CCTV and privacy in Norway

Compliance Hub

CCTV is regulated by data protection law. This page summarises the Norwegian Data Protection Authority’s (Datatilsynet) requirements and recommendations — with quotes from official guidance, checklists and FAQs. Solid Sikring does not provide legal advice; in case of doubt, contact Datatilsynet or a legal adviser.

Last updated: 2026-01-19

Read more at Datatilsynet

Requirements under data protection law

Purpose limitation

«You must define a clear purpose for the surveillance in writing. The surveillance cannot be used in ways that are incompatible with that purpose. CCTV for security purposes cannot later be used to check employees’ time sheets.» Source: Datatilsynet · Last updated: 2026-01-19

The purpose must be specific and documented. “Security” alone is not enough — specify e.g. protection of property, investigation of incidents or protection of persons. Document the purpose in writing, per camera or group.

Necessity

«CCTV must be necessary for the purpose. You should first consider whether surveillance will have a preventive effect or help investigate incidents. Will it help, and against what? CCTV must be a suitable measure. Then consider whether the problem can be solved or the risk reduced by other, less intrusive measures.» Source: Datatilsynet · Last updated: 2026-01-19

Surveillance must be suitable and necessary. Consider alternatives (lighting, access control, guards, physical security) first. If less intrusive measures are sufficient, CCTV is not permitted.

Interest balancing

«The interest in using CCTV must outweigh the privacy of those being filmed. Everyone has a right to move without being tracked, and CCTV interferes with that right. So weighty interests are required to use CCTV.» Source: Datatilsynet · Last updated: 2026-01-19

Legitimate interest (e.g. protection of life, health or property, prevention and investigation of crime) must outweigh the data subjects’ privacy. Audio surveillance is so intrusive that it is generally not permitted.

Signage and information

«Covert surveillance is not permitted. The most practical way to inform about CCTV is with signs stating that CCTV is in use, who is the controller, the purpose and where to find more information. Signs must be of a size, placement and number that make it easy to notice that the area is under surveillance. They should preferably be placed where you enter the surveilled area.» Source: Datatilsynet · Last updated: 2026-01-19

Notify clearly with signs: that surveillance takes place, who is the controller, purpose and where to find more info. Signs at the entrance to the surveilled area; inside buildings, notify again when surveillance continues in new zones.

Audio recording

«Surveillance with audio is so intrusive that it is normally not permitted. Covert recording of others’ conversations may also be a criminal offence.» Source: Datatilsynet · Last updated: 2026-01-19

Audio recording with CCTV is as a main rule not permitted. Exceptions must be assessed separately; if audio is used, it must be clearly stated on signs.

Sensitive personal data

«If the surveillance involves collecting sensitive personal data, the place surveilled is inextricably linked to sensitive matters (e.g. CCTV at the entrance to a place of worship) or the cameras use facial recognition, stricter rules apply.» Source: Datatilsynet · Last updated: 2026-01-19

Stricter requirements apply for sensitive data, special categories or facial recognition. Avoid surveillance that captures such data unless you have a valid basis and have assessed the risk.

Retention and deletion

«Personal data must not be kept longer than necessary. Where CCTV is used proactively, recordings should be deleted at reasonable intervals unless an incident has been detected. In practice, seven days is often used as a rule of thumb. Where CCTV is used reactively, you may keep the recording as long as necessary to investigate, report to the police or pursue a legal claim.» Source: Datatilsynet · Last updated: 2026-01-19

Proactive surveillance: delete at reasonable intervals (recommended up to 7 days). Reactive: keep only what is needed for investigation or legal steps. The longer the retention, the more you must document the need.

Data protection impact assessment (DPIA)

«Before use, the purposes of the processing must be specified. These purposes must be documented in writing and specified for each camera. The controller must assess whether the measure is first suitable to achieve the purpose, and second adequate and necessary.» Source: Datatilsynet · Last updated: 2026-01-19

For systematic surveillance you should document purpose, necessity, interest balancing and measures to limit intrusion (DPIA). Stricter rules apply for sensitive data, special categories or facial recognition.

