Great read. Not just from a Dahua perspective but with relation to GDPR in general. It's not just what you buy, it's how you deploy it.
Dahua Products Are Not GDPR Compliant, No Products Can Be
Dahua products are neither GDPR-compliant nor certified, contrary to their marketing.
*** ****** ** **** ** ******** can **, ** *** ** **** not '*******' *** ******* ******** ** 'compliant'.
** **** ****, ***** ** *** **+ **** **** *** ***** ************ Guide, ** ******* **** ***** ** doing ****, *** ** ** ********** and *** ***** *** ***** ************* can ****** ******* ****.
Announcement *** *****
*** *** ****** *** ****’* ******** implementation **** ** *** **,***** ************* *** ** ******* *** ***** products **** **** **** “*********” ** “comply **** *** ****” ***Ü* *********. ***** ******* **** ********* *** *** their “********* ** ********” ***** *** “**** GDPR ******** [***]."
Who ** ‘**********’ *****?
*Ü* ** * *******, ***-****** ******* ** Germany **** ******** *****-***** ************** *** inspections ** ***** **********. ** ** not **** ** *** ** ********** or *** **** *********** *********. *Ü* *** ************ ****** ** ***** ** bolster *** ******** (**** ***** ***** media: *** ********* ***** ****** ** ***** Market.)
***** ***** ******* ** *** *** “first ** ****** ***** ************ ********” to ******* **** ************* *****Ü*, ****** ******* ************ ************ ******* **** the**** ***** * *** ****** ***** **** *** **** ******* *Ü*.
'Derived ****' ****, *** ****
*Ü* ********* ****** **** *** ******* ************* ******* “*** ******* **** *** ** ****,” rather **** ******** **** ******* ****** proof ** **********, ** **** ******.
GDPR *** *************
***** *** **** ********** ************* ** *** ******* **, ** **** *** ******* *** requirements **** ******** ** ********* *** establish *** ****** ********** **********. ************, ************* ** ***** *** **** controllers *** ********** ** **** "******* and *********** ***********" ********* "*********** **********" - it ** *** ***** *** ********.
******* **’* ******* * ****** **** any ************* ******* **** ** “********* *** ********* *** * ******* that ** ***********”. *******, *****’****** ******* [**** ** ****** *********]** ******* ***** ** *** ******* about ******* *** ** ******** ************* plus ** *** **** ******* ******* from *Ü* ****** ** *** ******* and TÜV *** *** ********* ** *** multiple ******** *** ******* ** ****.
No ****** ** ***** **************
******** *Ü*'* ************* *** ******* ********* ***** ** ***** weight *** ** *** ****** * firm’s ********* ** **** ********* **** wrong ********* **’* ******* *********:
False ***** ** ********
** ********* *** ******** **** *********, Dahua ***** ******* ******* **** ******** they *** ********* ******* *** ****’* potentially **** *****.
*** **** ********* ***** ** ** ** *% of ****** ********** ********** ***** ** ***** ** **** violated *** *****. ** ********* ** IPVM’s**** *****, ***** ***** *** *** ********* standards *** ******* ********** **** ********* authorities **** *****’* * ****** ** providing ****** **** ***** ******** **** if *********.
*** ***** *******, **’* *** ******** for * ****** ** ** ‘****-*********.’ There *** ****** ** ******** ** official ****** ** ********* ****. **** is ****** *** ***** ******* ****** no ******* ** ******* *** ***** products *** ****-********* ** *** ***** place.
Other ************ ******
***** ***’* *** **** **** ******* third-party **************. *** *******,******* ********* **** **** **** *** image ******* ******** ** “*********” ** “****-*****” *** ******* *** **** ******** ** its ******, ******** ** ** * specific **** ******* ******* ***** ******** the ***** ** *** ******** [**** ** ****** available], contra *****,**** *** ******** **** “********* ** comply **** *** ****”.
***, ** ********* *****, ******* ******** effectively *** **** ***** ******* **** the **** ******* * *** ******.
*******, ***** ** * ****** ************* are ** **** ** ******* ***** certifications. **’* ***** ********* *** ********** clients, *** ****** ********** **** *** GDPR ******.
What ** **** *** ** ******** ***** ****
******* ** ******** ** ‘**********’ ******* lines, ** **** *** ** ****** you *** ********* **** *** **** is ** *** * *** ***** questions **** **:
- **** *** ******* ******* ************* **** practices *** ********** ******** ** ****** personal **** ******** *** *******? (*** **** ********** ******* ****** ******’* ******** **** ***’* compromised. ***** *** * ******* ******* *****, ********* *** ** ******** ****** *********, ***** * ******** ******** ****** unauthorized ***** ****** *** *********** *** ****** *******.)
- ** *** ******* **** ** ********* large ******* ** ****** ***************, **** it **** **** ********/******* ********** ************? (*** **** ********** “****************”** ***** ********** ** **** ****** peoples’ *******. **** ********** ** *** a ****** ******* ** ***** *******.)
- ** **** ** * ******** **** breach, ** ***** * ****** ** inform *********** *** ******* ** **** as ******** ********? (**** ********** **** inform ******* “******* ***** *****” ***** ******** ***** ** * personal **** ******. ***** ********** ************* ************ ******** *****.)
- ** ***** * ********** ****** ******** when ****** *********** ** ***** ********* techniques *** ***** ****? (********* ************* ********** **** * *** ********* exceptions.***** ** **** ******* ** ****** ************** ************* **** * *** ******** ******* through * ******* **** ** * minutes ** * *************.)
