Appendix: The Milestone XProtect VMS system and GDPR

Please be aware: This section describes requirements and restrictions to be a European Privacy Seal (EuroPriSe) certified product. A controller / processor deviating from these requirements cannot point out that he or she is using a product which especially facilitates data protection and GDPR compliance.

Components and devices that are not covered by the European Privacy Seal

The following components are not covered by the European Privacy Seal:

  • Plug-ins available on Milestone marketplace
  • Mobile Server (disabled by default)
  • XProtect® Mobile client
  • XProtect Web Client
  • XProtect Access (disabled by default)
  • XProtect LPR (disabled by default)
  • XProtect Transact (disabled by default)
  • Milestone Interconnect
  • XProtect DLNA Server
  • Milestone Open Network Bridge (secure private-to-public video integration)
  • XProtect Event Server plug-ins
  • Processing of audio data (disabled by default)
  • Processing of metadata (disabled by default)
  • Processing of data from input and output devices (disabled by default)
  • XProtect Corporate basic users
  • XProtect BYOL as provided via https://aws.amazon.com/marketplace/pp/B089DKW36G

For the Milestone XProtect VMS installation to be covered by the European Privacy Seal, these components must not be installed.

In addition, the standard product does not perform facial recognition, behavior analysis, automatic tracking or recognition of persons in the live feed or the recorded media. This functionality is also not compliant with the European Privacy Seal.

This means that when you install the XProtect VMS, do not use the Single computer option in the installer, because this automatically installs the Mobile Server.

Instead, install the XProtect VMS system with either the Distributed or Custom options. These do not install the Mobile Server.

After the XProtect VMS has been installed, the download page on the Management Server will list the additional XProtect DLNA Server and Mobile Server components. Do not install these servers.

Create Users

Do not create basic user types. If you add basic users to your system, the system will not be compliant with the GDPR legislation.

Milestone recommends that you delete all basic users and create these users as Windows Active Directory type users.

Please be aware: Using the basic user type is not covered by the European Privacy Seal.
A VMS configuration with basic user type is not entitled to use the EuroPriSe certified product profile. A controller / processor doing so cannot point out that he or she is using a product which especially facilitates data protection and GDPR compliance.

XProtect relies on Windows mechanisms for authentication and favors a domain controller for user and security management. It is then consistent to delegate the definition of security policies and their enforcement to an Active Directory. This way an enterprise can consistently manage their security and access control policies in one central place. Customers do not have to duplicate security policies in XProtect and keep adjustments manually in sync.

In a workgroup environment, all relevant security policies for Windows accounts are locally administered and enforced on the Windows machine that hosts the Management Server.

For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.

Upgrade guide

If you are upgrading a Milestone XProtect VMS installation version 2018 R2 or earlier, the old logs must be deleted manually for the installation to be GDPR compliant.

After you have upgraded the XProtect VMS, the old logs can be deleted using the information and the tool described in this Knowledge Base article.

Secure network for authentication and data transmission

Design a network infrastructure that uses physical network or VLAN segmentation as much as possible.

Milestone recommends that you select cameras that support HTTPS. It is recommended that you set the cameras on separate VLANs and use HTTPS for your camera to recording server communication, as well as clients to recording server communication.

It is recommended that XProtect Smart Client and XProtect Smart Wall are on the same VLAN as the servers.

Use a VPN encrypted network or similar if using Smart Client or Smart Wall from a remote location.

For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.

Please be aware: Unencrypted and unsecured transport of video data would violate the EuroPriSe seal and lead to the loss of the EuroPriSe privacy seal compliance.

Masking individuals in the case of access

According to GDPR Article 15, the Data Subject has the right to get access to his or her personal data that is being processed, for example, video recordings of the Data Subject.

The Data Subject is granted the right to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing.

Because XProtect VMS does not support automatic identification of individuals, you must put in place additional measures to safeguard the individuals’ rights. In the VMS context, see Appendix: On-the-spot notice.

Moreover, XProtect VMS does not support masking of other moving persons who are recorded together with the claimant for the right of access.

Several Milestone technical partner solutions for dynamic blurring of all or other persons before export can be found on Milestone Marketplace. Alternatively, blurring can be added to single images or video streams either manually or assisted after export. Some companies offer blurring as a service (for example, FACIT Data Systems).

Deleting video recordings partially

According to GDPR Article 17, the Data Subject has the right to ask for the deletion of their data. In the VMS context, this is often not fulfilled due to overriding legitimate interests (fraud detection, health and safety) or other business purposes stated in the Video surveillance policy (see Right to be forgotten (Right to erasure) and Appendix: Video surveillance policy). The Video surveillance policy defines the automatic retention (default 7 days) that ensures automatic deletion of footage, and this must fairly balance data subjects' rights against reasonable business purposes.

If a Data Subject requests their data to be deleted, it is recommended that the Data Controller uses the Data Subject Request example to document the claim (see Data Subject request).

You must delete all recordings from the camera or cameras in question.

To retain all the other recordings that should not be deleted, export all of the data and keep it secure. You cannot restore this data back to the VMS.

Any export must be encrypted and digitally signed, and must exclude the specified time intervals from the specified camera or cameras. That is, export up to the time/date and export after the time/date. This may result in multi-time period backups.

The Smart Client – Player can then be used to view the data.
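
The export periods described above ("export up to the time/date and export after the time/date") can be worked out mechanically for one camera when several intervals must be left out. The following Python sketch is an added example, not part of the Milestone documentation or tooling; it clips and merges the intervals to be erased and returns the periods that remain to be exported. The function name, the recorded span and the erase intervals are constructed for illustration.

```python
from datetime import datetime

def export_windows(recorded_start, recorded_end, erase_intervals):
    """Return the (start, end) periods to export so every erase interval is left out."""
    if recorded_end <= recorded_start:
        raise ValueError("recorded_end must be after recorded_start")
    # Clip each erase interval to the recorded span; drop those outside it.
    clipped = []
    for start, end in erase_intervals:
        if end <= start:
            raise ValueError("erase interval end must be after its start")
        start, end = max(start, recorded_start), min(end, recorded_end)
        if start < end:
            clipped.append((start, end))
    # Merge overlapping or touching erase intervals so no gap is exported twice.
    merged = []
    for start, end in sorted(clipped):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    # Whatever lies between the merged erase intervals is kept and exported.
    windows, cursor = [], recorded_start
    for start, end in merged:
        if cursor < start:
            windows.append((cursor, start))
        cursor = end
    if cursor < recorded_end:
        windows.append((cursor, recorded_end))
    return windows

# Constructed sample: a 7-day recorded span for one camera and three requested
# erase intervals, two of which overlap.
RECORDED_START = datetime(2024, 3, 1, 0, 0)
RECORDED_END = datetime(2024, 3, 8, 0, 0)
ERASE = [
    (datetime(2024, 3, 3, 9, 0), datetime(2024, 3, 3, 9, 30)),
    (datetime(2024, 3, 3, 9, 20), datetime(2024, 3, 3, 10, 0)),
    (datetime(2024, 3, 5, 14, 0), datetime(2024, 3, 5, 14, 15)),
]

if __name__ == "__main__":
    for start, end in export_windows(RECORDED_START, RECORDED_END, ERASE):
        print(f"export {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
```

Each returned period corresponds to one encrypted, digitally signed export of the camera in question, which is why a request with several intervals produces a multi-time period backup.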

It’s recommended that the Data Controller seek legal counsel and conduct both a business impact assessment and a Privacy Impact Assessment (see Conducting an impact assessment) before the right to be forgotten of the Data Subject is executed, since deletion may introduce new business risks that may tip the balance of interest and introduce risks affecting the privacy protection of other Data Subjects negatively.