Information from the office of the Data Protection Commission
More and more of us are installing cameras in our homes – whether it’s a camera to keep an eye on your pet when you’re not there, or a camera on your doorbell so you can use your phone to check who is at the door.
A large volume of the queries we get in to the Data Protection Commission relate to CCTV and data protection, so here we answer some of the most common questions we get about CCTV in the home.
I have cameras inside my house that I can check in on using my smartphone – do I need signs to let visitors to my home know that I have cameras?
The scope of data protection legislation is set out in Article 2 of the GDPR, which states that the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.
This provision is commonly referred to as the household, or domestic, exemption.
What this means is if an internal security camera system is used solely in the course of the homeowner’s personal or household activity, then they will not be subject to the same obligations as a data controller would be under data protection law – so you don’t need to put up signs to make visitors aware, or provide access to the footage from the cameras.
However an important thing to note is that you may become a data controller for the purposes of data protection law depending on what you do with the recorded footage. What this means is if you, for example, publish the footage online or share it on social media then you may become subject to the obligations of a data controller. Read the DPC’s Guidance on the use of CCTV for data controllers.
But in general, the use of such systems does not fall within the scope of data protection.
I have a video doorbell that I can monitor on my smartphone – does that make me a data controller?
Similar to the cameras inside the home, a smart doorbell is likely to fall within the domestic exemption as its use will be connected purely with the homeowner’s personal or household activity.
Where this may differ from the previous scenario is if the camera on the doorbell is pointed towards a publicly accessible area and is capable of recording individuals in that area.
The Court of Justice of the European Union has established in the case of ‘Ryneš’ that the use of a domestic CCTV system that covers a public space falls within the scope of data protection law.
To avoid this, when installing a smart doorbell care should be taken to avoid taking in a publicly accessible area. If this can’t be avoided, a user should consult our guidance on CCTV systems to understand their transparency obligations.
Similarly, the definition of ‘personal data’ only covers information (in this case a video recording) where people are identified or identifiable.
What this means is any video footage which captures images of people where they can’t actually be identified wouldn’t be personal data at all. For example, the doorbell would probably capture a pretty clear picture of the person at the door, but might be designed or positioned so that any images of people on a public street are too obscured or low-quality to actually identify them.
I have CCTV cameras outside my house pointing to my driveway and garden – am I still exempt from data protection law?
This is similar to the situation for the smart doorbell. As long as your cameras are only capturing your garden or driveway and do not capture a public space, then the household exemption applies. However if the direction or angle the cameras are pointing in captures a public space – for example the footpath, a roadway or back alley – then it will likely fall within the scope of data protection law and you will be a data controller if it captures identifiable images of people on the public space. Care should also be taken to avoid capturing your neighbours’ properties (their house, garden etc…) as this would intrude upon their privacy.
Again, if this can’t be avoided, you should consult our CCTV systems guidance.