Who are the key stakeholders of GDPR as related to video surveillance?

When it comes to the GDPR and video surveillance, there are three classes of stakeholders. This section of the document defines each stakeholder and describes their respective responsibilities regarding GDPR.

Data subject

A data subject is any person whose personal data is being collected, held, or processed.

Data subjects are the people viewed by video surveillance, whether they are viewed intentionally or accidentally.

Data subjects also include any registered person involved in the operation of the VMS, for example, operators or named third-party guards.

The key objective of the GDPR is to safeguard the personal data of these data subjects.

Data subject rights

Articles 12 to 23 of the GDPR cover the rights of the data subject.

  • Section 1: Transparency and modalities
    • Article 12: Transparent information, communication, and modalities for the exercise of the rights of the data subject
  • Section 2: Information and access to personal data
    • Article 13: Information to be provided where personal data are collected from the data subject
    • Article 14: Information to be provided where personal data have not been obtained from the data subject
    • Article 15: Right to access from the data subject (see Right to access)
  • Section 3: Rectification and erasure
    • Article 16: Right to rectification
    • Article 17: Right to be forgotten (Right to erasure) (see Right to be forgotten (Right to erasure))
    • Article 18: Right to restriction of processing (see Right to restriction of processing)
    • Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
    • Article 20: Right to data portability
  • Section 4: Right to object and automated individual decision-making
    • Article 21: Right to object
    • Article 22: Automated individual decision-making, including profiling
  • Section 5: Restrictions
    • Article 23: Restrictions

Of these, the rights that are most relevant in the context of video surveillance are:

The right to be informed (Articles 12 to 14 and 34, GDPR)

Article 12 deals with transparency and modalities, whereas Articles 13 and 14 deal with information and access to personal data. These articles provide the data subject with the ability to be informed of what personal data is collected and how long it is retained. In the VMS context, see Appendix: On-the-spot notice.

Article 34 provides the data subject with the right to be informed in case of a data breach if it is likely to result in a high risk to the rights and freedoms of the data subject.

The right of access (Article 15, GDPR)

This right provides the data subject with the ability to get access to his or her personal data that is being processed, for example, video recordings of the data subject.

The data subject is granted the right to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing.

The right to erasure ("right to be forgotten") (Article 17, GDPR)

This right provides the data subject with the ability to ask for the deletion of their data. In the VMS context, the erasure upon the data subjects' requests is exceptional due to the interests of the data controller and the short retention times. (See Appendix: Video Surveillance Policy and Deleting video recordings partially in Appendix: The Milestone XProtect VMS system and GDPR).

The right to object (Article 21, GDPR)

This right provides the data subject with the ability to object to the processing of their personal data. In the VMS context, other interests such as legitimate interests (fraud detection, health and safety), legal obligation (bookkeeping, anti-money laundering), or even contractual fulfillment (employment contracts) may override the interests and rights of the data subject. In all cases, this must be fully transparent so that the data subject knows about the processing and can object. If the data subject objects, the data controller must assess the objection, or it might otherwise face a fine.

Data subject request

Your company must have a process for handling data subject rights requests, for example, executing a right of access request. Such a request must be handled within a reasonable time frame. According to Article 12 (3) of the GDPR, this is “without undue delay and in any event within one month of receipt of the request.” It is recommended to use a Data Subject Request template to document such requests, since the documentation may be vital in a GDPR case with national data protection authorities. For a sample template of a Data Subject Request, see the Milestone Data Subject Request template.

The Video Surveillance Policy describes the data subject request (see Appendix: Video Surveillance Policy).

What is personal data?

To be compliant with GDPR, you must know what personal data is, and limit the collection of that data to only what is necessary.

According to the regulation, personal data is any information relating to an identified or identifiable person.

An identifiable person is someone who can be identified directly or indirectly, by reference to an identifier such as:

  • A name
  • An identification number
  • Location data
  • Online identifier such as IP addresses or cookie identifier
  • User data
  • Video images
  • Or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

Personal data is any type of information that directly or indirectly can be used to identify a natural person (data subject). This is the data that can be used to identify the viewed objects of video surveillance, whether that data is collected intentionally or accidentally.

Personal data that is protected by GDPR is:

  • Data that is processed by the IT product or IT-based service (for example, name and address of a person, video image, payment data, health data).
  • Data that is incidentally produced when the product or service is used (for example, usage data, log files, statistical data, data for authorization, configuration data). This data can be personal data of the users of the service, personal data of the people operating the product or service (this may include both staff of the service provider and staff of the users of the product or service), or privacy-relevant configuration data (see Data controller).

Personal data is defined as any information relating to an identified or identifiable natural person or data subject, for example:

  • Full name
  • Home address
  • Email address
  • Phone number
  • Location data
  • Digital identity
  • Vehicle registration plate
  • Driver's license number
  • Credit card numbers
  • Identifiable information, images, etc., such as video recordings and still images
  • User activities, such as those found in log files

Such data does not necessarily relate directly to the person. Personal data can also be a quasi-identifier. Quasi-identifiers are pieces of information that are not unique identifiers on their own but are sufficiently well correlated with a person that they can be combined with other quasi-identifiers to create a unique identifier. Quasi-identifiers are particularly important when it comes to special categories of personal data.

Special categories of personal data include data depicting racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation, for example:

  • Medical history
  • Biometric data (including photos, videos, fingerprints)
  • Criminal record
  • Racial or ethnic identity
  • Genetic information
  • Political opinions and engagements
  • Religious or philosophical beliefs
  • Sexual orientation and history

The following describes the personal data that a video surveillance system potentially collects.

What types of personal data descriptions, stored by XProtect, fall within the scope of GDPR?

Personal data is any type of information that directly or indirectly can be used to identify a natural person (data subject). This can be video surveillance streams, a single image or a video sequence combined with location information from cameras and/or layered maps, an access control integration identifying a personal access card and combining it with a specific location, or data from License Plate Recognition (LPR) with or without any location data.

Special categories of personal data may be captured when video surveillance takes place near hospitals (health information), jails (criminal convictions), sites of political activity (union membership) or religious activity, or where images reveal sexual orientation (for example, gay bars).

Personal data also refers to user data (operator, supervisor, and administrator) activity and audit logging. This includes XProtect Smart Client personal user logs, including log on/log off timestamps and audit logging of accessed video streams, audio or metadata, as well as playback and export of recordings.

See Inherent risks with using VMS to make sure that you are not impinging on personal rights.

Data controller

In the context of video surveillance, data controllers own and operate the video surveillance systems. A data controller is the legal entity that collects, processes, and shares data about the data subject.

What are the responsibilities of the data controller?

Data controllers are required to respect data protection principles and fulfill certain specific obligations. The data controller must implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. This also includes:

  • Applying and maintaining information security policies and procedures to protect personal data. Such internal policies and processes should be approved at the highest level within the organization and therefore be binding for all staff members.
  • Maintaining an overview of personal data records and processing flows, for example Record of Processing Activities (Article 30, GDPR) and a list of systems and archives that handle personal data (the XProtect VMS system and other systems that hold personal data such as staff records, data processor agreements, etc., including information on how and where personal data flows). For a sample template of a Record of Processing Activities, see the Record of Processing Activities template.
  • Putting in place mechanisms that execute the internal policies and processes, including complaints procedures, to make such policies effective in practice. This includes creating data protection awareness, and training and instruction for staff. Awareness training is available at https://www.milestonesys.com/solutions/services/learning-and-performance/.
  • Defining the Video Surveillance Policy (see Appendix: Video Surveillance Policy). This policy must refer to domestic laws regarding video surveillance.
  • Carrying out the Data Protection Impact Assessments, particularly for certain data processing operations deemed to present specific risks to the rights and freedoms of data subjects, for example, by virtue of their nature, their scope, or their purpose (see Appendix: Data Protection Impact Assessment).
  • Ensuring transparency of these adopted measures regarding data subjects and the public in general. Transparency requirements contribute to the accountability of data controllers (for example, publication of privacy policies on the internet, transparency regarding internal complaints procedures, and publication in annual reports).
  • Publishing the right of information notice to the public (see Appendix: On-the-spot notice). This notice informs individuals who are affected of the purpose of the surveillance, who keeps the data that is collected (data controller), and the retention policy.
  • Assigning responsibility for data protection to designated persons with direct responsibility for their organizations' compliance with data protection laws. In particular, appoint the Data Protection Officer (DPO).

Data Protection Officer (DPO)

Every organization must have an appointed DPO or at least an assigned person responsible for privacy.

From the start, the plans to install or update a video surveillance system should be communicated to the DPO.

The DPO should be consulted in all cases and in a timely manner in all issues which relate to the protection of personal data that are processed when the service is provided or used.

The DPO should be involved in all stages of the decision-making.

The DPO's responsibilities include:

  • Participating in defining the business purpose of the video surveillance, for example, crime prevention, fraud detection, product quality verification or public health and safety, and so forth.
  • Commenting on the organization's draft Video Surveillance Policy, including its attachments, (see Appendix: Video Surveillance Policy), and correcting mistakes and suggesting improvements
  • Assisting in communications with the national or regional data protection authorities
  • Checking agreements with third parties when sharing data. That is, maintaining and managing the Data Processor Agreement (see Appendix: Data Processor Agreement)
  • Drafting compliance reports and carrying out audits to obtain third-party certification confirming that the internal measures adopted for compliance effectively manage, protect, and secure personal data
  • Storing, and keeping up to date, the Record of Processing Activities and the Data Protection Impact Assessments (see Appendix: Data Protection Impact Assessment) every time data protection relevant changes are made to the VMS. For a sample template of a Record of Processing Activities, see the Record of Processing Activities template.

Data controller roles

The following sections describe the responsibilities of the respective data controller roles:

Security officer (VMS supervisor)

Security officers or supervisors are responsible for enforcing a GDPR-compliant environment. Security officers must:

  • Define user permissions (see User permissions management)
  • Enforce awareness training of personnel (see Data protection training)
  • Contact the Data Protection Officer (DPO) if GDPR non-compliance is suspected, for example, in the case of data breach of video materials (see Appendix: GDPR compliance)
  • Apply and maintain a high general security level. For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.

User permissions management

Who should have access to the VMS resources?

Organizations must:

  • Limit user access to a small number of clearly identified individuals on a need-to-know basis.
  • Maintain audit logs of user access and activities.

Access permissions must be limited to a small number of clearly identified individuals on a strictly need-to-know basis. Make sure that authorized users can access only the data to which their access permissions refer. Access control policies should be defined following the principle of “least privilege”: access permission to users should be granted to only those resources which are strictly necessary to carry out their tasks.

When sharing a computer, Milestone recommends that VMS operators do not share the login account to Windows. Each operator should have an individual account.

In addition, VMS operators should not select to remember their password when signing in to the VMS system.

Only the security officer, the system administrator, or other staff members specifically appointed by the security officer for this purpose should be able to grant, alter or annul access permissions of any persons. Any provision, alteration, or annulment of access permissions must be made in accordance with criteria established in the Video Surveillance Policy (see Appendix: Video Surveillance Policy).

Those having access permissions must at all times be clearly identifiable individuals. For example, no generic or common user names and passwords should be allocated to an outsourced security company that employs several people to work for the organization.

The Video Surveillance Policy must clearly specify and document the technical architecture of the video surveillance system, who has access to the surveillance video, and for what purpose, and what those access permissions consist of. In particular, you must specify who has the permission to:

  • View or access the video in real-time
  • Operate the pan-tilt-and-zoom (PTZ) cameras
  • View or access the recorded video
  • Export recordings and audit trails
  • Delete or remove devices (cameras) and delete any recordings
  • Alter any data after initial configuration

In addition, you must ensure that only those needing access to the following VMS features get these permissions:

  • Administrate the VMS
  • Create / edit / view / delete bookmarks
  • Create / edit / view / delete evidence locks
  • Lift Privacy masks
  • Export to defined paths (for example, only export XProtect format with encryption to a shared drive)
  • Read audit logs
  • Start/stop recording
  • Create / edit / delete / activate / lock / release PTZ presets
  • Create / edit / delete / start / stop PTZ patrolling schemes
  • Audio, metadata, I/O and event permissions
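The least-privilege requirements above (no generic accounts, sensitive permissions granted only to individuals the Video Surveillance Policy designates, and only a small number of them) can be checked mechanically against an exported list of VMS accounts. The following is an added example, not Milestone's code or an XProtect API: the user records, usernames, and the approved-holder table are constructed for illustration, and the permission names are simplified labels for the items in the lists above.

```python
"""
Least-privilege review of a VMS permission assignment.

Added example (not Milestone's code). VmsUser records, the usernames and
the APPROVED table are constructed; the permission labels paraphrase the
guide's own lists. How a real XProtect deployment exports this data is
not assumed here.
"""
from dataclasses import dataclass, field

# Permissions for which the Video Surveillance Policy must name the holders.
SENSITIVE = {
    "export", "delete_devices_or_recordings", "alter_config",
    "administrate", "lift_privacy_masks", "read_audit_logs",
}

# Username fragments that suggest a shared account rather than one identifiable person.
GENERIC_ACCOUNT_HINTS = ("guard", "shared", "operator", "reception", "generic")


@dataclass
class VmsUser:
    username: str
    full_name: str                      # "" when the account is not tied to one person
    permissions: set = field(default_factory=set)


def review(users, approved):
    """Return a list of (username, finding) pairs.

    approved maps a sensitive permission to the set of usernames that the
    Video Surveillance Policy explicitly designates for it.
    """
    findings = []
    for u in users:
        # Accounts must belong to clearly identifiable individuals.
        if not u.full_name or any(h in u.username.lower() for h in GENERIC_ACCOUNT_HINTS):
            findings.append((u.username, "generic or shared account; must be an identifiable individual"))
        # Sensitive permissions require an explicit designation in the policy.
        for perm in sorted(u.permissions & SENSITIVE):
            if u.username not in approved.get(perm, set()):
                findings.append((u.username, f"holds '{perm}' without designation in the policy"))
    # The number of actual holders must not exceed the number the policy designates.
    for perm, holders in approved.items():
        actual = {u.username for u in users if perm in u.permissions}
        if len(actual) > len(holders):
            findings.append(("<policy>", f"'{perm}' is held by {len(actual)} users but the policy designates {len(holders)}"))
    return findings


# Constructed sample: one shared guard account and one undesignated exporter.
SAMPLE_USERS = [
    VmsUser("a.jensen", "Anna Jensen", {"view_live", "view_recorded", "export", "read_audit_logs"}),
    VmsUser("b.olsen", "Bo Olsen", {"view_live", "operate_ptz"}),
    VmsUser("guards-shared", "", {"view_live", "view_recorded", "export"}),
    VmsUser("c.lund", "Carl Lund", {"administrate", "alter_config", "lift_privacy_masks"}),
]
APPROVED = {
    "export": {"a.jensen"},
    "read_audit_logs": {"a.jensen", "c.lund"},
    "administrate": {"c.lund"},
    "alter_config": {"c.lund"},
    "lift_privacy_masks": {"c.lund"},
}

if __name__ == "__main__":
    for who, what in review(SAMPLE_USERS, APPROVED):
        print(f"{who}: {what}")
```

Run this against the account list periodically (and after every permission change) and treat every finding as an item for the security officer to resolve or to document as an approved exception in the policy.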

Data protection training

All personnel with access permissions, including outsourced personnel carrying out the day-to-day CCTV operations or the maintenance of the system, should be given data protection training and should be familiar with the provisions of GDPR to the extent that they are relevant to their tasks. The training should pay special attention to the need to prevent the disclosure of surveillance video to anyone other than authorized individuals.

Training of personnel is mandatory and must include:

  • Cybersecurity
  • Export of VMS data
  • Video push

Training should be held when a new system is installed, when significant modifications are made to the system, when a new person joins the organization, as well as periodically afterward at regular intervals. For existing systems, initial training should be held during the transitory period and periodically afterwards at regular intervals.

For more information about GDPR for the VMS operator, see the Milestone GDPR Privacy Guide for VMS Operators and the Milestone GDPR e-learning for VMS Operators.

VMS system administrator

System administrators are responsible for setting up the GDPR compliant system environment. System administrators' tasks include the following:

  • Apply and maintain a high general security level. For more information on how to secure your XProtect VMS installations against cyber-attacks, see the hardening guide.
  • Apply a secure password policy
  • Conduct security audits
  • Ensure devices record according to the defined purpose – for example, on event, motion, always-on, and so forth
  • Ensure recording and audit log retention time is set according to local law and the defined purpose of the VMS
  • Ensure user management (add and remove users)
  • Ensure cameras follow privacy laws and do not record areas that should not be recorded – mask out areas that should not be recorded
  • Contact the Data Protection Officer (DPO) if GDPR non-compliance is suspected, for example, in the case of a data breach of video materials (see Appendix: GDPR compliance)

VMS operator

VMS operators must follow processes and work instructions when accessing data in the system, for example, when viewing video or exporting video, and so forth.

To be GDPR compliant, operators must have the following:

  • A general understanding of GDPR and the rules for data export
  • Training in GDPR

    Operators should have adequate training of the video surveillance system to ensure that the privacy and other fundamental rights of the data subjects caught on the cameras are not intruded upon. They must be taught what the Video Surveillance Policies define (for example, video evidence handout procedures), who to contact if in doubt (escalation point persons such as the supervisor or Data Protection Officer), and so forth (see Security officer (VMS supervisor)).

    For more information about GDPR for the VMS operator, see the Milestone GDPR Privacy Guide for VMS Operators and the Milestone GDPR e-learning for VMS Operators.

Handling exported data

Exporting is done when there has been an incident that requires sharing evidence with authorities. If you have the user permissions to export evidence, you are responsible for handling it securely. Exported evidence is sensitive both because of its contents and because the data leaves the surveillance system. Most likely, there has been an incident that may involve criminal activity, and there may also be sensitive private details in the evidence. When you export it, it is usually stored on removable storage of some kind (USB drive, optical disc, etc.).

If that data ends up in the wrong hands, the privacy of the data subjects in the evidence would be lost.

You should have a clear process for exporting evidence, which covers:

  • Who can export evidence?
  • Where is the evidence stored until handed to authorities?
  • Who has access to it?
  • What format(s) should be used?
  • Whether encryption should be applied (highly recommended)?
  • When is the evidence destroyed?

Data controllers must take technical and organizational measures to protect data that leaves the Milestone XProtect VMS. Such measures could be:

  • Limit the permission to export videos and audit logs to special personnel only
  • Consider encrypting the data before or after it is exported
  • Apply privacy masks before exporting video data, where appropriate
  • Physically protect removable media with personal data on it
  • Establish policies that ensure that personal data is deleted from media according to the retention time
  • Keep a register of removable media – who exported what data to the media? To whom has it been forwarded and for what purpose? Is the recipient informed to destroy the media or to return it after the purpose has been reached? Etc.
  • Use Windows group policies to disable USB ports or media access on the client PCs
  • Monitor the audit logs for unauthorized export events
  • Commit employees to the data protection policy
  • Properly sanitize the media, or physically destroy it if sanitization is not possible (for example, DVDs)

If it is necessary to mask out parts of a camera view from a video sequence that will be shared with third parties, the VMS operator should use the export functionality from Smart Client rather than from XProtect Web Client because XProtect Web Client does not support privacy masking.

See the Milestone GDPR e-learning for VMS Operators for more information on handling data exports.

Handling exported data in notifications and email

In addition to exports, data can also be extracted from the VMS by means of attachments to notifications. Notifications are emails that are sent to a specified email address. When creating a notification, the administrator can choose to include a set of snapshots or an AVI of a sequence. Because the attached snapshots and AVI sequences in notifications leave the VMS, they are outside the control of the VMS for user access and retention. It is recommended not to attach images or AVI sequences to email notifications. If the attachments are necessary, then you must at least ensure that there are organizational procedures and controls for who receives the emails and how they are handled.

VMS operators who are using a mobile device must be aware that media galleries on their device may be automatically backed up to Google or Apple servers, if this is configured on the device. In this case, if there are images of identifiable natural persons, this might lead to an unlawful data transfer to a third country.

To manage this, you should enforce privacy and security policies with Mobile Device Management (MDM) software, and establish safeguards such as those listed in Policies to safeguard use of mobile devices.

Further, you should have a clear process, which covers:

  • Where is the data stored?

    Ensure that the sending and receiving email servers are under the control of the organization that is the data controller / data processor of the video surveillance. In particular, recipients should not be free webmail accounts such as Gmail or Hotmail.

  • Who has access to it?

  • What format(s) should be used?

  • Whether SMTP encryption should be applied?

    Use an SMTP/SMTPS mail server. You must encrypt the connection between the VMS and the outgoing mail servers, as well as between the sending and receiving SMTP servers.

  • When is the data destroyed?

    Milestone recommends that the retention time of video data in the outgoing and incoming mailboxes should be aligned with the retention time of the media database or with the retention time of alarms that may be triggered by the same events that caused the notification.

    Retention time in the mailboxes needs to be limited to a boundary that is reasonable for the purpose behind the notification process.

    Milestone recommends using only mailboxes of the data controller / data processor and configuring automatic deletion of the emails after the defined retention time has been reached.

    Data controllers / data processors should make sure that these mailboxes are not automatically archived by the email system.

Considerations regarding evidence lock

With the evidence lock functionality, client operators can protect video sequences, including audio and other data, from deletion if required, for example, while an investigation or trial is ongoing.

When protected, the data cannot be deleted, neither automatically by the system (after the system's default retention time or in other situations) nor manually by the client users. Neither the system nor a user can delete the data until a user with sufficient user permissions unlocks the evidence.

You must only keep recordings locked as long as there is a valid reason to keep the recordings, for example an ongoing investigation. Keeping recordings indefinitely is not in compliance with GDPR.

Considerations regarding video push

Video push enables the operator to stream live video from a smartphone to the VMS.

Video push is likely to be more intrusive than the more standard, stationary surveillance systems because of its mobility.

Before you decide to use a system with this functionality, it is important that you justify its use and consider whether or not it is proportionate, necessary and addresses a pressing social need. It is recommended that you undertake a data protection impact assessment to demonstrate that this is the case. See Appendix: Data Protection Impact Assessment.

When using devices with video push capability, it is important to know when and when not to record. It is also important to use these devices only within the defined premises of your video surveillance installation, that is, the area that you have covered with signage. It is therefore important that clear signage is displayed, for example on an individual’s uniform, to show that recording is taking place.

Operators using these devices should be provided training about where this feature may be used and how to respect the privacy of people being recorded with video push, such as not recording people in private or vulnerable situations. See Data protection training.

Personal data breach

GDPR defines a "personal data breach" as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."

In the case of a security breach, the DPO must determine whether to notify the Data Protection Authority and the data subjects involved, according to Articles 33 and 34 of the GDPR.

According to Article 33 (1) of the GDPR:

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

If deemed necessary, the controller must post the Data Breach Notification within 72 hours of being made aware of the breach (see Personal data breach). For a sample template of a Data Breach Notification, see Milestone Data Breach Notification template. Data subjects also must be notified if the personal data breach "is likely to result in a high risk to the rights and freedoms of individuals."

Data processors experiencing a personal data breach must notify the data controller, but otherwise have no other notification or reporting obligation under the GDPR.

For information about the other responsibilities of the DPO, see Data controller.

Data processor

If an organization outsources all or part of its video surveillance activities to a third party (a data processor), it remains liable for compliance with GDPR as a data controller. For example, an organization may outsource live monitoring of the surveillance video in its reception area to a private security company whose guards watch the live video. In this case, the organization must ensure that the security guards carry out their activities in compliance with the GDPR.

To be compliant with GDPR, third-party data processors (excluding law enforcement) must: