Ask a Question

CCTV Monitoring in Office Buildings and Coworking Spaces: Compliance for Building Managers and Tenants

Mateusz Zimoch
Published: 5/4/2026

Table of Contents

Visual data anonymization in office buildings and coworking spaces means preparing photos and video recordings so that, before they are shared or published, they do not identify individuals or vehicles beyond what is necessary for the intended purpose. In practice, this mainly involves face blurring and license plate blurring. In this area, the key question is not only whether CCTV monitoring is lawful, but also who is responsible for a specific recording and at what stage anonymization should take place.

In office buildings and coworking environments, at least two parties often operate in parallel: the building owner or property manager, and the tenant. Both may act as separate data controllers if they independently determine the purposes and means of using photos or recordings. This split governance model is often what determines who is required to anonymize the footage before disclosing it to the other party.

Two people working at a desk in an office, discussing something on a computer screen. Office supplies are visible on the desk.

Who Is the Data Controller for Recordings in an Office Building or Coworking Space?

The most common model looks like this: the building owner or property manager operates cameras in common areas such as entrances, lobbies, lifts, garages, and reception zones. The tenant controls its own cameras within the leased office, at the entrance to its unit, or in an event space used for its business activities. If each of these parties independently defines the purpose of monitoring, the retention period, and the rules for disclosure, then as a rule each acts as a separate data controller.

This distinction has practical consequences. The building owner does not automatically assume responsibility for every recording created by the tenant. Likewise, the tenant cannot assume that because the building has a shared security policy, raw video may be disclosed without first assessing the risk and the need for anonymization.

Shared organizational arrangements are necessary, but they do not replace a clear separation of roles. A good compliance practice is to describe at least four points in the lease agreement, CCTV policy, or an operational appendix:

  • who is the controller of a given camera system,
  • in which scenarios footage may be disclosed,
  • who performs visual data anonymization,
  • who documents the legal basis for that action.

Black and white image of an open-plan office with people working at desks, computers, and modern lighting overhead.

Why Visual Anonymization Is Central to Allocating Responsibility

Photos and recordings from office buildings almost always contain images of people. They may also include license plates in parking areas and driveways. If the material is to be used for more than internal security viewing, questions arise about data minimization under Article 5 GDPR and the lawfulness of any further use [1].

In practice, this means that disclosing an entire non-anonymized recording to another data controller should be the exception, not the default. If the purpose can be achieved after blurring faces and license plates, organizations often adopt that model as the safer operational approach.

At this point, it is useful to distinguish between two use cases. The first is evidentiary footage disclosed to public authorities or used in connection with an incident. The second is footage shared for business purposes between the owner and the tenant, for example to analyze an event, prepare communications, or support publication. In the second case, the need for anonymization arises much more often.

Black and white image of a spacious, modern office with rows of people working at desks equipped with computers and chairs.

Workflow: When a Tenant Must Anonymize Footage Before Sharing It with the Owner

The tenant should start by asking what the disclosure is for. If the building owner requests footage from the tenant’s reception area solely to confirm how a technical incident unfolded, raw facial images of bystanders are usually not necessary. In that scenario, a common compliance approach is to provide a version with face blurring and, if vehicles are visible in the frame, license plate blurring as well.

If the material is to be shared with another tenant, the need for anonymization is even stronger. Disclosing recordings between tenants without blurring faces and license plates should be treated as a high-risk solution. The first step should be to assess whether the purpose can be achieved with anonymized footage. In most operational disputes, the answer is yes.

A good workflow can be described in four steps:

  • First, the tenant identifies the purpose and the recipient.
  • Second, it assesses whether raw footage is truly necessary for that purpose.
  • Third, it prepares a working copy after visual anonymization.
  • Fourth, it documents the scope of the disclosure.

This model limits excessive disclosure of people’s images and better reflects the principle of data minimization [1].

