CCTV in Elevators and Common Areas: Property Manager Responsibilities

CCTV in elevators, lobbies, and underground garages involves processing a person’s image, which often qualifies as personal data because it can make a specific individual identifiable. From a compliance perspective, the key question for a property manager is not “can we record?” but rather “what must we do to manage video footage lawfully and share it securely?” In practice, this mainly comes down to correctly identifying the controller, limiting the purpose of surveillance, controlling access to recordings, and anonymizing visual data before releasing copies to other individuals or entities.

In apartment buildings and office properties, this issue is especially practical. A camera in an elevator captures faces at close range. A camera in an underground garage will often also record license plates. A camera in the lobby shows not only residents or employees, but also visitors, couriers, and service technicians. Every disclosure of such footage therefore requires a separate assessment of risk and purpose.

Who is the controller for CCTV in a building’s common areas?

The controller is the entity that determines the purposes and means of processing video footage. In a residential building, this will usually be the homeowners’ association, housing cooperative, or the building owner acting through a property manager. In an office building, the controller may be the property owner, the management company, or the tenant, if the tenant independently installed the surveillance system in the leased space.

A property manager is not always the controller. If the manager acts solely under a contract and follows the instructions of the owner or the association, it will more often be a processor. However, if it independently decides where cameras are placed, how long footage is retained, how disclosures are handled, and what the system is used for, it may be considered a controller or joint controller. This assessment depends on the specific organizational model in place.

From a compliance perspective, the safest approach is to define that role in writing. Without this, it is difficult to properly respond to a resident’s request for access to footage, comply with transparency obligations, and describe the legal basis for processing under Articles 5, 6, 12, and 13 of the GDPR [1].

What the controller must do to ensure CCTV is lawful

The most common compliance approach includes five steps. First, the purpose of the CCTV system should be clearly described, for example the safety of people and property, access control to common areas, or investigating incidents. Second, the camera coverage should be limited to the minimum necessary for that purpose. A camera in an elevator should not capture space unrelated to security. Third, a retention period for recordings must be defined, and footage should not be kept longer than justified. Fourth, access to the footage should be restricted to a limited group of authorized persons. Fifth, there should be a procedure for releasing copies of recordings to third parties.

It is precisely at the disclosure stage that the need for video anonymization most often arises. If footage is to be provided to a resident, tenant, security company, insurer, or law firm handling a case, the controller should usually assess whether the recording shows the faces of other individuals or the license plates of vehicles unrelated to the request. If so, the standard practice is to blur faces and license plates before issuing a copy.

Images and license plates: what should be anonymized before footage is disclosed?

A person’s image in CCTV footage will very often constitute personal data. This follows from the broad GDPR understanding of identifiability and the established position of supervisory authorities regarding camera footage [1][2][3]. For that reason, when sharing footage with another resident or an external party, organizations often adopt the rule that all bystanders’ faces visible in the frame should be anonymized.

The obligation to anonymize faces before disclosing recordings follows primarily from GDPR principles, especially data minimization and the protection of the rights and freedoms of others. Civil law and copyright rules on image rights apply in a different context and do not provide a standalone legal basis governing the disclosure of CCTV recordings. Exceptions known from copyright law, such as public figures or an image being an incidental detail of a wider scene, generally do not determine the controller’s obligations when responding to a request for access to footage. In building surveillance scenarios, they will rarely apply in any event.

With license plates, the position in Poland is not entirely uniform. On the one hand, guidance from data protection authorities and a cautious compliance approach support blurring them when footage is disclosed to third parties. On the other hand, some administrative court decisions have suggested that a license plate alone is not always personal data. For a property manager, the practical conclusion is straightforward: when sharing recordings from a garage or driveway, it is safer to treat license plate blurring as the standard approach.

When can a resident obtain CCTV footage?

A resident whose image has been recorded may request access to personal data under the GDPR. However, this does not automatically mean they are entitled to receive the raw video file. The controller should first determine whether the requester is in fact the data subject, whether the request concerns a specific incident, and whether fulfilling it would infringe the rights and freedoms of others [1].

In practice, the following operating model is used most often. First, the relevant segment of footage relating to the event is identified. Next, it is assessed whether the frame shows third parties or vehicles belonging to other users. If it does, a copy is prepared after faces and license plates have been anonymized. Only then may the material be provided to the requester, provided there are no other legal or practical obstacles.

If a resident asks for footage “because they want to see who was walking down the corridor,” such a request will not always be justified. The controller should not disclose images of other residents without a clear legal basis. The same applies to requests from external companies, such as an insurer, cleaning contractor, or elevator maintenance provider. The purpose must be specific, and the scope of the data must be limited.

