Body Cameras - GDPR Article 13
On 18 December 2025, the Court of Justice of the European Union (“CJEU”) delivered a salient GDPR transparency ruling for organisations using body-worn cameras and other ‘observational’ recording tools. In Integritetsskyddsmyndigheten v AB Storstockholms Lokaltrafik (C-422/24), the CJEU held that where personal data are captured by a body camera worn by ticket inspectors on public transport, the controller’s information duties are governed by Article 13 GDPR, not Article 14.
The incidental question: ‘Which of Articles 13 and 14 of the GDPR applies where personal data are [collected] by [means of] a body camera?’
| Article 13 | Information to be provided where personal data are collected from the data subject |
| Article 14 | Information to be provided where personal data have not been obtained from the data subject |
AB Storstockholms Lokaltrafik (“SL”) which operates Stockholm's public transport system, equipped ticket inspectors with body cameras. The cameras served three stated purposes: 1. preventing and documenting threats and violence against staff; 2. verifying passenger identity in fine-issuing situations; and 3. supporting subsequent legal proceedings.
The technical architecture reflected data minimisation principles, whereas the cameras operated with a circular memory, automatically overwriting footage after a fixed retention period of one minute. Crucially, the equipped ticket inspectors could manually preserve recordings by pressing a dedicated button, which interrupted such automatic deletion process. The system incorporated pre-recording technology, capturing the 60 seconds preceding the button press enabling inspectors to preserve complete context of incidents even if the response time was delayed.
Inspectors received explicit instructions to preserve footage in two specific scenarios: 1. when issuing fines to passengers; and 2. when facing verbal or physical threats. Over the course of the supervision period, inspectors recorded passengers without providing individual notification at the point of collection.
Article 13, requires that controllers provide specified information "at the time when personal data are obtained." Conversely, article 14 permits notification "within a reasonable period" up to one month.
The CJEU recognised that this textual distinction rests exclusively on the source of the personal data. The operative concept is not whether the data subject actively participated in providing the data, nor whether the data subject was aware that collection was occurring. Rather, the distinction turns on whether the personal data originated directly from the data subject or from another source entirely.
This formulation is decisive for body camera surveillance. When a ticket inspector activates a body camera to record a passenger, the controller (in this circumstance, SL) is taking direct action to collect personal data. The source is the data subject (the passenger) even though the data subject has not actively "provided" the data through a conscious, voluntary act. The passenger's unawareness or inability to consent is legally immaterial to the classification.
The CJEU grounded its analysis in Recital 61 of the GDPR, which distinguishes between information obligations based on whether personal data are "obtained from a source other than the data subject." The inclusion of explicit reference to the data source in Article 14(2)(f) requiring controllers to inform subjects "from which source the personal data originate" underscores that source identification is the defining characteristic of indirect collection.
By contrast, Article 13 contains no such source identification requirement. It is to be noted that this structural difference is not incidental as it reflects the regulatory assumption that where data are collected directly from the data subject, the source is inherently known and transparent.
Additionally, the CJEU rejected SL's argument that linguistic variations across EU language versions (notably, the Swedish version's different terminology) could displace this principle. The CJEU reiterated settled case-law requiring that EU legislation be interpreted uniformly across all language versions, with divergences resolved by reference to the legislation's general scheme and purpose. The Court noted that the term "obtaining" used in Article 14(5)(c) encompasses both data collected from third parties and data the controller itself generated from such data. The distinction remains rooted in source, not in the data subject's level of active cooperation.
The judgment's reasoning extends beyond simple video recording. Any system that processes personal data through direct observation including facial recognition systems or AI-powered behavior analysis constitutes direct collection from the data subject if the observation target is the source. Ergo, article 13's immediate notification requirement also applies in this context.
Controllers deploying such surveillance technologies must particularly attend to data subject rights information, including the requirement under Article 13(2)(f) to provide "meaningful information about the logic involved" in automated decision-making and profiling.
For any further information or assistance, please contact us at info@gtg.com.mt
Authors: Dr Terence Cassar and Dr J.J. Galea