CCTV design in Ireland has never been a purely technical exercise. Since GDPR came into force in May 2018 and the Data Protection Commission (DPC) Ireland began actively enforcing it, every camera placement decision, every retention period choice and every analytics feature enabled carries a legal dimension that the security designer — and ultimately the building owner — must be able to justify. In 2025, the EU AI Act adds a further layer of prohibition and compliance obligation that makes CCTV GDPR compliance in Ireland more demanding than at any previous point.
This guide is written for security design consultants, M&E engineers, architects and facilities managers commissioning or reviewing CCTV systems in Irish commercial buildings, healthcare facilities, data centres and hospitality venues. It covers the DPC's current enforcement position, the proportionality and retention requirements that govern system design, the DPIA trigger conditions, and the specific impact of the EU AI Act on AI-powered video analytics in Ireland in 2025.
Why GDPR Makes CCTV Design Different in Ireland
CCTV is personal data processing under GDPR. Every frame that captures an identifiable individual is personal data — and unlike most personal data, video surveillance is continuous, ambient and typically captures data subjects without their active knowledge. This creates a set of GDPR obligations that directly constrain design decisions: where cameras can be pointed, how long footage is retained, who can access it, when AI analytics can be applied, and what signage must be displayed.
The DPC Ireland has jurisdiction over all CCTV processing by Irish-established data controllers and has exercised that jurisdiction actively since 2018. Its guidance document on the use of CCTV, updated in 2023, sets out clear expectations for Irish organisations. Designing a CCTV system without reference to DPC guidance is not a technical oversight — it is a legal risk.
The DPC's Key Requirements for CCTV Systems in Ireland
The DPC Ireland's CCTV guidance establishes six core requirements that every CCTV design consultant in Ireland should build into every system specification.
Legitimate Interest Assessment (LIA) for Irish CCTV Deployments
Most Irish commercial CCTV relies on Article 6(1)(f) GDPR — legitimate interests — as its lawful basis. This requires a three-part test: the interest pursued must be legitimate; the processing must be necessary for that purpose; and the organisation's interests must not be overridden by the data subjects' interests. An LIA must be documented before the system is designed and must identify specifically what harm is being prevented or what legitimate business interest is being served. Deploying CCTV without a documented LIA is the most common GDPR compliance failure identified in DPC investigations of Irish organisations.
Retention Periods — What the DPC Expects
The DPC Ireland's guidance indicates that CCTV footage should typically be retained for no more than 30 days for general commercial premises, unless there is documented justification for a longer period. Higher-risk environments — Dublin financial services offices, Cork data centres, security-critical infrastructure — may justify up to 90 days with appropriate documentation. Footage must be automatically overwritten when the retention period expires; a system that retains indefinitely by default is not compliant regardless of what the CCTV policy states.
Privacy Impact Assessment (DPIA) — When Is One Required?
Article 35 GDPR requires a Data Protection Impact Assessment before deploying CCTV systems that are likely to result in a high risk to individuals. The DPC Ireland's list of processing requiring a mandatory DPIA includes systematic monitoring of publicly accessible areas and biometric data processing. In practice, a DPIA should be conducted for any CCTV system covering public-facing areas of an Irish premises, any AI-enhanced system, and any system in a sensitive environment (healthcare, education, social care). The DPIA must be documented and, in cases of high residual risk, submitted to the DPC for prior consultation.
CCTV Design Principles for GDPR Compliance
GDPR-compliant CCTV design in Ireland starts with the privacy-by-design principle — integrating data protection requirements into the technical design from the outset, not retrofitting compliance onto a completed system. Three design decisions drive most GDPR compliance outcomes.
Camera Coverage Proportionality — The Design Standard
Every camera's field of view must be justified by the specific risk or legitimate interest being addressed at that location. A camera that captures a staff toilet entrance, a private office, or a public pavement outside the premises boundary is disproportionate. The CCTV design package for an Irish building should include a coverage justification for each camera — not a blanket statement that "the system is for security purposes" — mapping each camera to a specific risk scenario identified in the LIA. On Dublin city-centre commercial projects, where building proximity creates risk of capturing adjacent properties or public areas, this justification is scrutinised by both the DPC and planning authorities.
Privacy Masking, Zones of Exclusion and Signage Requirements
Where a camera's optimal coverage position captures areas that cannot be justified — neighbouring properties, public footpaths, visible-through windows — privacy masks must be configured in the VMS to permanently obscure those zones. Privacy masks cannot be toggled off by operators; they must be fixed at commissioning stage and documented in the system's configuration records. The design specification must include a privacy masking schedule as a standard deliverable.
AI Video Analytics & the EU AI Act — What Irish Designers Must Know in 2025
The EU AI Act came into force on 1 August 2024, with the prohibited AI provisions applying from 2 February 2025. For CCTV GDPR compliance in Ireland, the AI Act creates three critical constraints on video analytics features that many VMS platforms now offer as standard.
Prohibited AI Systems — What Cannot Be Deployed in Irish CCTV
The following AI systems are prohibited in Ireland under the EU AI Act regardless of the specific use case or technical safeguards applied:
- Real-time remote biometric identification in publicly accessible spaces — real-time facial recognition in any public-facing area is prohibited. This includes retail entrances, building lobbies accessible to the public, transport hubs and car parks open to the public.
