Data Processor

If an organization out-sources all or part of its video surveillance activities to a third-party (a Data Processor), it remains liable for compliance with GDPR as a Data Controller. For example, security guards monitoring live surveillance video in the reception area of an organization working for a private company to whom the organization outsourced the task of live monitoring. In this case, the organization must ensure that the security guards carry out their activities in compliance with the GDPR.

To be compliant with GDPR, third-party Data Processors (excluding law enforcement) must:

• Fulfill the same requirements as the operator (see VMS operator)
• Sign and comply with a Data Processor Agreement (see Appendix: Data Processor Agreement).