Timelapse cameras have become essential tools for documenting construction progress, creating marketing content and monitoring site activity. However, when footage captures identifiable individuals – even indirectly – it triggers GDPR obligations across the European Union.

Under Regulation (EU) 2016/679, video footage qualifies as personal data if it allows identification of a natural person. This means timelapse systems must be designed with privacy by design, ensuring lawfulness, transparency and data minimization from the outset.

GDPR Core Principles for Timelapse Processing

The GDPR sets seven key principles that apply to all timelapse projects involving personal data:

• Lawfulness, fairness and transparency: Processing must have a clear legal basis, typically legitimate interest or contractual necessity.
• Purpose limitation: Footage collected for site monitoring cannot be repurposed for unrelated marketing without reassessment.
• Data minimisation: Capture only essential areas; avoid unnecessary coverage of public spaces or non-relevant zones.
• Storage limitation: Retain raw footage only as long as necessary – often days or weeks, not indefinitely.
• Integrity and confidentiality: Secure footage against unauthorised access, with encryption and access controls.

The European Data Protection Board (EDPB) Guidelines 3/2019 on video devices provide specific guidance, stressing that video surveillance must avoid “function creep” into unexpected uses like performance monitoring.

Article 13: Transparency Obligations

Article 13 GDPR requires controllers to provide data subjects with clear information at the point of data collection. For timelapse cameras on construction sites, this means visible signage explaining:

• Identity of the controller and contact details.
• Purposes of processing (e.g., site documentation, safety monitoring).
• Legal basis (e.g., legitimate interests under Art. 6(1)(f)).
• Retention periods and erasure policies.
• Rights to access, rectification, erasure and objection.
• Any automated decision-making or data transfers.

EDPB guidance emphasises that notices must be concise yet comprehensive, placed before entry to the monitored area. Failure to inform properly can invalidate the processing.

Lawful Basis for Construction Site Timelapse

The most common legal bases for timelapse processing are:

• Legitimate interests (Art. 6(1)(f)): Site security, progress documentation or theft prevention – but a balancing test is required against individuals’ rights.
• Contractual necessity (Art. 6(1)(b)): If footage is essential for project contracts with clients or insurers.
• Legal obligation (Art. 6(1)(c)): Compliance with site safety regulations.

Controllers must document the chosen basis and conduct a Legitimate Interests Assessment (LIA) where applicable.

EDPB Guidelines on Video Surveillance

The EDPB’s Guidelines 3/2019 offer practical advice for video devices, including timelapse systems:

• Field of view: Narrow to essential areas; avoid capturing neighbouring properties without consent.
• Special categories: Biometric data (e.g., facial recognition) requires explicit consent or strict necessity.
• Disclosure to third parties: Footage can be shared with police or insurers, but only under strict conditions.
• Rights of data subjects: Handle access requests efficiently; provide extracts rather than full footage if disproportionate.
• DPIA requirement: Mandatory for high-risk surveillance like large sites or AI-enhanced processing.

These guidelines ensure consistent GDPR application across EU Member States.

Anonymisation and Blurring Techniques

To minimise data processing, automatic anonymisation is highly recommended. Effective measures include:

• AI-powered blurring: Irreversibly obscure faces, bodies and license plates.
• Area masking: Black out sensitive zones like entrances or public paths.
• Pixelation: Render individuals unidentifiable while preserving site progress visibility.

TimelapseLab’s software, for example, automates this process, making footage GDPR-ready for sharing or publication. Such tools align with data minimisation and reduce DPIA complexity.

Storage, Access and Erasure

Raw timelapse footage should not be stored indefinitely. Best practices:

• Retention policy: 7-30 days for monitoring; longer only for specific incidents.
• Access logs: Track who views footage and why.
• Automated deletion: Purge data after retention period expires.
• Secure deletion: Overwrite or encrypt before erasure.

Document these policies in your records of processing activities (Art. 30 GDPR).

Technical and Organisational Measures

Implement robust safeguards:

• Encryption: Protect stored and transmitted footage.
• Access controls: Role-based permissions for site managers only.
• Audit trails: Log all system changes and views.
• Vendor agreements: Ensure cloud providers are GDPR-compliant (Art. 28 DPA).

For AI features like object detection, conduct additional assessments.

Construction Site Best Practices

1. Conduct a pre-installation privacy impact assessment.
2. Install prominent GDPR signage.
3. Limit camera angles and enable blurring by default.
4. Define clear retention and access policies.
5. Train staff on data subject requests.
6. Review annually or after system changes.

For seamless compliance, consider professional solutions like TimelapseLab’s GDPR documentation and privacy features, which handle blurring, notices and records automatically.

Conclusion

Timelapse projects on EU construction sites can fully comply with GDPR by prioritising transparency, minimisation and technical safeguards. Following EDPB guidelines ensures lawful processing while delivering valuable site documentation. Always document your approach – accountability is key under the GDPR.