How to organize visual data anonymization in practice

In residential and office buildings, two types of anonymization are needed most often: face blurring and license plate blurring. This approach is consistent with the principle of data minimization. The controller should not disclose more visual information than is necessary to achieve a legitimate purpose [1].

Where requests are frequent, workflow organization also matters. Software such as Gallio PRO supports the preparation of footage for disclosure in an on-premise model, which is important for some property managers and homeowners’ associations when assessing operational security. However, the functional boundaries should be stated clearly. Gallio PRO automatically blurs only faces and license plates. It does not blur entire bodies, does not provide real-time anonymization, and does not anonymize a live video stream. It does not automatically detect company logos, tattoos, name badges, documents, or images displayed on monitor screens. Those elements can be manually obscured in the tool’s built-in editor.

This distinction matters from both a legal and organizational standpoint. If lobby footage shows a courier wearing an ID badge, a reception screen, or a document held in someone’s hand, automatic face and plate detection alone will not be enough. Before disclosure, the footage should be reviewed and, where needed, manual anonymization should be added.

A practical workflow may look like this:

• extract the segment of footage relating to the incident,
• automatically blur faces and license plates,
• review the material frame by frame,
• manually hide any other visible elements in the frame,
• export the final copy for disclosure.

You can try the demo on working footage before rolling out the procedure across your property portfolio.

Sharing footage with the police, insurers, and external companies

Not every recipient requires the same process. If footage is being preserved for law enforcement authorities under the applicable legal provisions, the required scope of anonymization may need a separate assessment. The situation is different where the material is to be shared with another resident, a commercial tenant, or a private company. In that case, the typical compliance approach assumes that before issuing a copy, the controller should remove bystanders’ personal data from the image, especially faces and license plates.

In practice, it is worth having a simple decision matrix.

In more complex environments, such as a multi-building portfolio, a centralized compliance team, or deployments requiring local infrastructure, it is worth reaching out to the team to define the workflow model, user permissions, and the operating principles of the on-premise solution.

Why the absence of excessive logs matters

With anonymization tools, not only the end result matters, but also the operational footprint. From a data minimization standpoint, it is beneficial when the system does not create additional datasets containing information about face and plate detection. According to Gallio PRO product information, the software does not store logs containing detection data, personal data, or special category data. For a property manager, this is an important part of the risk assessment because it limits the number of places where secondary data about residents or building users might be created.

The most common mistake property managers make: releasing raw footage

The riskiest model is to provide the full recording without selection and without anonymization. In an elevator, this means disclosing the faces of multiple people. In a garage, it may also mean disclosing license plates, entry and exit times, and movement patterns within the property. Such material may go beyond the purpose of the request and infringe the rights of others.

A much safer approach is one based on three questions. First, who is requesting the footage, and for what purpose? Second, which part of the recording is actually needed? Third, what must be hidden in the image before a copy is released? For a property manager, this is usually the shortest path to answering the real question: what do I need to do to stay compliant with the law?

FAQ - CCTV in elevators and common areas

Can a homeowners’ association install cameras in an elevator?

As a rule, yes, provided it can demonstrate a legitimate purpose, limit the scope of surveillance to the minimum necessary, and implement rules for access to recordings in line with the GDPR [1]. The assessment always depends on the circumstances of the particular building.

Does a resident have the right to receive a copy of CCTV footage?

They may have that right as a data subject, but this does not mean a right to receive the raw file. The controller should usually first assess the rights of others and prepare a version with faces and, where necessary, license plates anonymized.

Do the faces of other residents need to be blurred before footage is shared?

In practice, most often yes. Blurring the faces of bystanders is a standard measure to reduce the risk of infringing the rights and freedoms of others when handling an access request.

Do license plates in an underground garage always need to be blurred?

In Poland, the issue is not entirely clear-cut, but a cautious approach supports blurring license plates before disclosing a copy to private individuals or external companies.

Does Gallio PRO anonymize entire bodies?

No. Gallio PRO automatically blurs only faces and license plates. It does not blur entire bodies and does not perform real-time anonymization.

Does Gallio PRO automatically detect ID badges, tattoos, and documents visible in the frame?

No. The software does not automatically detect company logos, tattoos, name badges, documents, or images displayed on monitor screens. Such elements can be hidden manually in the editor.

Is on-premise software better for anonymizing CCTV footage?

For some controllers, yes, especially where footage relates to incidents in residential or office buildings and the organization wants to limit the circle of recipients. However, this depends on the system architecture, internal procedures, and risk assessment.