What is personal data?

To be compliant with GDPR, you must know what personal data is, and limit the collection of that data to only what is necessary.

According to the regulation, personal data is any information relating to an identified or identifiable person.

An identifiable person is someone who can be identified directly or indirectly, by reference to an identifier such as:

  • A name
  • An identification number
  • Location data
  • An online identifier, such as an IP address or cookie identifier
  • User data
  • Video images
  • Or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

Personal data is any type of information that directly or indirectly can be used to identify a natural person (Data Subject). This is the data that can be used to identify the viewed objects of video surveillance, whether that data is collected intentionally or accidentally.

Personal data that is protected by GDPR is:

  • Data that is processed by the IT product or IT-based service (for example, name and address of a person, video image, payment data, health data).
  • Data that is incidentally produced when the product or service is used (for example, usage data, log files, statistical data, data for authorization, configuration data). This data can be personal data of the users of the service, personal data of the people operating the product or service (this may include both staff of the service provider and staff of the users of the product or service), or privacy-relevant configuration data (see Data Controller).

Personal data is defined as any information relating to an identified or identifiable natural person or Data Subject, for example:

  • Full name
  • Home address
  • Email address
  • Phone number
  • Location data
  • Digital identity
  • Vehicle registration plate
  • Driver's license number
  • Credit card numbers
  • Identifiable information, images, etc., such as video recordings and still images
  • User activities, such as that found in log files

This data does not necessarily have only a direct relation to the object. Personal data can also be a quasi-identifier. Quasi-identifiers are pieces of information that are not in themselves unique identifiers, but are sufficiently well correlated with something that they can be combined with other quasi-identifiers to create a unique identifier. Quasi-identifiers are particularly important when it comes to special categories of personal data.

Special categories of personal data include data depicting racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation, for example:

  • Medical history
  • Biometric data (including photos, videos, fingerprints)
  • Criminal record
  • Racial or ethnic identity
  • Genetic information
  • Political opinions and engagements
  • Religious or philosophical beliefs
  • Sexual orientation and history

This is the personal data that is potentially collected by a video surveillance system:

What types of personal data descriptions, stored by XProtect, fall within the scope of GDPR?

Personal data is any type of information that directly or indirectly can be used to identify a natural person (Data Subject). This can be video surveillance streams, a single image or a video sequence combined with location information from cameras and/or layered maps, an access control integration identifying a personal access card and combining it with a specific location, or data from License Plate Recognition (LPR) with or without any location data.

Special categories of personal data come into play when the video surveillance is near hospitals (related to health information), jails (criminal convictions), political activity (union membership), religious activity, or when images reveal sexual orientation (for example, gay bars).

Personal data also refers to user data (operator, supervisor, and administrator) activity and audit logging. This includes XProtect Smart Client personal user logs, including log on/log off timestamps and audit logging of accessed video streams, audio or metadata, as well as playback and export of recordings.

See Inherent risks with using VMS to make sure that you are not impinging on personal rights.