Video Surveillance Footage as Evidence in Employee Disciplinary Proceedings: What the Data Controller Is Allowed to Do

In this context, visual data anonymization means preparing video footage so it can be used as evidence without unnecessarily disclosing the image and other identifiers of bystanders. In practice, this most often means face blurring and license plate blurring before the material is shown to a disciplinary committee, a lawyer, or other people involved in the case. This is the starting point for answering a question that comes up very often in organizations: disciplinary proceedings are being conducted against an employee - can CCTV footage be used, and what needs to be done to it first?

As a rule, an organization can often use video surveillance footage as evidence in an employment matter if the monitoring system was implemented in compliance with labor law and data protection rules, and if the purpose of using the footage falls within, or is closely related to, the purposes for which the monitoring was introduced. However, simply having the footage does not mean it can be used freely. Three issues are crucial: the legal basis for using the material, the scope of disclosure, and how long it may continue to be stored [1][2][3].

When can CCTV footage be used in disciplinary proceedings?

In the Polish legal context, the reference point is Article 222 of the Labor Code, which allows video surveillance, among other things, where it is necessary to ensure employee safety, protect property, supervise production, or keep confidential information secret where disclosure could expose the employer to harm [2]. If the incident covered by the disciplinary proceedings was recorded through lawfully operating workplace CCTV, organizations often treat that recording as material that may be preserved and used as evidence.

That does not mean, however, that the entire recording can be freely circulated within the company. The GDPR principle of data minimization requires access to be limited to people who genuinely need to review the material [1]. From a compliance perspective, the safest approach is usually to isolate the specific segment covering the incident and prepare a working version only for the small group of people handling the case.

What should the data controller do immediately after detecting the incident?

The first step is to secure the footage against overwriting. As a rule, the Polish Labor Code provides for a storage period not exceeding 3 months from the date of recording, unless the footage constitutes evidence in proceedings conducted under the law or the employer has learned that it may constitute evidence in such proceedings. In that case, the retention period is extended until the proceedings are finally concluded [2].

This distinction matters. The data controller should not keep everything “just in case.” However, a specific recording may be retained beyond the standard retention period where there is a real, documented link to disciplinary proceedings, an employment dispute, or anticipated court or regulatory proceedings. A good practice is to record the date of preservation, the scope of the material, the person responsible, and the purpose of retention. That kind of organizational record helps demonstrate compliance with the accountability principle [1].

Before showing the footage, limit data relating to bystanders

The most common mistake is that HR or a manager shows raw footage to the entire committee, an external law firm, or several managers. From a data protection perspective, that is risky. If people other than the employee subject to the proceedings appear in the frame, then before the material is shown, the organization should at least assess whether their identification is necessary for the evidentiary purpose. In many cases, it is not.

That is why, before showing footage to a committee or a lawyer, the organization should generally consider anonymizing or pseudonymizing the faces and other identifiers of people visible in the frame if their identification is not necessary for the evidentiary purpose. This approach follows from the data minimization principle and from guidance commonly recommended when processing visual data by data protection authorities [1][3]. If the visible sequence of events is enough to assess the employee’s conduct, there is no justification for disclosing the faces of witnesses, customers, visitors, or other employees.

In practice, Gallio PRO is useful here as on-premise software for preparing video materials for further disclosure. This is particularly important where an organization does not want recordings to leave its own environment. From a compliance perspective, it also matters that the software does not collect logs containing face or license plate detection data and does not collect logs containing personal data or special categories of personal data.

How far should video anonymization go?

In disciplinary matters, the goal is not to “beautify” the footage but to limit the disclosure of personal data to the absolute minimum. A typical scope of work includes:

• cutting the relevant time segment,
• face blurring of bystanders,
• license plate blurring if plates appear in the frame and their disclosure is not necessary,
• manual redaction of other elements that enable identification or reveal excessive information.

Precision matters here. Gallio PRO automatically blurs only faces and license plates. It does not blur entire bodies. It does not perform real-time anonymization or anonymize live video streams. It does not automatically detect company logos, tattoos, name tags, documents, or content displayed on monitor screens. Those elements can be redacted manually using the simple editor built into the tool. That is important because, in disciplinary proceedings, such details often appear incidentally in the background.

If an organization wants to test this workflow using its own materials, it is worth doing so on a sample by trying the demo and checking whether preparing a version for the committee and an archival version aligns with internal procedures.

Table: Raw footage vs. the version shown in disciplinary proceedings

Does the footage also need to be anonymized before being shown to a lawyer?

