Insight 43 - Magazine - Page 8
LEGAL MATTERS
Car Park CCTV and Data Protection
Nat Young explains how the use of CCTV in a commercial or
office car park is subject to data protection law.
WHAT RULES APPLY TO CCTV IN CAR
PARKS?
The use of CCTV in England and Wales is
governed primarily by data protection
law – the Data Protection Act 2018 and
UK GDPR. Other legal principles can
affect the use of CCTV systems, such as
private nuisance or harassment, but these
are less likely to be issues in a car park
environment.
WHY DOES DATA PROTECTION LAW
APPLY TO CCTV IN CAR PARKS?
Data protection law concerns personal
data, which is data about identified
or identifiable living individuals. Any
operational car park CCTV systems is
likely to capture personal data within
this definition, particularly since car
park operators will often have other
information about individuals using the
car park such as their car, number plate or
the parking space that they use.
DO YOU NEED TO REGISTER WITH THE
ICO?
If you are responsible for deciding
about which CCTV system to use and
what happens to its footage, you will
be a data controller for the purpose of
data protection law. Data controllers
are required to notify and pay a data
protection fee to the Information
Commissioner’s Office (ICO). Anyone
merely operating CCTV for someone else
would be a data processor, so would
not need to register. Processors still owe
obligations under data protection law, but
not to the same extent as controllers.
WHAT ELSE DO YOU NEED TO DO WHEN
USING CCTV IN A CAR PARK?
The main obligations are to identify an
appropriate lawful basis for capturing
personal data, justify why it is necessary
and proportionate, and consider and
integrate the principles of data protection
law into how you capture and process
footage. Crucially, you must keep a
written record of this. Other key issues
8
include how data is shared with other
parties (a common situation with car
parks), installing signage and the need
to respond correctly to subject access
requests made by individuals for their
data.
WHAT ARE THE CONSEQUENCES OF
GETTING THINGS WRONG?
The Information Commissioner can
investigate and fine any organisation
that breaches UK data protection law.
These fines can be substantial – up to
a maximum of £17.5 million or 4% of
an organisation’s annual worldwide
turnover. However, regulatory action is still
comparatively rare, and other issues have
a bigger practical impact. For example,
breaches of data protection law can make
it harder to enforce parking policies and
there is a growing trend towards using
civil claims to enforce rights under data
protection law, which exposes businesses
to the risk of litigation.
HOW CAN I GET FURTHER GUIDANCE ON
THESE ISSUES?
The ICO publish guidance on the use of
CCTV on their website, but this is quite
bIZ4BIZ INSIGHT MAGAZINE | APRIL 2025
generic. Organisations may therefore
benefit from a solicitor’s advice on their
own particular situation, particularly when
it comes to developing and documenting
policies around the use of CCTV.
Nat Young
Partner in Insolvency and
Dispute Resolution
www.longmores.law
enquiries@longmores.law
01992 300333
