As a first step, we explain when the GDPR is applicable. The GDPR applies when:
- The data controllers and processors are situated in the EU, whether or not the processing occurs within the EU.
- Non-EU data controllers or data processors process the personal data of data subjects who reside in the EU for activities such as delivering goods and services, or monitoring behavior that occurs within the EU.
- The case is subject to the national law of an EU member state.
As a result, all providers of goods and services who have customers in the EU must conduct their data processing activities in compliance with the GDPR.
1-1- Key definitions
In this section we define six key terms that are used in the explanations that follow:
Personal Data: “Personal Data” refers to any information that pertains to a natural person who is identifiable or has been identified. Thus, an individual’s image, which directly identifies them, is regarded as personal data.
Video surveillance involves the capture of images and video recordings of individuals by cameras, which constitute personal data. When security cameras or CCTV capture footage or images of an individual in a way that can identify them directly or indirectly, it is classified as personal data.
Data Processing: Data processing involves the utilization of personal data in various ways, such as gathering, storing, analyzing, and sharing. It may be carried out by a data controller, who decides the reasons and methods of processing personal data, or a data processor, who handles data on behalf of the data controller.
The use of video surveillance systems and security cameras by an organization to obtain footage of individuals amounts to the collection of personal data. Subsequently, this data is stored and may be subject to analysis, which falls under processing as per the GDPR.
Data Subject: The term “data subject” refers to a natural person who has been identified or is identifiable, either directly or indirectly, by means of an identifier like a name, identification number, location data, image, online identifier, or by any other factor related to their physical, physiological, genetic, mental, economic, cultural, or social identity.
In video surveillance, individuals who are recorded by a video camera are considered data subjects. For instance, in a production facility that employs a video camera surveillance system to uphold occupational health and safety, the laborers performing their daily duties on the premises, as well as any visitors or contractors, would be considered data subjects under the GDPR.
Data Controller: The individual or legal entity responsible for deciding the purposes and methods of personal data processing and establishing and managing the data recording system is known as the Data Controller.
Regarding video surveillance, the Data Controllers are the owners or final users of the CCTV devices, which may include companies that have installed and are operating security cameras and video surveillance systems in their premises.
Data Processor: A Data Processor is an individual or legal entity who is not part of the Data Controller’s organization, but processes personal data on behalf of the Data Controller based on the latter’s authorization. The Data Processor, who is granted authority by the Data Controller through a personal data processing agreement, processes personal data as per the instructions provided while adhering to the terms of the agreement. In the case of video surveillance, companies providing cloud-based products that serve as cloud data storage servers or cloud-integrated VMS companies act as Data Processors.
Veunex acts as a Data Processor and processes personal data on behalf of our clients for the purpose of “ensuring occupational health and safety” at their facilities, as part of the services we offer.
Biometric Data: Under GDPR, personal data derived from technical processing that pertains to physical, physiological, or behavioral characteristics which facilitate or confirm the unique identification of a natural person, such as facial images or keystroke data, are referred to as biometric data. Biometric data should only be classified as such if it is utilized for purposes such as identifying or verifying individuals via biometric techniques.
Veunex does not gather biometric data or perform facial recognition, and instead uses default face-blurring algorithms to pseudonymize faces.
1-2- EDPB’s Guidelines 3/2019 on the processing of personal data through video devices
The guidelines regarding the processing of personal data through video devices highlight the following:
- Measures must be taken to prevent the misuse of video recordings for purposes that are completely different from the intended purpose, such as marketing or monitoring employee performance.
- Data controllers must carefully consider the general principles outlined in Article 5 of the GDPR when dealing with video surveillance.
- Data controllers should be aware of the risk of display device malfunctions and take necessary precautions to prevent harm.
- If the intended purpose of data processing can be achieved through other means or methods, video surveillance may not be necessary and cannot be used as a legitimate basis for data processing.
The Guidelines provide clarification on the following topics related to personal data processing through video devices:
- The application of the GDPR to such processing
- The legitimacy of such processing
- The processing of special categories of personal data, including biometric data
- The data subject’s rights in relation to this type of processing
- The obligations of data storage and retention
- The technical and institutional measures required for this type of data processing.
Fundamental Principles Governing the Processing of Personal Data
Article 5 of the GDPR provides seven general principles to protect privacy while processing personal data. These principles are:
Lawfulness, fairness, and transparency: Processing must be conducted in accordance with GDPR criteria, ensuring that personal data is handled in a manner that the subject would reasonably expect and not used in a way that would have unjustifiable negative consequences on them. The reason for the collection and processing of personal data must be explicitly stated.
Purpose limitation: Personal data can only be collected for “specified, explicit, and legitimate purposes.” The purpose for collecting the data must be disclosed to the data subject. Data pertaining to the public interest, research, or statistical reasons may not have requirements for purpose limitation, but processing without further consent should not be allowed.
Data minimization: Data collected should be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed,” which means only necessary information should be gathered and stored for a particular procedure.
Accuracy: Collected data must be “accurate and where necessary kept up to date.” Changes should not be made to prevent identity theft. Data controllers must create editable data management systems so that subjects can update their data.
Storage limitations: Personal data must be kept in a form that permits identification of data subjects for no longer than necessary. Data for statistical, academic, or public interest purposes can be stored for a long time with the right security measures in place. A controller’s repositories should be cleaned out of any unnecessary data.
Integrity and confidentiality: Data controllers must maintain the integrity and confidentiality of the data they collect, essentially keeping it secure from internal or external threats. They should use appropriate technical or organizational measures to provide “appropriate security of the personal data, including protection against unlawful processing or accidental loss, destruction, or damage.”
Accountability: Controllers shall be accountable if the data processing is not compliant with GDPR.
2- Lawfulness of video surveillance
For data processing activities to be lawful, they must be based on one of six valid justifications for processing personal data: consent, contract, legal obligation, vital interest, public task, or legitimate interests.
- Consent: Under the consent justification, organizations may process personal data if individuals have explicitly agreed to the processing of their data for a specific purpose. Before using video surveillance, organizations must obtain individuals’ clear consent and inform them of the purpose of the system.
- Contract: If processing is necessary for the performance of a contract to which an individual is a party, organizations may rely on the contract justification. For example, an organization may use video surveillance to monitor employee attendance and performance as part of their employment contract.
- Legal obligation: Organizations can rely on the legal obligation justification if processing is necessary to comply with a legal obligation. For instance, an organization may be required to use video surveillance to comply with health and safety regulations.
- Vital interest: If processing is necessary to protect the vital interests of an individual or another person, organizations can rely on the vital interest justification. This may include using video surveillance to prevent crime or protect individuals from harm.
- Public task: The public task justification allows organizations to process personal data for the performance of a task carried out in the public interest. For instance, an organization may use video surveillance to monitor public areas for the purpose of public safety.
- Legitimate interests: Under the legitimate interests justification, organizations may process personal data if it is necessary for their legitimate interests or those of a third party, provided that these interests do not override the fundamental rights and freedoms of the individual. Before using video surveillance, organizations must carefully consider the impact on individuals’ rights and freedoms and ensure that their legitimate interests are not outweighed by any negative impacts.
The legitimate interest for video surveillance lies in ensuring physical security, protecting against workplace hazards, and promoting occupational health and safety. In the context of workplace safety, the use of video surveillance can be justified as necessary for protecting the safety and well-being of employees and other individuals present in the workplace. This may include monitoring hazardous areas and identifying and preventing safety risks. At Veunex, data processing serves the simple purpose of providing a risk-free work environment in terms of occupational safety and health.
We believe that video surveillance for workplace safety can be legally justified under the legitimate interests basis as defined by the GDPR. Legitimate interests refer to an organization’s or a third party’s interests, provided that they do not override the individual’s interests or fundamental rights and freedoms. However, it is crucial for organizations to carefully assess which lawful basis is the most appropriate for their video surveillance activities and ensure that they can justify the use of the system under one of the GDPR’s lawful bases. Furthermore, organizations must be transparent with individuals about the purpose of the video surveillance and inform them of their rights in relation to the processing of their personal data.
3- Transparency in video surveillance
When it comes to video surveillance systems, the warning sign should prominently display the essential information (first layer), while additional mandatory details can be provided through other means (second layer).
First Layer: Warning Sign
The initial stage of communicating with the data subject in the layered approach to privacy notices and warning signs is the first layer. Here, controllers can use warning signs to convey relevant information, which can be accompanied by an icon to offer a clear and easily comprehensible overview of the intended processing in compliance with Article 12 (7) of the GDPR.
The first layer sign typically comprises five distinct elements, including the identity of the controller and, where appropriate, the controller’s representative, contact details of the data protection officer (if applicable), purposes of the processing for which the personal data are intended, as well as the legal basis for the processing, and the data subject rights, such as the right to request access to or erasure of their personal data from the controller.
Additionally, a QR code that leads to the second layer notice may be included in the first layer sign.
Second Layer: Privacy Notice regarding Video Surveillance
To ensure that data subjects can easily access complete information about the processing of their personal data, the second layer of information should be readily available. This may be accomplished by making a comprehensive information sheet available at a central location, such as a reception desk or information kiosk, or by displaying the information on a prominent poster.
The first layer warning sign should clearly indicate that a second layer of information exists and provide a means of accessing it, such as a QR code or website address. If the second layer of information is provided digitally, it should be accessible without the need to enter the monitored area. Alternatively, a phone number could be provided for individuals to call and access the information.
In accordance with Article 13 of the GDPR, the second layer of information must contain all required details. It is important to ensure that the information is easily accessible and presented in a clear and understandable format, so that data subjects can be fully informed about the processing of their personal data.
At Veunex, we strongly encourage our clients to provide their employees and contractors with adequate information regarding the security camera, CCTV, and video surveillance data collected on their premises, which is shared with us to enhance Environmental Health and Safety conditions and ensure Occupational Health and Safety in the facility. We advise our clients to prioritize transparency with regard to the privacy of their workers and take all necessary measures to ensure they are fully informed about the collection and processing of their personal data.
4- Biometric data in GDPR
In the context of the General Data Protection Regulation (GDPR), biometric data falls under the category of “special categories of personal data,” which includes information related to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify an individual, and data about an individual’s health, sex life, or sexual orientation. In continuation of our series on the GDPR and video surveillance, this article will explore biometric data, its meaning, and its importance in video surveillance systems.
To be classified as biometric data under the GDPR, the data must satisfy certain conditions. These conditions include:
- Nature of the data: The data must pertain to the physical, physiological, or behavioral attributes of an individual. At Veunex, we do not associate data with any personal attributes of individuals.
- Manner of processing: The data must be generated as a result of “specific technical processing.” Veunex does not process data in a way that extracts biometric information.
- Purpose of processing: The data must be utilized for the purpose of uniquely identifying an individual. At Veunex, we do not identify individuals; our system is designed to detect unsafe acts or behaviors.
Veunex’s platform ensures complete anonymity of individuals by blurring their faces, thereby making it impossible to identify them from the images or videos. Additionally, Veunex does not store any biometric data related to the individuals. The primary objective of Veunex is to analyze occurrences of unsafe acts or conditions and to develop strategies to prevent them and ensure occupational health and safety. Once an individual goes out of the camera’s range, their tracking information is lost, and Veunex does not use any biometric data to track them.
5- Data minimization and pseudonymization
Organizations are expected to adhere to the principle of data minimization, which mandates that they should limit the collection and retention of personal data to the minimum amount necessary for a particular purpose. This principle holds particular significance in the context of video surveillance, where the collection and storage of vast quantities of personal data can give rise to significant privacy issues.
Article 4 of the GDPR defines pseudonymization as the processing of personal data in a way that makes it impossible to attribute the data to a specific individual without additional information. However, this additional information must be kept separate and subject to technical and organizational measures to prevent the personal data from being linked to an identifiable natural person.
Article 25 of the GDPR stipulates that data pseudonymization is a requirement for data controllers. This involves implementing suitable technical and organizational measures, such as pseudonymization, at both the planning and processing stages, in order to uphold data protection principles.
In the context of video surveillance systems, data pseudonymization can involve methods to conceal the identities of individuals in the footage. One common approach is the use of face blur algorithms that automatically detect and obscure faces in video footage. By implementing this technique, the privacy of individuals in the footage can be safeguarded, as their identities are effectively hidden from view.
Veunex applies face blurring by default to both alert evidence images and videos in order to prevent identification of individuals. The system is designed to detect potential hazards in high-risk areas already covered by existing video surveillance systems and security cameras in production facilities. The face blurring feature is a standard practice for all video data and cannot be reversed, even at the request of customers. Veunex’s Research Team is also working on a broader and more advanced Data Pseudonymization technique, which aims to remove all personally identifiable information from collected frames and videos.
The Veunex platform offers the option to set the archive duration, and the data controller can even set it to zero, which means that no data is recorded at all. This feature is not limited to video footage from cameras but also extends to any videos related to alarms that have a specified deletion time. This architecture aligns with the data minimization principle of GDPR.
6- Storage Limitations and Data Retention
Data retention refers to the practice of storing information for a defined period of time. At an individual level, data retention can be observed when data is saved on a mobile device, where a storage limit may be reached if there is no established process for backing up, migrating, and disposing of the data.
Article 30 of the GDPR mandates that companies maintain records of processing activities and retention schedules for different categories of data. This underscores the importance of having a data retention policy for GDPR compliance. Such policies are also critical in ensuring that data is securely and properly deleted, preventing unauthorized access by individuals or parties. This serves to satisfy the GDPR’s requirement for organizations to protect personal data against unauthorized destruction or access.
A policy document outlining when and for how long specific data types will be stored and when they will be deleted is known as a data retention policy. When creating a data retention policy, the following best practices should be followed:
- Conduct a data audit: Identify the data your organization gathers, stores, and processes, and categorize it based on its importance, legal requirements, and regulatory compliance.
- Understand legal and regulatory requirements: Different types of data are subject to different retention requirements, such as financial data needing to be kept for a certain number of years for tax compliance, and personal data needing to be deleted once it is no longer necessary for its initial purpose.
- Consider data value: Retaining data indefinitely is not always necessary. Establish how long the data is required for business or legal purposes, and delete it once it is no longer required.
- Develop a data deletion plan: Once the data’s retention period has expired, a secure and permanent method for its deletion must be established.
- Review and update: The data retention policy should be examined and revised periodically to ensure it complies with legal and regulatory requirements and adapts to the organization’s evolving needs.
- Communicate and train relevant parties: Communicate the data retention policy to employees, contractors, and vendors and ensure they are trained on the requirements for data retention and deletion.
- Monitor and audit: Regularly review data storage and processing activities to ensure compliance with the retention policy and address any non-compliance issues promptly.
Veunex offers many options for controlling storage limitation and data retention. Some of them are as follows:
- Alarms can be saved with videos or without any videos
- The deletion time of each type of alarm can be configured separately, from one minute to days
- Alarm videos are no longer than 5 seconds
- Retention period of each camera is configurable separately
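The sketch below shows how the retention options listed above, together with the zero archive duration described in section 5, can be enforced in code. It is an added example, not Veunex's code: the `Policy` and `Record` layouts, the function names, and the camera and alarm identifiers are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_CLIP_SECONDS = 5.0  # from the page: alarm videos are at most 5 seconds


@dataclass(frozen=True)
class Policy:
    """Hypothetical controller-set policy; all field names are assumptions."""
    alarm_ttl: Dict[str, timedelta]       # per alarm type, one minute to days
    alarm_keeps_video: Dict[str, bool]    # per alarm type: clip or metadata only
    camera_archive: Dict[str, timedelta]  # per camera; zero means record nothing
    fallback_ttl: timedelta = timedelta(minutes=1)  # unknown alarm types: minimum


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str                 # "alarm" or "archive"
    camera_id: str
    created: datetime         # must be timezone-aware
    alarm_type: Optional[str] = None
    clip_seconds: float = 0.0


def admit(policy: Policy, rec: Record) -> Optional[Record]:
    """Minimise at ingestion: return what may be stored, or None for nothing."""
    if rec.created.tzinfo is None:
        raise ValueError("naive timestamp: retention maths needs a time zone")
    if rec.kind == "archive":
        # Cameras without a configured period default to zero: nothing is kept.
        ttl = policy.camera_archive.get(rec.camera_id, timedelta(0))
        return rec if ttl > timedelta(0) else None
    if rec.kind == "alarm":
        if not policy.alarm_keeps_video.get(rec.alarm_type, False):
            return replace(rec, clip_seconds=0.0)  # alarm saved without video
        return replace(rec, clip_seconds=min(rec.clip_seconds, MAX_CLIP_SECONDS))
    raise ValueError(f"unknown record kind: {rec.kind!r}")


def expires_at(policy: Policy, rec: Record) -> datetime:
    """Deletion deadline for a stored record under the current policy."""
    if rec.kind == "archive":
        ttl = policy.camera_archive.get(rec.camera_id, timedelta(0))
    else:
        ttl = policy.alarm_ttl.get(rec.alarm_type, policy.fallback_ttl)
    return rec.created + ttl


def sweep(policy: Policy, stored: List[Record],
          now: datetime) -> Tuple[List[Record], List[str]]:
    """Split stored records into (keep, ids_to_delete) as of `now`.

    Deadlines come from the current policy, so shortening a retention period
    also purges records that were written under the older, longer setting.
    """
    keep, purge = [], []
    for rec in stored:
        (purge if now >= expires_at(policy, rec) else keep).append(rec)
    return keep, [r.record_id for r in purge]


def demo():
    """Constructed sample data; camera ids and alarm types are made up."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    policy = Policy(
        alarm_ttl={"no_helmet": timedelta(days=7),
                   "zone_entry": timedelta(minutes=1)},
        alarm_keeps_video={"no_helmet": True, "zone_entry": False},
        camera_archive={"cam-dock": timedelta(hours=24),
                        "cam-canteen": timedelta(0)},
    )
    incoming = [
        Record("a1", "alarm", "cam-dock", t0, "no_helmet", clip_seconds=12.0),
        Record("a2", "alarm", "cam-dock", t0, "zone_entry", clip_seconds=4.0),
        Record("v1", "archive", "cam-dock", t0),
        Record("v2", "archive", "cam-canteen", t0),  # zero archive: dropped
    ]
    admitted = [admit(policy, r) for r in incoming]
    stored = [r for r in admitted if r is not None]
    keep, purge = sweep(policy, stored, t0 + timedelta(hours=25))
    return stored, keep, purge
```

Unknown cameras and alarm types fall back to the shortest setting, so a missing configuration entry results in less data being kept, not more.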
7- Personal data protection and system security
Article 32 of the GDPR stipulates that not only must the processing of personal data in video surveillance be legally permissible, but it must also be adequately secured by controllers and processors. Measures taken to secure the data must be proportional to the risks to individuals’ rights and freedoms that may arise from accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to video surveillance data. The GDPR also requires controllers to implement technical and organizational measures to uphold all data protection principles during processing and to provide means for individuals to exercise their rights as outlined in Articles 15-22. Controllers should develop internal frameworks and policies to ensure adherence to these requirements, including conducting data protection impact assessments, when necessary, both in the determination of means for processing and during the processing itself.
Data encryption, integrity, availability, and resilience are stated as an obligation in the first section of Article 32 (Security of Processing). Also, as stated in section 3(a) of Article 34 of the GDPR, encryption is used to prevent data breaches likely to result in a high risk to the rights and freedoms of natural persons.
At the technical level, Veunex is developed in-house to meet security concerns such as secure storage, regular backups, physical security of all system components, the use of firewalls, passing penetration tests, authentication and authorization, and access restriction.
At the organizational level, Veunex takes the following steps to ensure compliance with the GDPR: organizational risk assessments, data subject access requests, notification of data breaches, regular audits, management of personal data, data retention periods, access control, training and awareness, and procedures for incident management and recovery.
8- Data Protection Impact Assessment
One way to ensure this is through conducting a Data Protection Impact Assessment (“DPIA”). DPIAs are a crucial component of the GDPR. The GDPR requires organizations to carry out DPIAs in certain circumstances, to ensure that personal data is processed in a manner that is compliant with the regulation. A DPIA is a process of evaluating the potential privacy risks of a project or activity that involves the processing of personal data, and it is regulated under Article 35 of the GDPR. The aim of a DPIA is to identify and mitigate potential privacy risks, and to ensure that personal data is processed in a manner that is consistent with the GDPR’s requirements. DPIAs are a proactive tool that organizations can use to assess the privacy implications of their activities and identify potential privacy risks. It is particularly important for video surveillance activities, as they typically process large amounts of personal data and can have significant privacy implications.
The delivery of VEUNEX value begins with a focus on people. We start by reviewing the client’s risk assessment and adding our industry expertise to help them better understand the situation from their perspective. Together with the client, we prioritize the highest risk areas in production, health and safety, and security, and then utilize VEUNEX’s innovative technology to control and mitigate these risks. This step provides a clear understanding for both parties of the value of using this new technology and the implementation process within the company.
VEUNEX can be deployed either on the cloud or on-premises, depending on the client’s preference. For on-premises installations, VEUNEX can provide the necessary hardware or work with the client’s existing setup. VEUNEX is compatible with all types of cameras, DVRs, and NVRs and can collect camera information from the local network. Additionally, it uses standard industrial protocols to gather operational sensor data, such as Modbus, Profibus, or Fieldbus.
Once installed, we implement real-time risk assessment, configure dashboards, tune AI algorithms, and integrate with third-party systems on the plant. Performance testing and delivery ensure that agreed-upon risk controls meet expectations.
After delivery, our focus shifts to supporting the client to ensure satisfaction with the reduced risks and to help them incorporate this new tool into their daily operations for maximum benefit. Our ambition is to train operators, review and customize processes, and tailor solutions until the lowest level of risk is achieved.
9- Data Subjects’ Rights
A data subject has the right to obtain confirmation from the controller as to whether or not their personal data are being processed. For video surveillance this means that if no data is stored or transferred in any way then once the real-time monitoring moment has passed the controller could only give the information that no personal data is any longer being processed (besides the general information obligations under Article 13, see section 7 – Transparency and information obligations). If however data is still being processed at the time of the request (i.e. if the data is stored or continuously processed in any other way), the data subject should receive access and information in accordance with Article 15.
At Veunex, we have complete access control modules that let you define specific roles and users with limited access, which helps data controllers give data subjects temporary access in response to their requests.