Video Surveillance in Kindergartens under Privacy Law & GDPR

Video Surveillance in Kindergartens under Privacy Law & GDPR

2026-07-06

Abstract. This article examines the legal framework governing closed-circuit video surveillance in Polish kindergartens. It argues that Article 108a of the Education Law, contrary to a widespread reading, extends to preschool institutions through the statutory equation of “school” and “kindergarten”, yet simultaneously prohibits cameras in the very rooms in which kindergartens are most inclined to install them. The analysis maps the strict statutory exception to that prohibition, the available GDPR bases for public and non-public institutions, the mandatory character of the data protection impact assessment, retention and transparency duties, and the distinct legal character of live-streaming services offered to parents.

 

I. Introduction

Parents ask about cameras at enrolment, and directors install them in activity rooms on the assumption that the education law permits it. In truth, video surveillance in Polish kindergartens is governed by a provision which, read to its end, prohibits cameras precisely where institutions are most inclined to place them. An exception exists, but it is fenced by conditions of which few have heard. Independently of that provision, the entire burden of lawfulness of the processing rests on the General Data Protection Regulation, and documentation which most institutions treat as a formality becomes the sole load-bearing structure.

 

II. The Apparent Lacuna and the Real Prohibition: Article 108a of the Education Law

Article 108a of the Act of 14 December 2016, the Education Law (Prawo oświatowe), permits the director of a “school or institution” to introduce video monitoring where necessary for the safety of pupils and staff or for the protection of property. At first sight kindergartens fall outside the provision: the statutory definition of an “institution” (placówka) in Article 4(14) refers to the units listed in Article 2(3) to (8) and (10), while kindergartens appear in Article 2(1). A second look restores them to the frame: under Article 4(1) of the same Act, wherever the statute speaks of a “school”, the term is to be read as including a kindergarten. Article 108a therefore applies to kindergartens directly, by terminological equation, and not merely per analogiam.

The real difficulty lies elsewhere. Article 108a(3) prohibits monitoring in teaching, educational and care rooms, in rooms in which psychological and pedagogical assistance is provided, in staff rest and recreation rooms, in sanitary facilities, in the health prevention office, and in cloakrooms and changing rooms. For a school that is a catalogue of ancillary spaces. For a kindergarten the activity room is the heart of the institution: it is where the children spend their entire day. In extending the provision to kindergartens, the legislature prohibited cameras precisely where directors are most inclined to mount them.

The prohibition is not absolute. The second sentence of Article 108a(3) permits monitoring of the listed rooms where, cumulatively: it is necessary by reason of an existing threat to safety; it will not infringe the dignity and other personal rights of those observed; and techniques are applied which prevent the recognition of the persons present. Three conditions at once: a real threat (not parental comfort), dignity (of which more below), and anonymisation of the image. A camera showing recognisable children in an activity room “just in case” satisfies none of them.

The regulatory lacuna commonly asserted for kindergartens does exist, one rung lower: the Act on the Care of Children under the Age of Three says nothing about cameras, so surveillance in a nursery rests exclusively on the general rules of the GDPR.

 

The image of a child or of a member of staff constitutes personal data within the meaning of Article 4(1) GDPR, and the capture of that image constitutes processing. Article 108a determines where a camera may hang; it does not relieve the controller of the duty to identify a valid basis under Article 6 GDPR for the processing itself.

 

A. Public and Non-Public Kindergartens: Two Different Bases

A public kindergarten will rest its surveillance on Article 6(1)(e) GDPR: processing necessary for the performance of a task carried out in the public interest. The content of that task is supplied by Article 68(1)(6) of the Education Law, which obliges the director to ensure safe conditions of care.

A non-public kindergarten must instead invoke Article 6(1)(f) GDPR, the legitimate interests of the controller. That basis requires a balancing test, conducted and documented, in which the institution’s interest in safety and the protection of property is weighed against the rights and freedoms of those observed.

