Appendix: The Milestone XProtect VMS system and GDPR

Components and devices that are not covered

The following components are not covered here:

  • Plug-ins available on Milestone marketplace
  • XProtect Access (disabled by default)
  • XProtect LPR (disabled by default)
  • XProtect Transact (disabled by default)
  • Milestone Interconnect
  • XProtect DLNA Server
  • Milestone Open Network Bridge (secure private-to-public video integration)
  • XProtect Rapid REVIEW
  • XProtect Event Server plug-ins
  • Processing of audio data (disabled by default)
  • Processing of metadata (disabled by default)
  • Processing of data from input and output devices (disabled by default)
  • XProtect BYOL as provided via https://aws.amazon.com/marketplace/pp/prodview-ryozifnbg4kas

Upgrade guide

If you are upgrading a Milestone XProtect VMS installation version 2018 R2 or earlier, the old log files must be deleted manually for the installation to be GDPR compliant.

After you have upgraded the XProtect VMS, the old log files can be deleted using the information and the tool described in this Knowledge Base article.

Backup the SQL Server databases

It is recommended to make a backup of the SQL Server database, particularly before starting an upgrade, so that you can restore the previous working installation in case the upgrade fails. Whether the upgrade is made from the XProtect installer or the Management Client, or made through the native SQL Server functions, you must keep the backup data in a secure place and not store it on a cloud drive if the cloud vendor is outside EU, such as Microsoft.

For more information, see the administrator manual for XProtect VMS.

Do not use a managed SQL Server service

While XProtect supports the use of externally managed databases such as Azure SQL Database, this possibly exposes personal data outside the EU. For GDPR compliancy, do not use a managed SQL Server service.

Secure network for authentication and data transmission

Design a network infrastructure that uses physical network or VLAN segmentation as much as possible.

Milestone recommends that you select cameras that support HTTPS. It is recommended that you set the cameras on separate VLANs and use HTTPS for your camera to recording server communication, as well as clients to recording server communication.

It is recommended that XProtect Smart Client and XProtect Smart Wall are on the same VLAN as the servers.

Use a VPN encrypted network or similar if using Smart Client or Smart Wall from a remote location.

Enable encryption for all communication. For information about securing your XProtect VMS installations, see the hardening guide and the certificates guide.

Data collection and privacy settings

While you are able to collect usage data in XProtect Mobile-server, XProtect Mobile-klient, and XProtect Web Client, this may risk violating the GDPR.

From the XProtect Management Client, you can enable usage data collection in the Options dialog box on the Privacy settings tab.

This usage data provides information on crashes and usage statistics. The data is processed using Google Firebase.

If you enable data collection, you risk violating the GDPR by activating Google Analytics.

Processing by Google occurs outside the EU.

Although the data is set to be anonymized, Milestone cannot guarantee that Google cannot derive personal data from the data processed by them.

When conducting a Legitimate Interests Assessment (LIA), refer to the following:

The European Data Protection Board (EDPB) is of the opinion that a consent according Article 49 (1)(a) of the GDPR is not applicable to Google Analytics, because the processing for the purpose of analytics is not an exception (see International Association of Privacy Professionals on Schrems II).

Refer to any updates to the Schrems II judgment by the EU Commission on the official website.

Masking individuals in the case of access

According to Article 15 of the GDPR, the data subject has the right to get access to his or her personal data that is being processed, for example, video recordings of the data subject.

The data subject is granted the right to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing.

Because XProtect VMS does not support automatic identification of individuals, you must put in place additional measures to safeguard the individuals’ rights. In the VMS context, see Appendix: On-the-spot notice.

More so, XProtect VMS does not support the masking of other persons who are moving who are recorded together with the claimant for the right of access.

Several Milestone technical partner solutions for dynamic blurring of all or other persons before export can be found on Milestone Marketplace. Alternatively, blurring can be added to single images or video streams either manually or assisted after export. Some companies offer blurring as a service (for example, FACIT Data Systems).

Deleting video recordings partially

According to Article 17 of the GDPR, the data subject has the right to ask for the deletion of their data. In the VMS context, this is often not fulfilled due to overriding legitimate interests (fraud detection, health, and safety) or other business purposes stated in the Video Surveillance Policy (see Right to be forgotten (Right to erasure) and Appendix: Video Surveillance Policy). The Video Surveillance Policy defines the automatic retention (default 7 days) that ensures automatic deletion of footage, and this must fairly balance data subjects' rights against reasonable business purposes.

If a data subject requests their data to be deleted, it is recommended that the data controller uses a Data Subject Request to document the claim (see Data subject request). For a sample template of a Data Subject Request, see the Milestone Data Subject Request template.

