[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7QwRLc3P6iYI-e9LNYv44xXyM82KpWF_MsmCebucByE":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":22,"created_at":23,"published_at":24,"article":25,"tags":29,"podcasts":48},"4d4ee237-4fb5-4048-880a-877becc56425","home-cctv-monitoring-public-spaces-triggers-data-protection-law","98f350fe-da30-467e-b5af-4e0426f83971","Home CCTV Monitoring Public Spaces Triggers Data Protection Law","The CJEU ruling in Ryneš established that home camera systems capturing individuals in public spaces constitute personal data processing under EU data protection law, not merely a private household activity. The 'household exception' is narrowly interpreted — once surveillance extends beyond purely domestic boundaries (e.g., onto a street or neighbour's property), full data protection obligations apply. This matters because many individuals and small businesses unknowingly violate privacy law by assuming personal or security-motivated surveillance is exempt from regulation. Failing to comply can result in enforcement action, fines, and reputational harm even for well-intentioned deployments.","**Immediate actions:**\n- Audit all existing camera systems to determine whether their field of view captures public spaces or areas beyond private property boundaries.\n- Document a lawful basis for any surveillance that extends beyond purely domestic use, such as legitimate interest or legal obligation.\n\n**Compliance measures:**\n- Display clear signage notifying individuals that CCTV recording is in operation and identify the data controller responsible.\n- Establish a data retention policy limiting how long footage is stored and ensure access is restricted to authorised personnel only.\n- Register or notify the relevant data protection authority if required under applicable national law.\n\n**Long-term improvements:**\n- Train staff and household operators on the legal boundaries of surveillance and the narrow scope of the household activities exemption.\n- Conduct periodic privacy impact assessments (PIAs) whenever surveillance infrastructure is expanded or repositioned.\n- Review camera placement annually to ensure fields of view remain compliant with evolving regulatory guidance.",[12,13,14,15,16,17,18,19,20,21],"EU Directive 95\u002F46\u002FEC Article 3(2) — household activities exception","GDPR Article 2(2)(c) — personal or household activity exemption","GDPR Article 5 — principles relating to processing of personal data","GDPR Article 6 — lawfulness of processing","GDPR Article 13\u002F14 — transparency and information obligations","GDPR Article 35 — Data Protection Impact Assessment (DPIA)","NIST Privacy Framework PR.DS-P1 — data management policies","CIS Control 3 — Data Protection","ISO\u002FIEC 27001:2022 Annex A 5.34 — Privacy and protection of personally identifiable information","EDPB Guidelines 3\u002F2019 on processing of personal data through video devices","published","2026-07-09T14:21:07.781399+00:00","2026-07-09T14:21:07.648+00:00",{"id":7,"url":26,"slug":27,"title":28},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CJEU_-_C-212\u002F13_-_Ryne%C5%A1&diff=52154&oldid=43615","cjeu-c-212-13-rynes-9410c4","CJEU - C-212\u002F13 - Ryneš",[30,36,42],{"id":31,"name":32,"slug":33,"description":34,"color":35},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":37,"name":38,"slug":39,"description":40,"color":41},"c0dcc566-3654-4d70-8ede-262a198e732f","Regulatory Compliance","regulatory-compliance","GDPR, NIS2, DORA, sector-specific violations","#ec4899",{"id":43,"name":44,"slug":45,"description":46,"color":47},"c8b843a5-d5a7-41d1-8d3b-cabded09d2ef","Data Protection","data-protection","Unencrypted data, missing DLP, poor classification","#3b82f6",[]]