top of page

Does GDPR Affect How Computer Vision Utilizes Data?

In recent years, many companies that utilize computer vision have evolved. The introduction of GDPR (General Data Protection Regulation) in 2018 changed how these companies can handle personal data, especially photos or videos of people. These companies must understand how their business can observe stricter-than-ever regulation.

What is GDPR?

On 25th May 2018, the General Data Protection Regulation (GDPR) came into effect. This regulation aims to give individuals more control over how personal data is processed. Although GDPR is a European Union regulation, it also affects companies based outside of the EU, if the company processes personal data of EU citizens. For instance, if a US-based camera surveillance company collects images of EU citizens, the company must follow the rules set out by GDPR when dealing with data of EU citizens. Since it is impossible to predict when EU citizens will walk by and implement measures only when EU citizens are around, the company should follow the rules at all times. Therefore, the new regulation has a global impact.

With the launch of GDPR, companies now hold greater accountability for the processing of personal data, and they need to ensure that every step of data processing is GDPR-compliant.

What is personal data?

The first step to ensuring that the company is GDPR-compliant is to understand what kind of data constitutes personal data. According to GDPR, personal data is “any information relating to an identified or identifiable natural person.” The key aspect of determining whether any data is personal data is whether the data can be traced back to a person. Email address, phone number, name, IP address, and location data are all examples of personal data. A new emerging type of personal data that is of interest to computer vision companies is photographs or video clips of people, which are also categorized as personal data because they can be used to identify individuals.

Computer Vision is Not Exempt From GDPR

Since many computer vision companies deal with personal data, such companies cannot be exempt from the rules outlined by GDPR. Companies utilizing such data need to make sure that every step of their business process conforms to the guidelines set out in GDPR.

These are some methods to ensure such companies are GDPR-compliant.

Anonymization and Pseudonymization

Anonymization and pseudonymization of personal data are some of the most commonly used methods to simplify the strict regulations set out by GDPR. Anonymized data has been completely stripped of any identifiable information and is impossible to trace to an individual. Pseudonymized data is data that cannot be traced to an individual by itself but may be able to trace back to an individual with additional information. Anonymized data does not fall within the restrictions of GDPR, and pseudonymized data allows for a more lenient standard for data processing.

To ensure data privacy, many computer vision companies transform images of people into numerical representations, and only the numerical data is further processed to generate meaningful information for companies, such as demographics of people. The essence here is that such data should not be reversible back to the original image or video stream of the person.

User Consent

Since GDPR is all about increasing transparency and letting the customers know how personal data is processed, companies are required to provide customers information about data collection and obtain their consent.

Some companies use facial recognition technology to measure the frequency of customer visits or customer retention rate in retail stores. Since this would require the storage of personal data and identification of individuals, companies would have had to obtain explicit consent from customers. Such companies can only process personal data of customers who have given them consent, for example, through memberships or loyalty schemes. When obtaining consent, companies must inform customers of specific information on the purpose of data collection, what kind of data they are collecting, and how the data will be processed and shared. Customers must also be free to withdraw the consent anytime, and companies should immediately discontinue the processing of personal data and erase any existing data of such customers.

Safe Data Storage and Sharing

Companies should ensure that they are implementing the strictest rules to guarantee data security at all stages, including data storage, transmission, and processing.

For example, video analytics companies only store metadata, such as demographics, but do not save the original image or video stream that can be used to identify individuals. When there is a need for companies to store data, such as for facial recognition, companies take additional measures to securely encrypt such data and prevent any unauthorized access through various means such as password login.


The implementation of GDPR was inevitable since there have been increased concerns over the use of personal information in recent years. Customers place more confidence in companies that have strict regulations regarding data processing and security, so implementing high standards allows companies to collect quality information without infringing on data privacy. Companies, therefore, must design their processes so that personal data is used only for legitimate purposes and is securely processed in every step.

Please bear in mind that the content in this article should not be taken as legal advice. Please consult a qualified legal professional to seek advice on data protection matters if your company needs to process personal data.


Cyclops is a retail analytics system that can help retailers generate insights into how their customers shop inside their stores. To understand more about how Cyclops can help retailers digitally transform their stores amid the COVID-19 pandemic, visit our website:


댓글 작성이 차단되었습니다.
bottom of page