Individuals are increasingly asking businesses to provide access to CCTV footage containing their image. This is often triggered by workplace incidents, disputes, and increased awareness of GDPR access rights -prompting businesses to consider if, and when, they can and should disclose CCTV footage to individuals. Privacy teams need to consider crucially: 

  • Is the requested CCTV footage legally accessible under a data subject access request (DSAR)? 

  • What steps are legally necessary before hitting “send”? 

In this blog, we break down why CCTV counts as personal data, when footage can and should be disclosed, and how businesses can prepare for these increasingly common requests.  

When is CCTV personal data, and when can you discloseit? 

Under UK and EU GDPR, CCTV footage qualifies as personal data whenever it captures identifiable individuals - whether directly (e.g., faces or clothing) or indirectly (e.g., through timestamps or contexts), or when there are audio recordings available. The key threshold is “identifiability” - which is fulfilled whenever a person can be singled out. 

The most frequent basis for disclosing CCTV footage is a DSAR under Article 15 of the EU GDPR. However, any personal data of third parties in the footage should be blurred or redacted, and the data subject’s identity should be properly verified.  

There are cases where CCTV footages may not be shared, such as if the personal data of third parties in the footage cannot be blurred or redacted without disproportionate effort, if the footage relates to ongoing legal investigations, or if the disclosure would infringe on another person’s rights. Businesses may also legally reject DSARs that are manifestly unfounded or excessive. This must, however, be justified and documented carefully to demonstrate compliance. 

Key steps for handling CCTV DSARs 

These are the steps privacy teamsshould follow when responding to access requests involving CCTV footage: 

  • Verify identity to ensure the right data subject is making the request 

  • Narrow the scope by asking for details, such as time, location and dates 

  • Locate and review the footage   

  • Redact or blur third parties where possible using reliable methods 

  • Respond to the DSAR within the applicable timeline and document all steps taken 

Even if the disclosure is not possible, entities should maintain clear records of their reasoning and decision-making process to demonstrate compliance. 

Privacy teams often manage DSARs on a day-to-day basis, but the guidance of a Data Protection Officer (DPO) is crucial for navigating the most complex CCTV DSAR scenarios. A DPO can provide authoritative oversight on interpreting nuanced legal thresholds, such as determining ‘disproportionate effort’ for redaction or assessing whether a request is 'manifestly unfounded' or 'excessive.' They offer objective advice for tricky cases involving third-party rights, concurrent legal holds, or potential regulator liaison, ensuring consistency and defensibility in the organisation’s disclosure policies and practices. Leveraging a DPO’s expertise also helps confirm that all procedural steps are legally sound and that compliance obligations are met consistently. 

Practical steps to stay prepared 

As CCTV requests increase, the following proactive steps can help organisations to be prepared: 

  • Define and enforce clear CCTV retention policies  

  • Deploy redaction or blurring tools/services to streamline footage processing 

  • Train staff and raise internal awareness about what qualifies as personal data and how to respond in a compliant manner 

  • Maintain a clear audit trail for all CCTV-related requests and decisions 

Planning and acting proactively reduces compliance risks, improves response times, and ensures outcomes that are more likely to survive regulatory scrutiny. 

More than a legal obligation 

Responding appropriately to a CCTV DSAR isnot just a box-ticking exercise; it reflects whether an entity is transparent and values individual rights. Mishandling footage or a request case may damage reputationsand lead to legal consequences. Responding robustly helps build trust, demonstratea ccountabilityand maintain confidence. 

How HewardMills can help 

As a DPO, we support organisations in building scalable DSAR workflowsincluding those involving CCTV and visual data. In doing so, we provide expert support on developing disclosure policies, training staff to respond effectively to visual data access requests, redacting footage,and balancing access rights with third-party privacyultimately enabling businesses to confidently respond to requests and ensure compliance.  If you need DSAR support, contact us today.