Can hotel guests request CCTV deletion under UK GDPR right to erasure?
The right to erasure under UK GDPR dictates that guests have a legal basis to request the deletion of their personal CCTV footage, but exceptions apply, particularly in the context of security and law.
Can hotel guests request CCTV deletion under UK GDPR right to erasure?
While Article 17 of the UK GDPR grants individuals the "right to erasure," this right is not absolute, especially for commercial organisations like hotels, where legitimate interests (e.g., crime prevention, investigation) override the request. Hotels must conduct a Data Retention Impact Assessment (DRIA) to determine if the footage is necessary for compliance or legal requirements, guided by the ICO. Deletion is mandatory if the footage is no longer required for stated purposes or statutory obligations. However, if the footage is needed for an active police investigation or local council inquiry, the hotel can, and should, refuse the deletion request, documenting the legal basis for the refusal. Clear, visible signage outlining data retention periods and the scope of surveillance is essential for transparency and compliance.
More questions about Hotels and Hospitality:
Must hotels inform guests if they are using facial recognition CCTV?
Yes, under UK GDPR and ICO guidance, any use of sophisticated technology like facial recognition requires explicit, prominent notification. Simply having a sign is often insufficient; the hotel must clearly inform guests that biometric data is being processed, explaining the purpose, the legal basis, and the right to object. If the system is used to match faces against specific databases, this significantly increases the legal burden and requires a robust Data Protection Impact Assessment (DPIA) before deployment.
How long can hotels legally keep general CCTV footage of common areas?
Generally, the ICO advises that CCTV footage should only be retained for the period absolutely necessary to achieve the stated purpose, typically aiming for 24 to 48 hours for common area monitoring. Retaining footage beyond this window significantly increases data risk and the organisation’s liability in the event of a data breach. If an incident or potential crime is reported, the retention period may be extended, but this extension must be fully documented and minimised to only the required timeframe for investigation.
What documentation is required for CCTV when dealing with hotel contractors or service staff?
When external contractors (e.g., maintenance, housekeeping) or non-staff service personnel are present, the hotel must ensure proper data handling protocols are in place. This means implementing defined access controls and maintaining records detailing who had access, when, and for what purpose. Training documentation for staff and contractors, supervised by management, is critical to demonstrate compliance and mitigate the risk of unauthorised viewing or mishandling of sensitive images.
Does a hotel need specific signage if they are using cameras in a public-facing lobby area?
Absolutely. All visible CCTV systems must be accompanied by clear, unambiguous signage that adheres to data protection principles. The sign must clearly state that CCTV is in operation, specify the purpose of the monitoring (e.g., safety, theft prevention), and identify the name and contact details of the organisation responsible for the recording. Failure to adequately inform the public can be viewed by the ICO as a failure of transparency, regardless of the system’s technical compliance.
Phone: 07830 638 337 | GitHub: https://github.com/gazpearce/gary-ai-assistant | Pillar: Hotels and Hospitality
Related CCTV Guides - Pubs, Bars and Restaurants - Gyms and Fitness Centres - Car Parks
Gary Pearce - 07830 638 337 | GitHub Main pillar: Hotels and Hospitality