Appendix: The Milestone XProtect VMS system and GDPR

Please be aware: This section describes the requirements and restrictions that apply to a European Privacy Seal (EuroPriSe) certified product. A data controller or data processor that deviates from these requirements cannot claim to be using a product that specifically facilitates data protection and GDPR compliance.

Components and devices that are not covered by the European Privacy Seal

The following components are not covered by the European Privacy Seal:

  • Plug-ins available on Milestone marketplace
  • XProtect Mobile server (disabled by default)
  • XProtect Mobile client
  • XProtect Web Client
  • XProtect Access (disabled by default)
  • XProtect LPR (disabled by default)
  • XProtect Transact (disabled by default)
  • Milestone Interconnect
  • XProtect DLNA Server
  • Milestone Open Network Bridge (secure private-to-public video integration)
  • XProtect Event Server plug-ins
  • Processing of audio data (disabled by default)
  • Processing of metadata (disabled by default)
  • Processing of data from input and output devices (disabled by default)
  • XProtect BYOL as provided via https://aws.amazon.com/marketplace/pp/B089DKW36G

For the Milestone XProtect VMS installation to be covered by the European Privacy Seal, these components must not be installed.

In addition, the standard product does not perform facial recognition, behavior analysis, automatic tracking or recognition of persons in the live feed or the recorded media. These functionalities are also not compliant with the European Privacy Seal.

This means that when you install the XProtect VMS, do not use the Single computer option in the installer, because it automatically installs the Mobile Server.

Instead, install the XProtect VMS system with either the Distributed or Custom options. This does not install the Mobile Server.

After the XProtect VMS has been installed, the download page on the Management Server will list the additional DLNA Server and Mobile Server components. Do not install these servers.

Upgrade guide

If you are upgrading a Milestone XProtect VMS installation version 2018 R2 or earlier, the old log files must be deleted manually for the installation to be GDPR compliant.

After you have upgraded the XProtect VMS, the old log files can be deleted using the information and the tool described in this Knowledge Base article.

Secure network for authentication and data transmission

Design a network infrastructure that uses physical network or VLAN segmentation as much as possible.

Milestone recommends that you select cameras that support HTTPS. Place the cameras on separate VLANs and use HTTPS for camera-to-recording-server communication as well as for client-to-recording-server communication.

It is recommended that XProtect Smart Client and XProtect Smart Wall are on the same VLAN as the servers.

Use a VPN encrypted network or similar if using Smart Client or Smart Wall from a remote location.

Enable encryption for all communication. For information about securing your XProtect VMS installations, see the hardening guide and the certificates guide.

Please be aware: Unencrypted or otherwise non-secured transport of video data violates the EuroPriSe seal requirements and leads to loss of EuroPriSe compliance.

Masking individuals in the case of access

According to Article 15 of the GDPR, the data subject has the right to get access to his or her personal data that is being processed, for example, video recordings of the data subject.

The data subject is granted the right to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing.

Because XProtect VMS does not support automatic identification of individuals, you must put in place additional measures to safeguard the individuals’ rights. In the VMS context, see Appendix: On-the-spot notice.

In addition, XProtect VMS does not support masking of other (moving) persons who are recorded together with the claimant exercising the right of access.

Several Milestone technical partner solutions for dynamic blurring, either of all persons or of all persons other than the claimant, before export can be found on Milestone Marketplace. Alternatively, blurring can be added to single images or video streams, manually or tool-assisted, after export. Some companies offer blurring as a service (for example, FACIT Data Systems).

Deleting video recordings partially

According to Article 17 of the GDPR, the data subject has the right to ask for the deletion of their data. In the VMS context, this request is often not fulfilled because of overriding legitimate interests (fraud detection, health and safety) or other business purposes stated in the Video surveillance policy (see Right to be forgotten (Right to erasure) and Appendix: Video surveillance policy). The Video surveillance policy defines the automatic retention period (default 7 days) that ensures automatic deletion of footage; this period must fairly balance the data subjects' rights against reasonable business purposes.

If a data subject requests their data to be deleted, it is recommended that the data controller uses a Data Subject Request to document the claim (see Data subject request). For a sample template of a Data Subject Request, see the Milestone Data Subject Request template.

You must delete all recordings from the camera or cameras in question. Before you do so, export all the other recordings that should not be deleted and keep the export secure; exported data cannot be restored back into the VMS.

Any export must be encrypted and digitally signed, and must exclude the specified time intervals for the specified camera or cameras. That is, export the recordings up to the start of the interval and the recordings after its end. Several intervals, or several cameras, result in several export periods.

The exported recordings can then be viewed with XProtect Smart Client – Player.
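The export-period computation described above, as an added example that is not part of the original guide or of Milestone's software. Given the camera's retained recording range and the intervals identified as showing the data subject, it computes the export windows (everything except the excluded intervals), merges overlapping intervals, and ignores intervals that lie outside the retained range. The camera name, dates and 7-day range are constructed; the operator still performs each export in XProtect using the computed windows.

```python
from datetime import datetime
from typing import Iterable

Interval = tuple[datetime, datetime]


def merge_intervals(intervals: Iterable[Interval]) -> list[Interval]:
    """Sort intervals and merge those that overlap or touch, so that the same
    appearance reported twice (or in overlapping reviews) yields one gap."""
    merged: list[Interval] = []
    for start, end in sorted(intervals):
        if start >= end:
            raise ValueError(f"empty or inverted interval: {start} .. {end}")
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def export_windows(retained: Interval, to_erase: Iterable[Interval]) -> list[Interval]:
    """Return the windows to export so that everything in `retained` except the
    `to_erase` intervals is kept. Intervals outside `retained` are ignored;
    several intervals produce several export windows (multi-period export)."""
    r_start, r_end = retained
    if r_start >= r_end:
        raise ValueError("retained range is empty")
    windows: list[Interval] = []
    cursor = r_start
    for e_start, e_end in merge_intervals(to_erase):
        # Clip the exclusion to the retained range.
        e_start, e_end = max(e_start, r_start), min(e_end, r_end)
        if e_start >= e_end:
            continue  # lies entirely outside the retained recordings
        if e_start > cursor:
            windows.append((cursor, e_start))
        cursor = e_end
    if cursor < r_end:
        windows.append((cursor, r_end))
    return windows


def export_plan(camera: str, retained_iso: tuple[str, str],
                erase_iso: Iterable[tuple[str, str]]) -> list[dict]:
    """Operator-facing variant: ISO 8601 strings in, one export job per window out."""
    parse = datetime.fromisoformat
    retained = (parse(retained_iso[0]), parse(retained_iso[1]))
    to_erase = [(parse(a), parse(b)) for a, b in erase_iso]
    return [
        {"camera": camera, "from": w_start.isoformat(), "to": w_end.isoformat()}
        for w_start, w_end in export_windows(retained, to_erase)
    ]


if __name__ == "__main__":
    # Constructed sample: 7-day retention on one camera; the data subject was
    # identified in two overlapping reviews on 3 May plus one interval that is
    # already outside the retention period.
    plan = export_plan(
        "Reception",
        ("2024-05-01T00:00", "2024-05-08T00:00"),
        [("2024-05-03T09:00", "2024-05-03T09:30"),
         ("2024-05-03T09:20", "2024-05-03T10:00"),
         ("2024-04-30T00:00", "2024-04-30T12:00")],
    )
    for job in plan:
        print(f"export {job['camera']}: {job['from']} -> {job['to']}")
```

Each job in the plan is one encrypted, signed export to perform in the Smart Client before the camera's recordings are deleted; an exclusion that covers the entire retained range yields an empty plan, meaning nothing is kept.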

It is recommended that the data controller seek legal counsel and conduct both a business impact assessment and a Privacy Impact Assessment (see Conducting an impact assessment) before the data subject's right to be forgotten is executed, since deletion may introduce new business risks that tip the balance of interests and may negatively affect the privacy protection of other data subjects.

Using geographic backgrounds in XProtect Smart Client

XProtect Smart Client supports geographic backgrounds, that is, maps retrieved from a map service and displayed behind the camera layout.

You risk violating the GDPR if you use any of the following map services, and the installation will not be GDPR compliant within the EuroPriSe certification:

  • Bing Maps
  • Google Maps
  • Milestone Map Service

These services do not provide adequate safeguards regarding the processing of personal data in the US. The customer becomes a (joint) controller for the processing of the user data sent to the map service.

Refer to the EU Commission's official website for any updates following the Schrems II judgment.

As an alternative, it is recommended that you set up the private OpenStreetMap service for the geographic background.

Integrations from registered partners

When a license is activated, Milestone collects data on a "per integration" basis: the XProtect VMS gathers data about the plug-ins and integrations that the customer uses and about their manufacturers.

The data collected from each installation is:

  • Integration name
  • Integration manufacturer
  • Integration version
  • Integration type (standalone, Smart Client, Management Client, Event Server) and the number of instances of each type (that is, how many clients are running the plug-in)

Plugin developers must never use personal names when registering their product. Only use the company name.

The data is only processed by Milestone if the plug-in manufacturer is listed in the marketplace and has approved the processing of the data for the purpose of improving Milestone XProtect Corporate (and not for marketing or market research). If the plug-in is not registered, the data is deleted immediately. The legal basis for the processing is Article 6 (1)(f) of the GDPR, which covers the legitimate interests of Milestone and of the users of the VMS.

Additional safeguards

To better ensure that the Milestone XProtect VMS configuration is GDPR compliant, this list provides you with some additional safeguards to keep in mind when configuring the system.

For each issue below, the negative impact on privacy is described first, followed by hints for the data controller.

PTZ cameras and privacy masking do not work together: the masks do not follow the PTZ movements, so the privacy-enhancing effect of the masking can be circumvented.

Milestone recommends that you do one of the following:

  • Do not use the XProtect built-in privacy masking feature on PTZ cameras, because the mask is static relative to the decoded image pixels and not to the actual direction and zoom of the PTZ camera.
  • Deactivate PTZ functionality when you use masks.
  • Purchase PTZ cameras that support dynamic privacy masking (so the selected areas always are masked no matter the location and zoom of the camera).
Use of microphone or metadata devices may impinge on personal privacy. (In XProtect Corporate, these are by default deactivated.)

The usage of microphones may easily violate GDPR compliance.

Please be aware: Using microphone and metadata devices is not covered by the European Privacy Seal. Their activation would violate the EuroPriSe seal.

Before you activate microphones or metadata devices, you must ensure that you have a clearly justified purpose for collecting data. See Do you have a lawful basis for collecting data?

Operators and administrators can export or copy video data, video archives, configuration back-ups, and audit logs to local hard drives or removable media like CDs, DVDs, USB flash drives, etc. Personal data leaves the governance borders of XProtect VMS. The data is not protected by XProtect VMS's access control mechanisms anymore and it cannot be deleted by XProtect VMS when the retention period is reached. This bears the risk that the data is stored longer than allowed, that it is used for different purposes, and that the confidentiality of the data is violated.

Data controllers shall take technical and organizational measures to protect data that leaves the boundary of XProtect VMS. See Handling exported data for possible measures to take.

Audit log data and other personal data are not encrypted by the product before they are stored in the SQL databases.

Database administrators can access audit log data using database clients. XProtect Corporate cannot control or log this access.

In particular, sensitive audit log data may be disclosed to unauthorized users. See Protecting stored and transmitted data. For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.

Do the following:

  • Implement an adequate role concept for the database administration.
  • Limit the access to the database to authorized personnel only.
  • If possible, activate encryption of the database using the database's own mechanisms (for example, transparent data encryption).
The product implements a back-up feature. This feature backs up the configuration of the VMS but not the audit log database. Physical destruction of the data carrier that holds the audit log database might prevent the data controller from fulfilling its accountability duties when no back-ups of the audit logs exist.

Consider creating audit log database back-ups.

If the data controller decides to create backups of the audit log database, the controller should also establish a process to delete the backups when the retention period is reached and protect them against unauthorized access (for example, by encrypting the backups and locking away the backup media). For more information, see the administrator manual for XProtect VMS.

For some client-to-server and some server-to-server communication, XProtect VMS uses authentication/authorization tokens that are not cryptographically protected, sent over communication channels that are not secured.

Attackers with access to the network could eavesdrop on the tokens and use them to impersonate VMS users or server components. This could compromise the confidentiality of video data or the integrity of the whole system.

Please be aware: VPN and/or HTTPS must be configured to protect non-secure communications in order to be compliant with the EuroPriSe seal.

Do the following:

  • Use cryptographically secure VPNs.
  • Separate networks.
  • Configure the HTTPS address for the Recording Server.

For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide and the certificates guide.
Operating a VPN in split mode might reveal the private IP address of XProtect VMS users. When split tunneling is enabled, users bypass gateway level security that might be in place within the network infrastructure.

Do the following:

  • Use a VPN protocol that encrypts and authenticates the traffic; some legacy VPN protocols provide weak or no encryption of the data exchanged between server and client.
  • Always use full tunneling (disable split tunneling).
  • Use the strongest authentication methods the VPN supports.
  • Use Active Directory to authenticate VPN users.

For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.

The product allows for setting retention times for audit logs, video data, alarms, and other personal data. Setting the retention time to periods that are too long might violate the GDPR requirements for storage limitations (Article 5 (1)(e) and Article 17 of the GDPR). The retention times must be adapted to the processing purposes (see Right to be forgotten (Right to erasure)).
Administrators can configure email recipients that receive video snippets or image stills from the VMS when certain events occur. It is not possible to configure a whitelist of allowed domains for such email recipients, so a typo may lead to a data breach when a third party receives emails with video data and system alarms.

Make the data controller aware of this risk.

Milestone recommends that you establish an organizational process such as a four-eyes principle that reduces the risk for failures when entering email addresses.
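One way to support that four-eyes process, as an added example that is not part of the original guide and not a feature of XProtect (which, as stated above, cannot enforce a recipient domain whitelist): the reviewer runs the intended recipient line through a check against the organization's own list of permitted domains before the administrator enters it in the VMS. The domains and addresses are constructed. Subdomains of a permitted domain are deliberately not trusted, and near-misses of a permitted domain are flagged as probable typos.

```python
import difflib
from email.utils import getaddresses

# Constructed allowlist: the only domains that may receive notification emails.
ALLOWED_DOMAINS = {"example.com", "sec.example.com"}


def check_recipients(raw: str, allowed_domains: set[str] = ALLOWED_DOMAINS) -> dict:
    """Split a recipient field as the administrator would type it and classify
    each address. Malformed addresses and domains not on the allowlist are
    rejected; 'example.com.evil.net' is not a subdomain match for 'example.com';
    a rejected domain that closely resembles an allowed one is reported as a
    probable typo so the reviewer can point the administrator at it."""
    allowed = {d.lower() for d in allowed_domains}
    result = {"ok": [], "reject": [], "probable_typo": {}}
    for _display_name, addr in getaddresses([raw]):
        if addr.count("@") != 1 or not addr.split("@")[0]:
            result["reject"].append(addr or "<empty>")
            continue
        local, domain = addr.rsplit("@", 1)
        domain = domain.lower()
        if domain in allowed:
            result["ok"].append(f"{local}@{domain}")
            continue
        result["reject"].append(addr)
        # e.g. "examp1e.com" vs "example.com": one substituted character.
        close = difflib.get_close_matches(domain, sorted(allowed), n=1, cutoff=0.8)
        if close:
            result["probable_typo"][addr] = close[0]
    return result


def approve(raw: str, allowed_domains: set[str] = ALLOWED_DOMAINS) -> bool:
    """True only if every recipient is on the allowlist; a single rejection blocks the line."""
    return not check_recipients(raw, allowed_domains)["reject"]


if __name__ == "__main__":
    # Constructed recipient line: one lookalike domain and one subdomain trick.
    entered = "soc@example.com, Alice <alice@examp1e.com>, bob@example.com.evil.net"
    report = check_recipients(entered)
    print("approved:", approve(entered))
    for addr in report["reject"]:
        hint = report["probable_typo"].get(addr)
        print(f"REJECT {addr}" + (f"  (did you mean @{hint}?)" if hint else ""))
```

The check is an organizational control, not a technical one inside the VMS: it only helps if the reviewer refuses to enter a recipient line that is not approved, and the allowlist itself must be maintained as part of the video surveillance policy.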

Notifications are emails that are sent to a specified email address. When creating a notification, the administrator can choose to include a set of snapshots or an AVI of a sequence. Because the attached snapshots and AVI sequences leave the VMS, they are outside the VMS's control of user access and retention.

For that reason, it is recommended not to attach images or AVI sequences to email notifications.

If the customer needs this feature, they at least must ensure that there are organizational procedures and controls for who receives the emails and how they are handled. See Handling exported data in notifications and email.