Does Your Dashcam or CCTV Create a GDPR Problem?

Written By Maeve Dunne

If you use a dashcam in your work vehicle, have CCTV outside your premises, or a video doorbell at your office, you may be a data controller under GDPR and that comes with real obligations.

Many business owners assume these devices are covered by a personal exemption. They're not, at least not in the way most people think.

The 'Personal Use' Exemption Is Very Narrow

GDPR does include an exemption for purely personal or household use. But a 2014 EU Court of Justice ruling, the Ryneš case made clear this doesn't stretch very far.

The Court found that a home CCTV camera capturing a public footpath was outside the exemption. The same logic applies to dashcams recording public roads, video doorbells pointing at the street, and any camera that captures people beyond your own private space.

Once your camera records people in public, even incidentally, you're likely a data controller.

Commercial Use? There's No Exemption at All

If you use a dashcam in a business, such as taxis, delivery vans, company cars, fleet vehicles, the Data Protection Commission (DPC) has been clear, the personal exemption does not apply.

The same goes for CCTV at your business premises. You need a lawful basis, you need to be transparent about recording, have the appropriate signage and you need to handle the footage responsibly.

What You Actually Need to Do

Signage. Put up a visible notice wherever recording is taking place on vehicles, at entrances, wherever people might be captured. This is the DPC's minimum expectation for transparency.

Lawful basis. For most business uses, legitimate interests is the appropriate basis, but you need to be able to justify it. Security and incident evidence are generally defensible. Vague "general monitoring" is not.

Retention limits. Don't keep footage indefinitely. Set a retention period that's proportionate to your purpose, for most businesses, a few weeks is sufficient. Many dashcams auto-overwrite on a loop, which actually helps with compliance.

Access rights. Anyone captured in your footage can make a Subject Access Request. You need a process to handle that.

Don't Post Footage Online

Sharing dashcam or CCTV footage on social media, even to highlight bad behaviour, almost certainly breaches GDPR, if people are identifiable. Once footage goes public, you need a strong lawful basis, and "they were being annoying" won't cut it.

If you have footage relevant to a road incident or criminal matter, and you share it with An Garda Síochána or your insurer, that's a protected disclosure under the Data Protection Act 2018, posting it to Facebook is not.

The Bottom Line for Business Owners

Smart surveillance devices are useful tools, but they create data protection obligations from the moment they're switched on. The DPC has published guidance on dashcams, and the rules for CCTV are well established.

If you're not sure whether your current setup is compliant, it's worth getting a quick review. A small amount of preparation now is far less costly than a complaint to the DPC later.

Need help reviewing your CCTV or dashcam policy?
Get in touch with the Privacy Path team.

Maeve Dunne
Next

Employee Data Protection Considerations