Checklist before starting CCTV

Use this as a starting point. It does not replace legal assessment.

  • Define and document a specific purpose in writing.
  • Assess whether CCTV is necessary or whether less intrusive measures are sufficient.
  • Carry out an interest balancing: does the purpose outweigh the privacy of those filmed?
  • Provide clear signage (who is the controller, purpose, where to find more info).
  • Avoid audio unless exceptionally justified and clearly informed.
  • Set retention period and deletion routines (recommended up to 7 days for proactive surveillance).
  • Document the assessment (DPIA) and update when circumstances change.

Templates and documentation

You should have written documentation that includes:

Retail

Purpose statement
Download as .txt 
PURPOSE STATEMENT – CCTV (RETAIL)

Organisation: [Name]
Date: [Date]

Purpose of CCTV: Protect property against theft, vandalism and violence; document incidents. Limited to shop floor, till area, entrances. Not for monitoring staff.

Controller: [Name, org. no.]
More information: [URL or contact]
Legitimate interest assessment
Download as .txt 
LEGITIMATE INTEREST ASSESSMENT – CCTV (RETAIL)

[Name], [Date]. Interest: property protection, theft/vandalism. Necessity: alternatives considered. Balancing: signage and short retention. Documented.
DPIA checklist
Download as .txt 
DPIA CHECKLIST – CCTV (RETAIL)

[ ] Purpose documented [ ] Necessity and alternatives [ ] Interest balancing [ ] Signage [ ] Retention max 7 days [ ] No audio [ ] Access restricted and logged
Signage text
Download as .txt 
Sign text (retail): "This area is under CCTV. Controller: [Name]. Purpose: security. More info: [contact/URL]."
Retention schedule
Download as .txt 
RETENTION – RETAIL

Proactive: delete after 7 days. Incidents: export and keep as needed for police/insurance. Max [X] months. Document deletion.

Office / workspace

Purpose statement
Download as .txt 
PURPOSE STATEMENT – CCTV (OFFICE)

Organisation: [Name]
Date: [Date]

Purpose: Securing entrances, technical rooms, common areas. No surveillance of workstations unless justified. Controller: [Name]. More info: [URL]
Legitimate interest assessment
Download as .txt 
LEGITIMATE INTEREST ASSESSMENT – CCTV (OFFICE)

[Name], [Date]. Interest: securing premises. Cameras only where needed. Employees' privacy weighted. Documented and communicated.
DPIA checklist
Download as .txt 
DPIA CHECKLIST – CCTV (OFFICE)

[ ] Purpose; no workstation surveillance without justification [ ] Necessity [ ] Balancing; staff informed [ ] Signage [ ] Retention [ ] No audio/sensitive areas
Signage text
Download as .txt 
Sign text (office): "CCTV in this area. Controller: [Name]. Purpose: securing premises. More info: [URL]."
Retention schedule
Download as .txt 
RETENTION – OFFICE

Delete after 7 days. Incident material until case closed. Access limited. Log who accessed.

Exterior / facade

Purpose statement
Download as .txt 
PURPOSE STATEMENT – CCTV (EXTERIOR)

Organisation: [Name]
Date: [Date]

Purpose: Protect building and premises. Cameras cover entrances, car park, facade. No filming of public street or neighbours. Controller: [Name]. More info: [URL]
Legitimate interest assessment
Download as .txt 
LEGITIMATE INTEREST ASSESSMENT – CCTV (EXTERIOR)

[Name], [Date]. Interest: building/area protection. Limited to own property. Signage and short retention.
DPIA checklist
Download as .txt 
DPIA CHECKLIST – CCTV (EXTERIOR)

[ ] Purpose [ ] Own property only [ ] Signage [ ] 7-day retention [ ] No audio; no neighbours' property
Signage text
Download as .txt 
Sign text (exterior): "CCTV surveillance. Controller: [Name]. Purpose: security. More info: [URL]."
Retention schedule
Download as .txt 
RETENTION – EXTERIOR

Delete after 7 days. Incidents until resolved. Max [X] months.

