Legal Framework
Workplace video surveillance in Bulgaria is governed by several overlapping statutes that the employer must comply with simultaneously:
- Regulation (EU) 2016/679 (GDPR) — video recordings of identifiable individuals constitute personal data processing under Art. 4(1) and (2) and fall squarely within the regulation’s scope. The employer is the controller.
- Personal Data Protection Act (PDPA) — the national statute supplementing the GDPR with specific requirements and powers of the CPDP.
- Labour Code — Article 126 obliges employees to perform duties in good faith, but also imposes on the employer a duty to respect dignity and protect the personal data of the employee.
- Private Security Activity Act — applicable to security firms managing CCTV on client premises.
The supervisory authority for all these rules is the Commission for Personal Data Protection (CPDP / KZLD), which handles complaints, conducts inspections, and imposes sanctions.
For a detailed practical analysis see our article on gdprbg.com on CCTV and GDPR — our dedicated data protection team maintains in-depth resources on this topic.
Lawful Bases for CCTV (Art. 6 GDPR)
Before installing cameras, the employer must identify a specific lawful basis under Art. 6(1) GDPR. Choosing the wrong basis is one of the most frequent causes of fines during CPDP inspections.
| Basis | Applicability in the employment context |
|---|---|
| Legitimate interest (Art. 6(1)(f)) | Most common basis — protection of property, security of employees and visitors, theft prevention. Requires a balancing test. |
| Compliance with legal obligation (Art. 6(1)(c)) | Banks, casinos, security firms, airports — where statute mandates CCTV. |
| Vital interests (Art. 6(1)(d)) | Exceptional cases — hazardous production, laboratories handling high-risk materials. |
| Consent (Art. 6(1)(a)) | NOT appropriate in the workplace — due to the power imbalance between employer and employee, consent is deemed not freely given. |
Legitimate interest requires a documented Legitimate Interest Assessment (LIA), in which the employer assesses whether the purpose can be achieved by less intrusive means and whether the employees’ reasonable expectations are respected. When choosing a basis, we recommend consulting our GDPR team at gdprbg.com.
CPDP Case-Law — Key Decisions
The Commission’s practice over recent years has defined clear boundaries of acceptable workplace CCTV:
- Ban on facial recognition in retail outlets (2025) — the CPDP held that biometric identification of customers or employees without a firm legal basis is inadmissible and constitutes processing of special categories of data under Art. 9 GDPR.
- Football clubs — mandatory DPO — because of large-scale CCTV of stadiums and facilities, the CPDP requires these entities to appoint a Data Protection Officer.
- Employee CCTV — NOT for performance evaluation — the Commission has consistently held that cameras cannot be used to measure productivity, break frequency or task execution speed.
- Drivers with dash-cams — where an individual uses a dash-cam in a commercial vehicle and records third parties, they become a controller and assume the full GDPR obligations.
- Public places and schools — the CPDP is critical of expanding CCTV into sensitive areas and requires rigorous proportionality justification.
We monitor CPDP practice closely — current decisions and commentary are available on gdprbg.com.
Prohibited Practices
Regardless of the chosen basis, the following practices are expressly prohibited or carry serious sanction risk:
- CCTV in toilets, changing rooms, break rooms and dining areas — an absolute prohibition, as it violates the right to privacy which the employee retains even in the workplace.
- Surveillance solely for employee control — if the sole purpose is work control, the purpose is not legitimate; the CPDP requires another substantial purpose (security, property protection).
- Facial recognition without strong grounds — processing of biometric data requires an explicit exception under Art. 9(2) GDPR, which an employer can rarely justify.
- Continuous targeted surveillance of specific individuals — targeted surveillance of a particular employee is disproportionate and grounds for complaint.
- Audio recording — combining video and audio dramatically increases the risk to data subjects’ rights and requires significantly stronger grounds; CPDP practice generally does not permit it.
- Using recordings for performance evaluation — even where cameras are lawfully installed for security, using recordings in disciplinary proceedings, evaluations and promotions outside of a specific incident is incompatible with the original processing purpose.
DPIA — Is It Mandatory?
A Data Protection Impact Assessment under Art. 35 GDPR is mandatory where processing “is likely to result in a high risk to the rights and freedoms” of natural persons. The CPDP has published a list of operations for which a DPIA is mandatory, and systematic workplace video surveillance falls within the scope of that list.
In practice, this means you must perform and document a DPIA with the following elements before installing CCTV:
- Description of the processing — number and location of cameras, coverage zones, technical characteristics, number of potentially affected individuals, retention period.
- Necessity and proportionality assessment — why the purpose cannot be achieved with less intrusive measures (guards, access cards, alarms).
- Risk assessment — identification of potential harms to employees and visitors, likelihood and severity.
- Mitigation measures — technical and organisational measures to reduce risk (restricted access, encryption, retention limits).
Where residual risk is high, the employer must consult the CPDP in advance under Art. 36 GDPR before processing begins. Our team at gdprbg.com performs DPIAs for CCTV using ready-made templates adapted to the Bulgarian context.
Transparency Obligations
Article 13 GDPR requires the controller to provide data subjects with comprehensive information before processing begins. In the context of workplace CCTV this means:
- Notify employees BEFORE activation — written notice (by email, signed acknowledgment, or embedded in internal rules).
- Information signs in visible locations — at every entrance and before entering any CCTV zone; signs form the “first layer” of information.
- Zones covered by the cameras — a diagram or map of coverage, accessible to employees.
- Purpose of processing — clearly articulated (property protection, security), without generic phrasing.
- Lawful basis — legitimate interest, legal obligation, etc.
- Retention period — a specific duration, not “as necessary”.
- Data subject rights — access, objection, complaint to the CPDP.
- Controller and DPO contacts — where a DPO has been appointed.
We recommend structuring this information in two layers — short pictogram sign + QR code to the full privacy notice — in line with EDPB guidelines.
Retention Period
GDPR sets no fixed minimum or maximum, but the storage limitation principle (Art. 5(1)(e)) requires the period to be the minimum necessary to achieve the purpose. CPDP practice and recommendations are as follows:
- 14–30 days — the standard recommendation for routine CCTV in offices and retail; sufficient to detect an incident and trigger an investigation.
- Until conclusion of investigation — in case of a specific incident, recordings may be kept longer, but only the relevant fragments, not the entire archive.
- Archiving = new processing — transferring recordings into long-term archive is processing for a new purpose and requires its own Art. 6 GDPR basis.
The employer must document a retention and automatic deletion policy — technical measures guaranteeing that recordings are not retained “by inertia” past the end of the period.
Technical Measures
Art. 32 GDPR requires “appropriate technical and organisational measures” for the security of processing. For CCTV this includes:
- Restricted access to recordings — only a defined group of personnel (security, facility manager, DPO) with documented roles and responsibilities.
- Encryption of storage — at-rest encryption of drives and servers storing recordings.
- Access logging — every viewing, copy or export of a recording is logged, and the log itself is a record for audit purposes.
- Protection against unauthorised access — strong passwords, multi-factor authentication, and protected networks segregated from the public internet.
- Backup and deletion plan — automatic overwrite after the retention period; verification that backups are also deleted.
- Cloud provider security — where cloud CCTV is used, an Art. 28 GDPR processing agreement and verification of the storage jurisdiction.
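As an added illustration of the retention and access-logging controls described in the Retention Period and Technical Measures sections (example code written for this page, not code from the original page or from gdprbg.com), the following Python model of a recording store purges clips once the configured retention period has passed, places an incident hold on only the fragment that overlaps the incident window so the rest of the footage is still deleted on schedule, and writes an audit entry for every hold, export and deletion. The class and method names, and the sample time windows, are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Clip:
    camera: str
    start: datetime
    end: datetime
    hold: Optional[str] = None  # incident reference if this fragment is on hold

@dataclass
class CctvRetention:
    retention_days: int  # routine retention, e.g. 30 (within the 14-30 day band above)
    clips: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # append-only log of holds, exports, deletions

    def _log(self, actor, action, clip, **extra):
        self.audit.append({"at": datetime.now(timezone.utc), "actor": actor, "action": action,
                           "camera": clip.camera, "start": clip.start, "end": clip.end, **extra})

    def place_hold(self, actor, incident_id, camera, frm, to):
        """Keep only the fragment overlapping [frm, to); the rest stays subject to deletion."""
        kept = []
        for c in self.clips:
            if c.camera != camera or c.hold or c.end <= frm or c.start >= to:
                kept.append(c)
                continue
            if c.start < frm:  # footage before the incident is not held
                kept.append(Clip(c.camera, c.start, frm))
            held = Clip(c.camera, max(c.start, frm), min(c.end, to), hold=incident_id)
            kept.append(held)
            self._log(actor, "hold", held, incident=incident_id)
            if c.end > to:  # footage after the incident is not held
                kept.append(Clip(c.camera, to, c.end))
        self.clips = kept

    def export(self, actor, clip, reason):
        """Every copy or export is logged with who, what and why (access logging)."""
        self._log(actor, "export", clip, reason=reason)
        return clip

    def purge(self, actor, now):
        """Delete clips past the retention period unless on hold; returns the count deleted."""
        cutoff = now - timedelta(days=self.retention_days)
        expired = [c for c in self.clips if c.hold is None and c.end < cutoff]
        for c in expired:
            self._log(actor, "delete", c)  # deletion itself is an auditable event
        self.clips = [c for c in self.clips if c not in expired]
        return len(expired)
```

Run `purge` from a scheduled job so that deletion does not depend on anyone remembering to do it, and feed the `audit` list into whatever append-only log store the organisation already uses.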
We cover the technical aspects in our GDPR audits on gdprbg.com — including assessment of existing systems and improvement recommendations.
Employee Rights (Data Subjects)
Employees whose images are processed through CCTV hold the full catalogue of rights under GDPR Chapter III:
- Right of access (Art. 15) — the employee may request access to recordings in which they appear. The employer must provide a copy, blurring images of third parties.
- Right to object (Art. 21) — where processing is based on legitimate interest, the employee may object on grounds relating to their particular situation.
- Right to erasure (Art. 17) — where recordings are processed without a basis or are no longer necessary.
- Complaint to CPDP — independent of the employment relationship, without risk of retaliation.
- Compensation (Art. 82) — right to material and non-material compensation for established breaches.
Sanctions for Breaches
Art. 83 GDPR provides for maximum fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. This is the theoretical maximum and is rarely applied in Bulgaria.
In practice, the CPDP imposes significantly smaller fines for CCTV-related violations — typically between EUR 510 and EUR 2,556 — for improper notification, missing signage or incorrect legal basis. However, the trend is towards stricter penalties for repeat offences and for processing without a DPIA where one is mandatory.
In addition to fines, the CPDP may order processing to stop — i.e. removal or deactivation of cameras — which is usually the more significant operational consequence for the business.
Employer Checklist
The following sequence ensures compliance when implementing workplace CCTV:
- Identify the legitimate purpose — documented property protection, safety, etc.; never solely “control”.
- DPIA — recommended (and mandatory for systematic monitoring per the CPDP list).
- Select the technical system — camera orientation, avoidance of sensitive areas, access, encryption.
- Draft a policy — internal CCTV rules, retention period, access.
- Notify employees BEFORE deployment — in writing, with opportunity for questions and objections.
- Install signage — at every entrance and within the covered zone.
- Train the restricted access group — instructions for handling recordings and access documentation.
- Processing agreement with external providers — Art. 28 GDPR for cloud CCTV or external security.
- Register in the record of processing activities — Art. 30 GDPR, as a separate processing activity.
- Annual review — reassess necessity, retention, access and effectiveness of measures.
The complete document package and turnkey implementation are available through gdprbg.com — our specialised GDPR team.