10 simple steps to use people counting and comply with the GDPR
There are two legal parties when using people counting: a controller and a processor. The personal data controller is the party who decides the purpose of the processing and how the processing is to take place. The personal data processor is the party who processes personal data on behalf of the controller.
For people counting, the organization that has the cameras and uses the people counter is the personal data controller while the technology provider, such as Indivd AB, is the personal data processor.
This means that the controller gives the technology provider an assignment to process the image data. Processing personal data is about following the law and ensuring that customers and visitors can trust the processing. That is why we recommend that everybody follow the GDPR, be transparent about the processing of personal data, keep the information clear and simple, and use experts in case of uncertainty.
This article is a simplified guide to what an organization needs to do to comply with the GDPR. Always consult an external expert if you feel uncertain and need help.
Legal obligations when using people counting
1. The controller shall implement appropriate technical and organizational measures. One example is to use and update your Privacy Policy with information on the processing procedures and purpose.
2. Check whether you need to assign a Data Protection Officer. One reason you would need a Data Protection Officer could be large-scale processing of personal data.
3. Create a record of the processing of personal data. It should include the purposes, categories, recipients, lawful basis, security measures, rules for data retention, etc.
4. Introduce routines and processes for deleting personal data, since you are not allowed to store personal data forever. Keep in mind that different types of personal data and different kinds of processing have different requirements and standards. You should also have routines in case someone asks for an extract from the register. Some technologies, such as Indivd's people counting, are based on data protection principles and therefore never store any image data.
5. You need to protect the personal data that you store. Consider introducing IT and information security policies, since your own staff and their routines are probably one of the biggest security risks.
6. You need to have routines for dealing with incidents. Consider creating a policy that defines how you should act if something happens.
7. You must conduct a data processing impact assessment if your planned processing is likely to lead to a high risk to the rights and freedoms of natural persons. You are also obliged to conduct a data processing impact assessment if your planned processing is on a large scale. Turn to an expert if you do not have the necessary skills to do this yourself. This is something we at Indivd assist all our customers with.
8. You must inform all registrants about every processing you do, in both the first and second layer. This means you need to have a sign at every entrance and update your privacy policy to define the processing.
9. You need to sign a data processing agreement with your technology provider, since you are giving another organization the assignment of processing personal data (images) on your behalf.
10. You should ensure that your existing agreements comply with the GDPR.