Demonstration
To process your request, we need to process your personal data. Find out more about the processing of your personal data here.

1. Video surveillance in the workplace: intrusive data processing

Video surveillance in businesses is now widespread, whether in the service, healthcare, industrial, or commercial sectors. Securing premises, preventing theft, controlling access, protecting valuable assets, or deterring malicious behavior: video surveillance cameras in businesses have become a common risk management tool.

However, their implementation should never be considered trivial. Installing a video surveillance system in the workplace constitutes, within the meaning of the General Data Protection Regulation (GDPR), the processing of personal data. And this processing is one of the most intrusive, as it potentially captures images of identifiable individuals—employees, visitors, contractors, etc.—on a continuous basis.

Why? Because an image, when it allowsa person to be identified directly or indirectly, falls under the definition of personal data. The recording, viewing, Data retention transmission of these images are therefore subject to GDPR.

It should be added that this system is governed not only by the GDPR, but also by the CNIL (National Commission for Information Technology and Civil Liberties), the Labor Code, and the fundamental rights of employees, such as the right to privacy. Surveillance must never be permanent, unjustified, or disproportionate to the objectives pursued.

In this article, we provide step-by-step guidance to help you understand the rules governing video surveillance in the workplace, avoid common mistakes, and ensure your company's compliance. The goal is to ensure safety without compromising employee rights.

Video surveillance in the workplace: viewing CCTV cameras on computers and smartphones

1.1 A highly intrusive surveillance measure

Video surveillance in the workplace is considered one of the most intrusive forms of privacy monitoring. It can be carried out continuously, capturing behavior, movements, and interactions, sometimes without the knowledge of the individuals concerned. It therefore affects freedom of movement, the right to privacy, and the internal social climate.

This is why the CNIL (National Commission for Information Technology and Civil Liberties) that this processing can only be implemented if it is necessary, proportionate, and if no less intrusive solution can achieve the same Purpose

1.2 Video surveillance in the workplace must remain a measure of last resort.

Before installing surveillance cameras, employers must ask themselves the following question:

Can the same objective be achieved by means that are less intrusive for employees?

Examples of alternative solutions:

  • Secure access badge
  • Human presence
  • Alarm system without image capture
  • Remote monitoring triggered on an ad hoc basis

This principle of proportionality is essential. It is systematically examined by the CNIL (National Commission for Information Technology and Civil Liberties) in the event of an inspection or complaint.

2. Video surveillance in the workplace: what you can film and what is prohibited

Not all areas of a company can be monitored by cameras. Regulations governing video surveillance in the workplace impose strict limits to ensure a balance between security, protection of property, and respect for employee rights.

2.1 Areas that may be subject to video surveillance in the workplace

The installation of a video surveillance system is possible in certain specific workplaces, provided that the objective pursued is clearly justified:

  • employee safety, preventing theft, monitoring storage areas for valuable goods, etc.

The areas concerned may be:

  • Building entrances and exits (main access, service doors)
  • Emergency exits (for safety and access control purposes)
  • Internal traffic routes (corridors, halls, elevators)
  • Sensitive technical or IT rooms
  • Storage areas for valuable or high-risk items (pharmaceutical stock, sensitive equipment, etc.)

The Purpose video surveillance in the workplace must always be explicit, relevant, and proportionate. You don't film "just for the sake of filming": there must be an identified risk to prevent.

2.2 Prohibited or sensitive areas

Certain areas, considered to be part of employees' private lives or rest periods, cannot under any circumstances be subject to video surveillance in the workplace, even for security reasons:

  • Workstations under continuous surveillance: it is strictly prohibited to film an employee at their workstation without exceptional justification.
    Example: in a store where an employee handles money, a camera may monitor the cash register, but may never directly and continuously film the employee. The camera angle must be aimed solely at the valuable object (the cash register), not the person.
  • Restrooms, changing rooms, showers: these areas are completely protected. Any surveillance is illegal.
  • Cafeterias, break rooms, and rest areas: even though they are communal spaces, these areas are considered to be part of employees' rest and private life.
    The only exception is that a camera may be aimed at a vending machine that is regularly vandalized, without filming the entire room.
  • Union premises and staff representative offices: these locations enjoy enhanced protection under union freedoms.
    It is prohibited to film the entrances to these areas, even indirectly.

3. Installing video surveillance in the workplace: 5 key rules to follow

Installing a video surveillance system in a company is not just a matter of placing cameras in the right places. It involves regulated data processing, which requires employers to implement a series of legal, technical, and organizational measures to ensure compliance with the GDPR, labor law, and the recommendations of the CNIL (National Commission for Information Technology and Civil Liberties).

