Case Study : A  Business operating CCTV 

The use of CCTV has long been regulated. The GPDR reaffirms the data protection guidelines around the use of CCTV and has raised awareness amongst the general public regarding its use. 


  1. The client did not have any CCTV signage in place and was concerned that signage would raise alarm amongst clients and employee. 
  2. The client did not have a clear and documented purpose for the CCTV. While the over riding purpose was safety and security it became apparent that footage may be used in an employer/employee dispute. This type of monitoring was not documented in any employee manuals. 
  3. Access to CCTV images and footage was not strictly controlled. 
  4. The business did not have a Subject Access Request policy or procedure in place therefore accessing CCTV footage may become difficult in these circumstances and ultimately may result in missed deadlines. 
  5. No CCTV policy or procedure in place. 


  1. Developed compliant CCTV signage and advised on appropriate placement. 
  2. Assisted in the creation of a CCTV policy. 
  3. Assisted in the completion of a DPIA with the Data Protection Manager.
  4. Access to CCTV footage was strictly controlled with clear criteria for review and downloading including how to handle requests from the Gardai. 
  5. A subject access request policy and procedure was created as part of the overall data protection framework. 
  6. Training was rolled out for all staff. 


  1. Compliant use of a surveillance system. 
  2. No confusion as to the purpose of the system and no further potential for employee disputes where CCTV was used inappropriately. 
  3. Full Transparency for data subjects.
  4. Appropriate security and regulation around CCTV monitoring, access and downloading.