14 min readGDPR & Compliance
Legal & Compliance

GDPR Compliance for Images & Videos: The Complete 2025 Guide

Images and videos containing identifiable faces are personal data under GDPR. Publishing, storing, or sharing them without a lawful basis can result in fines up to €20 million. This guide covers exactly when you need to blur faces, how to handle data subject requests, and how to automate compliance at scale.

Disclaimer: This guide is for informational purposes and does not constitute legal advice. Consult a qualified data protection officer or legal counsel for your specific situation.

Are Images and Videos Personal Data Under GDPR?

Yes — unambiguously. GDPR Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person."A photograph or video that allows someone to be identified directly (by recognizing their face) or indirectly (by combining the image with other data) is personal data.

Visual content that IS personal data under GDPR:

  • ✅ Photos and videos showing a person's face
  • ✅ CCTV footage where individuals can be identified
  • ✅ Dashcam footage capturing recognizable people
  • ✅ Body cam footage (police, security)
  • ✅ Medical imagery identifying a patient
  • ✅ Social media videos with identifiable individuals
  • ✅ Drone footage capturing people in public spaces

Visual content that is NOT personal data:

  • ✅ Fully anonymized footage (all faces blurred or removed)
  • ✅ Images with no identifiable individuals
  • ✅ Aggregated statistical visualizations
  • ✅ Crowd shots where no individual is distinguishable

Key point: Once faces are properly blurred or anonymized, the footage no longer constitutes personal data under GDPR. This is why face blurring is the primary compliance mechanism for visual content.

Lawful Basis for Processing Visual Content

Under GDPR Article 6, every processing activity needs a lawful basis. For visual content containing identifiable faces, the relevant bases are:

Consent (Article 6(1)(a))

Strong

When: The individual explicitly agreed to being filmed and their footage being used

Must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count.

Legitimate Interests (Article 6(1)(f))

Moderate

When: Your interest in processing the footage outweighs the individual's privacy interests

Must pass a Legitimate Interests Assessment (LIA). Commonly used for workplace CCTV.

Legal Obligation (Article 6(1)(c))

Moderate

When: You are legally required to collect or retain the footage

E.g., police body cam footage required by law, financial services recording obligations.

Vital Interests (Article 6(1)(d))

Narrow

When: Processing is necessary to protect life

Very narrow. Applies in emergency situations only.

If you have no lawful basis — or your original basis no longer applies (e.g., someone withdraws consent) — you must either delete the footage or anonymize it by blurring all identifiable faces.

When Must You Blur Faces Under GDPR?

⚠️

Publishing video on social media or YouTube

No consent from bystanders. Applies even in public spaces under GDPR.

BLUR REQUIRED
⚠️

Sharing CCTV footage in response to a DSAR

Must blur third parties — you cannot share their data with the requesting subject.

BLUR REQUIRED

News footage of public interest events

Journalism exemption may apply (Article 85). Get legal advice for your specific case.

CASE BY CASE
⚠️

Medical training videos with patient footage

Sensitive health data — requires explicit consent or full anonymization.

BLUR REQUIRED

Employee training videos showing staff

Covered under employment contract and legitimate interests — but check your policy.

CASE BY CASE
⚠️

Dashcam footage shared publicly online

Identifiable pedestrians and drivers are data subjects. Blur before posting.

BLUR REQUIRED
⚠️

Research datasets containing faces

Unless you have explicit research consent from all participants.

BLUR REQUIRED

DSAR and CCTV Footage: Your Obligations

A Data Subject Access Request (DSAR) under GDPR Article 15 gives individuals the right to access footage in which they appear. This is particularly common with CCTV systems.

Your DSAR timeline for CCTV footage:

Day 0DSAR received — clock starts
Day 1–5Verify the identity of the requesting data subject
Day 5–20Locate the relevant footage from your archive
Day 20–28Blur all third-party faces in the footage using AI tools
Day 30Deadline: provide the footage (or written explanation if unavailable)

Why the 30-day window is tight for CCTV:

A single day of CCTV from a multi-camera system can contain dozens of hours of footage. Manually blurring third-party faces in all that footage before the deadline is practically impossible. This is exactly why organizations use AI tools like Guardiavision — process hours of footage in minutes, not weeks.

Sector-Specific GDPR Visual Data Rules

Healthcare

GDPR Art. 9 + HIPAA (US)

Patient images and videos are special category data under Article 9. Requires explicit consent or specific exemptions. Full anonymization (including face blur) for research and training.