- Emotion recognition systems — AI systems that infer emotional states from facial expressions, voice or physiological signals are prohibited in workplace and educational contexts.
- Biometric categorisation systems — systems that categorise individuals by sensitive characteristics (race, political opinion, religious belief, sexual orientation) from biometric data are prohibited.
- Social scoring systems — systems that evaluate individuals' trustworthiness based on behaviour over time are prohibited.
High-Risk AI Systems Requiring Conformity Assessment
Biometric identification systems that are not real-time (i.e., searching against databases after the fact) are classified as high-risk AI under the EU AI Act. They require a conformity assessment, EU registration and ongoing monitoring before deployment. For Irish data centres, airports and critical infrastructure operators who may wish to use post-event biometric search, this creates a significant compliance burden that must be factored into the CCTV system specification from design stage.
AI Analytics That Are Currently Permitted in Irish CCTV
Not all AI video analytics are prohibited or high-risk. The following remain permissible in Irish CCTV systems subject to GDPR compliance and proportionality:
- Vehicle detection and licence plate recognition (not biometric, not prohibited)
- Object detection (unattended bags, vehicles in prohibited zones)
- Perimeter intrusion detection — triggering an alert when a defined zone boundary is crossed
- Crowd density analytics in aggregate (not identifying individuals)
- Camera health monitoring and image quality analysis
Technical Design Requirements for GDPR-Compliant CCTV in Ireland
Translating GDPR and EU AI Act requirements into technical design specifications requires the following standard deliverables from a CCTV design consultant in Ireland:
- Camera coverage plan with field-of-view studies and per-camera justification
- Privacy masking schedule identifying permanently masked zones for each camera
- Storage and bandwidth calculation for the specified retention period
- VMS specification confirming prohibited AI features are excluded
- Data flow diagram showing who can access footage and under what conditions
- Signage schedule — location, size, content and specification for each entry point
- DPIA input document (design team contribution to the DPC-mandated assessment)
- Retention auto-deletion configuration specification
Sector-Specific Guidance — Dublin, Cork and Galway
CCTV design in Dublin financial services buildings (IFSC) and tech campuses requires particular attention to data subject access rights, as employees in high-security roles may request access to footage in the context of workplace disputes. In Cork data centres, the physical security CCTV scope must demonstrate to Tier III/IV certification bodies that coverage is maintained without GDPR compromise — a requirement that can conflict if not designed carefully from the outset. In Galway healthcare facilities (UHG, Merlin Park), the processing of footage involving patients creates Article 9 special category data processing obligations beyond standard commercial CCTV requirements.
How ASDV Designs GDPR-Compliant CCTV for Irish Projects
ASDV delivers CCTV design consultant services for Ireland as part of the broader physical security design scope. Every CCTV package includes a coverage justification per camera, a privacy masking schedule, a VMS specification confirming EU AI Act prohibited feature exclusion, and a DPIA input document. Our overnight turnaround model ensures that GDPR compliance documentation is issued alongside the technical drawings — not as a retrofit addition — keeping Irish projects on programme and on the right side of the DPC.
Frequently Asked Questions — CCTV GDPR Ireland
Not necessarily consent, but a lawful basis. Most Irish workplace CCTV relies on legitimate interests (Article 6(1)(f) GDPR). The DPC Ireland recommends informing employees through a clear CCTV policy rather than obtaining consent, as consent gives employees the right to withdraw it at any time — which would make surveillance legally uncertain. A documented legitimate interest assessment is the standard approach for Irish commercial buildings.
The DPC Ireland's guidance indicates no more than 30 days for general commercial premises. Higher-risk environments such as data centres or financial institutions may justify up to 90 days with documented justification. Footage must be automatically overwritten at retention expiry. Longer retention without justification is a common finding in DPC investigations of Irish organisations.
A DPIA is required for: systematic monitoring of publicly accessible areas; biometric data processing; large-scale surveillance; AI-powered analytics; and covert surveillance. The DPC Ireland's list of processing requiring a DPIA specifically includes video surveillance systems covering public-facing areas. The DPIA must be completed before the system goes live.
No. Real-time AI facial recognition in publicly accessible spaces is prohibited under the EU AI Act (prohibited provisions applied from 2 February 2025). Even outside public spaces, biometric identification systems are classified as high-risk AI requiring conformity assessment. The DPC Ireland also treats facial recognition as biometric special-category data under GDPR Article 9.
The DPC Ireland has issued enforcement decisions against Irish organisations for: excessive coverage capturing unjustified areas; inadequate CCTV signage; retention periods exceeding 30 days without justification; and failure to conduct a DPIA. Irish retail, hospitality and financial services organisations have been most frequently the subject of CCTV-related DPC complaints and investigations.
🇮🇪 Ireland Security Enquiry
Request a Free GDPR-Compliant CCTV Design Assessment
Tell us your building type and location — we will confirm the DPC requirements and deliver a GDPR-compliant CCTV design package within your programme.
Request Free AssessmentOr: +91-8800334308 · WhatsApp Us