Here are the four essential pillars to consider when setting up a video surveillance system.

3.1 Restricting access to images: mandatory system security and traceability

Images captured by a video surveillance system in a company cannot be freely viewed by anyone.

Who can access the recordings?

Only persons expressly authorized, strictly within the scope of their professional duties, may have access to the recorded images. These are generally the following persons:

  • The safety officer,
  • Senior management (where justified),
  • The IT manager.

The number of authorized users must remain strictly limited.
Access to videos must never be generalized or granted to the entire HR department, management, or IT staff. The more people who have access, the greater the risk of misuse, leaks, or unauthorized viewing, which the CNIL (National Commission for Information Technology and Civil Liberties) systematically CNIL (National Commission for Information Technology and Civil Liberties) .

What technical safeguards must be implemented?

  • Access protected by personal ID and strong password,
  • Connection logging (complete traceability of who accessed what, and when),
  • Immediate removal of access rights in the event of a change in position or departure of an employee,
  • Access from a secure network, with geographic or time restrictions if necessary.

In the event of an inspection, the CNIL (National Commission for Information Technology and Civil Liberties) that authorized persons be identified by name, that their access rights be justified, and that the access management policy be formalized in writing.

3.2 Not recording sound: a strictly regulated practice

Audio recording is prohibited in the workplace as a matter of principle.
According to the CNIL (National Commission for Information Technology and Civil Liberties), sound is even more intrusive than images, as it captures verbal exchanges, confidential discussions, and even private conversations.

Only very rare exceptions allow audio recording, for example:

  • Manual activation during a security alert (verbal assault in a reception area);
  • Device connected to an emergency button, in a high-risk environment (jewelry store, bank counter).

In 99% of cases, particularly for workplace surveillance, the sound must be disabled on all devices.
A camera system with the microphone enabled without clear justification constitutes a clear violation of GDPR.

3.3 Comply with the Data retention period Data retention video surveillance images: 30 days maximum.

The Data retention period Data retention recorded Data retention is clearly regulated by the CNIL (National Commission for Information Technology and Civil Liberties) regularly monitored.

How long can images be stored?

  • A maximum of 30 days, except in duly justified exceptional cases (e.g., ongoing internal investigation, disciplinary or criminal proceedings).

How do you apply this rule?

  • The video surveillance system must provide for automatic deletion of recordings beyond the authorized period (deletion or overwriting).
  • The deletion date must be set in the software.
  • In the event of an extension for legitimate reasons, this must be documented in an internal memo or HR report.

Data retention or ill-defined Data retention periods constitute a serious breach. Several companies have been penalized for retaining images for several months without justification or legal basis.

3.4 Consult the BSC installing video surveillance in your company

The Social and Economic Committee (BSC) must be consulted prior to any installation of surveillance cameras, even if these cameras are not directly aimed at employees.

Why is this consultation mandatory?

Because such a device can have an impact on:

  • Working conditions (stress, pressure, feeling of being monitored);
  • The social climate and employer/employee relations;
  • Freedom of expression and union life.

What should the consultation include?

The BSC information BSC be complete and documented:

  • Specific purposes of the system, locations filmed (with map if possible), methods of accessing images, Data retention period, etc.
Business and Social Council video surveillance in the workplace.

Cameras facing public roads: please note that prefectural authorization is required.

When a company's video surveillance system films all or part of a public thoroughfare (sidewalk, street, square, entrance to a building open to the public), the regulations change.

Filming public roads is subject to specific regulations under the Internal Security Code. In this case, installing the system is no longer solely governed by GDPR, but also requires authorization from the prefecture.

This applies to you if, for example:

  • A camera filming a parking lot also captures a sidewalk;
  • The entrance to your business is on a busy street and the camera extends beyond the building's footprint;
  • Images capture people coming and going in a place open to the public.

3.5 Informing the persons being filmed: a key obligation

Anyone filmed at their workplace must be clearly informed of the presence of a surveillance system.

Signs near surveillance cameras in the workplace

A visible and legible sign must be installed at the entrance to each filmed area. It must contain:

  • The existence of the video surveillance system,
  • The Purpose of processing (e.g., safety of property and persons),
  • The identity of the data controller (usually the employer),
  • A reference to the rights of the persons concerned (access, objection, restriction, etc.),
  • The procedures for exercising these rights (email or postal address, telephone number).

It must be legible, understandable, and located at eye level at the entrance to the filmed area.