You must delete all recordings from the camera or cameras in question.

To retain all the other recordings that should not be deleted, export all of the data and keep it secure. You cannot restore this data back to the VMS.

Any export must be encrypted and digitally signed, and exclude the specified time intervals from the specific specified camera or cameras. That is, export up to the time/date and export after the time/date. This may result in multi-time period backups.

The Smart Client – Player can then be used to view the data.

It’s recommended that the data controller seek legal counsel, conduct both a business impact assessment and a Privacy Impact Assessment (see Conducting an impact assessment) before the right to be forgotten of the data subject is executed, since deletion may introduce new business risks that may tip the balance of interest and introduce risks affecting the privacy protection of other data subjects negatively.

Using geographic backgrounds in XProtect Smart Client

XProtect Smart Client supports the use of geographic backgrounds. These backgrounds display map backgrounds.

You risk violating the GDPR if you use any of the following map services:

  • Bing Maps
  • Google Maps
  • Milestone Map Service

These services do not provide adequate safeguards regarding the processing of personal data in the US. The customer becomes (joint) controller regarding the processing of the user data.

Refer to any updates to the Schrems II judgment by the EU Commission on the official website.

As an alternative, it is recommended that you set up the private OpenStreetMap service for the geographic background.

Integrations from registered partners

When a license is activated, Milestone collects data on a "per integration" basis. The XProtect VMS gathers data about plugins and plugin manufacturers and about the plugins and integration that the customer uses.

The data that is collected from each installation are:

  • Integration name

  • Integration manufacturer

  • Integration version

  • Integration type (standalone, Smart Client, Management Client, Event Server) and number of instances of each type (that is, how many clients are running the plugin)

Plugin developers must never use personal names when registering their product. Only use the company name.

The data is only processed by Milestone if the plugin manufacturer is listed in the marketplace and has approved the processing of the data for the purpose to improve Milestone XProtect Corporate (and not for marketing and market research). If the plugin is not registered, then the data is immediately deleted. The legal basis of processing is Article 6 (1)(f) of the GDPR, which shows legitimate interests of Milestone and the users of the VMS.

Additional safeguards

To better ensure that the Milestone XProtect VMS configuration is GDPR compliant, this list provides you with some additional safeguards to keep in mind when configuring the system.

Issue Negative impact on privacy Hints for the data controller
PTZ cameras and privacy masking do not work together. The maskings do not follow the PTZ motions. The privacy enhancing effect of the masking can be circumvented.

Milestone recommends that you do one of the following:

  • You should not use the XProtect built-in privacy masking feature on PTZ cameras because the mask is static relative to the image's decoded pixels and not the actual direction / location of the PTZ camera.
  • Deactivate PTZ functionality when you use masks.
  • Purchase PTZ cameras that support dynamic privacy masking (so the selected areas always are masked no matter the location and zoom of the camera).
Use of microphone or metadata devices may impinge on personal privacy. (In XProtect Corporate, these are by default deactivated.)

The usage of microphones may easily violate GDPR compliance.

Before you activate microphones or metadata devices, you must ensure that you have a clearly justified purpose for collecting data. See Do you have a lawful basis for collecting data?

Operators and administrators can export or copy video data, video archives, configuration backups, and audit logs to local hard drives or removable media like CDs, DVDs, USB flash drives, etc. Personal data leaves the governance borders of XProtect VMS. The data is not protected by XProtect VMS's access control mechanisms anymore and it cannot be deleted by XProtect VMS when the retention period is reached. This bears the risk that the data is stored longer than allowed, that it is used for different purposes, and that the confidentiality of the data is violated.

Data controllers shall take technical and organizational measures to protect data that leaves the boundary of XProtect VMS. See Handling exported data for possible measures to take.

Audit log data and other personal data are not encrypted by the product before it is stored in the SQL Server databases.

Database administrators can access audit log data using database clients. XProtect Corporate cannot control or log this access.

Especially, the sensitive audit log data may be disclosed to unauthorized users. See Protecting stored and transmitted data. For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.

Do the following:

  • Implement an adequate role concept for the database administration.
  • Limit the access to the database to authorized personnel only.
  • If possible, activate encryption of the database using database mechanisms.

The backups of the SQL Server configuration database are not encrypted.

Set a system configuration password to protect sensitive account information in extension to encrypting the SQL Server database.

Backups of the SQL Server configuration database are automatically encrypted when the configuration database is password protected.

Protect the overall system configuration by assigning a system configuration password.

After you assign a system configuration password, backups are protected by this password.

