GDPR Video Surveillance at the Workplace: Section 4 BDSG and DPIA

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Section 4 BDSG (German Federal Data Protection Act) requires that surveillance be necessary for the controller's own duties, premises rights, or a legitimate interest, and that it be proportionate
  • Mandatory signage at the recording perimeter: controller, purpose, retention, DPO contact
  • Default retention 48-72 hours; longer retention only with documented incident trigger
  • Prohibited zones: toilets, changing rooms, break rooms, infirmaries; covert workplace recording is inadmissible (BAG 1 ABR 16/22)
  • Works council co-determination mandatory under Section 87(1) No. 6 BetrVG (Works Constitution Act); DPIA required at 20+ employees plus high-risk areas

1. Section 4 BDSG Requirements

Workplace video surveillance must be necessary for the controller's own duties, the exercise of premises rights, or a documented legitimate interest. Proportionality is mandatory: less intrusive measures (better lighting, access control, locks) must be evaluated first.

2. Signage Requirement

Display a notice at every entry to the recording zone. Mandatory content: controller name, purpose, retention period, DPO contact details. The notice must be visible BEFORE entering the monitored area.

3. Retention Period

Standard: 48-72 hours. After an incident, retention may extend until the investigation closes. Longer default retention requires a documented justification per area (cash desk, warehouse).

4. Prohibited Zones

Toilets, changing rooms, break rooms, and infirmaries are off-limits. BAG ruling 1 ABR 16/22 confirmed that covert workplace recording is inadmissible. Continuous monitoring of regular workstations fails the proportionality test.

5. Works Council Co-Determination

Section 87(1) No. 6 BetrVG (Works Constitution Act) imposes mandatory co-determination for any workplace surveillance system. Without works council approval, recordings are inadmissible as evidence and use of the system is unlawful.

6. DPIA Obligation

Surveillance covering more than 20 employees, or covering high-risk areas (cash desks, warehouses, areas with sensitive data), triggers a Data Protection Impact Assessment under Art. 35(3)(c) GDPR. Document the DPIA before deploying the system.

Summary

Video surveillance at the workplace is one of the highest-risk processing categories. Covert recording is inadmissible (BAG line of case law), and the evidence is unusable. Fines in DPA practice range from EUR 5,000 to 50,000 for general violations and reach EUR 100,000+ for systemic surveillance without a lawful basis. The safe baseline: documented Section 4 BDSG basis, signage, 72h retention default, no prohibited zones, works council agreement, DPIA where applicable.

Frequently Asked Questions

Is covert video surveillance permitted?
Only in cases of specific suspicion (e.g. theft), for a limited duration, and after considering other means.

Fines in practice?
DSK fines of EUR 5,000-50,000. For systemic video surveillance without a legal basis: EUR 100,000+.