The CNIL (National Commission for Information Technology and Civil Liberties) that a simple camera pictogram without explanatory text is not sufficient.

Internal information via HR policy

In addition to the notice, employees must be informed in writing via an internal document.

This information is generally included in:

  • The HR privacy policy,
  • The employee welcome booklet,
  • Or a specific information note.

This documentation must specify in particular:

  • The detailed objectives of the scheme,
  • The legal basis (often legitimate interest),
  • Data retention period (maximum 30 days, except in exceptional circumstances),
  • The name and contact details of the DPO, if any,
  • etc.

In the event of an inspection or complaint, you must be able to prove that this information has been provided.

Information is a fundamental right of those filmed. It is also the company's first line of defense in the event of a dispute or inspection by the CNIL (National Commission for Information Technology and Civil Liberties).

4. Sanctions imposed by the CNIL (National Commission for Information Technology and Civil Liberties) the event of breaches

For several years now, the CNIL (National Commission for Information Technology and Civil Liberties) has been stepping up its monitoring of video surveillance systems in companies. And the figures speak for themselves: video surveillance is one of the most regularly sanctioned forms of data processing, particularly in the retail, healthcare, services, and hospitality sectors.

In 2025, several simplified penalty decisions were issued for surveillance camera systems that did not comply with GDPR, resulting in cumulative fines totaling more than €100,000.

4.1 Main breaches identified by the CNIL (National Commission for Information Technology and Civil Liberties)

  1. Workstations filmed without justification
  2. Data retention time Data retention (more than 30 days)
  3. Lack of information for employees (missing posters, HR memo)
  4. Unsecured access to images (no password, no traceability)

4.2 Consequences for the company

  • Formal notice
  • Financial penalty (up to tens of thousands of euros)
  • Breach of trust among employees and social partners

Any breach, even minor, may result in a full audit of all processing operations carried out within the company.

5. Risk of employee complaints: an often underestimated danger

If the sanctions imposed by the CNIL (National Commission for Information Technology and Civil Liberties) are feared, many employers underestimate the HR consequences of a poorly defined video surveillance system.

In reality, the first reports do not come from the CNIL (National Commission for Information Technology and Civil Liberties)... but from the employees themselves, via staff representatives, unions, or directly to the DPO or HR department.

5.1 Employees may file complaints in several situations:

  • He discovers that he is being filmed without having been clearly informed;
  • He feels like he's being watched at his workstation (poorly positioned camera);
  • He learns that the images can be viewed by a large number of people;
  • He notes that the cameras are continuously active, without justification;
  • He has no visibility on the duration of Data retention his access rights.

5.2 What can an employee do?

An employee who believes that their rights have been violated has the option of:

  • Submit a request for access or objection to processing;
  • Enter the BSC to ask questions or report misuse;
  • File a complaint directly with the CNIL (National Commission for Information Technology and Civil Liberties) ;
  • Challenge a disciplinary sanction based on non-compliant images;
  • Go as far as to take legal action for violation of one's rights.

5.3 What the case law says:

The courts have already overturned:

  • Dismissals based on images captured without prior notice;
  • Warnings related to incidents recorded in areas where surveillance was deemed excessive;
  • HR decisions HR on records obtained without consulting the BSC.

In such cases, the image becomes illegal, and therefore unusable, leaving the company in a vulnerable legal position.

A poorly perceived or misunderstood measure can quickly become a source of social tension, or even deadlock, even though its Purpose security, deterrence, flow management) is entirely legitimate.

By handling this issue in accordance with applicable data protection rules and labor laws, the company can avoid unnecessary complaints... and turn compliance into a lever for internal trust.

5.4 Processing to be documented in your processing register

Any remote surveillance system in a company must be included in the personal data processing register. This documentation must include:

  • The Purpose the Device
  • Categories of data collected
  • The duration of Data retention
  • The security measures put in place

This register constitutes the first proof of compliance in the event of an inspection by the CNIL (National Commission for Information Technology and Civil Liberties).

Need some help?

At Dipeeo, we support more than 450 companies, local authorities, and healthcare organizations in their GDPR compliance projects, including the implementation of video surveillance solutions.

Our outsourced DPOs help you to:

  • Framing your surveillance project
  • Assess risks
  • Prepare the required documents

Our mission: to make compliance a lever for trust and social dialogue, not a factor for obstruction or conflict.

Are you unsure whether your company's video surveillance system complies with regulations? Contact one of our GDPR HR experts.

Samia Rahammia
Samia Rahammia

IT and Data Lawyer and Marketing Project Manager