The GDPR is a major step forward in protecting the privacy of individuals and ensuring that their personal data is handled in a responsible and transparent manner. By clarifying key definitions and establishing clear rules and regulations, the GDPR helps to establish a level of trust between organizations and their customers, ultimately benefiting both parties.
In this blog post, we will discuss some of the key terms of the GDPR that businesses need to be aware of while dealing with video surveillance systems and security cameras. It is important for businesses to understand the key terms of the GDPR and to take steps to ensure that they are compliant with this law.
a. Personal Data
Personal Data means any information relating to an identified or identifiable natural person. Accordingly, the image of a person is the information that makes the person directly identifiable and is considered personal data.
💡 In video surveillance, images and video recordings of the people who are being recorded by the cameras are personal data. Whenever the footage or a picture of an individual is captured through a security camera or CCTV, that may be used to identify that person (directly or indirectly) it is considered to be personal data.
b. Data Processing
Data processing is the act of using personal data in any way, including collection, storage, analysis, and dissemination. This can be done by a data controller, who determines the purposes and means of processing personal data, or a data processor, who processes data on behalf of the data controller.
💡 When an organization uses video surveillance systems and security cameras to collect footage of individuals, it is collecting personal data. This data is then stored and potentially analyzed, which is considered processing under the GDPR.
c. Data Subject
A data subject is an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an image, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In video surveillance, data subjects are the people who are being recorded by a video camera.
💡 For example, in a production facility that has a video camera surveillance system to maintain occupational health and safety, the workers who are performing their daily jobs within the facility, or the contractors who are visiting the facility for a short period of time will be considered as data subjects under the GDPR.
d. Data Controller
The Data Controller is the real person or legal entity that determines the objectives and tools of processing of personal data and is responsible for the establishment and management of the data recording system.
💡 When it comes to video surveillance, data controllers are the owners or end users of the CCTV devices such as companies that installed and are operating security cameras and video surveillance systems in their facilities.
e. Data Processor
A data processor is a real person or legal person outside the organization of the data controller who processes personal data on behalf of the data controller, based on the authority given by the data controller. A data processor, who is authorized by the data controller through a personal data processing contract, processes personal data in accordance with the instructions given by considering the terms of the contract with the data controller. In video surveillance, the companies that have cloud-based products serve as the cloud data storage servers, or the cloud integrated VMS companies are the data processors.
💡 Intenseye is an AI-powered & image processing based occupational health and safety platform. Therefore, as Intenseye, we process personal data as a data processor on behalf of our customers in order to provide our services for the purpose of “ensuring occupational health and safety” at our customers’ facilities.
f. Biometric Data
In the GDPR, personal data resulting from specific technical processing with respect to physical, physiological or behavioral characteristics that enable or confirm the unique identification of a natural person, such as facial images or typewriter data, are defined as biometric data. In this context, biometric data should be subjected to applications such as identifying and verifying people through biometric methods. Only in this case will the relevant data be considered as biometric data.
💡 Intenseye neither collects biometric data nor recognizes faces, and faces are pseudonymisated by default face blurring algorithms.
The GDPR is a complex and comprehensive law that has significant implications for businesses and organizations. By understanding the key definitions outlined above, organizations can better ensure that they are in compliance with the GDPR and protecting the personal data of their customers and users.
Stay tuned for our next blog on EDPB’s Guidelines 3/2019 on Processing of Personal Data Through Video.