
The European General Data Protection Regulation (GDPR) does not identify specific retention times for personal data, including video recordings.
The German Bundesdatenschutzgesetz (BDSG), the German federal data protection act, does not set specific retention times for personal data, including video recordings, either.
Both the EU GDPR and BDSG say that:
- Personal data, including video recordings, must be deleted as soon as it is no longer required for its intended use or purpose.
- The retention time of personal data and video recordings may be extended due to various industry requirements (Art. 17 GDPR and § 24 para. 1 no. 2 BDSG).
This means that a company that collects personal data and makes video recordings must have a valid reason for collecting the data, and it must be able to justify the duration of retention.
The GDPR and BDSG recognize that different industries need different retention times to be effective for their stated purposes.
Saying that the retention time for CCTV video recordings is 30 days in order to meet the requirements of TAPA certification is not a valid reason.
Saying that the retention time for CCTV video recordings is 30 days based on the needs of the logistics industry is justifiable. This is because CCTV retention in the logistics industry is normally 30 days or longer in order to investigate potential incidents such as theft, damages, claims, losses, disputes, and other types of events.
Whereas in-processing data or initial application data may be retained for a few minutes or hours, personal employment history data will be retained for the duration of employment. In addition, some personal data, such as data retained for tax purposes, will be retained for years.
It is important that companies can justify the retention periods of recorded data in their GDPR program.
So long as the company can justify the retention times for its various personal data and video recordings, those retention times have a greater chance of being regarded as legal.
Disclaimer:
This article is for informational purposes. Companies should address GDPR questions and concerns to a competent professional, such as a lawyer.