflows, and pair with EU local-counsel review where needed.

Frequent buyer questions

Does GDPR apply to cameras at a US store with no EU operations?

Generally no. GDPR's territorial scope (Article 3) applies to organizations established in the EU and to processing of EU resident data even when the controller is outside the EU. A US store with no EU operations and no EU-resident customers isn't subject to GDPR. But a US-based multi-site retailer with stores in Paris, a US manufacturer with a factory in Germany, or a US hospitality group with hotels across Europe must comply at those sites and at any system that processes EU resident data.

What's a lawful basis for camera deployment under GDPR?

GDPR Article 6 lists six lawful bases. For commercial cameras, 'legitimate interest' (Article 6(1)(f)) is the most common. The data controller (the organization) must perform a Legitimate Interest Assessment (LIA) documenting why the surveillance is necessary, what alternatives were considered, and how data subject rights are protected. Other bases (legal obligation, consent) apply less commonly. Document the basis before deployment, not after.

How long can I retain camera footage under GDPR?

Retention must be limited to what's necessary for the stated purpose. There's no GDPR-mandated number, but supervisory authorities (CNIL in France, ICO in UK, Datatilsynet in Denmark) have published guidance. Common retention: 30 days for general surveillance, 90 days where justified by incident review patterns. Anything over 90 days requires documented justification. Incidents under investigation can be retained on a separate clip-store outside the bulk retention window.

What's a DSAR and how do I respond?

A Data Subject Access Request (DSAR) is a request by an individual (typically a customer or employee) to see what personal data the organization holds about them. For cameras, that means footage clips that show the requester. The organization has 30 days to respond (extendable to 60 in complex cases). Practical considerations: the response must redact other people in the same footage (faces blurred), audio of others muted, and the supplied footage must be reasonable in scope (not unlimited).

What about GDPR plus biometrics?

Biometric data is special-category personal data under GDPR Article 9. Processing requires explicit consent or one of the narrow Article 9(2) exceptions. Most commercial biometric deployments at EU sites need a Data Protection Impact Assessment (DPIA) under Article 35, written employee consent (for employee biometric access), and a documented retention and deletion policy. Some EU member states (France, Germany) impose stricter rules than the GDPR baseline. Always check national supervisory authority guidance.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400

What is GDPR?

The short definition

The seven principles

DSARs in practice

Penalties and recent enforcement

When to ask Tec-Tel about GDPR-compliant security

Frequent buyer questions

HIPAA

Biometric authentication

Face recognition

Industries

Start with a free consultation.

How can we help?