The General Data Protection Regulation (“GDPR”) is a set of rules and regulations that govern how personal data is collected, processed, and stored. As video surveillance systems collect and store personal data, it is important to ensure that they are compliant with the GDPR. In this blog post, we will discuss the technical and organizational measures that organizations should take to ensure compliance with the GDPR while dealing with video surveillance systems.
Article 32 of the GDPR stipulates that not only must the processing of personal data in video surveillance be legally permissible, but it must also be adequately secured by controllers and processors. Measures taken to secure the data must be proportional to the risks to individuals’ rights and freedoms that may arise from accidental or illegal destruction, loss, alteration, unauthorized disclosure, or access to video surveillance data. The GDPR also requires controllers to implement technical and organizational measures to uphold all data protection principles during processing and to provide means for individuals to exercise their rights as outlined in Articles 15-22. Controllers should develop internal frameworks and policies to ensure adherence to these requirements, including conducting data protection impact assessments when necessary, both in the determination of means for processing and during the processing itself.
Technical Measures
Organizations should take the following technical measures to ensure compliance with the GDPR when dealing with video surveillance systems:
Data minimization: Organizations should only collect the personal data that is necessary for the specific purpose of the video surveillance system. This means that the organization should only collect data that is necessary for the system to perform its intended function.
Pseudonymization: Pseudonymization is a technique that replaces identifying data with a pseudonym. This makes it more difficult for unauthorized individuals to access the personal data that is stored via the video surveillance system. For detailed information on pseudonymization, see one of our previous blog posts.
Encryption: Encryption is a technique that makes it difficult for unauthorized individuals to read the data that is stored via the video surveillance system. Organizations should use encryption to protect the personal data that is stored via the video surveillance system. However, the GDPR does not clearly define what kind of encryption must be applied. It can nonetheless be interpreted to mean that personal data must not be transmitted or streamed in an unencrypted format, and that it must be encrypted when stored, whether in the cloud or on-premises. Secure protocols and methods of data transmission must be used, such as HTTPS, RTSP or TLS tunnels provided by VPN solutions.
Data encryption, integrity, availability, and resilience are stated as obligations in the first section of Article 32 (Security of Processing). Also, as stated in section 3(a) of Article 34 of the GDPR, encryption is used to prevent data breaches likely to result in a high risk to the rights and freedoms of natural persons.
💡 Intenseye uses an in-house developed client application to establish secure integration between the internal CCTV devices and Intenseye GPU servers running in the cloud. We encrypt both data in transit and data at rest.
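As an added illustration of the encryption measure above (not Intenseye's code and not part of the original post), the following Python audit walks a camera inventory and flags streams that leave the device without TLS. It treats `rtsps://` and `https://` as encrypted, and plain `rtsp://` or `http://` as acceptable only when the entry records a VPN or TLS tunnel; the inventory format, camera names, addresses and the `tunnel` field are assumptions made for this example.

```python
from urllib.parse import urlsplit

TLS_SCHEMES = {"https", "rtsps"}   # stream or API carried inside TLS
PLAIN_SCHEMES = {"http", "rtsp"}   # cleartext unless wrapped by a tunnel

# Constructed sample inventory: names, hosts and the "tunnel" field are
# assumptions made for this example, not a real product format.
CAMERAS = [
    {"name": "dock-01", "url": "rtsps://10.0.4.11:322/stream1"},
    {"name": "dock-02", "url": "rtsp://viewer:s3cret@10.0.4.12:554/stream1"},
    {"name": "gate-01", "url": "rtsp://10.0.4.13:554/stream1", "tunnel": "vpn"},
    {"name": "lobby-01", "url": "http://10.0.4.14/mjpeg"},
    {"name": "yard-01", "url": "udp://10.0.4.15:5004"},
]


def audit_camera(cam):
    """Return a list of finding codes for one inventory entry."""
    parts = urlsplit(cam["url"])
    scheme = parts.scheme.lower()
    tunneled = bool(cam.get("tunnel"))
    findings = []
    if scheme in TLS_SCHEMES or (scheme in PLAIN_SCHEMES and tunneled):
        return findings  # encrypted natively or by the recorded tunnel
    if scheme in PLAIN_SCHEMES:
        findings.append("unencrypted-transport")
        # Credentials in the URL travel in the clear on such a link.
        if parts.username or parts.password:
            findings.append("cleartext-credentials")
    else:
        # Protocol not known to this check: needs manual review.
        findings.append("unknown-scheme")
    return findings


def audit(cameras):
    """Map camera name -> findings, listing only cameras that need action."""
    report = {}
    for cam in cameras:
        findings = audit_camera(cam)
        if findings:
            report[cam["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(CAMERAS).items():
        print(f"{name}: {', '.join(findings)}")
```
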
Secure storage: Organizations should store the personal data that is collected by the video surveillance system in a secure location. This means that the data should be stored on a server that is protected by a firewall and that is only accessible by authorized individuals.
Regular backups: Organizations should make regular backups of the personal data that is stored in the video surveillance system. This means that the organization should keep copies of the data in case the original data is lost or damaged.
Physical security of all system components: Organizations should ensure that all physical components of the video surveillance system, such as cameras and servers, are secured in a locked location. This will prevent unauthorized access to the system and the personal data that it contains.
The use of firewalls: Organizations should use firewalls to protect their video surveillance systems from unauthorized access. Firewalls act as a barrier between the system and the internet and can be configured to block unauthorized access attempts.
Antivirus software: Organizations should use antivirus software to prevent malware from infiltrating the system. This software can detect and remove malware before it can cause harm to the system or the personal data that it contains.
Penetration tests: Organizations should conduct regular penetration tests to identify vulnerabilities in the video surveillance system. These tests simulate cyberattacks and can help organizations identify potential weaknesses that need to be addressed.
Authentication and authorization: Organizations should implement authentication and authorization mechanisms to ensure that only authorized individuals can access the video surveillance system. This includes requiring users to enter a username and password to access the system and restricting access to specific individuals or groups.
Access restriction: Organizations should restrict access to the personal data that is stored in the video surveillance system. This means that only authorized individuals should be able to view and process the data, and that access to the data should be logged and monitored.

Organizational Measures
Organizations should take the following organizational measures to ensure compliance with the GDPR when dealing with video surveillance systems:
Risk assessment: Organizations should conduct a risk assessment of the video surveillance system to identify any potential risks to the personal data that is stored in the system. This means that the organization should identify any potential vulnerabilities in the system and take steps to mitigate them.
Data subject access requests: Organizations should have processes in place to handle data subject access requests. This means that individuals have the right to access their personal data that is stored in the video surveillance system and organizations should have a process in place to handle these requests.
Notification of data breaches: Organizations should have processes in place to notify individuals in the event of a data breach. This means that if a data breach occurs, the organization should notify individuals whose personal data has been compromised.
Regular audits: Organizations should conduct regular audits of the video surveillance system to ensure that it is compliant with the GDPR. This means that the organization should regularly check the system to ensure that it is operating in accordance with the GDPR.
Management of personal data: Organizations should have processes in place to manage the personal data that is collected by the video surveillance system. This includes ensuring that the data is accurate and up to date, and that it is stored in a secure location.
Data retention period: Organizations should have policies in place to determine the retention period for personal data that is collected by the video surveillance system. This means that the organization should have a process in place to delete the data after it is no longer needed.
Access control: Organizations should have processes in place to control access to the personal data that is stored in the video surveillance system. This includes ensuring that only authorized individuals can view and process the data.
Training and awareness: Organizations should provide training and awareness to employees who are responsible for the video surveillance system. This includes educating employees about the GDPR, the personal data that is collected, and how the data should be handled.
Procedures for incident management and recovery: Organizations should have procedures in place to manage and recover from data breaches. This includes identifying potential vulnerabilities in the system, creating a response plan, and training employees on how to handle data breaches.
💡 Intenseye has a detailed Data Security and Incident Response Policy in place to maintain the security, integrity, and resiliency of its customers’ data.
In conclusion, organizations should take technical and organizational measures to ensure that their video surveillance systems are compliant with the GDPR. By following these measures, organizations can ensure that they are collecting, processing, and storing personal data in a way that is compliant with the GDPR and that the rights of individuals are being protected.
Stay tuned for our next blog post, where Intenseye Head of Legal, Melih Yönet, will explain Privacy by Design and by Default.