If a tenant needs a tool for local processing of footage, Gallio PRO can be a practical on-premise software option. This matters especially where an organization does not want to move recordings to external services and wants to retain control over file circulation. According to the product materials, the software automatically blurs only faces and license plates, not whole silhouettes, does not operate in real time, and does not anonymize live video streams. It does not automatically detect company logos, tattoos, name badges, documents, or content displayed on monitor screens, although such elements can be blurred manually in the built-in editor. The software also does not store logs containing personal data.

Person at desk with multiple monitors displaying blurred video call participants, notebooks, keyboard, and a calculator on the desk.

Workflow: When the Building Owner Must Anonymize Footage Before Sharing It with the Tenant

The same mechanism works in reverse. If the building manager shares footage from the lobby, lift, or parking area with a tenant, the default should not be to hand over the full recording showing all visitors’ faces. In most cases, the tenant needs only the relevant excerpt and only the information necessary for its business or security purpose.

Here is a simple example. A tenant reports property damage near the entrance to its unit. The building manager has cameras covering the corridor and adjacent areas. If the purpose is to confirm how the incident occurred, a version with bystanders blurred will usually be sufficient. Raw footage may be needed only in specific situations, depending on the context and legal basis.

From the building manager’s perspective, it is also important to separate operational footage from communication material. The fact that a recording was lawfully collected for security purposes does not automatically mean it can be shared with the tenant for PR, marketing, or publication. Any further use requires a separate assessment.

Person at desk with multiple monitors displaying blurred video call participants, notebooks, keyboard, and a calculator on the desk.

Allocation of Responsibility in Practice: A Table for Building Managers and Tenants

Situation

Who is usually the data controller?

Who anonymizes before disclosure?

Practical standard

Footage from a lobby, lift, or garage

Building owner or property manager

Building owner or property manager before sharing with the tenant

Face blurring and, where needed, license plate blurring

Footage from inside the tenant’s premises

Tenant

Tenant before sharing with the owner

Disclosure limited to the purpose and scope of the incident

Exchange of footage between tenants

Each tenant separately for its own system

The party disclosing the footage

Anonymization should be the starting point

Material for publication from a coworking event

The publishing entity

The publishing entity before publication

Assessment of image-right exceptions and data minimization

Black and white office scene with three blurred figures at a table, large windows, and round ceiling lights. Cityscape visible outside.

Publishing Photos and Recordings from an Office Building: When Faces Should Be Blurred

The obligation to anonymize faces does not flow automatically from a single legal provision. It depends on the assessment of the legal basis for processing personal data, the protection of personal rights, and the rules governing the publication of a person’s image. In particular, GDPR, the Civil Code, and Copyright Law are relevant here. Copyright law provides exceptions to the requirement for consent to publish a person’s image, including where:

  • the person is publicly known and the image was captured in connection with the performance of public functions, especially political, social, or professional ones,
  • the person is merely a detail of a larger whole such as an assembly, landscape, or public event,
  • the person received agreed payment for posing, unless expressly stated otherwise.

In office buildings and coworking spaces, these exceptions should be applied with caution. An industry event held in a coworking space will not always qualify as a public event in copyright practice. Likewise, the fact that someone is a recognizable speaker does not automatically legalize publishing the faces of all attendees visible in the background. That is why face blurring remains a common solution for promotional materials, event coverage, and crisis communications.

Surveillance camera view of a modern lobby with two people wearing transparent masks, multiple chairs, and a round table with plants.

License Plates in Parking Areas and Driveways

Footage from parking areas and delivery zones creates an additional issue. There is no general rule under which blurring license plates is always mandatory throughout Western Europe based on uniform EU recommendations. The assessment depends on the context in which the material will be used and on whether the plate, in the given circumstances, allows a person to be identified. In Poland, the positions are not entirely uniform either: in data protection practice, license plates are often treated as personal data or as data enabling indirect identification, although case law has also seen narrower interpretations.