Security / CCTV

GDPR + ICO CCTV Code (UK)

Must display signage, have a retention policy, and respond to DSARs by blurring third parties. Legitimate interests basis requires LIA.

Education

GDPR + local education law

Student images are personal data. Schools need parental consent for children under 16. Recorded lessons require policy covering all visible participants.

Journalism & Media

GDPR Art. 85

Article 85 exemption may apply for public interest journalism. Still requires proportionality — blur non-relevant bystanders even in journalism contexts.

Law Enforcement

LED Directive 2016/680

Police and public authority video processing falls under the Law Enforcement Directive (LED), not standard GDPR. Body cam and dashcam footage has specific rules.

HR & Workplace

GDPR + national employment law

Employee monitoring via video requires proportionality, transparency, and a legitimate business reason. Covert surveillance is almost never lawful under GDPR.

GDPR Penalties for Visual Data Breaches

Violation TypeMaximum Fine
Publishing video without consentUp to €20M or 4% global turnover
Failing to respond to a DSAR within 30 daysUp to €20M or 4% global turnover
Sharing CCTV footage without blurring third partiesUp to €20M or 4% global turnover
Inadequate security measures for stored footageUp to €10M or 2% global turnover
Missing required CCTV signageUp to €10M or 2% global turnover

Note: These are maximum fines. Actual enforcement actions vary significantly based on intent, scale, and remediation steps taken.

GDPR Visual Data Compliance Checklist

Identify all systems that capture video/images of individuals (CCTV, webcams, mobile devices, drones)
Document your lawful basis for each type of visual data processing
Display CCTV/recording signage where required
Establish a data retention policy and delete footage after the retention period
Set up a DSAR response process with a 30-day target including face blurring of third parties
Anonymize (blur) faces in footage before sharing externally or publishing
Use audit logs to track who accessed, processed, or shared visual data
Review third-party processors (cloud storage, video platforms) for GDPR compliance
Appoint or designate a Data Protection Officer (DPO) if required
Conduct Data Protection Impact Assessments (DPIA) for high-risk video processing

Tools for GDPR-Compliant Face Blurring

Manual face blurring is not scalable for GDPR compliance. Here are the tools available:

Guardiavision (Recommended)

AI-Powered

AI face detection + prompt-to-blur. Process DSAR footage, CCTV exports, and video content in seconds. GDPR-ready with auto-deletion after 24 hours and audit logs.

  • ✅ Automatic face detection (95%+ accuracy)
  • ✅ Handles video and images
  • ✅ Batch processing for large archives
  • ✅ Files auto-deleted after 24 hours
  • ✅ Audit logs for compliance documentation
  • ✅ EU server option (Enterprise)
Try Free — 50 Credits →

DaVinci Resolve (Free)

Manual face tracking and blur. Free but requires 2–4 hours per video. Not suitable for DSAR response at scale.

Adobe Premiere Pro

Professional video editing with tracking. $22.99/month, manual process, not scalable for compliance workflows.

Frequently Asked Questions

Does GDPR require face blurring in videos?

GDPR requires a lawful basis to process video containing identifiable individuals. If you don't have consent or another valid basis, you must anonymize the footage — typically by blurring faces — before storing or publishing.

What is the fine for sharing video with identifiable faces without consent?

Up to €20 million or 4% of global annual turnover. Actual fines vary based on severity, intent, and remediation. Regulators have issued significant fines for CCTV misuse and unauthorized publication of footage.

How do I respond to a DSAR for CCTV footage?

You must respond within 30 days, providing footage in which the requesting person appears. Before sharing, blur all other identifiable individuals (third parties) in the footage using face blurring tools like Guardiavision.

Is filming in public places legal under GDPR?

Filming in public is generally legal, but publishing footage where individuals are identifiable requires a lawful basis. GDPR applies to the processing (storage and publication) of the footage, not the act of filming itself — though member states may have additional national rules.

Does blurring a face make it GDPR compliant?

Proper face blurring (gaussian blur with sufficient intensity that the individual cannot be recognized) anonymizes the personal data. Once properly anonymized, the footage is no longer considered personal data under GDPR. However, the blur must be sufficient — weak blurring that can be reversed may not meet the standard.

Automate Your GDPR Face Blurring

Process CCTV footage, DSAR requests, and video content in seconds — not hours. Free trial included.

Start Free Trial →

Written by

Guardiavision Team

Experts in AI-powered privacy protection and GDPR compliance for visual content.

← AI face blur guideHow to blur faces in video →
Guardiavision Logo
Guardiavision
© Copyright 2026 Guardiavision