Answering GDPR article 15 requests for video footage

Written By Pimloc

Requests for personal data are becoming a routine part of how organizations manage video footage. Whether it’s a public authority handling surveillance recordings, a transport operator managing CCTV systems, or a private organization responding to customer inquiries, video has become one of the most complex data types to manage under privacy law.

Under GDPR Article 15, individuals have the right to access personal data held about them. This includes video footage where they are identifiable. In practice, this creates a difficult operational challenge: video often contains multiple people, background individuals, and sensitive contextual information that must be carefully reviewed before disclosure.

Handling these requests correctly is not just a legal obligation. It is also a test of an organization’s ability to manage privacy, security, and operational efficiency at scale.

What GDPR article 15 covers in the context of video

GDPR Article 15 grants individuals the right to obtain confirmation of whether their personal data is being processed and, if so, access to that data. When applied to video footage, this includes any recording where a person can be identified directly or indirectly.

Video presents unique complications compared to other data types. A single clip may include:

  • The individual making the request

  • Other identifiable people in the background

  • Sensitive visual context (locations, screens, documents)

  • Audio containing personal information

Unlike structured data such as spreadsheets or databases, video is unfiltered and continuous. This makes extraction and disclosure significantly more complex.

Organizations must ensure that only the relevant individual’s data is disclosed, while protecting the privacy of others captured in the same footage.

Why video makes article 15 requests difficult

Responding to Article 15 requests is straightforward in principle but difficult in execution when video is involved.

The main challenges include:

Identifying the Relevant Individual

Video footage rarely isolates one person. Even when the requester is present in a recording, they may appear:

  • Briefly in a crowd

  • Partially obscured

  • At different angles or times across multiple clips

Locating all instances of that individual across large video archives requires advanced search and tracking capabilities.

Protecting Third-Party Privacy

Perhaps the most difficult aspect is ensuring that other individuals in the footage are not exposed.

Every frame may contain:

  • Bystanders in public spaces

  • Employees or staff members

  • Minors or vulnerable individuals

  • Individuals not related to the request

These individuals have their own privacy rights, which must be protected before disclosure.

Managing Large Volumes of Footage

Organizations often store vast amounts of video data. A single request may require reviewing:

  • Hours of CCTV footage

  • Multiple camera angles

  • Footage spanning days or weeks

Manual review quickly becomes impractical at this scale.

Ensuring Consistency in Redaction

Even small inconsistencies in redaction can create compliance risks. For example, missing a single frame where a third party appears clearly identifiable can lead to privacy breaches.

Consistency across long video sequences is essential but difficult to achieve manually.

The article 15 video response workflow

A structured workflow helps organizations manage GDPR Article 15 requests more effectively. While exact processes vary, most follow a similar sequence.

Step 1: Request Verification

The first step is confirming the identity of the requester. Organizations must ensure the request is legitimate before processing any data.

This often includes:

  • Identity verification checks

  • Clarifying the time period or location of interest

  • Confirming the scope of the request

Step 2: Locating Relevant Footage

Once verified, the organization must locate all relevant video recordings.

This may involve searching:

  • CCTV archives

  • Body-worn camera systems

  • Dashcam or mobile video storage

  • Cloud-based surveillance platforms

The broader the video infrastructure, the more complex this step becomes.

Step 3: Reviewing and Identifying Personal Data

At this stage, footage must be reviewed to identify:

  • The requester

  • Any third parties visible in the footage

  • Any sensitive contextual information

This review is typically the most time-consuming part of the process.

Step 4: Applying Redaction

Before any video is disclosed, personal data belonging to third parties must be protected.

Redaction may include:

  • Blurring or obscuring faces

  • Removing license plates or identifying details

  • Muting or removing sensitive audio

  • Masking screens or documents visible in the footage

This step ensures compliance with data protection obligations while still allowing the requester to access their own data.

Step 5: Quality Assurance Review

A secondary review is often necessary to ensure:

  • All third-party data has been properly redacted

  • The requester’s data remains visible

  • No accidental over-redaction has occurred

This step is critical for minimizing compliance risk.

Step 6: Secure Delivery

Once approved, the redacted footage must be shared securely.

Organizations typically use:

  • Secure download portals

  • Encrypted file transfer systems

  • Controlled access links with expiration settings

Common compliance risks in article 15 video responses

Video-based subject access requests introduce several risks if not handled carefully.

Incomplete Redaction

One of the most common issues is failing to fully obscure third-party individuals. Even partial visibility can create compliance violations.

Over-Redaction

While protecting privacy is essential, excessive redaction can also be problematic if it prevents the requester from accessing their own data.

Data Leakage During Processing

Footage may be exposed unintentionally during internal handling, especially if multiple teams or systems are involved.

Lack of Audit Trails

Organizations must be able to demonstrate how a request was processed. Without detailed logs, it becomes difficult to prove compliance in the event of a dispute.

How automation is changing article 15 compliance

Traditional manual review processes are no longer sustainable for organizations handling large volumes of video data.

Modern AI-driven systems can:

  • Detect individuals across frames

  • Track movement across multiple clips

  • Identify and classify sensitive objects

  • Apply consistent redaction automatically

This reduces processing time significantly while improving consistency.

Automation also helps standardize workflows, ensuring that every request follows the same compliance steps.

Role of secure redact in article 15 video processing

Pimloc’s Secure Redact is designed to support organizations dealing with high volumes of video disclosure requests, including GDPR Article 15 subject access workflows.

Rather than relying on manual frame-by-frame review, Secure Redact uses AI-based detection to identify personal information in video footage and apply redactions consistently across entire sequences. This is particularly important when dealing with multi-camera environments or long-duration recordings.

The platform also supports scalable workflows that help teams manage request intake, processing, and review more efficiently. By integrating redaction into a structured workflow, organizations can reduce turnaround times while maintaining compliance with data protection requirements.

Best practices for handling article 15 video requests

Organizations can improve both compliance and efficiency by adopting a few key practices.

Centralize Video Storage

Keeping video footage in fragmented systems makes retrieval and review more difficult. Centralized storage simplifies search and processing.

Standardize Request Handling Procedures

Clear internal procedures ensure that every request is handled consistently, regardless of who processes it.

Use Automated Redaction Where Possible

Automation reduces manual workload and helps maintain consistency across large video datasets.

Maintain Detailed Audit Logs

Every step in the process should be recorded, including:

  • Search and retrieval actions

  • Redaction decisions

  • Review approvals

  • Final disclosure steps

Train Staff on Privacy Requirements

Even with automation, staff must understand the principles behind GDPR Article 15 to make informed decisions during edge cases.

Building a scalable approach to video subject access requests

As video continues to dominate modern evidence and operational workflows, Article 15 requests will only increase in frequency and complexity.

Organizations that rely on manual processes will struggle to keep up with demand, leading to delays, inconsistencies, and compliance risk.

A scalable approach combines structured workflows, strong governance, and automation. By embedding privacy controls directly into video processing systems, organizations can respond to requests more efficiently while maintaining confidence in their compliance posture.

In this environment, Pimloc’s Secure Redact plays an increasingly important role in helping teams manage video subject access requests at scale - without compromising accuracy, security, or privacy standards.

Pimloc
Previous

9 Risk factors facing the insurance industry in 2026
Next

Interrogation video management: best practices