Parental consent, superficially attractive, is a trap. First, surveillance captures everyone present, so the withdrawal of consent by a single parent confronts the institution with a choice between switching the cameras off and infringing the Regulation. Secondly, the consent of staff is doubtful in view of the relationship of subordination (recital 43 GDPR). A basis revocable by a single e-mail is arguably no foundation on which to build a security system.

 

B. The Child’s Best Interests as a Primary Consideration

Article 6(1)(f) GDPR in fine mandates particular caution where the data subject is a child. The EDPB Guidelines 1/2024 on legitimate interest direct that the child’s interests be treated as a primary consideration within the balancing test, consistently with Article 24(2) of the Charter of Fundamental Rights; they do not alter the structure of Article 6(1)(f) and, like all EDPB guidance, remain soft law, though of a kind the supervisory authority will apply. Recital 38 adds that children’s lesser awareness of risks argues for stronger, not weaker, protection. In practical terms, the balancing test in a kindergarten must contain a separate, child-specific limb, and not merely an accounting of adult interests.

 

IV. Staff Under the Lens: Article 22² of the Labour Code and Case C-34/21

Teachers and auxiliary staff are employees, and employee monitoring is governed by Article 22² of the Labour Code (Kodeks pracy). The catalogue of permissible purposes is closed: employee safety, protection of property, production control, and the safeguarding of confidential information. Surveillance directed at the safety of children and the protection of property fits within that catalogue, provided the procedure is observed: the workforce must be informed no later than two weeks before activation; the purposes, scope and manner of monitoring must be set out in the workplace regulations or in a notice; and the monitored premises must be signposted.

The judgment of the Court of Justice in Case C-34/21 added a significant caveat: national provisions on the processing of employees’ data must contain the specific and suitable safeguards required by Article 88(2) GDPR, failing which they must be disapplied. The practical lesson for kindergartens is this: the further surveillance drifts from the classic protection of property towards the continuous observation of how work is performed, the weaker its footing becomes. Recordings may not be used to appraise the quality of a teacher’s work where the declared purpose was safety; a change of purpose after the fact infringes the purpose-limitation principle of Article 5(1)(b) GDPR. Analytical candour requires a reservation: the judgment arose on the Hessian law on the public service, so its transposition to Article 22² of the Polish Labour Code is an extrapolation, sound in direction yet counselling caution in the framing of categorical conclusions.

 

V. The Data Protection Impact Assessment as a Threshold Requirement

A data protection impact assessment (Article 35 GDPR) is required where processing is likely to result in a high risk to rights and freedoms. The Communication of the President of the Personal Data Protection Office (UODO) of 17 June 2019 (M.P. item 666) sets out a list of twelve types of operations requiring a DPIA. Three items matter for a kindergarten: large-scale processing of children’s data; processing of the data of persons whose assessment or situation depends on an entity holding supervisory or evaluative powers; and large-scale systematic monitoring of publicly accessible places involving the recognition of features, the Communication expressly providing that ordinary video surveillance recorded solely for incident analysis does not fall within this last category. The list adopts a rule of cumulation: the DPIA obligation is ordinarily triggered by the conjunction of at least two criteria. In a kindergarten the cumulation is all but written into the nature of the operation: children’s data plus staff in a relationship of dependence. The UODO has itself advocated de lege ferenda a mandatory DPIA for surveillance in educational institutions, which confirms that the provisions do not settle the point expressly; a prudent controller will not, however, wait for the legislature.

A rigorous DPIA comprises a description of the operations, a necessity and proportionality test (why cameras rather than less intrusive measures), a risk assessment, and mitigating measures; in substance it resembles a targeted legal audit of a single processing operation. Where the residual risk remains high, Article 36 GDPR requires prior consultation with the President of the UODO before the system is activated, and the supervisory authority’s decisions remain subject to review by the administrative courts.

