By Teresa Basile, Christine E. Lyon, and Janelle J. Sahouria of Morrison & Foerster

Spain’s strict new limitations on video surveillance

In recent months, Spain has imposed substantial new restrictions on video surveillance and other types of videotaping of individuals without their consent. These developments underscore important differences between U.S. and Spanish privacy law.

Spain’s approach to video surveillance is illustrated by a recent enforcement action, in which Spain’s Data Protection Authority (the AEPD) fined a 20 year-old for posting a video on YouTube without the consent of the individual shown in the video. This case received significant media attention, as the video showed a group of teenagers harassing a disabled person, and led to public outrage over the mistreatment of the victim. The AEPD investigated the incident and determined that the videotaping violated Spain’s Data Protection Law (the LOPD) because the victim had not consented to being recorded. In a subsequent statement, the AEPD explained that the LOPD generally requires a person or entity making a video recording to obtain the consent of each person who can be identified in the video recording:  “The collection of images of a person, as long as [the images] allow the identification of that person, is regulated by [the LOPD] and requires the consent of the person involved.”  This consent obligation applies even if the individual is videotaped in a public location, as discussed below.

Applicability of Spain’s data protection law to video surveillance

The LOPD provides that “the processing of personal data shall require the unambiguous consent of the data subject, unless laid down otherwise by law.” Processing is broadly defined to include collection, recording, storage, or transfer of personally identifiable information. The AEPD has explained that “collecting the images of a person in a public place constitutes data processing” as long as the images allow identification of that person. In other words, Spain recognizes an inherent right not to be videotaped without consent, even in public locations. This is a noteworthy difference from U.S. law, which generally recognizes a privacy interest only if the individual had a reasonable expectation of privacy in the location where the video surveillance occurred.

This leads to the question of whether a company operating in Spain may use video surveillance within its facility. In general, video surveillance may serve multiple functions:  protecting the safety of employees and customers in publicly accessible areas (such as retail areas), identifying theft by customers or employees, and deterring theft and other misconduct. The AEPD recently issued guidelines for video surveillance, which attempt to balance individual privacy rights with the legitimate purposes served by video surveillance.

New video surveillance guidelines

The new Video Surveillance Guidelines (the Guidelines) must be read as a complement to Instruction 1/2006 on the processing of personal data when using cameras or video cameras for security purposes.

In general, the processing of personal data by means of video surveillance systems requires the data subject’s consent. Exceptions to this rule can be found in the Spanish Private Security Law and in section 20 of the Labor Statute, as described in more detail below.

When using video surveillance systems for security purposes, private companies must comply with certain requirements.

First, before creating any databases that contain video surveillance files, private companies must notify the AEPD of their intention to create video surveillance files. In comparison, there is no need to notify the AEPD when video surveillance systems are used to simply play or broadcast images in real time (without storing such images as files).
Second, private companies have a duty of information vis-à-vis those individuals whose images are to be captured. Organizations must place at least one sign in zones that are under video-surveillance, notifying individuals that they are under surveillance. These signs must be placed “in a sufficiently visible zone, in open as well as enclosed spaces.”  In addition, organizations must provide affected individuals with certain information as required under the LOPD.

Third, organizations must ensure that technical and organizational measures are in place to guarantee the security of the data, and to protect against alteration, loss, or unauthorized processing or access to the video surveillance files.
Lastly, the video surveillance files can be stored for a maximum of one month, unless data are needed for purposes of criminal or administrative investigations.

In addition to the above rules, another set of requirements is prescribed for those organizations wishing to use video cameras for monitoring purposes in the workplace. Section 20.3 of the Spanish Labor Statute allows the video monitoring of employees, without their consent, in order to check that employees are fulfilling their labor obligations. Nonetheless, there are minimum requirements to be observed by the organizations:

  • There must be no other alternatives or more appropriate means to accomplish this purpose than the use of such video surveillance;
  • The implementation of video surveillance systems must be strictly limited to the uses and locations necessary for fulfilling the purpose of the employee monitoring;
  • Video surveillance systems cannot be located in facilities meant for employees’ private use (e.g., toilets, restrooms, or recreation rooms);
  • Employees’ right to their private lives must be respected, and private conversations cannot be recorded;
  • Organizations must fully respect their employees’ information rights (i) by notifying the employees’ union representatives that a video surveillance system is to be put in place, (ii) by placing the information sign described above as set out in the Instruction 1/2006, and (iii) by means of a personalized notice;
  • In cases where video surveillance files are created, the notification requirement described above applies;
  • Employees’ images must be deleted within 30 days, unless these data are needed for investigative purposes (crimes or non compliance with labor obligations);
  • Employees’ rights of access to and erasure of their images must be guaranteed;
  • Organizational and technical measures to secure data must be implemented; and
  • The company retained to install the video surveillance equipment must comply with specific requirements pursuant to Spanish sector based law.

Additionally, video surveillance systems installed by financial entities are governed by separate sector specific laws.

Penalties for non compliance

The AEPD is empowered to enforce the LOPD and levy fines for violations. Penalties are based on the severity of the infringement, but the fines can be very harsh compared to those imposed in other European Union Member States. In 2007, the AEPD collected ?19.6 million in fines. Additionally, the Spanish Criminal Code allows imprisonment for certain violations of the LOPD (e.g., unauthorized access to personal data, use, or theft of such data).

Practical implications

While Spain has stricter rules on video surveillance than many other EU Member States, Spain’s approach demonstrates general principles that apply in all EU Member States:

   1. Privacy rights in the EU are not limited to situations in which an individual has a reasonable expectation of privacy, or a reasonable expectation that he or she will not be observed. To the contrary, EU data protection laws recognize an inherent right of privacy against surveillance, even in the workplace or other public places.
   2. A company cannot diminish these EU privacy rights simply by announcing its intent to conduct surveillance or monitoring. Notice is a fundamental requirement of EU data protection laws, but notice does not in itself suffice, because other obligations arising under those laws must also be met.

For these reasons, companies operating in Spain or other EU Member States should exercise caution in implementing video surveillance or other monitoring practices, even if the same practices are acceptable in the U.S. or other countries.

Christine Lyon is a partner in the Palo Alto office of Morrison & Foerster LLP. Her practice concentrates on privacy and employment law, including counseling, litigation, and transactional work.

Janelle Sahouria is an associate in the San Francisco office of Morrison & Foerster, where she is active in the firm’s pro bono efforts.

Teresa Basile is an associate in the Brussels office of Morrison & Foerster LLP and is a member of the firm’s Litigation Department. Her practice includes advising multinational companies on different aspects of EU competition law, such as cartels, mergers, and abuse of dominance, as well as data protection and privacy law at both the EU and national levels.




If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Early Bird ends TODAY.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»