Expert Advice Community

EU GDPR Data

Guest user Created:   Feb 26, 2020 Last commented:   Feb 28, 2020

Hi. What are the obligations for an entity given the regulations under GDPR with regard to:

  • Usage, Collection, Processing, and Storage of CCTV Data
  • Collection, Processing, and Storage of Biometric Data

Expert
Alessandra Nisticò Feb 28, 2020

First of all, you must consider that GDPR is a technology-neutral regulation, which means that all obligations apply to any data processing no matter what technology you decide to use. Regarding the topics you asked about, I will split my answer.

Usage, Collection, Processing, and Storage of CCTV Data  

 

CCTV is mostly governed by Member State legislation, so you need to verify the internal requirements in order to comply with them. Many Member States require you to avoid video surveillance of workers, to state explicitly the security reasons for adopting CCTV, and not to film public paths unless authorized by public authorities.

You must ensure that the monitors displaying the CCTV images are accessible to and viewed only by authorized staff, and that data retention periods are clearly established, with automatic cancellation of previous videos.

Collection, Processing, and Storage of Biometric Data

Biometric data are considered a special category of data under article 9 GDPR (the so-called sensitive data), like health, sex, ethnicity, politics or religious orientation, because they can constitute a threat to the freedom of individuals. Therefore, some additional precautions are required.

Article 9 GDPR requires consent of individuals as a legal ground to process biometric data along with the other cases listed in letters from "b" to "j" in article 9 GDPR. GDPR also explains that “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.”

 A Data Protection Impact Assessment (DPIA) and a Data Protection Officer (DPO) are required if biometric data are processed on a large scale.

You should make sure you determine:

• the purposes of biometric data processing (why you are collecting those data)

• the legal ground (consent or other cases listed in article 9 GDPR)

• data retention policy

• DPIA in order to identify the risks the processing presents to data subjects and implement measures tailored to mitigate those risks.

• Hiring a DPO

• Check for additional requirements from the Member States.

Here you can find some information: 

Article 9 GDPR: https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/

5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

How to hire the right DPO: https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/

Checklist of Mandatory Documentation Required by EU GDPR: https://info.advisera.com/eugdpracademy/free-download/checklist-of-mandatory-documentation-required-by-eu-gdpr/

This course can also be of help:

EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
