4 minutes

Protecting Personal Data in Computer Vision: Applying GDPR's Six Data Protection Principles

This article outlines how to apply GDPR's data protection principles to CV technology. It emphasizes transparency, specified purposes, data minimization, storage limitation, accuracy, and integrity/confidentiality.

Wojciech Tubek

CEO @ Surveily

In today's digital world, data protection is critical, particularly when using computer vision (CV) technology. This article will detail how to apply the six data protection principles of the General Data Protection Regulation (GDPR) to CV use, including transparency, specified purposes, data minimization, storage limitation, accuracy, and integrity and confidentiality.

People expect their personal data to be safeguarded in both their personal and professional lives, and the GDPR's principles, originally established in the EU, affect organizations worldwide that trade with or hold data for EU countries. The UK GDPR, which incorporates the EU GDPR principles, has been accepted by the EU as "essentially equivalent" since Brexit. Unlike previous data protection laws that focused primarily on textual information such as bank accounts and staff records, GDPR defines data as "any information relating to an identifiable living individual," including images of people captured through CCTV and AI-assisted CV technology.

However, complying with GDPR does not preclude reaping the benefits of CV. To apply GDPR's six data protection principles to the use of CV, the following guidelines should be followed:

Lawful, fair, and transparent

Notify individuals of the location of CCTV cameras and ensure transparency by displaying signs. In the workplace, back up these signs with briefings and inform workers when still images or film clips might be captured, who will see these, and how they can be used. The most transparent approach would be to show staff examples of the type of information collected, reminding them of their rights. Under EU and UK law, if individuals are identifiable in any recorded video, they have the right to see that video.

Specified, explicit, and legitimate purposes

Ensure that the legal basis for the use of existing CCTV cameras, balancing the legitimate interests of the organization with the privacy rights of individuals, is documented. Adding CV technology changes the purpose of the cameras and might impact the legal basis. Communicate new functions for CCTV to workers and clarify that in the event of an accident, individuals might have to be identified within the video.

Data minimization

Limit information collection to what is necessary for the task, blurring faces of people within video clips to avoid identification when unnecessary. Recording the audio of personal conversations breaches this principle. Look for systems that limit access levels for different staff to meet this principle.

Storage limitation

Identify which clips need to be retained, and blur faces before the safety team or operations manager views them to meet this principle. A written retention policy for any images stored should be in place, and the organization must justify how long the video is kept.


Any CCTV images kept must be accurate, retaining timestamps and locations, and it should be evident if any annotations have been made. Individuals identifiable in images have the right to challenge any labels assigned to them.

Integrity and confidentiality

Avoid placing CCTV cameras in areas such as changing rooms or toilets unless circumstances are exceptional, such as during a criminal investigation. The organizational policy must clearly state who can see original video and who can see anonymized clips. The policy also needs to specify under what circumstances images can be passed to third parties. Ensure that any technology used provides the functionality needed to meet GDPR principles and protects workplace CCTV and recordings made from unauthorized access.

By following these guidelines, organizations can ensure that they can benefit from CV technology while maintaining people's rights and meeting GDPR's six data protection principles.