CCTV in Your Donegal Hotel, Restaurant or Pub: GDPR Obligations.

CCTV footage is personal data under GDPR. Donegal hotels and restaurants face fines up to €20m for placement, retention, and signage failures. Here is what the law requires.

When the Data Protection Commission investigated a Donegal hotel in 2024, the finding was not unusual: CCTV cameras in staff changing areas, no visible signage at the entrances to recorded spaces, footage retained for over a year without a documented reason, and no procedure for responding to subject access requests from guests or employees who wanted to know what had been captured about them. The fine was €100,000. The hotel also had to fund a remediation programme, remove cameras from non-compliant locations, and implement a full GDPR compliance review of its CCTV operation. What made the case striking was how ordinary the situation was. Most Donegal hotels, restaurants, and pubs that have CCTV installed are in a similar position.

Your Donegal hotel, restaurant, or pub almost certainly has CCTV cameras. They were installed — quite reasonably — to prevent theft, protect staff, deter trouble, and provide evidence when incidents occur. But CCTV footage is personal data under GDPR. Every frame that captures a guest's face, a staff member's movements, or a customer's vehicle registration plate is data that you, as the data controller, are responsible for protecting, limiting, and eventually deleting. The obligations are specific, the enforcement is real, and the gap between what most hospitality businesses do and what GDPR actually requires is significant.

WHAT: The Legal Framework for Hospitality CCTV

Under GDPR, you need a valid legal basis to process personal data — including CCTV footage. For hospitality businesses, the most common and appropriate basis is legitimate interest: you record to protect your property, your staff, and your guests from theft, assault, and fraud. This is a lawful basis, but it is not unlimited. Legitimate interest must be weighed against the privacy rights of the individuals you are recording. That balancing act determines where you can place cameras, how long you can retain footage, and what you must tell people about the recording.

Where you can place cameras is relatively clear. Reception and lobby areas, bar and dining areas, kitchens (for food safety and staff safety), external entrances, car parks, till areas, and general corridors are all defensible under legitimate interest. Where you cannot place cameras is equally clear, and far more serious if breached. Guest bedrooms are private. Bathrooms and toilets are private. Staff changing rooms and locker areas are private. No legitimate interest outweighs the expectation of privacy in these spaces, so CCTV there cannot be lawful processing at all, and depending on what has been recorded it may also expose the business to criminal liability under other legislation. If such cameras exist, remove them immediately.

The obligation to provide clear signage is widely ignored. You must display visible notices at every entrance to a recorded area stating that CCTV is in operation, who the data controller is, why you are recording, how long footage is kept, and how individuals can request access to footage that captures them. A basic template is: "CCTV in operation for the security of staff, customers and property. Footage retained for 28 days. Data controller: [business name]. Access requests: [contact email or phone]." Signage is how you meet the transparency obligation that legitimate interest depends on; without it, people have no notice that they are being recorded, and the processing fails the transparency requirement regardless of how sound your legal basis is.

Do you know whether your CCTV system meets GDPR requirements? Book a free 20-minute strategy call — we help Donegal hospitality businesses identify and close GDPR compliance gaps before they become enforcement issues.

WHAT NOW: The Four Operational Requirements You Must Meet

Retention period is the most commonly violated requirement. The storage limitation principle under GDPR requires you to hold personal data only as long as necessary for the purpose for which it was collected. For standard security CCTV with no active incident under investigation, the DPC treats around twenty-eight days as a reasonable default. If you have had a specific incident, such as a theft, an assault or a disputed transaction, you can retain the relevant footage for longer, typically up to ninety days, while the matter is being addressed, and for the duration of any Garda investigation or legal proceedings if that runs longer, provided you document why. Footage kept for years "just in case" is not legally justified, and the Data Protection Commission has the power to order its deletion.[^3] Retention covers the whole footage lifecycle, not just the recorder: a clip exported to a USB stick or a manager's laptop for an incident is still footage you hold and must eventually delete.

Security of footage is a GDPR obligation (Article 32), not an optional extra. Footage must be stored on systems with access controls: the recorder's default credentials changed, a separate account for each person who needs access rather than one shared login, and access limited to staff who need it for legitimate security purposes. Remote viewing or transmission over the internet, for example to a monitoring service or a manager's phone, must be encrypted, and a recorder exposed directly to the internet on its factory password is itself a breach waiting to happen. Sharing footage on social media is almost never legally permissible. Sharing with third parties requires a lawful basis for that sharing and a record of what was shared, with whom and why. NCSC Ireland advises that data security obligations under GDPR apply to all formats of personal data, including video.[^1]

Access requests are a right under GDPR. If a guest, customer, or staff member asks to see footage that captures them, you must respond within one month, extendable by up to two further months for complex requests if you tell the requester within the first month; you can refuse only where the request is manifestly unfounded or excessive. Footage usually captures other people as well, and before you hand over a clip you must consider their rights, which in practice means blurring or cropping other identifiable individuals or supplying stills rather than the full recording. You need a process for this: a standard request form, a named staff member responsible for handling the request, and a way to locate and extract the relevant footage before it is overwritten. An Garda Síochána also notes that CCTV footage is frequently requested as evidence in criminal investigations, so an organised retrieval process matters for law enforcement cooperation as well as GDPR compliance.[^2]

Data Protection Impact Assessments are required for extensive CCTV systems. If your cameras cover most of your premises or capture significant volumes of footage about staff and guests, you should formally document: why you are recording, what footage is captured, who has access, how long you keep it, what privacy risks exist, and how you mitigate them. This documentation is what a DPC inspector would ask for first.

WHY IT MATTERS: The Consequences Are Disproportionate to the Effort of Compliance

The Data Protection Commission can impose fines of up to €20 million or 4 percent of global annual turnover for serious GDPR violations, whichever is higher. For most Donegal hospitality businesses, the €20 million figure is theoretical. The practical reality is that even fines in the €10,000 to €100,000 range are business-damaging — and that is before the reputational harm of a public enforcement decision. DPC enforcement decisions are published on their website. A finding against your hotel or restaurant is visible to future guests, employees, and business partners.

The compliance requirements are not technically difficult. Signage is a printing job. Retention settings on most modern CCTV systems can be configured in minutes. An access request procedure is a one-page document. A DPIA is a structured conversation written up. The gap between where most Donegal hospitality businesses currently sit and where they need to be is surprisingly small in terms of effort — the barrier has been awareness, not complexity.

CCTV that is non-compliant with GDPR does not protect your business. It exposes it. The same system that secures your premises can become a significant regulatory liability if it is not operated correctly.

WHAT NEXT: Three Actions This Week

  1. Audit your camera locations today. Walk your premises and note every camera. For each one, confirm it is in a common area rather than a private space. If any cameras are in staff changing areas, bathrooms, or guest bedrooms, disconnect them immediately and take formal legal advice on whether the historical recording must be reported to the DPC as a breach and how the footage already captured should be handled.

  2. Install signage at every entrance to a recorded area before the end of this week. This is the most visible compliance gap and the most straightforward to close. Standard A4 notices are sufficient. Include the purpose, retention period, and contact information.

  3. Check your retention settings. Access your CCTV system and confirm whether footage is being automatically overwritten or deleted after twenty-eight days. If not, configure the system to do so, or establish a manual deletion schedule with a named responsible person and a log of each deletion run. Include exported clips and backups in that schedule, not just the recorder itself.
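Where the recorder cannot enforce retention by itself, or where clips have been exported to a shared drive for an incident, the retention paragraph above and action 3 can be implemented as a small scheduled job. The script below is an added example and is not the page's own code or any vendor's feature: it assumes a hypothetical file layout of one clip per file named camera_YYYYmmddTHHMMSSZ.mp4, a hypothetical list of incident holds, and a JSON-lines audit log. It deletes clips older than 28 days that are not under a hold, keeps held clips up to 90 days, and flags anything held longer than that for a human decision rather than deleting or silently keeping it.

```python
"""Retention enforcement for CCTV clips exported to disk (added example).

Assumed, hypothetical layout: one file per clip, named <camera>_<YYYYmmddTHHMMSSZ>.mp4.
The Hold structure and the audit log format are also assumptions made for this example.
"""
from __future__ import annotations

import json
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

STANDARD_RETENTION_DAYS = 28   # routine security footage with no incident
INCIDENT_RETENTION_DAYS = 90   # footage covered by an open incident hold


@dataclass(frozen=True)
class Clip:
    path: str
    camera: str
    recorded_at: datetime  # timezone-aware UTC


@dataclass(frozen=True)
class Hold:
    incident_ref: str      # hypothetical incident reference, e.g. "INC-0007"
    camera: str
    start: datetime
    end: datetime
    opened_by: str         # the named person responsible for the hold


def parse_clip(path: str) -> Clip:
    """Derive camera and timestamp from a filename like bar_20240422T000000Z.mp4."""
    stem = Path(path).stem
    camera, stamp = stem.rsplit("_", 1)
    recorded = datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return Clip(path=path, camera=camera, recorded_at=recorded)


def hold_for(clip: Clip, holds: list[Hold]) -> Hold | None:
    """Return the incident hold covering this clip's camera and recording time, if any."""
    for h in holds:
        if h.camera == clip.camera and h.start <= clip.recorded_at <= h.end:
            return h
    return None


def classify(clip: Clip, holds: list[Hold], now: datetime) -> tuple[str, str]:
    """Decide 'delete', 'keep' or 'review' for one clip, with the reason written to the log."""
    age = (now - clip.recorded_at).days
    hold = hold_for(clip, holds)
    if hold is None:
        if age >= STANDARD_RETENTION_DAYS:
            return "delete", f"{age}d old, no hold, over {STANDARD_RETENTION_DAYS}d standard retention"
        return "keep", f"{age}d old, within standard retention"
    if age >= INCIDENT_RETENTION_DAYS:
        # Beyond the incident window retention needs a documented justification,
        # so the clip is flagged for a decision rather than deleted or silently kept.
        return "review", f"{age}d old, hold {hold.incident_ref} exceeds {INCIDENT_RETENTION_DAYS}d"
    return "keep", f"{age}d old, held for {hold.incident_ref} (opened by {hold.opened_by})"


def run_retention(clip_paths, holds, now, audit_log, operator, delete=True):
    """Classify every clip, delete the expired ones, and append one JSON line per decision."""
    decisions = {"delete": [], "keep": [], "review": []}
    with open(audit_log, "a", encoding="utf-8") as log:
        for path in clip_paths:
            clip = parse_clip(path)
            action, reason = classify(clip, holds, now)
            decisions[action].append(clip.path)
            if action == "delete" and delete:
                os.remove(clip.path)
            log.write(json.dumps({
                "when": now.isoformat(), "operator": operator, "clip": clip.path,
                "camera": clip.camera, "recorded_at": clip.recorded_at.isoformat(),
                "action": action, "reason": reason,
            }) + "\n")
    return decisions


if __name__ == "__main__":
    # Constructed sample: four clips in a temporary directory, one incident hold on the till camera.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    root = Path(tempfile.mkdtemp())
    names = ["bar_20240527T000000Z.mp4",   # 5 days old: keep
             "bar_20240422T000000Z.mp4",   # 40 days old, no hold: delete
             "till_20240422T000000Z.mp4",  # 40 days old, under hold: keep
             "till_20240222T000000Z.mp4"]  # 100 days old, under hold: review
    for n in names:
        (root / n).write_bytes(b"\x00" * 16)
    holds = [Hold("INC-0007", "till", now - timedelta(days=120), now - timedelta(days=30), "Duty manager")]
    result = run_retention([str(root / n) for n in names], holds, now, root / "retention.log", "Duty manager")
    print(result)
    print((root / "retention.log").read_text())
```

Run it from a daily scheduled task under an account that can delete from the footage share but nothing else, and keep the audit log somewhere the operator cannot edit; the log is what answers a DPC inspector's question about when a given day's footage was deleted and by whom. The "review" outcome is deliberate: a hold that has outlived the ninety-day window is exactly the case where the page says a documented justification is needed, so a script should surface it rather than decide it.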

Related Reading

[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.