What is GDPR?
The General Data Protection Regulation (GDPR) is a set of rules that govern all forms of personal data that are held by an organization. GDPR gives every individual ownership of their personal data, and, on the organization’s side, introduces accountability at all stages of data processing and storage. GDPR achieves this by providing a number of rights to individuals and putting corresponding obligations on the organizations that process personal data.
GDPR harmonizes data privacy laws across the EU, and it complements existing national CCTV and video surveillance regulations.
Although GDPR is an EU regulation, it affects many other parts of the world.
It applies to the processing of personal data by a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
It applies to the processing of personal data by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union, or to the monitoring of their behavior as far as their behavior takes place within the Union.
Furthermore, many other parts of the world are applying similar privacy protection regulations, based on the core principles of GDPR.
GDPR is enforced through domestic authorities.
There are hefty fines in case of violation:
- Up to 4% of the company's worldwide annual revenue
- Up to €20 million per incident
Who is responsible for making sure an XProtect Video Management System complies with GDPR?
The VMS owner is responsible for complying with GDPR, including:
- Actual installations and the applied usage
- Organizational processes and maturity
- Data breach notification and reporting to authorities
GDPR does not apply to any specific products, but the combination of the product, the data it processes, and the usage of the product and data all affect GDPR compliance.
GDPR has direct implications for installers, system integrators and users of video surveillance technology.
The VMS owner is the Data Controller (see Data Controller).
The Data Controller might outsource parts or the entire VMS operations to a Data Processor, for example a security company. If this is the case, the Data Controller and the Data Processor must have a Data Processor Agreement in place. The Data Processor Agreement states what data is processed, how it is protected, and how long the data is kept (see Data Processor and Appendix: Data Processor Agreement).
Are all video surveillance installations required to comply with GDPR?
GDPR applies to controllers and processors within the European Union, regardless of where the video is actually processed.
Furthermore, GDPR protects the privacy of any resident of the geographical area of the European Union, covers all forms of video surveillance within the EU, and protects citizens of all countries who reside within the EU (GDPR article 3).
For more information about GDPR, particularly as related to video surveillance, see Appendix: GDPR compliance.