The password settings are stored on the computer that is running the management server in a secure folder. You will need this password to:

  • Restore the configuration from a configuration backup that was created with password settings different than the current password settings

  • Move or install the management server on another computer due to a hardware failure (recovery)

  • Configure an additional management server in a system with clustering

For more information, see the administrator manual for XProtect VMS.

The product implements a backup feature. This feature backs up the configuration of the VMS but not the audit log database. A physical destruction of the data carrier that holds the audit log database might prevent the data controller from fulfilling its accountability duties when no backups of the audit logs exist.

Consider creating audit log database backups.

If the data controller decides to create backups of the audit log database, one should also establish a process to delete the backups when the retention period is reached and protect it against unauthorized access (for example, encrypting the backup, locking away the backup media, etc.). For more information, see the administrator manual for XProtect VMS.

Operating a VPN in split mode might reveal the private IP address of XProtect VMS users. When split tunneling is enabled, users bypass gateway level security that might be in place within the network infrastructure.

Do the following:

  • Use a secure VPN connection (a VPN is secure by default, but some old VPN protocols do not encrypt the data exchanged between the server and the client)

  • Always use Full tunneling

  • Use the highest supported authentication protocols (if present)

  • Use Active Directory to authenticate VPN users

For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.

The product allows for setting retention times for audit logs, video data, alarms, and other personal data. Setting the retention time to periods that are too long might violate the GDPR requirements for storage limitations (Article 5 (1)(e) and Article 17 of the GDPR). The retention times must be adapted to the processing purposes (see Right to be forgotten (Right to erasure)).
Administrators can configure email recipients that may receive video snippets or image stills from the VMS when certain events occur. It is not possible to configure a whitelist of allowed domains for such email recipients. A typo might possibly lead to a data breach when a third party receives emails with video data and system alarms.

Make the data controller aware of this risk.

Milestone recommends that you establish an organizational process such as a four-eyes principle that reduces the risk for failures when entering email addresses.

Notifications are emails that are sent to a specified email address. When creating a notification, the administrator can choose to include a set of snapshots or an AVI of a sequence. Because the attached snapshots and AVI sequences in notifications leave the VMS, they are outside the control of the VMS for user access and retention.

Since emails and their content leaves the user access and retention control of the VMS, it is recommended not to attach images or AVI sequences to email notifications.

If the customer needs this feature, they at least must ensure that there are organizational procedures and controls for who receives the emails and how they are handled. See Handling exported data in notifications and email.

When push notification is enabled, the vendor of the mobile operating system (that is, Google or Apple) processes data to deliver the push notifications to the smartphones. Although the content of push notification messages is set to be anonymized, Milestone cannot guarantee that Google and Apple cannot derive personal data from the data processed by them. The vendors of the mobile operating system (that is, Google or Apple) use a message addressing scheme. This scheme involves registration tokens and Installation IDs of the mobile client app. This enables the vendors to deliver the messages to the corresponding apps on the devices. For Google and Apple, the token and the Installation ID are pseudonyms.

According to Article 49 (1)(a) of the GDPR, a consent from the VMS operator is necessary if push notification is activated.

It is recommended to acquire consent or otherwise deactivate push messages.

The XProtect Incident Manager enables organizations to document incidents and combine them with sequence evidence (video and, potentially, audio) from their XProtect VMS. Controllers or operators can create incident reports that contain the textual information added to an incident project. These reports may contain the controller’s or operator’s personal data, that is, their name. When incident reports are made available outside the controller's or operator’s sphere, personal data may be revealed. Controllers or operators should only create reports with clear, identifiable names of the controller or operator when there is a clear need, depending on the purpose and recipient of the report.

Only include the controller or operator names in incident reports if there is a specific and reasonable purpose for including the names.

Controllers or operators should only select the Show user name check box if there is a specific and reasonable purpose for including the names in the report.

Controllers or operators can create alarm reports that contain information about the alarm, including the alarm history and, if available, a still image from the time of the alarm. These reports may contain the controller’s or operator’s personal data, that is, their name. When alarms are made available outside the controller's or operator’s sphere, personal data may be revealed. Controllers or operators should only create reports with clear, identifiable names of the controller or operator when there is a clear need, depending on the purpose and recipient of the report.

Only include the controller or operator names in alarm reports if there is a specific and reasonable purpose for including the names.

Controllers or operators should only select the Display names check box if there is a specific and reasonable purpose for including the names in the report.

Alarm reports may contain images that show bystanders.

If reports are given to third parties, the rights of non-involved bystanders might be violated. Consider to manually blacken or mask the images on PDF reports or printouts.