For office building managers, this means one thing: if footage is to be disclosed beyond the strict circle of necessary recipients or published, license plate blurring is a sensible practice that reduces interpretive risk. This approach is especially justified in international properties, where group-wide standards are often broader than the local legal minimum.

Surveillance footage of a man standing near an elevator in a lobby with marble walls and floor, timestamped and marked by a camera overlay.

How to Implement a Split Governance Procedure Without Excessive Bureaucracy

A simple operational model works best. Contracts and procedures should specify that each party is responsible for anonymizing material originating from its own camera system before disclosing it to the other party, unless there is a documented need to provide raw footage. Such a clause simplifies day-to-day operations and reduces disputes over responsibility.

The second element is the tool itself. In facilities with a large number of cameras and frequent export of recordings, the ability to process multiple files and deploy locally matters. If an organization wants to test such a workflow in practice, it can try the demo. According to Gallio PRO materials, automatic detection covers only faces and license plates, while other visual elements require manual work.

The third element is an exception path. If the building has a complex lease structure, a central SOC, multiple parking areas, or enterprise requirements for on-premise software, it is often wise to get in touch and tailor the process to the actual allocation of responsibilities. This is especially relevant where footage circulates between the property manager, tenants, and external service providers.

Security camera footage showing a person seated at a computer and three people standing nearby, with faces highlighted in red squares.

The Most Common Mistake: Confusing Technical Access with the Role of Data Controller

The fact that the building owner has the technical ability to retrieve a recording does not mean it becomes the data controller for all tenant footage. Similarly, the mere fact that a tenant can receive a copy from cameras in common areas does not make it a joint controller of the manager’s system. What primarily determines the role is who decides on the purpose and means of processing [1].

That is precisely why split governance requires not only contractual wording, but also operational discipline. Each party should anonymize footage at source before sharing it with the other side, unless there is a specific and documented reason not to do so.

Five gray 3D question marks aligned horizontally on a light gray background.

FAQ - CCTV Monitoring in Office Buildings and Coworking Spaces

Are the building manager and the tenant always joint controllers?

No. In office buildings, the more common model is that of separate controllers, where each party independently determines the purposes and means of operating its own monitoring system. Joint controllership may arise, but it requires joint decision-making on the purposes and means of processing [1].

Can a tenant share raw footage from its own office with the owner?

It depends on the purpose and legal basis for the disclosure. A common compliance practice is to apply visual anonymization first if the owner does not need identifiable faces or license plates to achieve a specific purpose.

Can recordings be shared between tenants without blurring faces?

As a rule, this should not be the default. When footage is disclosed between tenants, anonymization is usually the first step, because every additional recipient expands the scope of disclosure of visual personal data.

Does Gallio PRO anonymize the entire image and all personal data visible in the recording?

No. Gallio PRO automatically blurs only faces and license plates. It does not automatically detect company logos, tattoos, name badges, documents, or monitor screens. Such elements can be hidden manually in the editor.

Does Gallio PRO work in real time on camera streams?

No. According to the product materials, the software does not perform real-time anonymization or live video stream anonymization.

Do license plates always have to be blurred?

Not always. The assessment depends on the purpose of using the material and the identification context. However, when footage is shared or published, license plate blurring is a common and cautious compliance practice.

Does the tool store logs with information about detected faces and plates?

According to Gallio PRO materials, the software does not store logs containing personal data.

Download free demo
Mateusz Zimoch

Mateusz Zimoch

CEO and Co-Founder of Gallio PRO, is an engineer with extensive expertise in Computer Science, Data Science, Robotics, and Artificial Intelligence. Mateusz graduated with dual majors from the Wrocław University of Technology and launched two startups centered on developing AI-powered Computer Vision solutions and constructing Remote Operated Vehicles (ROVs).

References list

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - GDPR.
  2. European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices.
  3. Polish Personal Data Protection Office, materials and guidance on video surveillance.
  4. Act of 23 April 1964 - Civil Code.
  5. Act of 4 February 1994 on Copyright and Related Rights.