When EU makes laws (or any government entity, really), it’s a trial and error process. Traffic laws are simple. If you’re allowed to drive at 50 km/h, then driving 49 km/h is OK, driving 51 km/h is not. Social laws are much more complex. Tax law has become a massive pile of spaghetti filled with bugs that allow some entities to pay very little, and other entities to pay a lot.
The General Data Protection Regulation is an attempt to protect the privacy of citizens of the EU. Companies are not allowed to covertly collect massive amounts of information about people; they must inform the user, and they must delete personal information if asked to do so.
From the EU’s FAQ on the topic, you can find this passage
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
It seems to me that EU is thinking about companies like Facebook, Google and just about every other company that collects massive amounts of data about their users.
Most video surveillance systems are not capable of tracking people around the store, let alone recognize the same user as they visit the store on different days. Naturally, if you have this wonderful technology deployed, and you are actually identifying people in the feed, I believe that you might have to take a much closer look at GDPR and start posting notes and ask for consent (in clear language).
As I understand it, if regular video surveillance is in effect, you need to post information about this (you already are), and probably be able to document your retention policies if anyone asks.
Granted, if you start building cases about people, where you are collecting clips and images, then you def. need consent.
Adding a bit of Gaussian blur to the faces of people (when displayed in the client) is simply irrelevant in relation to GDPR. If you are storing the information, you have to inform and get consent.
I harbor no illusions that slick salespeople won’t try to use these new laws as a way to sell more snake-oil. I am also pretty certain that you’ll hear unverified anecdotes about companies that were fined because they did not blur the faces in the viewer application.
So, post a sign that says “video is recorded and kept for 30 days” and you’re good. But you have to actually abide by it. If you perform analytics (poor you), track people, correlate purchases and arrival times to POS readouts, then you have to post that too.
In Denmark, they’ve already announced that because this is such a complicated issue (mostly due to charlatans spreading FUD), they will be very lenient with non-compliance unless it is an intentional violation of the rules (e.g. a standard VMS running a 2 week loop in a store is not going to be fined for not posting a consent form at the door).