The GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour.

​

Where images of parties other than the requesting data subject appear on the CCTV footage the data controller needs to consider, on a case-by-case basis, whether the release of the unedited footage ‘adversely affects’ the rights or freedoms of the third parties, such as their data protection rights, trade secrets, or intellectual property rights such as copyright.

The controller needs to conduct a balancing test between the right of the data subject (requester) to access his or her personal data as against the identified risk to the third party that may be brought about by the disclosure of the footage.

The GDPR notes that these considerations should not result simply in a refusal to provide all relevant information to the data subject. Where necessary, measures may include pixelating or otherwise de-identifing the images of other identifiable parties before supplying a copy of the footage from the footage to the requester. Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester.