CJEU on camera-based data collection: why Art. 13 GDPR applies and Art. 14 exceptions are off the table
The Court of Justice of the European Union has delivered a judgment (C-422/24) that brings long-awaited clarity to a deceptively simple yet highly consequential question: when personal data are captured through cameras, which transparency regime under the GDPR applies?
At first glance, the issue might appear technical, almost semantic. Yet the distinction between Articles 13 and 14 GDPR determines not only when and how information must be provided, but also whether controllers can rely on exemptions that, in practice, have often served as a safety valve for complex or large-scale processing operations. The Court’s answer is unambiguous and far-reaching. Where personal data are collected through direct visual observation by means of cameras, those data are regarded as collected directly from the data subject. Consequently, the information obligations under Article 13 GDPR apply in full. Article 14 GDPR, including its well-known exceptions in Article 14(5), has no role to play in this scenario.
What may look like a narrow clarification of transparency rules in fact reshapes compliance strategies across a broad range of camera-based systems. The ruling affects not only body-worn cameras, which formed the factual background of the case, but also vehicle cameras, dashcams, drones, wearable devices, smart infrastructure and, more generally, any technology that observes individuals in real time. In short, wherever cameras are used to visually capture people, the Court’s logic will be difficult to escape.
The background: cameras, observation and transparency obligations
SL (Stockholm’s public transport operator) equipped ticket inspectors with body-worn cameras that continuously record video and audio into a “loop buffer”, and – if needed (e.g., when issuing a penalty fare or in threatening situations) – the inspector can press a button to save the recording permanently.
Individuals were visually recorded during interactions, often in situations characterised by movement, spontaneity and limited opportunity for explanation. Importantly, the individuals concerned were not actively involved in any data provision process. They did not upload information, fill out forms or otherwise engage with the controller in a way traditionally associated with data collection. In many cases, they were not even aware of the precise technical parameters of the recording.
This factual setting crystallised a long-standing tension in data protection law. On the one hand, the GDPR distinguishes between personal data collected directly from the data subject and data obtained from other sources. On the other hand, modern technologies increasingly generate personal data without any active input by the individual concerned. Cameras are perhaps the most prominent example of this development.
Against this background, the referring court asked whether camera recordings constitute personal data “collected from the data subject” within the meaning of Article 13 GDPR, or whether they should instead be treated as data obtained from another source, triggering Article 14 GDPR. This was not a merely theoretical question. If Article 14 GDPR were applicable, controllers could potentially rely on the exceptions set out in Article 14(5), in particular where providing information would involve disproportionate effort or prove impossible.
The distinction is anything but academic. Article 13 GDPR requires information to be provided at the time of collection and contains no general escape clauses based on proportionality or feasibility. Article 14 GDPR, by contrast, explicitly recognises that transparency may, in certain situations, collide with practical limitations and therefore allows for exceptions. For years, this structural difference has been a focal point of debate in relation to camera-based processing, with divergent views among supervisory authorities, courts and commentators.
The CJEU’s answer: observation equals direct collection
The Court’s reasoning is deliberately functional and firmly rooted in the protective purpose of the GDPR. Where personal data are obtained through direct visual observation of a person by means of a camera, the data are collected directly from that person. The decisive factor is not whether the individual actively provides the data, interacts with the controller or even consciously notices the recording. None of these elements, the Court makes clear, are required for data to be regarded as collected “from” the data subject.
What matters is the factual mechanism by which the data come into existence. If the controller obtains personal data by observing the data subject in real time, rather than by acquiring those data from a third party, a database or another external source, the collection is direct. Cameras do not mediate or relay information originating elsewhere; they create personal data by capturing the physical presence, appearance and behaviour of the individual at a specific moment in time.
This interpretation is fully consistent with the GDPR’s broad and protection-oriented understanding of “collection”. It avoids formalistic distinctions based on notions of user interaction that belong to an earlier, more static conception of data processing. Instead, it focuses on the factual relationship between the controller and the data subject at the moment the data come into existence. In doing so, the Court aligns transparency obligations with the lived reality of modern surveillance and observation technologies.
The decisive consequence: Article 14 GDPR and its exceptions do not apply
The most significant practical implication of the judgment lies not in what it adds, but in what it excludes. If Article 13 GDPR applies, Article 14 GDPR does not. And if Article 14 GDPR does not apply, its exceptions in Article 14(5) are simply off the table.
Controllers can no longer argue that providing information would involve disproportionate effort, nor can they rely on delayed, layered or purely ex post transparency concepts that have developed in the context of Article 14 GDPR. The obligation to inform is triggered at the moment of collection and must be addressed accordingly, even in environments characterised by mobility, scale or operational complexity.
This marks a decisive shift. Many controllers had assumed that camera-based systems, particularly those deployed in public or semi-public spaces, could rely on the flexibility built into Article 14 GDPR. The Court’s ruling significantly narrows this perceived compliance leeway and replaces it with a stricter, more immediate transparency standard.
