BOSWAU + KNAUER

AI Video Analytics Under GDPR: What Operators Actually Need to Document

Article 6(1)(f), legitimate interest, balancing test. The GDPR does not ban AI video. Bad consultants do. A short guide to documentation that holds up under audit.

Dr. Raphael Nagel

March 16, 2026

The GDPR does not prohibit AI video analytics on commercial sites. It requires that the operator can explain, in writing, why the system exists, what it does, and what it does not do.

That sentence offends two camps at once. It offends the camp that treats every camera as a privacy violation, and it offends the camp that treats data protection as paperwork to be outsourced to a junior consultant. Both camps share the same defect. They have not read Article 6 of Regulation (EU) 2016/679 with the patience the text deserves. The result is a market in which a German Bauleiter is told by one advisor that AI cameras are illegal, by another that a sticker on the fence is sufficient, and by a third that consent forms must be signed by every delivery driver. None of these positions survives a serious examination.

The operator's task is narrower than the discourse suggests, and the documentation that actually holds up under a supervisory authority's inquiry is shorter than most templates claim. What follows describes that documentation, the reasoning behind it, and the operational steps that connect the legal text to a working system. The reference point is the manufacturer's perspective, derived from the manuscript "BOSWAU + KNAUER. From Building to Security Technology", and from the practice of building, deploying and defending video systems on construction sites, industrial estates and logistics yards across the European Union.

The legal frame that operators keep getting wrong

Most disputes over AI video analytics on commercial property collapse to a single question. Under which legal basis does the controller process personal data captured in the video stream? The candidates from Article 6 paragraph 1 are consent, contract, legal obligation, vital interest, public task and legitimate interest. For a private operator securing a site against theft, vandalism and unauthorised access, only one of these is realistic in practice, and that is Article 6 paragraph 1 letter f. Legitimate interest.

This is not an exotic reading. It is the standard position of the European Data Protection Board in its Guidelines 3/2019 on processing of personal data through video devices, and it is the position consistently applied by German supervisory authorities in the DSK orientation paper on video surveillance of non-public spaces. The reason consent fails is structural. A delivery driver entering a yard cannot meaningfully refuse, and a refusal at the gate would defeat the purpose of the surveillance. The reason contract fails is that the data subject is rarely the contracting party. The reason legal obligation fails is that no statute commands the operator to install AI analytics. Legitimate interest is the only basis that fits the operational reality, and it is the basis the regulator expects.

What legitimate interest demands in return is not a sticker. It is a documented three-step assessment. First, the controller identifies the specific interest pursued, in concrete terms, not as a generic appeal to security. Second, the controller demonstrates that the processing is necessary, meaning that less intrusive means have been considered and found insufficient. Third, the controller balances the interest against the rights and reasonable expectations of the data subjects affected. This is the balancing test. It is the document that decides whether the system holds under audit. Operators who have only the first step on paper, or who have all three steps but written by someone who has never seen the site, lose this argument the moment a complainant arrives.

The misconception that AI analytics requires a separate, stricter basis than ordinary CCTV does not follow from the GDPR. Recital 47 explicitly contemplates legitimate interest for the prevention of fraud and the protection of property. What changes with AI analytics is the granularity of the necessity test, because automated decision-making and profiling under Article 22 may be implicated, and because Article 35 may require a data protection impact assessment. Both are manageable. Neither is a prohibition.

What the balancing test actually contains

A balancing test that survives scrutiny has a structure. It is not an essay. It is a record of reasoning, organised so that any successor controller, supervisory authority or court can follow the logic without consulting the author. The structure has six sections, each of which corresponds to a real operational fact rather than a rhetorical flourish.

The first section names the controller and the specific site. Not the company in the abstract. The fenced yard at the addressed location, with the dimensions, the access points and the operating hours stated. Generality is the enemy of the legitimate interest test, because rights and reasonable expectations differ between a construction site at night, an industrial yard during shift change, and a logistics gate during continuous operation.

The second section states the interest. The acceptable formulations are concrete. Protection of materials and machinery against theft, prevention of unauthorised access during non-working hours, deterrence of vandalism on perimeter installations, documentation of incidents for insurance and law enforcement purposes. Each interest is tied to evidence. Loss history over the previous twenty-four months, insurance correspondence, police reports, claims data from the GDV, regional crime statistics. An interest asserted without evidence is an interest the regulator will discount.

The third section establishes necessity. Here the operator demonstrates that the chosen system is the least intrusive effective measure. Fencing has been considered and is insufficient because the perimeter is too long. Static guards have been considered and are insufficient because cost per incident prevented exceeds the value at risk by a factor that is named, not waved at. Conventional CCTV without analytics has been considered and is insufficient because review of stored footage after an incident does not prevent the incident, whereas real-time analytics permits response within the window in which the loss is recoverable. The necessity step is where most balancing tests collapse, because operators write what they want rather than what they have tested.

The fourth section addresses the data subjects. Who is captured, in what numbers, at what times, with what reasonable expectation of privacy. A perimeter camera covering a fenced industrial yard captures employees, contractors, visitors, delivery personnel and occasional trespassers. Each category has different rights and different reasonable expectations. A camera that incidentally captures a public footpath captures pedestrians who never accepted the operator's terms. The DPIA must address each category separately.

The fifth section describes the safeguards. Field of view limited to the protected area, with public space masked. Retention period set to the shortest interval consistent with the purpose, in most cases between seventy-two hours and fourteen days. Access restricted to a named group of operators, logged and auditable. Analytics configured to detect events rather than identities, with face recognition disabled unless a separate basis exists. Encryption at rest and in transit. Deletion routines automated and verifiable. The technical and organisational measures from Article 32 are documented here, with reference where appropriate to ISO 27001 controls and to IEC 62443 for the OT components.

The sixth section is the conclusion. The controller, having weighed the interests against the rights, finds the processing lawful under Article 6 paragraph 1 letter f. The conclusion is dated, signed by a named individual within the controller's organisation, and reviewed annually. A balancing test without a review cycle ages out of validity within twelve to eighteen months, because either the threat picture or the technology changes.

Retention periods and the question of what is short enough

Retention is the single most litigated question in commercial video systems. The GDPR does not name a number. Article 5 paragraph 1 letter e requires that personal data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes. This is a principle, not a clock. The clock comes from the purpose, from the supervisory practice in the relevant jurisdiction, and from the documented experience of the operator.

For ordinary perimeter surveillance with no specific incident pending, German and Austrian supervisory authorities have consistently treated forty-eight to seventy-two hours as the default, with anything beyond that requiring justification. The justification is straightforward when it exists. Construction sites typically discover losses on the Monday following a weekend, which sets a minimum retention floor of seventy-two hours simply to permit detection. Logistics operators with weekly cycle counts may justify seven days. Industrial operators with quarterly inventories cannot justify ninety days on inventory grounds alone, because the disproportion between retention and detection cycle is too great.

When an incident occurs, the retention rules change. Footage relevant to a specific incident may be preserved beyond the routine retention period under Article 17 paragraph 3 letter e, for the establishment, exercise or defence of legal claims. This preservation is not automatic. It requires a documented decision, taken by a named individual, with the segment identified by camera, date and time, and with the rest of the footage from the same period deleted on schedule. Operators who preserve everything because an incident occurred somewhere on the site convert a lawful surveillance system into an unlawful archive within days.
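The preservation rule above, as an added example that is not part of the original article: a Python purge planner that keeps expired footage only where a documented hold names the camera, the time window and the deciding individual, and records the basis for every decision. The 72-hour period, the camera names, the hold fields and all sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(hours=72)  # assumed routine period; take it from the balancing test

@dataclass(frozen=True)
class Segment:
    camera: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Hold:
    """A documented preservation decision for one identified segment."""
    camera: str
    start: datetime
    end: datetime
    decided_by: str  # named individual who took the decision
    reason: str      # the legal claim the footage is needed for

def hold_defects(h: Hold) -> list[str]:
    """Return why a hold cannot be honoured; an empty list means it is valid."""
    defects = []
    if not h.camera.strip() or h.camera.strip() in ("*", "all"):
        defects.append("no specific camera")
    if h.start >= h.end:
        defects.append("no time window")
    if not h.decided_by.strip():
        defects.append("no named decision-maker")
    if not h.reason.strip():
        defects.append("no documented reason")
    return defects

def plan_purge(segments, holds, now, retention=RETENTION):
    """Decide per segment: retain (in period), preserve (valid hold) or delete."""
    valid = [h for h in holds if not hold_defects(h)]
    plan = []
    for s in segments:
        if s.end + retention > now:
            plan.append((s, "retain", "within routine retention"))
            continue
        # A hold applies only to the same camera and an overlapping time window.
        hit = next((h for h in valid if h.camera == s.camera
                    and s.start < h.end and h.start < s.end), None)
        if hit:
            plan.append((s, "preserve", f"hold by {hit.decided_by}: {hit.reason}"))
        else:
            plan.append((s, "delete", "retention expired, no valid hold"))
    return plan

def ts(day, hour, minute=0):
    return datetime(2026, 3, day, hour, minute, tzinfo=timezone.utc)

# Constructed sample data: one valid hold and one blanket hold that must be refused.
NOW = ts(16, 8)
SEGMENTS = [
    Segment("gate-1", ts(12, 22), ts(12, 23)),  # expired, covered by the valid hold
    Segment("gate-1", ts(12, 23), ts(13, 0)),   # expired, same camera, outside the hold
    Segment("yard-2", ts(12, 22), ts(12, 23)),  # expired, same hour, different camera
    Segment("gate-1", ts(15, 10), ts(15, 11)),  # still inside the routine period
]
HOLDS = [
    Hold("gate-1", ts(12, 22, 30), ts(12, 22, 45), "J. Example", "theft claim (constructed)"),
    Hold("*", ts(12, 0), ts(13, 0), "", "incident somewhere on site"),
]

if __name__ == "__main__":
    for seg, action, basis in plan_purge(SEGMENTS, HOLDS, NOW):
        print(f"{seg.camera} {seg.start:%Y-%m-%d %H:%M} {action:8} {basis}")
```

The blanket hold is rejected rather than honoured, so footage from the other camera and from the following hour is still deleted on schedule.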

The retention question also intersects with the rights of data subjects under Articles 15 to 22. A request for access requires the controller to provide the data subject with a copy of the personal data processed. For video this is operationally difficult, because a single camera frame typically contains multiple individuals, and the controller cannot deliver footage of one data subject without redacting the others. The retention period interacts directly with this obligation. Shorter retention reduces the volume of access requests that can succeed, which is one of the reasons supervisory authorities prefer short retention. It is not the only reason, but it is a real one.

Information obligations toward employees, visitors and third parties

Articles 13 and 14 of the GDPR require that data subjects receive specific information at the moment their data is collected. For video surveillance, this is operationalised through a two-layer model that the EDPB endorses and that most national authorities have adopted. The first layer is the sign at the perimeter, visible before entry, with the essential information in compressed form. The second layer is the full notice, available on request and published on the operator's website or in a written notice accessible at the gate.

The first-layer sign contains, at minimum, the icon indicating video surveillance, the identity of the controller with contact details, the purposes of the processing, the legal basis, the data protection officer's contact where one is appointed, the data subject's rights with a reference to where the full notice can be obtained, and a notice that AI-based analytics is used where this is the case. The sign must be readable from outside the area before the data subject enters. A sign inside the gate is not a sign for purposes of Article 13.

The full notice contains the full Article 13 information. The purposes detailed, the legitimate interests asserted, the categories of recipients including any processors and service providers, the retention periods, the rights of access, rectification, erasure, restriction, objection and complaint to the supervisory authority, the source of the data, the existence of automated decision-making with meaningful information about the logic involved where Article 22 applies. The last point matters for AI analytics. If the system makes decisions with legal or similarly significant effects on the data subject, Article 22 engages and the information obligation expands.

Employees deserve a separate channel. The general signage at the gate satisfies Article 13 for visitors and third parties, but employees are subject to the works council co-determination regime under section 87 paragraph 1 number 6 of the German Works Constitution Act, and equivalent provisions in other Member States. Video surveillance of employees, including the analytics applied to footage in which they appear, requires a works agreement or its functional equivalent. Operators who install analytics first and negotiate later create labour law exposure that no GDPR document can cure. The two regimes operate in parallel, and both must be satisfied.

The DPIA and when it is actually required

Article 35 requires a data protection impact assessment when a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. Systematic monitoring of a publicly accessible area on a large scale triggers the obligation directly. So does the use of new technologies, which in the practice of European supervisory authorities includes AI-based video analytics as a default. The CNIL, the BfDI and the Garante have all published lists identifying video analytics on commercial premises as a category for which a DPIA is required.

The DPIA is not a formality. It is the document that operationalises the balancing test, adds the technical risk assessment, and produces concrete mitigation measures with named owners. A DPIA without owners is a wishlist. A DPIA without a review cycle is a snapshot. The supervisory authority that requests a DPIA expects to see the assessment, the consultation with the data protection officer, the consideration of data subjects' views where appropriate, and the residual risk that the controller has accepted with reasons.

The structure that holds in practice tracks the NIST AI Risk Management Framework alongside the GDPR requirements. Govern, map, measure, manage. Each AI component is mapped to a use case, the use case to a data subject category, the category to a risk profile, the risk profile to a control set. The control set is then tested before deployment, with the test results filed in the DPIA. This is what an audit looks for. Not the existence of a DPIA, but its operational connection to the system that is actually running.

What manufacturers and integrators owe the operator

The compliance burden falls on the controller, but the controller's ability to satisfy it depends on what the manufacturer and integrator deliver. A camera system documented only in marketing language cannot be defended. A manufacturer who refuses to disclose the analytics models, their training data provenance, their error rates and their update cadence forces the controller to accept residual risk that the controller cannot quantify. This is increasingly indefensible.

The serious manufacturer publishes, at minimum, a technical specification covering the data flow architecture, the categories of data processed locally versus in the cloud, the cryptographic standards applied, the access control model, the logging and audit capabilities, and the procedure for security updates. The serious manufacturer accepts contractual data processing terms under Article 28 where the manufacturer acts as processor, and acknowledges joint controllership under Article 26 where the configuration warrants it. The serious manufacturer cooperates with the controller's DPIA rather than treating it as the controller's problem.

This is the standard described in the manuscript "BOSWAU + KNAUER. From Building to Security Technology", and it is the standard against which manufacturers are increasingly being measured by professional operators. CISA's secure-by-design principles, NIST 800-53 control families, IEC 62443 for industrial automation security, ISO 27001 for the broader information security management system. These frameworks do not replace the GDPR. They populate the technical and organisational measures the GDPR requires, and they make the operator's documentation defensible rather than aspirational.

What holds

The GDPR is not the obstacle to AI video analytics on commercial property. The obstacle is the gap between what operators have installed and what they can prove they have installed. The legal basis is available, the balancing test is doable, the information obligations are manageable, the retention periods are negotiable within reason, and the DPIA is a document that any competent integrator should be able to prepare with the operator's input. What does not survive is the practice of treating compliance as a binder that lives in a filing cabinet and the system as a separate question that lives in the operations centre.

The operator who can produce, on twenty minutes' notice, the current balancing test, the current DPIA, the current signage photograph, the current retention configuration screenshot, the current works agreement and the current access log, has done the work. The operator who has to call three different consultants to assemble these documents has not. The supervisory authority does not distinguish between these two operators by intent. It distinguishes by what they can show.

For operators who recognise that their current documentation would not survive a serious inquiry, the path forward is short. A Path II audit, three to five days on site, produces the six deliverables that close the gap. A specific site description with vulnerability catalogue, a documented vulnerability history, an economic assessment, a prioritisation matrix, an implementation plan, and an assumptions appendix. The report is the operator's property. It is usable with or without the manufacturer. That is the point.

Frequently asked questions

Is AI video analytics legal under GDPR?

Yes, when the processing rests on a valid legal basis, the operator has performed and documented the balancing test under Article 6 paragraph 1 letter f, a data protection impact assessment under Article 35 has been completed where the processing is likely to result in a high risk, and the information obligations under Articles 13 and 14 have been satisfied through two-layer signage and an accessible full notice. The technology itself is not prohibited. What is prohibited is processing without the documentation that demonstrates lawfulness, and that gap is where most operators lose.

What balancing test does Article 6(1)(f) require?

The balancing test has three steps. First, identification of a specific legitimate interest, named concretely with evidence rather than as a generic appeal to security. Second, demonstration of necessity, meaning that less intrusive measures have been considered and found insufficient, with the reasoning documented. Third, weighing of the interest against the rights and reasonable expectations of the data subjects affected, distinguishing between employees, contractors, visitors and incidental third parties. The test must be in writing, dated, signed by a named individual within the controller's organisation, and reviewed at least annually.

How long can footage be retained legally?

The GDPR sets a principle, not a number. Retention must not exceed what is necessary for the stated purpose. In supervisory practice across Germany, Austria and most EU Member States, forty-eight to seventy-two hours is the default for routine perimeter surveillance, with longer retention requiring documented justification tied to the operator's detection cycle. Footage relating to a specific incident may be preserved beyond the routine period under Article 17 paragraph 3 letter e, but only by documented decision and only for the affected segments. Blanket extended retention converts a lawful system into an unlawful archive.

What information must employees and visitors receive?

Both groups must receive the information specified in Article 13. Operationally this is delivered through a two-layer model. The first layer is signage at the perimeter, visible before entry, containing the controller's identity and contact, the purposes, the legal basis, the data protection officer's contact where appointed, a reference to data subject rights, and notice of AI analytics where used. The second layer is the full notice with all Article 13 information, available on request and published online. Employees additionally require a works agreement or functional equivalent under national labour law.

About the author

Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com
