GDPR at events: Video surveillance – what is permitted?

Anyone planning video surveillance at an event needs to keep the GDPR and the Austrian DSG (§ 12) in mind. It involves personal data – and therefore clear ground rules: choose a legal basis, limit the areas, inform visibly, keep retention periods short and control access. This page summarises the expectations of the Austrian Data Protection Authority (DSB) in a concise and practical way.

Am I allowed to film my event at all?

Filming at an event is permissible if there is a solid legal basis. In practice, this is usually legitimate interest (Art. 6 (1) (f) GDPR; e.g. protection of people and property) or – less frequently – consent. The DSB cites as typical justifying interests: protection of life, health and property. For public events, the following applies: consent is organisationally complex and often not truly voluntary, so relying on legitimate interest plus strict limitation is usually more realistic.

Austria has specific rules on image recording in § 12 DSG (keyword: permissible image processing; supplementary to the GDPR and partly debated). For events this mainly means: before putting a system into operation, check and document lawfulness on your own responsibility.

What the DSB specifically expects

The Data Protection Authority has published clear, easy-to-apply guardrails. They relate to information, storage limitation, capture areas and evaluation.

Signage & information duties

Before the monitored area, a “video surveillance” notice sign must be placed in a clearly visible position (e.g. at eye level). The sign announces the surveillance and refers to further information (controller, purposes, contact, rights). Visitors should be able to decide before entering whether they want to enter the area.

Mini example: At the entrance to the festival site there is a pylon with a “video” pictogram and a short text block; the QR code leads to the privacy notice with details.

Storage limitation – why “72 hours” is the rule

The GDPR does not mention a fixed number; as a rule of thumb, the DSB works with 72 hours. Longer periods are permitted only in exceptional, well-justified cases (e.g. documented incidents, weekend operation). Courts and decisions regularly follow this approach.

Limit capture areas

Public traffic areas (pavement/road) must generally not be filmed. The DSB only accepts a tolerance of up to 50 cm beyond the property boundary in exceptional cases, where the protection purpose cannot be achieved otherwise (e.g. facade protection against vandalism). Neighbouring properties remain off limits.

Access & evaluation only in case of a specific incident

Recordings may only be evaluated if there is a concrete reason (theft, damage to property). Posting clips on social media or putting up “wanted” notices is not permitted; searches for individuals are reserved for authorities. Roles and access rights must be defined.

Consent vs legitimate interest at public events

When selling tickets or handling registrations, it is tempting to “bundle in” consent to video recordings. Caution: the GDPR requires consent to be freely given; participation must not depend on unnecessary consent (prohibition of tying, Art. 7 (4)). In practice: it is usually better to base video surveillance on legitimate interest and be transparent – instead of “hiding” consents.

Mini example: In the checkout flow there is a clear notice “CCTV to protect guests & crew”. Participation is not tied to ticking a video consent box; instead, a link leads to the privacy information.

Live transmission without storage: a less intrusive measure – with obligations

A live transmission without recording is also considered processing, but is “less intrusive” than CCTV with storage. Nevertheless, signage, purpose limitation, restricted capture areas and data subject rights must still be respected.

Drones at events: data protection ≠ aviation law

Drone video is subject to the same data protection rules as fixed cameras as soon as people are identifiable. In parallel, aviation requirements apply (EASA categories; in Austria: Austro Control). In the Open category, flights over assemblies of people are generally prohibited; registration and, in some cases, proof/insurance are mandatory. Data protection and aviation law must be assessed separately.

Mini example: A festival plans a short drone flyover for the opening: without flying over the crowd (Open A1/A3) and with a clearly defined corridor, this can be manageable under aviation law – but the data protection notices at the entrance are still required.

Short overview: key points & sources

The following table summarises key requirements for video surveillance at events under the GDPR – including indicative values and primary sources.

| Topic | What applies at the event? | Source |
|---|---|---|
| Legal basis | Legitimate interest is usually practical; consent only if genuinely voluntary. | WKO/DSB. |
| Signage | Clearly visible before entry; information on purpose, controller, rights. | DSB. |
| Retention period | Reference value 72 h; longer only with a solid justification. | DSB/DSB decisions. |
| Capture area | No public areas; 50 cm tolerance only in exceptional cases. | DSB. |
| Evaluation | Only in case of a specific incident; no social uploads. | DSB. |
| Prohibition of tying | Do not make participation dependent on video consent. | WKO. |
| Drones | Data protection as for cameras + EASA/Austro Control regime; flights over crowds prohibited (Open category). | oesterreich.gv.at/Austro Control. |

The table does not replace a case-by-case assessment; it helps you avoid typical pitfalls early and documents your due diligence.

Checklist for organisers

Use this compact to-do list to implement video surveillance at events in a GDPR-compliant way. Add your internal processes (security, IT, legal department).

  1. Define purpose & areas: Why are you filming? Which camera angles are actually necessary? (Create documentation.)
  2. Place signage: Before entry, clearly visible, with reference to privacy information.
  3. Set retention period ≤ 72 h: Longer periods only with robust justification.
  4. Roles & permissions: Who is allowed to access recordings? Evaluation only in case of an incident.
  5. DPIA check (data protection impact assessment): For elevated risk (e.g. large-scale capture, sensitive areas), check whether a DPIA is required.
  6. Process for data subject rights: Access, erasure, objection – clarify internal contact points and deadlines.

At the same time, crowd and access concepts should be considered – video is never the sole solution, but complements access control, stewarding and structural measures.

Practical tips for events (selected do’s & don’ts)

Before cameras start running, it is worth looking at small details that often decide whether you are compliant.

  • Do: Mask/blur capture areas in the camera; limit operating times to the event window.
  • Do: Use a live wall in the control room without recording as a “less intrusive measure” – with signage and purpose indication.
  • Don’t: Aim the stage camera so that the pavement is recorded continuously – 50 cm tolerance applies only in narrow exceptional cases.
  • Don’t: Post clips on social networks just because something looks “exciting”.

These points significantly reduce your risk profile and can be implemented quickly with standard systems.

Where does video fit into your event safety concept?

Video works best when it runs in parallel with access control and stewarding. For access, crowd management and stewarding, see our event security service. The interface between check-in, ticketing and CCTV is handled by our access control service. Good integration reduces capture areas and storage needs – and strengthens lawfulness.

Small scenario: Access control at the main entrance regulates flow and screening; CCTV covers only the gate lines and ticket desks. Public areas are kept out of frame, the notice sign stands before the zone change, and retention is limited to 72 h.