wdmUI/docs/06-legal/retention-eu.md
2026-05-09 18:46:28 +00:00


Retention · EU

Regulatory baselines for video retention in EU jurisdictions where Blocao expects to operate.

Disclaimer: Working summary, not legal advice. Per-deployment review by counsel required.

EU baseline (GDPR + national laws)

GDPR Article 5(1)(e) requires personal data (which includes video of identifiable people) to be kept "for no longer than is necessary for the purposes for which the personal data are processed".

Each EU member state has implementing legislation that interprets this differently for video surveillance. The de facto pattern: ~30 days as a default, with national variations.

Spain

Authority: Agencia Española de Protección de Datos (AEPD). Law: LOPDGDD (Ley Orgánica 3/2018) implementing GDPR.

Default retention: 30 days max. After 30 days, footage must be deleted unless there's an active investigation or specific legal requirement.

Notes:

  • AEPD has issued multiple sanctions for retention beyond 30 days without justification.
  • Workplace surveillance has additional requirements (worker representative consultation, signage, registered policy).
  • Public-space surveillance by private actors is highly restricted.

Wizard default for ES: 30 days.

France

Authority: Commission Nationale de l'Informatique et des Libertés (CNIL). Law: Loi Informatique et Libertés + GDPR.

Default retention: 30 days is the recommended baseline for general use.

Notes:

  • CNIL allows up to 1 month by default for video surveillance.
  • Workplace surveillance: prior CSE/CSSCT consultation required, retention typically 1 month.
  • Public-space surveillance has its own framework (LOPMI, "vidéoprotection").
  • The "Cloud de Confiance" framework for sovereignty-conscious deployments is increasingly aligned with on-premise / EU-sovereign hosting.

Wizard default for FR: 30 days.

Germany

Authority: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) at federal level + state-level DPAs. Law: BDSG (Bundesdatenschutzgesetz) implementing GDPR.

Default retention: 48-72 hours is often the baseline for public spaces; 14 days for security-purpose general retention.

Notes:

  • Germany is the strictest among major EU markets on retention.
  • Datenschutzfolgenabschätzung (DPIA, Art. 35 GDPR) typically required for any non-trivial video surveillance.
  • Workplace cameras face strict requirements (works council consent, narrow purpose).

Wizard default for DE: 14 days. Presets for 7d, 30d (with DPIA reminder).

Italy

Authority: Garante per la protezione dei dati personali. Law: Codice in materia di protezione dei dati personali + GDPR.

Default retention: 24 hours to 7 days is the typical baseline. Longer retention requires explicit justification.

Notes:

  • Garante has been particularly strict on retention beyond 7 days.
  • Workplace surveillance: Statuto dei Lavoratori Article 4 requires union agreement or labor authority approval.
  • Public-space cameras: heavy restriction; usually 7-day retention max.

Wizard default for IT: 7 days. Presets for 14d, 30d (with Garante caution).

Netherlands

Authority: Autoriteit Persoonsgegevens (AP). Default: 4 weeks (28 days) for general surveillance, with longer retention requiring documented justification.

Belgium

Authority: Autorité de protection des données / Gegevensbeschermingsautoriteit. Default: 1 month for general, with specific framework for "cameras de surveillance publique" under separate camera law.

Other EU countries

For markets we'll enter post-MVP (Portugal, Ireland, Nordics): retention defaults track the GDPR + national-implementing-law pattern, generally between 14 and 30 days. Specific guidance to be researched per market when relevant.

Cross-cutting GDPR principles

Beyond retention duration, all EU deployments must satisfy:

  • Lawful basis (Art. 6): legitimate interest is most common for security cameras; consent is rarely workable.
  • Transparency (Art. 13/14): signage informing people they are recorded.
  • DPIA (Art. 35) when high-risk processing is involved (workplace, public spaces, sensitive contexts).
  • Data subject rights: access, rectification, erasure, etc.
  • Records of processing (Art. 30): document the purpose, retention, security measures.

Blocao supports all of these by being demonstrably local: data does not transfer cross-border, retention is enforced by storage rotation, and the audit trail lives in Git.

How Blocao maps to wizard defaults

When a country is selected at first boot:

| Country     | Default | Presets available                        |
|-------------|---------|------------------------------------------|
| Spain       | 30 d    | 14 d, 30 d, 60 d (justified)             |
| France      | 30 d    | 14 d, 30 d, 60 d (justified)             |
| Germany     | 14 d    | 7 d, 14 d, 30 d (with DPIA reminder)     |
| Italy       | 7 d     | 7 d, 14 d, 30 d (with Garante caution)   |
| Netherlands | 28 d    | 14 d, 28 d, 60 d (justified)             |
| Belgium     | 30 d    | 14 d, 30 d, 60 d (justified)             |

Each selection produces:

  • a Frigate config retention setting.
  • site-config repo annotation with regulatory basis.
  • HEALTH selftest verifying enforcement.
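The mapping above, carried through to two of the three artefacts, as an added example that is not Blocao's own wizard code: a country plus chosen preset yields the Frigate retention fragment and the regulatory note for the site-config annotation, and a HEALTH-style self-check reports any recording segment that has outlived the configured window. The Frigate key names (`record.retain.days`, `record.retain.mode`) and the sample segment timestamps are assumptions, not taken from this page.

```python
from datetime import datetime, timedelta, timezone

# Wizard defaults and presets per country, copied from the table above.
# The third field is the reminder attached to presets longer than the national default.
PRESETS = {
    "ES": (30, [14, 30, 60], "justification required above 30 d"),
    "FR": (30, [14, 30, 60], "justification required above 30 d"),
    "DE": (14, [7, 14, 30], "DPIA reminder (Art. 35 GDPR) for retention above 14 d"),
    "IT": (7, [7, 14, 30], "Garante caution for retention above 7 d"),
    "NL": (28, [14, 28, 60], "documented justification required above 28 d"),
    "BE": (30, [14, 30, 60], "justification required above 30 d"),
}


def wizard_retention(country, days=None):
    """Map a country + chosen preset to the two artefacts the wizard writes:
    the Frigate `record.retain` fragment and the regulatory note for the
    site-config annotation. Presets outside the approved list are rejected."""
    default, allowed, flag = PRESETS[country.upper()]
    days = default if days is None else days
    if days not in allowed:
        raise ValueError(f"{days} d is not an approved preset for {country}: {allowed}")
    note = flag if days > default else f"within {country} national default of {default} d"
    # Assumed Frigate keys (record.retain.days / record.retain.mode); verify them
    # against the Frigate version actually deployed.
    config = {"record": {"enabled": True, "retain": {"days": days, "mode": "all"}}}
    return config, note


def selftest_retention(segment_times, days, now):
    """HEALTH-style enforcement check: returns the timestamps of recording
    segments older than `days` that storage rotation should already have
    removed. An empty list means retention is being enforced."""
    cutoff = now - timedelta(days=days)
    return sorted(t for t in segment_times if t < cutoff)


if __name__ == "__main__":
    config, note = wizard_retention("DE")
    print(config, "//", note)
    # Constructed segment timestamps: one stale segment left behind on purpose.
    now = datetime(2026, 5, 9, 18, 46, tzinfo=timezone.utc)
    segments = [now - timedelta(days=d) for d in (1, 13, 20)]
    print("stale segments:", selftest_retention(segments, 14, now))
```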

Schrems II and sovereignty

Post-Schrems II (CJEU 2020), transferring EU personal data to US-based cloud is heavily restricted. Standard Contractual Clauses (SCCs) require supplementary measures, and "supplementary measures" for video data effectively mean encryption with non-US-accessible keys.

For most EU customers, the cleanest answer is "don't transfer to US cloud at all". Blocao's architecture (local storage + EU sovereign hub) is built precisely for this.

This is the sovereignty conversation in EU sales. The customer's DPO will love this architecture; their procurement may push for SaaS for cost reasons; the legal team will side with the DPO.

See also