Customers' insight 12 May 2022
People counting systems and GDPR - All you need to know
If you already have a people counting system in your stores or sites with 3D or 2D sensors or if you are about to purchase one, then you may not think about GDPR straight away. When talking to some of the suppliers, you can be forgiven if you get the impression that GDPR is irrelevant in this context.
Their arguments will be that "there's no need to worry about GDPR as no video recordings or personal data will be stored. Relax, they say - their business is GDPR certified and compliant. So, there's no reason what-so-ever for you to worry.
Is that so? Are they correct in their laid-back attitude? Does GDPR not apply in these situations? Are there some risks involved? And what is a GDPR certificate, really?
Indivd was founded in 2017 as a humanitarian, self-funded research project and is the first and only supplier of people counting systems that has been assessed and approved by the Swedish Authority for Privacy Protection. Based on the above, we fully understand that this all seems a bit complicated.
To help clarify things, this article addresses everything you need to know about GDPR in the context of people counters.
We will explain the benefits of understanding GDPR prior to investing in a people counting system, why GDPR applies to people counters, what you ought to be across before you invest in a system, how you should act vis-a-vis your customers and how Indivd's system deals with the requirements under GDPR.
Why you need to understand the GDPR requirements before buying a people counting system
There are many significant reasons (and advantages) to deal with any GDPR matters before you buy a people counting system, including the following:
- You improve your sustainability because privacy is about sustainability and one of UN:s 17 sustainable development goals.
- You reduce the risk of non-compliance which can lead to fines of up to EUR 20 million or four percent of your global annual sales.
- You increase your customer satisfaction, as 95% of all consumers say privacy is of critical importance to them.
- You reduce your risk of repetitional damages.
- You get peace of mind, as you know you're doing the right thing!
What is a GDPR certificate and what does it mean to be GDPR compliant?
Before we explain why GDPR applies to people counting systems, we need to work out this certificate-matter.
Many suppliers claim they have been granted a GDPR certificate or are GDPR compliant.
It may sound like a great thing and that there's nothing to worry about. However, that's not quite how it works. There are no certificates that release a store or mall from their personal data responsibilities.
It is always you, as person data controller, who is responsible to ensure any personal data processing complies with GDPR, even if the supplier in fact is GDPR-compliant.
They may be correct when they claim they are compliant, but they can only talk for themselves and their business. What's happening in your business is your risk and your responsibility.
Why does GDPR apply to people counters
Most people counting systems use 3D or 2D sensors. This means the people counters and the supplier of your system will process personal data (images of visitors) for yo to be provide statistics and insights.
Many suppliers argue that GDPR does not apply because they do not store the images but delete them or only take images from above.
That's not correct, according to the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten). The authority has previously stated that deletion or anonymisation of personal data is in fact processing of personal data. Therefore, stores and sites need to take GDPR into consideration when deploying people counters.
The data processing carried out by suppliers of people counters, as described above, makes them so-called Personal Data Processors. Simply put, you assign them the right to process personal data (images) on your behalf and under identified situations. These situations shall be spelt out under a Personal Data Processor Agreement.
As Person Data Controller you are required to ensure your organisation complies with GDPR. This is usually done through an impact assessment, where risks and the legal basis are assessed.
The purpose of an impact assessment is to minimise risks, which does not mean that things become risk-free. The Authority for Privacy Protection can still be of the view that the risks are too high or that the processing is disproportionate.
To get some peace of mind, you can request a so-called Prior Consultation at the Authority for Privacy Protection. When a Prior Consultation is performed, the Authority spends several weeks reviewing and assessing whether the planned personal data processing is in breach of GDPR.
Indivd is the first and only supplier of people counters that has requested an assessment of its business, followed by an approved under Prior Consultation. Obtaining this approval was a logical step in our ongoing efforts to achieve our sustainability goals.
What you need to ensure before you install a people counting system
The first thing is to clearly define the purpose of the people counting.
In doing so, consider what type of personal data you're planning to process. Different people counters operate differently. That's why it's important to ask the supplier what personal data their system will collect and process.
