1-Introduction 

First, we explain why the GDPR is necessary. The GDPR applies when

As a result, all providers of goods and services who have customers in the EU must conduct their data processing activities in compliance with the GDPR. 

1-1- Key definitions 

In this section we define six key terms that will help in the explanations that follow:

Personal Data: “Personal Data” refers to any information that pertains to a natural person who is identifiable or has been identified. Thus, an individual’s image, which directly identifies them, is regarded as personal data. 

Video surveillance involves the capture of images and video recordings of individuals by cameras, which constitute personal data. When security cameras or CCTV capture footage or images of an individual in a way that can identify them directly or indirectly, it is classified as personal data. 

Data Processing: Data processing involves the utilization of personal data in various ways, such as gathering, storing, analyzing, and sharing. It may be carried out by a data controller, who decides the reasons and methods of processing personal data, or a data processor, who handles data on behalf of the data controller. 

The use of video surveillance systems and security cameras by an organization to obtain footage of individuals amounts to the collection of personal data. Subsequently, this data is stored and may be subject to analysis, which falls under processing as per the GDPR. 

Data Subject: The term “data subject” refers to a natural person who has been identified or is identifiable, either directly or indirectly, by means of an identifier like a name, identification number, location data, image, online identifier, or by any other factor related to their physical, physiological, genetic, mental, economic, cultural, or social identity.

In video surveillance, individuals who are recorded by a video camera are considered data subjects. For instance, in a production facility that employs a video camera surveillance system to uphold occupational health and safety, the laborers performing their daily duties on the premises, as well as any visitors or contractors, would be considered data subjects under the GDPR. 

Data Controller: The individual or legal entity responsible for deciding the purposes and methods of personal data processing and establishing and managing the data recording system is known as the Data Controller. 

Regarding video surveillance, the Data Controllers are the owners or final users of the CCTV devices, which may include companies that have installed and are operating security cameras and video surveillance systems in their premises. 

Data Processor: A Data Processor is an individual or legal entity who is not part of the Data Controller’s organization, but processes personal data on behalf of the Data Controller based on the latter’s authorization. The Data Processor, who is granted authority by the Data Controller through a personal data processing agreement, processes personal data as per the instructions provided while adhering to the terms of the agreement. In the case of video surveillance, companies providing cloud-based products that serve as cloud data storage servers or cloud-integrated VMS companies act as Data Processors. 

Veunex acts as a Data Processor and processes personal data on behalf of our clients for the purpose of “ensuring occupational health and safety” at their facilities, as part of the services we offer. 

Biometric Data: Under GDPR, personal data derived from technical processing that pertains to physical, physiological, or behavioral characteristics which facilitate or confirm the unique identification of a natural person, such as facial images or keystroke data, are referred to as biometric data. Biometric data should only be classified as such if it is utilized for purposes such as identifying or verifying individuals via biometric techniques. 

Veunex does not gather biometric data or perform facial recognition, and instead uses default face-blurring algorithms to pseudonymize faces. 

 

1-2-EDPB’s Guidelines 3/2019 on the processing of personal data through video devices 

The Guidelines provide clarification on the following topics related to the processing of personal data through video devices:

Fundamental Principles Governing the Processing of Personal Data 

Article 5 of the GDPR provides seven general principles to protect privacy while processing personal data. These principles are: 

  

Lawfulness, fairness, and transparency: Processing must be conducted in accordance with GDPR criteria, ensuring that personal data is handled in a manner that the subject would reasonably expect and not used in a way that would have unjustifiable negative consequences on them. The reason for the collection and processing of personal data must be explicitly stated. 

Purpose limitation: Personal data can only be collected for “specified, explicit, and legitimate purposes.” The purpose for collecting the data must be disclosed to the data subject. Data pertaining to the public interest, research, or statistical reasons may not have requirements for purpose limitation, but processing without further consent should not be allowed. 

Data minimization: Data collected should be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed,” which means only the information necessary for a particular procedure should be gathered and stored.

Accuracy: Collected data must be “accurate and where necessary kept up to date.” Changes should not be made to prevent identity theft. Data controllers must create editable data management systems so that subjects can update their data. 

Storage limitations: Personal data must be kept in a form that permits identification of data subjects for no longer than necessary. Data for statistical, academic, or public interest purposes can be stored for a long time with the right security measures in place. A controller’s repositories should be cleaned out of any unnecessary data. 

Integrity and confidentiality: Data controllers must maintain the integrity and confidentiality of the data they collect, essentially keeping it secure from internal or external threats. They should use appropriate technical or organizational measures to provide “appropriate security of the personal data, including protection against unlawful processing or accidental loss, destruction, or damage.” 

Accountability: Controllers shall be accountable if the data processing is not compliant with GDPR. 

 

2- Lawfulness of video surveillance

For data processing activities to be lawful, they must be based on one of six valid justifications for processing personal data: consent, contract, legal obligation, vital interest, public task, or legitimate interests. 

The legitimate interest for video surveillance lies in ensuring physical security, protecting against workplace hazards, and promoting occupational health and safety. In the context of workplace safety, the use of video surveillance can be justified as necessary for protecting the safety and well-being of employees and other individuals present in the workplace. This may include monitoring hazardous areas and identifying and preventing safety risks. At Veunex, data processing serves the simple purpose of providing a risk-free work environment in terms of occupational safety and health. 

We believe that video surveillance for workplace safety can be legally justified under the legitimate interests basis as defined by the GDPR. Legitimate interests refer to an organization’s or a third party’s interests, provided that they do not override the individual’s interests or fundamental rights and freedoms. However, it is crucial for organizations to carefully assess which lawful basis is the most appropriate for their video surveillance activities and ensure that they can justify the use of the system under one of the GDPR’s lawful bases. Furthermore, organizations must be transparent with individuals about the purpose of the video surveillance and inform them of their rights in relation to the processing of their personal data. 

3- Transparency in video surveillance 

When it comes to video surveillance systems, the warning sign should prominently display the essential information (first layer), while additional mandatory details can be provided through other means (second layer). 

First Layer: Warning Sign 

 

The first layer is the initial stage of communicating with the data subject in the layered approach to privacy notices and warning signs. Here, controllers can use warning signs to convey relevant information, which can be accompanied by an icon to offer a clear and easily comprehensible overview of the intended processing in compliance with Article 12(7) of the GDPR.

The first layer sign typically comprises five distinct elements, including the identity of the controller and, where appropriate, the controller’s representative, contact details of the data protection officer (if applicable), purposes of the processing for which the personal data are intended, as well as the legal basis for the processing, and the data subject rights, such as the right to request access to or erasure of their personal data from the controller. 

Additionally, a QR code that leads to the second layer notice may be included in the first layer sign. 

 

Second Layer: Privacy Notice regarding Video Surveillance 

To ensure that data subjects can easily access complete information about the processing of their personal data, the second layer of information should be readily available. This may be accomplished by making a comprehensive information sheet available at a central location, such as a reception desk or information kiosk, or by displaying the information on a prominent poster. 

The first layer warning sign should clearly indicate that a second layer of information exists and provide a means of accessing it, such as a QR code or website address. If the second layer of information is provided digitally, it should be accessible without the need to enter the monitored area. Alternatively, a phone number could be provided for individuals to call and access the information. 

In accordance with Article 13 of the GDPR, the second layer of information must contain all required details. It is important to ensure that the information is easily accessible and presented in a clear and understandable format, so that data subjects can be fully informed about the processing of their personal data. 

 

At Veunex, we highly encourage our clients to provide their employees and contractors with adequate information regarding the security camera, CCTV, and video surveillance data collected on their premises, which is shared with us to enhance Environmental Health and Safety conditions and ensure Occupational Health and Safety in the facility. We advise our clients to prioritize transparency with regards to the privacy of their workers and take all necessary measures to ensure they are fully informed about the collection and processing of their personal data. 

 

4- Biometric data in GDPR 

In the context of the General Data Protection Regulation (GDPR), biometric data falls under the category of “special categories of personal data,” which includes information related to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify an individual, and data about an individual’s health, sex life, or sexual orientation. In continuation of our series on the GDPR and video surveillance, this article will explore biometric data, its meaning, and its importance in video surveillance systems. 

To be classified as biometric data under the GDPR, the data must satisfy certain conditions. These conditions include: 

Veunex’s platform ensures complete anonymity of individuals by blurring their faces, thereby making it impossible to identify them from the images or videos. Additionally, Veunex does not store any biometric data related to the individuals. The primary objective of Veunex is to analyze occurrences of unsafe acts or conditions and to develop strategies to prevent them and ensure occupational health and safety. Once an individual goes out of the camera’s range, their tracking information is lost, and Veunex does not use any biometric data to track them. 

5-Data minimization and pseudonymization 

 

Organizations are expected to adhere to the principle of data minimization, which mandates that they should limit the collection and retention of personal data to the minimum amount necessary for a particular purpose. This principle holds particular significance in the context of video surveillance, where the collection and storage of vast quantities of personal data can give rise to significant privacy issues. 

Article 4 of the GDPR defines pseudonymization as the processing of personal data in a way that makes it impossible to attribute the data to a specific individual without additional information. However, this additional information must be kept separate and subject to technical and organizational measures to prevent the personal data from being linked to an identifiable natural person. 

Article 25 of the GDPR stipulates that data pseudonymization is a requirement for data controllers. This involves implementing suitable technical and organizational measures, such as pseudonymization, at both the planning and processing stages, in order to uphold data protection principles. 

In the context of video surveillance systems, data pseudonymization can involve methods to conceal the identities of individuals in the footage. One common approach is the use of face blur algorithms that automatically detect and obscure faces in video footage. By implementing this technique, the privacy of individuals in the footage can be safeguarded, as their identities are effectively hidden from view. 

Veunex applies face blurring by default to both alert evidence images and videos in order to prevent identification of individuals. The system is designed to detect potential hazards in high-risk areas already covered by existing video surveillance systems and security cameras in production facilities. The face blurring feature is a standard practice for all video data and cannot be reversed, even at the request of customers. Veunex’s Research Team is also working on a broader and more advanced Data Pseudonymization technique, which aims to remove all personally identifiable information from collected frames and videos. 

The Veunex platform offers the option to set the archive duration, and the data controller can even set it to zero, which means that no data is recorded at all. This feature is not limited to video footage from cameras but also extends to any videos related to alarms that have a specified deletion time. This architecture aligns with the data minimization principle of GDPR. 
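
The sketch below is an added example, not Veunex's code, of how an archive duration with a zero setting and a deletion time for alarm videos can be enforced. The category names, durations, and function names are assumptions made for illustration, and the sample clips are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Clip:
    clip_id: str
    category: str            # hypothetical categories: "footage", "alarm"
    recorded_at: datetime

# Hypothetical controller-defined policy. A zero duration means
# "do not record at all" for that category.
ARCHIVE_DURATION = {
    "footage": timedelta(0),
    "alarm": timedelta(days=7),
}

def should_record(category, policy=ARCHIVE_DURATION):
    """Decide at ingest time whether a clip may be stored.
    Fails closed: a category missing from the policy is never stored."""
    return policy.get(category, timedelta(0)) > timedelta(0)

def deletion_deadline(clip, policy=ARCHIVE_DURATION):
    """Moment after which the clip must no longer exist in storage."""
    return clip.recorded_at + policy.get(clip.category, timedelta(0))

def sweep(store, now, policy=ARCHIVE_DURATION):
    """Return (kept_clips, deletion_log) for one retention pass.
    The log holds only clip id, category and reason, no image data,
    so it can itself be retained as evidence of the retention schedule."""
    kept, log = [], []
    for clip in store:
        if now >= deletion_deadline(clip, policy):
            reason = ("archive duration elapsed"
                      if should_record(clip.category, policy)
                      else "category not permitted to be stored")
            log.append({"clip_id": clip.clip_id,
                        "category": clip.category,
                        "deleted_at": now.isoformat(),
                        "reason": reason})
        else:
            kept.append(clip)
    return kept, log

# Constructed sample data: two alarm clips, one footage clip left over
# from before the footage duration was set to zero, one unknown category.
UTC = timezone.utc
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=UTC)
SAMPLE_STORE = [
    Clip("a1", "alarm", datetime(2024, 1, 8, 9, 0, tzinfo=UTC)),
    Clip("a2", "alarm", datetime(2024, 1, 1, 12, 0, tzinfo=UTC)),
    Clip("f1", "footage", datetime(2024, 1, 10, 11, 59, tzinfo=UTC)),
    Clip("x1", "thermal", datetime(2024, 1, 10, 11, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    kept, log = sweep(SAMPLE_STORE, NOW)
    print("kept:", [c.clip_id for c in kept])
    for entry in log:
        print(entry)
```

Setting a duration to zero takes effect on already stored clips at the next sweep, because the deadline then equals the recording time.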
 

6- Storage Limitations and Data Retention 

 

Data retention refers to the practice of storing information for a defined period of time. At an individual level, data retention can be observed when data is saved on a mobile device, where a storage limit may be reached if there is no established process for backing up, migrating, and disposing of the data. 

Article 30 of the GDPR mandates that companies maintain records of processing activities and retention schedules for different categories of data. This underscores the importance of having a data retention policy for GDPR compliance. Such policies are also critical in ensuring that data is securely and properly deleted, preventing unauthorized access by individuals or parties. This serves to satisfy the GDPR’s requirement for organizations to protect personal data against unauthorized destruction or access. 

A policy document outlining when and for how long specific data types will be stored and when they will be deleted is known as a data retention policy. When creating a data retention policy, the following best practices should be followed: 

Veunex has many options for controlling storage limitation and data retention. Some of them are as follows:

7- Personal data protection and system security

Article 32 of the GDPR stipulates that not only must the processing of personal data in video surveillance be legally permissible, but it must also be adequately secured by controllers and processors. Measures taken to secure the data must be proportional to the risks to individuals’ rights and freedoms that may arise from accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to video surveillance data. The GDPR also requires controllers to implement technical and organizational measures to uphold all data protection principles during processing and to provide means for individuals to exercise their rights as outlined in Articles 15-22. Controllers should develop internal frameworks and policies to ensure adherence to these requirements, including conducting data protection impact assessments, when necessary, both in the determination of means for processing and during the processing itself. 

Data encryption, integrity, availability, and resilience are stated as obligations in the first section of Article 32, Security of Processing. Also, as stated in section 3(a) of Article 34 of the GDPR, encryption is used to prevent data breaches likely to result in a high risk to the rights and freedoms of natural persons.

At the technical level, Veunex is developed in-house to meet security concerns such as secure storage, regular backups, physical security of all system components, the use of firewalls, passing penetration tests, authentication and authorization, and access restriction.

At the organizational level, Veunex takes the following steps to ensure compliance with the GDPR: organizational risk assessments, data subject access requests, notification of data breaches, regular audits, management of personal data, data retention periods, access control, training and awareness, and procedures for incident management and recovery.

8- Data Protection Impact Assessment 

 

One way to ensure this is through conducting a Data Protection Impact Assessment (“DPIA”). DPIAs are a crucial component of the GDPR. The GDPR requires organizations to carry out DPIAs in certain circumstances, to ensure that personal data is processed in a manner that is compliant with the regulation. A DPIA is a process of evaluating the potential privacy risks of a project or activity that involves the processing of personal data, and it is regulated under Article 35 of the GDPR. The aim of a DPIA is to identify and mitigate potential privacy risks, and to ensure that personal data is processed in a manner that is consistent with the GDPR’s requirements. DPIAs are a proactive tool that organizations can use to assess the privacy implications of their activities and identify potential privacy risks. It is particularly important for video surveillance activities, as they typically process large amounts of personal data and can have significant privacy implications.

The delivery of VEUNEX value begins with a focus on people. We start by reviewing the client’s risk assessment and adding our industry expertise to help them better understand the situation from their perspective. Together with the client, we prioritize the highest risk areas in production, health and safety, and security, and then utilize VEUNEX’s innovative technology to control and mitigate these risks. This step provides a clear understanding for both parties of the value of using this new technology and the implementation process within the company. 



VEUNEX can be deployed either on the cloud or on-premises, depending on the client’s preference. For on-premises installations, VEUNEX can provide the necessary hardware or work with the client’s existing setup. VEUNEX is compatible with all types of cameras, DVRs, and NVRs and can collect camera information from the local network. Additionally, it uses standard industrial protocols to gather operational sensor data, such as Modbus, Profibus, or Fieldbus. 

Once installed, we implement real-time risk assessment, configure dashboards, tune AI algorithms, and integrate with third-party systems on the plant. Performance testing and delivery ensure that agreed-upon risk controls meet expectations. 

After delivery, our focus shifts to supporting the client to ensure satisfaction with the reduced risks and to help them incorporate this new tool into their daily operations for maximum benefit. Our ambition is to train operators, review and customize processes, and tailor solutions until the lowest level of risk is achieved. 

 

9-Data Subjects Rights 

A data subject has the right to obtain confirmation from the controller as to whether or not their personal data are being processed. For video surveillance this means that if no data is stored or transferred in any way, then once the real-time monitoring moment has passed the controller could only give the information that no personal data is any longer being processed (besides the general information obligations under Article 13, see section 7 – Transparency and information obligations). If, however, data is still being processed at the time of the request (i.e. if the data is stored or continuously processed in any other way), the data subject should receive access and information in accordance with Article 15.

At Veunex, we have complete access control modules that let you define specific roles and users with limited access, which helps data controllers give data subjects temporary access in response to their requests.