In many organizations, the argument is made that a lawyer is already bound by confidentiality. That is true, but it does not override the principle of data minimization. If external counsel only needs to assess the conduct of a specific employee and the identification of other individuals is irrelevant to that analysis, organizations often prepare an anonymized version. This model narrows the scope of disclosure and usually aligns better with data protection by design [1].

Borderline situations are possible. If the course of events requires identifying a specific accompanying person, witness, or driver of a vehicle, full anonymization may weaken the evidentiary value. In that case, the extent of blurring depends on the context and should result from a documented evidentiary need. It is not worth pretending there is certainty where the law leaves room for assessment.

Faces and license plates - what really needs to be blurred?

The obligation to protect a person’s image does not arise only from the GDPR, but also from civil law and copyright law. However, there are 3 exceptions:

• the person is widely known, and the image was captured in connection with the performance of public functions, especially political, social, or professional ones,
• the person’s image is merely a detail of a larger whole such as a gathering, landscape, or public event,
• the person received agreed payment for posing, unless expressly stipulated otherwise.

These exceptions have limited relevance in workplace surveillance cases, because evidentiary footage from a workplace rarely falls within those scenarios.

With license plates, the situation is more complex. Under EU law and Polish practice, their status depends on the context and on whether the number can be linked to a specific person. It cannot therefore be stated categorically that they always are, or never are, personal data. In practical compliance terms, when footage is shown to third parties, license plate blurring is the safer approach, especially where the number is not needed for the evidentiary purpose [1][3][4].

How long may footage be stored after the standard retention period ends?

Proportionality is the key point here. As a rule, employee surveillance should not lead to unlimited storage of recordings. However, if a specific recording has been preserved as evidence, it may be stored longer than the usual 3 months - until the proceedings are finally concluded [2]. After that point, the organization should assess whether there is a separate basis for continued storage of the copy, for example in connection with defending against claims. If not, the material should be deleted in accordance with the adopted procedure [1].

A good practice is to separate two sets of materials: the source material preserved as evidence and working copies prepared for disclosure. Working copies, especially anonymized ones, should not circulate in mailboxes and shared folders for any longer than the case requires.

How should a secure evidence workflow be organized?

The most practical model looks like this. First, preserve the original file and restrict access. Then create a working copy. Next, carry out face blurring and license plate blurring for bystanders, and manually remove any remaining identifying elements. Finally, prepare the version to be shown and a note recording who accessed the material and for what purpose.

If the case requires on-premise software, a separate retention policy, or a procedure for a large organization, it is sensible to get in touch and discuss the implementation scenario and compliance requirements. This is especially relevant in environments where recordings cannot leave the organization’s infrastructure.

It is also worth noting the separate page on video anonymization, because this is the type of processing that most often appears in evidence-related cases based on workplace CCTV.

FAQ - CCTV Footage as Evidence in Employee Disciplinary Proceedings

Can an employer use CCTV footage as evidence against an employee?

Most often yes, provided the surveillance system was implemented lawfully and the footage is related to the purpose of the monitoring or to proceedings conducted under the law. The assessment always depends on the factual context and on whether the monitoring was implemented correctly [1][2].

Do other people in the footage need to be blurred before showing it to a disciplinary committee?

From a compliance perspective, most often yes. Before the footage is shown to a committee or a lawyer, the organization should usually limit the identification of other individuals visible in the frame if their identification is not necessary for the evidentiary purpose [1][3].

Can footage be retained for longer than 3 months?

Yes, if the footage constitutes evidence in proceedings or the employer has learned that it may constitute such evidence. In that case, retention may be extended until the proceedings are finally concluded [2].

Is it enough to blur the entire body of a bystander?

That depends on the tool and the purpose. In Gallio PRO, automatic detection covers only faces and license plates. The software does not blur entire bodies, and other identifying elements require manual redaction.

Are license plates always personal data?

No. Their status depends on the context and on whether the data controller can reasonably link the number to a specific person. From the perspective of caution and data minimization, license plate blurring is often used when footage is shown to third parties [1][3][4].

Can external counsel see the raw footage?

Sometimes yes, but that should not be automatic. If identifying bystanders is not necessary for analyzing the case, a common practice is to provide an anonymized version in line with the minimization principle [1].

Does Gallio PRO store logs containing face or license plate detection data?

No. According to the product guidelines, the software does not collect logs containing face or license plate detection data, nor logs containing personal data or special categories of personal data.