Additional safeguards

To better ensure that the Milestone XProtect VMS configuration is GDPR compliant, this list provides you with some additional safeguards to keep in mind when configuring the system.

Each entry below states the issue, its negative impact on privacy, and hints for the controller.

Issue: PTZ cameras and privacy masking do not work together. The masks do not follow the PTZ motions.

Negative impact on privacy: The privacy-enhancing effect of the masking can be circumvented.

Hints for the controller: Milestone recommends that you do one of the following:

  • Do not use the XProtect built-in privacy masking feature on PTZ cameras, because the mask is static relative to the image's decoded pixels and not to the actual direction or location of the PTZ camera.
  • Deactivate PTZ functionality when you use masks.
  • Purchase PTZ cameras that support dynamic privacy masking (so the selected areas are always masked regardless of the camera's direction and zoom).
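The following is an added example and not Milestone code: a small pinhole-camera simulation that shows why a mask fixed to decoded pixels stops covering its target once the camera pans or zooms, while a mask defined in pan/tilt space (what "dynamic privacy masking" on the camera provides) keeps covering it. The sensor resolution, camera poses, target direction and mask geometry are all constructed values.

```python
"""Added example, not Milestone code: a pinhole-camera simulation showing why a
privacy mask fixed to image pixels stops covering its target once a PTZ camera
pans or zooms, while a mask defined in pan/tilt space keeps covering it.
Image size, camera poses, target direction and mask geometry are all constructed."""
import math
from dataclasses import dataclass

IMAGE_WIDTH, IMAGE_HEIGHT = 1920, 1080  # constructed sensor resolution


@dataclass(frozen=True)
class CameraPose:
    pan_deg: float   # where the camera head points horizontally
    tilt_deg: float  # where it points vertically
    hfov_deg: float  # horizontal field of view; zooming in shrinks it


@dataclass(frozen=True)
class PixelRect:
    """A static mask as the VMS applies it: a region of decoded pixels."""
    x0: float
    y0: float
    x1: float
    y1: float

    def contains(self, x: float, y: float) -> bool:
        return self.x0 <= x <= self.x1 and self.y0 <= y <= self.y1


def project(pose: CameraPose, az_deg: float, el_deg: float):
    """Pixel position of a scene direction (azimuth/elevation), or None if the
    direction lies outside the current image."""
    focal = (IMAGE_WIDTH / 2) / math.tan(math.radians(pose.hfov_deg / 2))
    dx = math.radians(az_deg - pose.pan_deg)
    dy = math.radians(el_deg - pose.tilt_deg)
    if abs(dx) >= math.pi / 2 or abs(dy) >= math.pi / 2:
        return None
    x = IMAGE_WIDTH / 2 + focal * math.tan(dx)
    y = IMAGE_HEIGHT / 2 - focal * math.tan(dy)
    if 0 <= x < IMAGE_WIDTH and 0 <= y < IMAGE_HEIGHT:
        return x, y
    return None


def static_mask_hides(mask: PixelRect, pose: CameraPose, az: float, el: float) -> bool:
    """True when the target is either out of frame or inside the pixel mask."""
    pixel = project(pose, az, el)
    return pixel is None or mask.contains(*pixel)


def dynamic_mask_hides(region, pose: CameraPose, az: float, el: float) -> bool:
    """A pose-aware mask is defined in pan/tilt space and re-projected for every
    frame, so whether the target is covered no longer depends on the pose."""
    az0, az1, el0, el1 = region
    pixel = project(pose, az, el)
    return pixel is None or (az0 <= az <= az1 and el0 <= el <= el1)


# Constructed scene: a neighbour's window 10 deg right and 5 deg up from the
# camera's home direction. The operator draws the static mask at the home pose.
TARGET = (10.0, 5.0)
HOME = CameraPose(pan_deg=0.0, tilt_deg=0.0, hfov_deg=60.0)
STATIC_MASK = PixelRect(1150, 300, 1350, 500)   # covers the window at HOME
DYNAMIC_REGION = (5.0, 15.0, 0.0, 10.0)         # az0, az1, el0, el1 in degrees
POSES = {
    "home": HOME,
    "panned 20 deg": CameraPose(20.0, 0.0, 60.0),
    "zoomed in (30 deg FOV)": CameraPose(0.0, 0.0, 30.0),
}


def coverage_report() -> dict:
    """For each pose: (static mask still hides target, dynamic mask still hides target)."""
    return {name: (static_mask_hides(STATIC_MASK, pose, *TARGET),
                   dynamic_mask_hides(DYNAMIC_REGION, pose, *TARGET))
            for name, pose in POSES.items()}


if __name__ == "__main__":
    for name, (static_ok, dynamic_ok) in coverage_report().items():
        print(f"{name:24} static mask hides: {static_ok!s:5}  dynamic mask hides: {dynamic_ok}")
```

Running it shows the static mask covering the window only at the pose it was drawn for; a 20 degree pan or a zoom to half the field of view moves the window out from under the mask, which is exactly the circumvention the entry above warns about.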
Issue: Use of microphone or metadata devices may impinge on personal privacy. (In XProtect Corporate, these are deactivated by default.)

Negative impact on privacy: The use of microphones may easily violate GDPR compliance.

Hints for the controller: Please be aware: Using microphone and metadata devices is not covered by the European Privacy Seal. Their activation would violate the EuroPriSe seal.

Before you activate microphones or metadata devices, you must ensure that you have a clearly justified purpose for collecting data. See Do you have a lawful basis for collecting data?

Issue: Operators and administrators can export or copy video data, video archives, configuration back-ups and audit logs to local hard drives or removable media such as CDs, DVDs and USB flash drives.

Negative impact on privacy: Personal data leaves the governance borders of XProtect VMS. The data is no longer protected by the XProtect VMS access control mechanisms, and XProtect VMS cannot delete it when the retention period is reached. This bears the risk that the data is stored longer than allowed, that it is used for different purposes, and that the confidentiality of the data is violated.

Hints for the controller: Data controllers shall take technical and organizational measures to protect data that leaves the boundary of XProtect VMS. See Handling exported data for possible measures to take.

Issue: Audit log data and other personal data are not encrypted by the product before they are stored in the SQL databases.

Negative impact on privacy: Database administrators can access audit log data using database clients. XProtect Corporate cannot control or log this access. In particular, the sensitive audit log data may be disclosed to unauthorised users.

Hints for the controller: See Protecting stored and transmitted data. For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.

Do the following:

  • Implement an adequate role concept for the database administration.
  • Limit access to the database to authorized personnel only.
  • If possible, activate encryption of the database using database mechanisms.
Issue: The product implements a back-up feature. This feature backs up the configuration of the VMS but not the audit log database.

Negative impact on privacy: A physical destruction of the data carrier that holds the audit log database might prevent the data controller from fulfilling its accountability duties when no back-ups of the audit logs exist.

Hints for the controller: Consider creating audit log database back-ups.

If the Data Controller decides to create back-ups of the audit log database, they should also establish a process to delete the back-ups when the retention period is reached, and protect them against unauthorised access (for example, by encrypting the back-up or locking away the back-up media). For more information, see the administrator manual for XProtect VMS.
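As an added example (not Milestone code and not a feature of the product), the following script implements the deletion half of that process: a retention sweep over a folder of audit log database back-ups that removes only files past the retention period and returns what it removed, so the outcome can go into the controller's deletion record. The file naming scheme, the retention period and the sample file names are assumptions; nothing on this page prescribes them.

```python
"""Added example, not Milestone code: a retention sweep for audit log database
back-ups. The file naming scheme, the retention period and the sample listing
below are assumptions; the product prescribes none of them."""
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed naming scheme for back-up files, e.g. auditlog_20240131T020000Z.bak
BACKUP_NAME = re.compile(r"^auditlog_(\d{8}T\d{6})Z\.bak$")


def backup_timestamp(name: str):
    """Creation time encoded in the file name, or None for any other file."""
    match = BACKUP_NAME.match(name)
    if match is None:
        return None
    return datetime.strptime(match.group(1), "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def expired_backups(names, now: datetime, retention_days: int):
    """Back-ups older than the retention period, oldest first. Files that do not
    follow the naming scheme are ignored, so the sweep never deletes anything else."""
    cutoff = now - timedelta(days=retention_days)
    expired = []
    for name in names:
        stamp = backup_timestamp(name)
        if stamp is not None and stamp < cutoff:
            expired.append((stamp, name))
    return [name for _, name in sorted(expired)]


def sweep(directory, retention_days: int, now=None):
    """Delete expired back-ups in `directory` and return their names, so the
    result can be written to the controller's own deletion record."""
    now = now or datetime.now(timezone.utc)
    names = [p.name for p in Path(directory).iterdir() if p.is_file()]
    removed = expired_backups(names, now, retention_days)
    for name in removed:
        Path(directory, name).unlink()
    return removed


# Constructed listing of a back-up folder and a constructed "now".
SAMPLE_FILES = [
    "auditlog_20240101T020000Z.bak",
    "auditlog_20240301T020000Z.bak",
    "auditlog_20240315T020000Z.bak",
    "auditlog_2024.bak",   # does not match the scheme: left alone
    "restore-notes.txt",   # not a back-up: left alone
]
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Dry run against the constructed listing; sweep() does the real deletion.
    for name in expired_backups(SAMPLE_FILES, SAMPLE_NOW, retention_days=30):
        print("would delete:", name)
```

The timestamp is taken from the file name rather than from the file system, because modification times change when back-up media are copied, which would silently extend retention. Encrypting the back-ups themselves is left to the back-up tool or the database's own mechanisms, as the entry above suggests.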

Issue: For some client-to-server and some server-to-server communication, XProtect VMS uses cryptographically unsecured authentication / authorization tokens over unsecured communication channels.

Negative impact on privacy: Attackers with access to the network could eavesdrop on the tokens and use them to impersonate VMS users or server components. This could compromise the confidentiality of video data or the integrity of the whole system.

Hints for the controller: Please be aware: VPN and / or HTTPS must be configured to protect insecure communications in order to be compliant with the EuroPriSe seal.

Do the following:

  • Use cryptographically secure VPNs. For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.
  • Separate networks. For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.
  • Configure HTTPS for the Recording Server. For more information about securing your XProtect VMS installations, see the hardening guide and the certificate guide.
Issue: The product allows for setting retention times for audit logs, video data, alarms and other personal data.

Negative impact on privacy: Setting the retention time to periods that are too long might violate the GDPR requirements for storage limitation (GDPR Article 5 (1) (e) and Article 17).

Hints for the controller: The retention times must be adapted to the processing purposes (see Right to be forgotten (Right to erasure)).

Issue: Administrators can configure email recipients that may receive video snippets or image stills from the VMS when certain events occur. It is not possible to configure a whitelist of allowed domains for such email recipients.

Negative impact on privacy: A typo might lead to a data breach when a third party receives emails with video data and system alarms.

Hints for the controller: Make the Data Controller aware of this risk.

Milestone recommends that you establish an organizational process, such as a four-eyes principle, that reduces the risk of errors when entering email addresses.
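Because the product offers no domain whitelist, a compensating check can be run outside the VMS before an address is entered, for example by the second person in the four-eyes process. The following is an added example and not Milestone code: it sorts a batch of addresses into accepted and rejected against an allowed set of domains and, for a rejected domain that is close to an allowed one, names the allowed domain the typo most likely intended. The allowed domains and the sample addresses are constructed.

```python
"""Added example, not Milestone code: a recipient check to run before an address
is entered into the VMS, compensating for the missing domain whitelist. The
allowed domains and the sample addresses below are constructed."""
import difflib


def split_address(address: str):
    """(local part, lower-cased domain), or None for something that is not an address."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or "." not in domain:
        return None
    return local, domain.lower()


def check_recipients(addresses, allowed_domains, cutoff: float = 0.8) -> dict:
    """Sort recipients into accepted and rejected (with a reason). A domain that
    is not allowed but close to an allowed one is flagged as a likely typo."""
    allowed = sorted({d.lower() for d in allowed_domains})
    report = {"accepted": [], "rejected": []}
    for address in addresses:
        parts = split_address(address)
        if parts is None:
            report["rejected"].append((address, "malformed address"))
            continue
        _, domain = parts
        if domain in allowed:
            report["accepted"].append(address)
            continue
        # difflib ratio >= cutoff means the domains differ by a few characters,
        # the signature of a transposition or a dropped letter.
        close = difflib.get_close_matches(domain, allowed, n=1, cutoff=cutoff)
        reason = "domain not allowed"
        if close:
            reason += f"; likely typo of {close[0]}"
        report["rejected"].append((address, reason))
    return report


# Constructed allow-list and a constructed batch of addresses for review.
ALLOWED_DOMAINS = ["example.com", "security.example.org"]
SAMPLE_ADDRESSES = [
    "soc@example.com",
    "SOC-lead@Security.Example.ORG",
    "ops@exmaple.com",        # transposed letters: would send video to a stranger
    "guard@gmail.example",    # personal mailbox outside the organisation
    "broken",
]


if __name__ == "__main__":
    result = check_recipients(SAMPLE_ADDRESSES, ALLOWED_DOMAINS)
    for address in result["accepted"]:
        print("OK      ", address)
    for address, reason in result["rejected"]:
        print("REJECTED", address, "-", reason)
```

The check is a gate on data entry, not a substitute for the organizational process: an address that passes it still goes to someone, so the reviewer should confirm that the named mailbox is entitled to receive video and alarms.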

Issue: Notifications are emails that are sent to a specified email address. When creating a notification, the administrator can choose to include a set of snapshots or an AVI of a sequence.

Negative impact on privacy: Because the attached snapshots and AVI sequences in notifications leave the VMS, they are outside the control of the VMS for user access and retention.

Hints for the controller: Since emails and their content leave the user access and retention control of the VMS, it is recommended not to attach images or AVI sequences to email notifications.

If the customer needs this feature, they must at least ensure that there are organizational procedures and controls for who receives the emails and how they are handled. See Handling exported data in notifications and email.