Your Camera Is Rolling. But Do You Have the Right to Film?

Risto Kasepuu
#cybersecurity #data protection #GDPR #surveillance cameras #privacy

We are living through a surveillance camera boom. They are everywhere — shops, offices, business buildings, car parks, apartment building corridors, city streets. And their numbers keep growing: cameras have become cheap, installation is easy, and it seems like everyone is doing it.

The problem that hasn’t gone away is that many people treat a camera like a light bulb: just screw it in somewhere and you’re done. What’s worse, recordings are sometimes shared on social media to justify a position or prove a point. This approach is wrong, not as a matter of personal opinion, but because it conflicts with the requirements of the EU General Data Protection Regulation (GDPR).

In Estonia, data protection supervision is carried out by the Estonian Data Protection Inspectorate (AKI). AKI has the authority to conduct supervisory proceedings, issue precepts to stop violations, and impose fines — up to €20 million or 4% of an organisation’s global annual turnover, whichever is higher. AKI handles both complaints from individuals and proceedings initiated on its own motion.

A camera is not a technical tool. Using it is already data processing.

The moment your camera records identifiable people, you are a data controller under GDPR. All obligations that come with that role apply to you in exactly the same way as to any other organisation that processes personal data.

That means: you need a legal basis, people must be informed, recordings must be protected, and they may not be used for any purpose other than the one for which they were collected.

Sounds simple? Not in practice.

Ten questions you must answer before putting up a camera

1. What is the camera’s purpose?

Before the camera goes up, you must ask: can the same level of security be achieved another way? Better lighting, a door, an alarm system? A camera is a permitted tool — but not the first one you should reach for.

2. What will you use the recordings for?

This is where many people go wrong. A recording from a camera installed for property protection is not social media content. If a camera captures a theft, the recording goes to the police — not to Facebook, not to the company Instagram, not even to the staff group chat. The purpose was property protection. Anything else is a violation.

3. Who is the contact person?

Every person captured on camera has the right to ask: who is processing my data and what is being done with it? There must be a specific, named person to contact — not “the company in general.”

4. Who has access to the recordings?

Access must be restricted and documented. Not “everyone can watch when it’s a slow day.”

5. How long are recordings retained?

The typical retention period is 72 hours — the Estonian DPA’s recommended default for standard security purposes. Longer only with justification. Many organisations keep recordings indefinitely without reason — that is a violation.

6. Are the camera software and recordings stored securely?

Make sure surveillance camera software is configured so that recordings cannot be accessed from the open internet.

This point sounds technical, but the risk is very concrete — and publicly documented.

Over the years, some of the world’s most popular surveillance camera manufacturers have shipped products with critical security vulnerabilities that were actively exploited.

Hikvision, 2021 — A new vulnerability was discovered (CVE-2021-36260). An attacker could gain complete control of the camera without entering any password, simply by sending a specially crafted network request. The number of affected devices exceeded 100 million, including many cameras sold under other brand names that use Hikvision internal components.

Dahua, 2025 — Bitdefender researchers disclosed two critical vulnerabilities affecting 126 Dahua camera models. A successful attack gave the attacker complete control of the device and allowed installing persistent malware — even surviving a reboot.

What does this mean in practice? A cheap camera is not necessarily a good deal when you factor in security risks. Cameras are installed and forgotten — systems run on years-old software in networks where other devices may be properly patched.

Good network hygiene:

  1. A separate network segment for cameras and the NVR (recorder) — not the same as employee computers
  2. Block all camera and NVR internet access at the firewall level — they have no need for it
  3. Regular software updates
  4. Strong, unique passwords for both the camera and the NVR
  5. Where possible, use a centralised management solution for cameras and recorders
  6. Named user accounts only — every person viewing recordings must log in with their own named account
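The first, second and sixth points of this list can be checked automatically against a device inventory and the firewall rule set. The following is an added example, not part of the original article: the subnets, rules, device names and account names are constructed sample data, and the simple first-match rule format is an assumption rather than any vendor's syntax.

```python
import ipaddress

# Constructed sample data: subnets, rules, devices and accounts are assumptions.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")  # dedicated camera/NVR segment
# Ordered firewall rules, first match wins: (action, source net, destination net)
RULES = [
    ("allow", "10.20.10.0/24", "10.20.30.0/24"),  # office viewers -> NVR
    ("deny",  "10.20.30.0/24", "0.0.0.0/0"),      # cameras and NVR: no outbound
    ("allow", "10.20.10.0/24", "0.0.0.0/0"),      # office computers -> internet
]
DEVICES = [
    {"name": "cam-entrance", "ip": "10.20.30.11", "accounts": ["r.tamm"]},
    {"name": "cam-carpark",  "ip": "10.20.10.57", "accounts": ["admin"]},
    {"name": "nvr-1",        "ip": "10.20.30.2",  "accounts": ["r.tamm", "k.saar"]},
]
GENERIC_ACCOUNTS = {"admin", "root", "user", "guest", "operator"}
# Documentation address (TEST-NET-2) standing in for "any public host".
INTERNET_PROBE = ipaddress.ip_address("198.51.100.1")


def egress_allowed(src_ip, dst_ip, rules=RULES):
    """Evaluate the ordered rules; default deny when nothing matches."""
    for action, src_net, dst_net in rules:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)):
            return action == "allow"
    return False


def audit(devices=DEVICES, rules=RULES):
    """Return (device, issue) pairs for each hygiene rule a device breaks."""
    findings = []
    for dev in devices:
        ip = ipaddress.ip_address(dev["ip"])
        if ip not in CAMERA_NET:
            findings.append((dev["name"], "not in the camera segment"))
        if egress_allowed(ip, INTERNET_PROBE, rules):
            findings.append((dev["name"], "can reach the internet"))
        shared = sorted(GENERIC_ACCOUNTS.intersection(dev["accounts"]))
        if shared:
            findings.append((dev["name"], "generic account: " + ", ".join(shared)))
    return findings


if __name__ == "__main__":
    for name, issue in audit():
        print(f"{name}: {issue}")
```

In this sample, the camera that was plugged into the office network fails all three checks at once: it sits outside the camera segment, inherits the office computers' internet access, and still uses a shared account.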

7. What happens in the event of a data breach?

A plan must exist before something happens. Not when a journalist calls.

8. How do people find out what happens to their data?

The full lifecycle — from recording to deletion — must be described in a privacy notice. And that notice must be publicly accessible to everyone.

9. Is the monitored area minimised?

A camera does not film “just in case.” It films exactly the area that needs to be covered. Your neighbour should not fall within your camera’s field of view. The street should not appear in your shop’s indoor camera — unless you have a separate justification for that.

10. Is there a notification sign?

Before a person enters a camera zone, they must see a sign: who is filming, why, and where to go for more information. Data protection authorities in most EU countries provide templates for compliant notification signs.

Where cameras are absolutely prohibited

This list is not a recommendation — it is a prohibition.

Strictly forbidden:

Supervisory authorities are unequivocal: cameras in these locations are prohibited because people have a reasonable expectation of privacy in them. This applies in workplaces and in other buildings alike.

Also problematic:

Continuous monitoring of employees by camera is in itself a problem. Supervisory authorities have made clear that cameras may not be used to monitor employees 24/7 — this is a disproportionate interference with privacy. The purpose of a camera must be security, not control.

An important nuance here: the dependency relationship between employer and employee means that an employee cannot freely refuse to give consent to monitoring. For this reason, an employer cannot rely on employee “consent” as a legal basis — consent is not free when the other party is your manager.

Court practice speaks clearly

Courts across the EU have already dealt with surveillance camera questions. Here are two Estonian examples that illustrate principles applicable throughout the EU.

Supreme Court of Estonia, case no. 2-18-11279 — The court ordered a co-owner in an apartment building to remove a camera installed without authorisation. The court found that installing surveillance cameras so that they can film activity in common ownership areas cannot be regarded as appropriate use of co-owned property. In other words: even in your own building you cannot install cameras without the consent of other co-owners.

Supreme Court of Estonia, 2023 — A further ruling clarified the conditions for installing cameras in apartment buildings. The court found that the terms of camera use must clearly state contact details, the right to access data collected about oneself, and the purpose and legal basis for processing. A simple majority vote at a general meeting is not sufficient — substantive data protection terms are also required.

Estonian Data Protection Inspectorate enforcement against a school, 2021 — The authority ordered a school to remove cameras from classrooms.

These cases illustrate that the problem is not theoretical.

Summary

A surveillance camera is a permitted tool. But it is data processing — not a technical toy.

Before a camera goes up, answer the ten questions. Document the purpose, retention period, access rights and privacy terms. Put up a sign. Restrict the field of view. Segment the network. And do not put cameras where people do not expect to see them.

The camera is rolling. But responsibility rests with the person who put it there.