*********** *** *** ***** ****** ****** equipment **** **** ******* **** ******* to *** ********* *****. ** **** *** matter ** ***** *** “****-*********” ** someone.
Update, *** **:***** **** **** *** *********, **** added *** ********* **** ** ********* that ***** *** ****, ************* ** ******** *** data *********** *** ********** ****** **** actual ********:
"************, ************* ** ***** *** **** controllers *** ********** ** **** '******* and *********** ***********' ********* '*********** **********' - ** ** *** ***** *** products."
******, *** **:*********** *** ** ***** ***** ** Europe***** ******** ** ***** *** "*****" to ** ********* ** *Ü* ** its *****.
I've checked my emails but don't seem to have received IPVMs updated T&C's for my acceptance, that are required by GDPR. Could it be that IPVM are now contravening the GDPR? Surely not.....
On a practical note, the whole thrust of how GDPR affects CCTV is in regards to the protection of the data stored and the justification for gathering it and retaining it.
I'm sick of idiots claiming their equipment is GDPR compliant. My ashtray is compliant....so what? It's all about data, not about hardware.
GDPR does not actually state that emails should be sent out with revised T&Cs. All it has done is drive a massive amount of additional 'almost spam' notification emails. Companies should have thought about this more carefully placing notices on websites confirming acceptance rather than cramming the Internet!
That is only correct where the existing T&Cs relating to the use of personal data are already 100% GDPR compliant. In the vast majority of cases, this has required changes to be made - hence the ridiculous amount of emails. I’m fairness GDPR has been on the way for many years so the last minute dash had been entirely unnecessary. It still leaves the question as to whether IPVM are ahead of the game or behind - only s bedtime read of the T&Cs will confirm this - or of course, Jon could confirm?
Who assesses if the GDPR is 100% compliant? The point i am making is that everyone has had over two years to get their act together. Yes, there is significant scaremongering, however, the plethora of emails requesting acknowledgement is ridiculous. in most cases i delete them as i know who i want to be registered with and unsubscribe if i do not. Simple as that. Let us all stop these bloody GDPR emails. Please.
Can't agree anymore. The number of emails flying in is simply ridiculous. The scaremongering with massive fines has definitely put the 'fear of god' in to may DPOs in the various organisations. When it comes to CCTV I am looking at this as GDPR 1.0 and I would imagine that GDPR 2.0 would not be far away after a few court cases go horribly wrong for example.
It's worrying though as we have been asked are your products GDPR compliant yes or no many times. It shows that there is a lot left to do when it comes to educating the market.
It seems like every time these regulatory requirements come up there is a company willing to cash in on a false certification.
Agreed, they're banking on customers taking their word for it, rather than doing the kind of research we can be glad IPVM does.
It's like they're willing to lie to get in the door to sell their products, without any thought to what the backlash may be if the same customer finds out they aren't compliant after spending all of that money.
Our experience with Dahua is that they are highly incompetent. I am not excusing what they did with this press release but that's certainly a factor that they don't understand technical details or consider nuances in marketing, etc.
When you look at TUV's marketing, it is pretty clear TUV understands that they cannot directly claim GDPR compliance or certification, so they use qualifications like 'derived from'. By contrast, Dahua misses it. My best guess it is a combination of incompetence and willful ignorance.
Our experience with Dahua is that they are highly incompetent. I am not excusing what they did with this press release but that's certainly a factor...
Only with Dahua could calling a company “highly incompetent” be confused with making an excuse for them ;)
Black image from the camera should be GDPR compliant, no?
Genetec was more cautious in its claims, limiting it to a specific GDPR related feature while avoiding the claim in its headline, contra Dahua, that its products were “certified to comply with the GDPR”.
Still Genetec does make the compliance claim,
Additionally, this re-certification comes with the special distinction that the Privacy Protector software is 'GDPR-ready', meeting the highest certifiable compliance with the European Union (EU) privacy standards," added Meissner.
For a software or hardware product to obtain the 'GDPR-ready' European Privacy Seal, the source code is tested to ensure that there are no vulnerabilities that can be exploited or hacked to suspend privacy protection (destructive anonymization), assuring that product conformity with the GDPR is verified. It is crucial that the examination is conducted by an independent and impartial institution, and that all criteria are made public. The EuroPriSe seal is valid for two years and must be re-awarded after its expiration. This assures that the product always complies with the latest EU privacy laws and policies.
Minimizing Genetec’s culpability because they didn’t put it in the headline doesn’t seem to square with
The reason is that no products can be, as the EU does not 'certify' nor endorse products as 'compliant'.
In any event, do you think that they purposefully avoided putting the claim in the headline for that reason?
Putting something in a headline is far more powerful than putting it midway through the body, simply because headlines get read 10x or more than sentences in the middle of an announcement.
Let's try another scenario. Dahua does not issue this press release but an RSM tells you personally at an ADI counter that they are GDPR compliant. Both are wrong but clearly this later scenario is far less serious / misleading than being the title of a marketing campaign.
Putting something in a headline is far more powerful...
Agreed, more powerful. Both were official corporate communications however. Also, I don’t think that Genetec didn’t put it in the headline to be less misleading.
In any case, unless Genetec and Dahua, et al are to retract their compliance claims, there is simply no excuse for them to continue to dissemble.
Catch 22
gdpr still needs work to be cctv specific
if you request your image other people in frame are supposed to be masked out
the courts would view that as being able to tamper with evidence