- Is it only images, or also other type of data such as data collected via WiFi, Bluetooth or radar?
- Are all personal data erased? To erase an image, it must have been stored in the first place. So how can they ensure that the images really are erased and deleted? What remains stored once the images are erased? Is anything stored that can identify a person? Are you confident any stored data is not personal data or biometric data?
- Is all personal data anonymised? Anonymisation is a technically complicated process. How does this anonymisation work? How can you be confident this anonymisation works? Is it really an anonymisation, or perhaps rather a pseudonymisation?
- Are other data collected at the same time, such as location or time data? All such information is also personal data, and to collect such data there must be a purpose and a legal basis.
Once you have established this ground, there are still many important questions to ask both the supplier and yourself. Some examples:
- In whose interest is the processing performed and why is it important?
- Can the data processing have a negative impact on the shop customers? If the answer is yes, what is the probability and how severe is such impact?
- Are the shop/mall visitors assessed or evaluated in any way? For example, in terms of work performance, financial situation, health, personal preferences or interests, reliability or behaviour, place or movements?
- Are some people likely to object to the processing or find it intrusive?
- Does the processing result in data subjects being systematically monitored?
- Is the processing strenuous?
- Are there other less intrusive ways to achieve the purpose?
- Are you confident that personal data is collected for specific, explicit and legitimate purposes and that they are not processed in an illegal or immoral way?
- Nothing is risk-free. What safety measures do you have in place to reduce/mitigate any underlying privacy risks or damages?
- How well do you handle people's right to correct and erase stored personal data and to objection to or restrict data processing?
The answers give you an idea of the potential risks. Not until you feel completely satisfied and comfortable should you enter into a personal data processor agreement with the supplier. Only then can the installation be carried out.
These and many other questions have been addressed to us for many years. In fact, they are questions we constantly challenge ourselves with. They form the basis for our continuous efforts to ensure the highest degree of privacy.
If you after all these questions still have some matters to address, then we recommend you carry out a proper impact assessment. Please contact us on firstname.lastname@example.org for any questions on how such an assessment is performed.
You should to do the following for your visitors
Since people counting based on 3D or 2D sensors is seen as personal data processing, you have an obligation to inform your customers about the processing through something called first and second layer information.
For a store or mall, the first layer of information is usually provided at entrances, before customers enter the monitored area. You put out a sign clearly conveying important information e.g. Who the personal data controller is, how the data is processed, the purposes of processing and the customers'/data subjects' rights.
You can, as a suggestion, add a URL code on the first layer of information (the sign) to allow the visitors to easily access your second layer via the first layer. You can also add an information booklet about the processing on site.
We have already done the ground work and are more than happy to help our customers deal with these processes quickly and effortlessly. If you have any questions about the information obligations, please feel free to contact us via e-mail at email@example.com.
How Indivd complies with GDPR
Indivd has developed a new type of people counter. It is not only more cost-effective than others on the market, but also more secure as it is based on Data Protection by Design.
Data Protection by Design means we have integrated data protection functionality from the beginning, which leads to better and more cost-effective privacy protection.
We have, as part of our development, been assessed by around 30 experts and introduced clear ethical and privacy policies that all employees must follow. We have, for example, developed an Anonymisation Policy and a safe and secure policy for AI development.
In addition, our people counter is the first and only that has been assessed by the Swedish Authority for Privacy Protection through a so-called Prior Consultation.
In a Prior Consultation, the Authority spends several weeks assessing and evaluating whether the planned personal data processing is GDPR-compliant.
In their findings, the Authority concluded that the processing is lawful and may be carried out subject to GDPR Article 6.1 (f).
Article 6.1 (f) refers to legitimate interests, which simply put means that, in the view of the Authority, Indivd's people counting method minimises the risks in an acceptable manner.
“In our view, the risk for Indivd was low”
Jennie Bård, former lawyer at the Swedish Authority for Privacy Protection and involved in the Prior Consultation for Indivd