 

VI. Dignity as the Boundary: the Lesson of the Garante Decision

The spatial limits are set by Article 108a(3), discussed above. In a kindergarten, however, a further layer arises which the statutory exception renders central: the dignity of those observed. The Italian supervisory authority, in a decision of 10 July 2025 (provvedimento no. 10162731), fined a nursery EUR 10,000 for publishing online photographs of children aged 3 to 36 months and for operating a camera system devoid of the required safeguards, ordering the removal of the images and the alignment of the system with the law. The universal conclusion: recording the image of children in intimate contexts violates their dignity irrespective of the declared purpose. A camera whose frame captures a hygiene corner or a changing area is not a compliance risk; it is a completed infringement awaiting its first complainant.

 

VII. Retention and Transparency

The retention of recordings is fixed by Article 108a(4): a maximum of three months, with automatic overwriting, and longer only where a recording constitutes evidence in proceedings. It is worth knowing that the EDPB Guidelines 3/2019 take as their starting point a period measured in days rather than months (72 hours by way of illustration), every longer period requiring additional justification; the Polish three-month standard is therefore liberal, and an institution should be able to defend in its DPIA why it relies on it. The information obligation is discharged in layers, in accordance with the same Guidelines: the first layer consists of legible signage at the entrance (controller, purpose, contact, reference to the full notice); the second, of a complete information clause available on the kindergarten’s website and at the front office. Surveillance must also be entered in the record of processing activities (Article 30 GDPR).

 

VIII. Live Streaming to Parents: A Distinct Category

The market increasingly offers services enabling parents to watch the kindergarten playroom in real time. As a matter of law this is an operation entirely distinct from surveillance: the purpose differs (supporting the child’s adaptation and reducing parental separation stress, not safety), the audience differs (parents rather than the director), and the allocation of roles frequently differs as well, the technology provider acting as a processor. Article 22² of the Labour Code does not legitimise transmitting the work of staff to third parties, and Case C-34/21 only sharpens that boundary. Streaming requires its own legal basis, its own DPIA, its own contractual layer of service terms and commercial agreements, and its own security architecture: individual credentials, a prohibition on recording, no archiving, and the hard exclusion of intimate contexts. To treat it as ordinary surveillance with a wider audience is a category error, and category errors tend to be invoiced at the first inspection.

 

IX. A Compliance Checklist for the Kindergarten Director

  1. Identify the legal basis: Article 6(1)(e) GDPR for a public kindergarten, or Article 6(1)(f) with a documented balancing test for a non-public one.
  2. Conduct and sign a DPIA before the cameras are activated.
  3. Include a separate analysis of the child’s best interests within the balancing test.
  4. Inform staff at least two weeks before launch and amend the workplace regulations or issue a notice.
  5. Exclude activity rooms from monitoring unless the conditions of the exception in Article 108a(3) are met cumulatively (an existing threat, dignity, anonymisation), and exclude without exception: toilets, cloakrooms and changing rooms, staff rooms, and areas used for care and hygiene activities.
  6. Signpost the monitored zones and make the full information clause available.
  7. Limit retention to a maximum of three months with automatic overwriting and justify that period in the DPIA.
  8. Restrict access to recordings to a narrow circle of authorised persons and log every playback.
  9. Enter the surveillance in the record of processing activities.
  10. Do not use recordings for purposes other than those declared, in particular for staff appraisal.

X. Concluding Remarks

Video surveillance in a kindergarten is permissible, but its lawfulness is constructed rather than conferred: it requires the correct GDPR basis, a rigorous DPIA, respect for the limits of Article 108a(3), and discipline in the use of recordings. The greatest risk is not the absence of a provision but its careless reading: Article 108a first embraces kindergartens and then prohibits cameras in their most important rooms. Responsibility for that reading rests entirely with the director as controller.

Skarbiec Law Firm advises educational institutions and technology providers on the documentation of surveillance and streaming, from impact assessments and information clauses to service terms and data processing agreements, within its data protection practice, and provides court representation in disputes arising from data processing.