docs(legal): retention EU

This commit is contained in:
2026-05-09 18:46:28 +00:00
parent bfe1dbdbb0
commit 472904e245
+130
View File
@@ -0,0 +1,130 @@
# Retention · EU
Regulatory baselines for video retention in EU jurisdictions where Blocao expects to operate.
**Disclaimer**: Working summary, not legal advice. Per-deployment review by counsel required.
## EU baseline (GDPR + national laws)
GDPR Article 5(1)(e) requires personal data (which includes video of identifiable people) to be kept "for no longer than is necessary for the purposes for which the personal data are processed".
Each EU member state has implementing legislation that interprets this differently for video surveillance. The de facto pattern: ~30 days as a default, with national variations.
## Spain
**Authority**: Agencia Española de Protección de Datos (AEPD).
**Law**: LOPDGDD (Ley Orgánica 3/2018) implementing GDPR.
**Default retention**: **30 days max**. After 30 days, footage must be deleted unless there's an active investigation or specific legal requirement.
**Notes**:
- AEPD has issued multiple sanctions for retention beyond 30 days without justification.
- Workplace surveillance has additional requirements (worker representative consultation, signage, registered policy).
- Public-space surveillance by private actors is highly restricted.
**Wizard default for ES**: 30 days.
## France
**Authority**: Commission Nationale de l'Informatique et des Libertés (CNIL).
**Law**: Loi Informatique et Libertés + GDPR.
**Default retention**: **30 days** is the recommended baseline for general use.
**Notes**:
- CNIL allows up to 1 month by default for video surveillance.
- Workplace surveillance: prior CSE/CSSCT consultation required, retention typically 1 month.
- Public-space surveillance has its own framework (LOPMI, "vidéoprotection").
- "Cloud de Confiance" framework for sovereignty-conscious deployments increasingly aligned with on-premise / EU-sovereign hosting.
**Wizard default for FR**: 30 days.
## Germany
**Authority**: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) at federal level + state-level DPAs.
**Law**: BDSG (Bundesdatenschutzgesetz) implementing GDPR.
**Default retention**: **48-72 hours** is often the baseline for public spaces; **14 days** for security-purpose general retention.
**Notes**:
- Germany is the strictest among major EU markets on retention.
- Datenschutzfolgenabschätzung (DPIA, Art. 35 GDPR) typically required for any non-trivial video surveillance.
- Workplace cameras face strict requirements (works council consent, narrow purpose).
**Wizard default for DE**: 14 days. Presets for 7d, 30d (with DPIA reminder).
## Italy
**Authority**: Garante per la protezione dei dati personali.
**Law**: Codice in materia di protezione dei dati personali + GDPR.
**Default retention**: **24 hours to 7 days** is the typical baseline. Longer retention requires explicit justification.
**Notes**:
- Garante has been particularly strict on retention beyond 7 days.
- Workplace surveillance: Statuto dei Lavoratori Article 4 requires union agreement or labor authority approval.
- Public-space cameras: heavy restriction; usually 7-day retention max.
**Wizard default for IT**: 7 days. Presets for 14d, 30d (with Garante caution).
## Netherlands
**Authority**: Autoriteit Persoonsgegevens (AP).
**Default**: 4 weeks (28 days) for general surveillance, with longer retention requiring documented justification.
## Belgium
**Authority**: Autorité de protection des données / Gegevensbeschermingsautoriteit.
**Default**: 1 month for general, with specific framework for "cameras de surveillance publique" under separate camera law.
## Other EU countries
For markets we'll enter post-MVP (Portugal, Ireland, Nordics): retention defaults track the GDPR + national-implementing-law pattern, generally between 14 and 30 days. Specific guidance to be researched per market when relevant.
## Cross-cutting GDPR principles
Beyond retention duration, all EU deployments must satisfy:
- **Lawful basis** (Art. 6): legitimate interest is most common for security cameras; consent is rarely workable.
- **Transparency** (Art. 13/14): signage informing people they are recorded.
- **DPIA** (Art. 35) when high-risk processing is involved (workplace, public spaces, sensitive contexts).
- **Data subject rights**: access, rectification, erasure, etc.
- **Records of processing** (Art. 30): document the purpose, retention, security measures.
Blocao supports all of these by being **demonstrably local**: data doesn't transfer cross-border, retention enforced by storage rotation, audit trail in Git.
## How Blocao maps to wizard defaults
When country selected at first boot:
| Country | Default | Presets available |
|---|---|---|
| Spain | 30 d | 14 d, 30 d, 60 d (justified) |
| France | 30 d | 14 d, 30 d, 60 d (justified) |
| Germany | **14 d** | 7 d, 14 d, 30 d (with DPIA reminder) |
| Italy | **7 d** | 7 d, 14 d, 30 d (with Garante caution) |
| Netherlands | 28 d | 14 d, 28 d, 60 d (justified) |
| Belgium | 30 d | 14 d, 30 d, 60 d (justified) |
Each selection produces:
- frigate config retention setting.
- `site-config` repo annotation with regulatory basis.
- HEALTH selftest verifying enforcement.
## Schrems II and sovereignty
Post-Schrems II (CJEU 2020), transferring EU personal data to US-based cloud is heavily restricted. Standard Contractual Clauses (SCCs) require supplementary measures, and "supplementary measures" for video data effectively mean encryption with non-US-accessible keys.
For most EU customers, the cleanest answer is "don't transfer to US cloud at all". Blocao's architecture (local storage + EU sovereign hub) is built precisely for this.
This is **the** sovereignty conversation in EU sales. The customer's DPO will love this architecture; their procurement may push for SaaS for cost reasons; the legal team will side with the DPO.
## See also
- [`retention-argentina.md`](retention-argentina.md) — LATAM comparison.
- [`evidence-chain-roadmap.md`](evidence-chain-roadmap.md) — the eIDAS-aligned evidence story.