Should you use CCTV?

Use this simple check as a starting point. It does not replace legal assessment.

  1. 1

    Do you have a concrete, documentable purpose (e.g. protection of property, investigation of incidents)?

    No → You should not install CCTV. Yes → Next step.

  2. 2

    Can the purpose be achieved with less intrusive measures (better lighting, access control, guards)?

    Yes → Consider these first. No → Next step.

  3. 3

    Does your interest outweigh the data subjects' right to privacy (interest balancing)?

    No → CCTV is not justified. Yes → Next step.

  4. 4

    Can you inform clearly (signage) and limit retention (e.g. 7 days)?

    No → Adjust the solution. Yes → Document purpose, assessment and routines before starting.

Practice examples (anonymised)

These examples illustrate permitted vs. not permitted use in a Norwegian context.

Shop in Oslo: Cameras in shop and at entrance, clear signage, 7-day retention. Purpose: theft and incidents.

Permitted

Concrete purpose, necessity, signage and limited retention satisfied.

Office: Cameras at each workstation to "monitor that people work".

Not permitted

Surveillance of work performance; employees' privacy outweighs employer's interest.

Car park: Cameras on own car park, sign at entrance, filming only own premises. Previous vandalism documented.

Permitted

Legitimate interest, limited area, signage and documented need.

Restaurant: Cameras in toilets "to check cleaning".

Not permitted

Highly intrusive; data subjects' rights outweigh the controller's interest.

Warehouse/facade: Cameras at entrances and loading areas, not workstations. Signage and 7-day retention.

Permitted

Purpose is securing property and access; less intrusive and documented.

Changelog (Datatilsynet)

This page is based on the Norwegian Data Protection Authority's public guidance. We update references when they change.

  • 2026-01-19 — Updated in line with Datatilsynet's CCTV pages (last checked).

Frequently asked questions about CCTV and privacy

Does CCTV need to be approved by Datatilsynet?

No. CCTV does not need to be approved by Datatilsynet. The controller is responsible for complying with the law before starting surveillance. You should still document purpose, necessity and signage, and carry out a DPIA when required.

Read more: Data protection impact assessment (DPIA)

How long can I keep CCTV recordings?

Personal data must not be kept longer than necessary. For proactive surveillance, Datatilsynet recommends deleting recordings at reasonable intervals — seven days is often used as a rule of thumb. For detected incidents, relevant material may be kept as long as needed for investigation or legal steps.

Read more: Retention and deletion

Is covert CCTV allowed?

No. Covert surveillance is not permitted. You must inform clearly, preferably with signs at the entrance to the surveilled area, that CCTV is in use, who is the controller and the purpose.

Read more: Signage and information

Can I use cameras with audio?

Surveillance with audio is so intrusive that it is normally not permitted. Covert recording of others’ conversations may be a criminal offence. If you have a special need, consult a legal adviser and inform clearly about audio if you use it.

When do I need a DPIA?

For systematic surveillance you should document purpose, necessity and measures. A formal DPIA is especially important when the processing may pose a high risk to data subjects’ rights — e.g. at sensitive locations, special categories of data or use of facial recognition. Datatilsynet has guidance on DPIAs.

Can I film employees with CCTV?

Interest balancing applies. As a main rule, an employer cannot use CCTV to monitor employees’ work performance; employees’ privacy then carries more weight. Surveillance for security in common areas may in some cases be permitted when necessary and limited.

Need CCTV that meets the requirements?

We help with planning, installation and documentation. Contact us for a no-obligation chat.

Contact us Back to CCTV