Timing and content: transparency must be immediate and effective
The Court places particular emphasis on the timing of the information obligation. Where Article 13 GDPR applies, information must be provided at the time the personal data are collected. In the context of camera-based processing, this means at the moment recording begins or, at the latest, when individuals enter the area or situation in which observation takes place.
The Court does not require that every data subject receive a personalised explanation, nor does it insist on a single prescribed format. What it does require, however, is that transparency be real rather than theoretical. Individuals must have a genuine opportunity to become aware of the processing and to understand its essential parameters.
This includes, at a minimum, the identity of the controller, the purpose of the recording, the legal basis relied upon and the rights available under the GDPR. These elements are not optional. They form the core of informational self-determination and allow individuals to assess the legitimacy of the processing and to exercise their rights in an informed manner.
From a compliance perspective, this shifts the centre of gravity from legal documentation to operational design. Transparency cannot be relegated to privacy policies hidden on websites that data subjects may never visit. Instead, it must be embedded into the physical and digital environment in which the camera operates. Signage, layered information concepts, visual symbols, QR codes and contextual explanations all become part of the compliance toolkit. The decisive criterion is not formal completeness, but whether transparency actually reaches the individuals concerned at the relevant moment.
Not just about body cams
Body-worn cameras are the most intuitive and visible example and formed the factual basis of the case. They involve close-range, direct observation of individuals in real-world interactions, often in situations of heightened sensitivity. It is therefore unsurprising that they sit at the heart of the Court’s reasoning.
Yet the implications extend far beyond this specific use case.
Vehicle cameras that record their surroundings operate on the same principle of visual observation. This includes dashcams, parking surveillance systems and so-called sentry modes that continuously monitor the environment around a vehicle. Drones used for inspection, monitoring or security purposes similarly capture individuals directly as they move through physical space.
The same logic applies to wearable cameras, smart glasses, augmented reality devices, mobile inspection tools, security patrol equipment and an increasing range of smart city and smart building technologies. In all these scenarios, individuals are observed in real time. Their images, movements and behaviours are captured not from third-party databases, but directly from their physical presence.
Under the logic of the judgment, this constitutes direct collection of personal data. The fact that the recording may be automated, incidental or secondary to another function does not change the legal character of the collection. Where cameras see people, Article 13 GDPR applies in full.
Confirmation of Austrian practice
From an Austrian perspective, the judgment will come as a confirmation rather than a departure from existing case law. The Austrian Federal Administrative Court (BVwG) has already taken the position that camera footage captured from vehicles constitutes direct collection of personal data and therefore triggers the application of Article 13 GDPR.
By endorsing this reasoning at EU level, the CJEU strengthens legal certainty and ensures a harmonised approach across Member States. What may previously have been perceived as a particularly strict national interpretation is now clearly anchored in Union law.
Why this matters beyond transparency
The ruling does more than clarify which information provision rule applies. It reinforces a broader structural principle of data protection law: technical distance does not create legal distance.
Controllers cannot rely on the passive nature of recording, the absence of user interaction or the scale of processing to dilute their obligations. If technology allows them to observe individuals, the law treats this as a direct relationship with the data subject, accompanied by corresponding duties.
This has implications well beyond transparency notices. It affects risk assessments, data protection impact assessments, product development and internal governance. Camera-based processing must be evaluated not as an ancillary technical feature, but as a core element of the processing operation that shapes compliance from the outset.
In this sense, the decision fits squarely within the GDPR’s broader emphasis on accountability and data protection by design. Transparency is not an afterthought to be bolted on once a system is operational. It is a design parameter that must be addressed at the same level as functionality, security and efficiency.
Practical challenges and compliance strategies
Implementing Article 13 GDPR transparency in camera-based systems is undeniably challenging. Cameras are often deployed in environments characterised by movement, unpredictability and limited attention spans. Traditional information channels, such as written notices or direct explanations, may be impractical or insufficient.
However, the Court makes it clear that difficulty does not equal exemption. The absence of a convenient solution does not justify falling back on Article 14 GDPR logic or its exceptions. Controllers must instead develop context-sensitive transparency concepts that are capable of functioning in real-world settings.
This requires a reassessment of existing camera deployments. Controllers should examine when and how individuals are informed, whether the information provided is intelligible in context and whether it genuinely enables data subjects to exercise their rights. In many cases, this will involve rethinking signage, updating internal procedures and aligning technical configurations with transparency requirements.
Conclusion
With this judgment, the CJEU draws a clear and principled line. Camera-based observation constitutes direct collection of personal data. Article 13 GDPR applies. Article 14 GDPR and its exceptions do not.
The decision has immediate relevance for body-worn cameras, vehicle cameras and a wide array of emerging technologies that rely on visual observation. It confirms existing Austrian case law, harmonises practice at EU level and significantly raises the bar for transparency compliance.
For organisations deploying camera-based systems, the message is simple but demanding: transparency starts when the camera starts.
