GDPR For Access Control Guide

By: IPVM Team, Published on Jul 03, 2018

Electronic access control is common in businesses plus organizations are increasingly considering biometrics for access control. With GDPR coming into force this Spring, it is important to understand how this will impact these systems.

IPVM has already published an extensive guide about the GDPR’s effect on video surveillance. This new 13-page guide covers GDPR’s effect on the access control industry since much of the data collected for access control purposes – e.g., names, addresses, fingerprints – are personal data whose processing is clearly regulated by the GDPR.

The guide has the following core sections:

  • Where Access Control Providers Fit into GDPR categories of controllers and processors
  • Why Processors Aim To Keep Distance
  • Legal Basis for Processing Access Control
  • Impact of Biometrics on Access Control GDPR Requirements
  • Dealing With Employees Who Refuse Biometrics Consent
  • Access Control Systems Excluded From Biometrics Claim
  • Guidelines for Storing Access Control data
  • Handling Right to be forgotten/Right to information requests for access control systems
  • Encrypting / Anonymizing access control information
  • Concerns with AD / LDAP integrations
  • Data breach response for access control
  • Data Protection Impact Assessments for access control systems
  • Dealing with Data Specific to Access Control, e.g. Physical Activity Log
  • Manufacturer GDPR guides including Avigilon, Brivo, Genetec, Lenel, Paxton, RS2, S2, Tyco

Introduction

To start, it’s important to realize that the GDPR is a broad set of regulations which do not mention particular industries, including access control or its products.

Therefore, anyone claiming to provide “GDPR certification” for particular products in access control or any other industry is wrong. (See IPVM’s previous report: Dahua Products Are Not GDPR Compliant, No Products Can Be.)

Data Controller and Data Processors

The GDPR creates two distinct categories – data controllers and data processors. Controllers are the firms which gather and control the use of peoples’ personal data, and processors are the ones who process that data on behalf of controllers.

The distinction is important as data controllers typically have more responsibilities under the GDPR; for example, only controllers have a duty to report data breaches to authorities.

Access Control GDPR Category Examples

As in video surveillance, access control end users would typically be considered “data controllers.” For example, if a pharmaceutical company buys an access control system for a new building and its employees, the pharma company is the data controller.

Data processors are the companies which handle the personal data collected by end users. For access control, in most cases this means firms like Genetec, Lenel, Software House, S2 Security, etc..

Access control integrators/installers could also be considered data processors depending on whether they handle their end users’ personal data or not. For example, an integrator with temporary access to employees’ personal addresses for maintenance purposes would be considered a data processor in this instance.

Processors Keep Distance

Many data processors in the access control industry emphasize that they can only provide the means to comply with the GDPR’s provisions, rather than assuring compliance in and of themselves.

Because access control involves data which is very easy to immediately identify people with (unlike video surveillance), processors are keen to distance themselves from end users/data controllers in case those end users mishandle the data.

For example, S2 Security says in its public GDPR guide that it may not be considered a data processor in some cases because “on-premises deployments of access monitoring and video management systems often do not involve a Data Processor because the Data Controller handles all personal data.” S2 is correct when it comes to on-premise deployments.

However, it is worth remembering that firms providing cloud-connected access control solutions would be considered data processors under the GDPR. Moreover, as more systems are moving to the cloud, either for hosting, management or access, access control providers are more likely to fall under the data processor category.

Main Points of Compliance for Access Control

Legal Basis of Processing

********** ****** ******* ** common ** ********** **** ************* are ************ *********** ********** *** access *******. **** **** coming **** ***** **** Spring, ** ** ********* to ********** *** **** will ****** ***** *******.

**** *** ******* ********* an********* ***** ***** *** GDPR’s ****** ** ***** surveillance. **** *** **-**** ***** covers ****’* ****** ** the ****** ******* ******** since **** ** *** data ********* *** ****** control ******** – *.*., names, *********, ************ – are ******** **** ***** processing ** ******* ********* by *** ****.

*** ***** *** *** following **** ********:

  • ***** ****** ******* ********* Fit **** **** ********** of *********** *** **********
  • *** ********** *** ** Keep ********
  • ***** ***** *** ********** Access *******
  • ****** ** ********** ** Access ******* **** ************
  • ******* **** ********* *** Refuse ********** *******
  • ****** ******* ******* ******** From ********** *****
  • ********** *** ******* ****** Control ****
  • ******** ***** ** ** *********/***** to information ******** *** ****** control *******
  • ********** / *********** ****** control ***********
  • ******** **** ** / LDAP ************
  • **** ****** ******** *** access *******
  • **** ********** ****** *********** for ****** ******* *******
  • ******* **** **** ******** ** Access *******, *.*. ******** Activity ***
  • ************ **** ****** ********* Avigilon, *****, *******, *****, Paxton, ***, **, ****

************

** *****, **’* ********* to ******* **** *** GDPR ** * ***** set ** *********** ***** do *** ******* ********** industries, ********* ****** ******* or *** ********.

*********, ****** ******** ** provide “**** *************” *** particular ******** ** ****** control ** *** ***** industry ** *****. (*** IPVM’s ******** ******:***** ******** *** *** GDPR *********, ** ******** Can **.)

Data ********** *** **** **********

*** **** ********** ******** **********– **** *********** *** data **********. *********** *** the ***** ***** ****** and ******* *** *** of *******’ ******** ****, and ********** *** *** ones *** ******* **** data ** ****** ** controllers.

*** *********** ** ********* as **** *********** ********* have **** **************** ***** the ****; *** *******, only *************** * ****** ****** **** ******** to ***********.

Access ******* **** ******** ********

** ** ***** ************, access ******* *** ***** would ********* ** ********** “data ***********.” *** *******, if * ************** ******* buys ** ****** ******* system *** * *** building *** *** *********, the ****** ******* ** the **** **********.

**** ********** *** *** companies ***** ****** *** personal **** ********* ** end *****. *** ****** control, ** **** ***** this ***** ***** **** Genetec, *****, ******** *****, S2 ********, ***..

****** ******* ***********/********** ***** also ** ********** **** processors ********* ** ******* they ****** ***** *** users’ ******** **** ** not. *** *******, ** integrator **** ********* ****** to *********’ ******** ********* for *********** ******** ***** be ********** * **** processor ** **** ********.

Processors **** ********

**** **** ********** ** the ****** ******* ******** emphasize **** **** *** only ******* *** ***** to ****** **** *** GDPR’s **********, ****** **** assuring ********** ** *** of **********.

******* ****** ******* ******** data ***** ** **** easy ** *********** ******** people **** (****** ***** surveillance), ********** *** **** to ******** ********** **** end *****/**** *********** ** case ***** *** ***** mishandle *** ****.

*** *******, ** ******** says ***** ****** **** ********* ** *** *** be ********** * **** processor ** **** ***** because “**-******** *********** ** access ********** *** ***** management ******* ***** ** not ******* * **** Processor ******* *** **** Controller ******* *** ******** data.” ** ** ******* **** it ***** ** **-******* deployments.

*******, ** ** ***** remembering **** ***** ********* cloud-connected ****** ******* ********* would ** ********** **** processors ***** *** ****. Moreover, as **** ******* *** moving ** *** *****, either *** *******, ********** or ******, ****** ******* providers *** **** ****** to **** ***** *** data ********* ********.

Main ****** ** ********** *** ****** *******

Legal ***** ** **********

[***************]

*** ****’******** ******* ******* ***** ***** for **** **********, ** which *** ** *** following ***** ** ****** control:

  • *** **** ******* *** given********* *** ********** ** his ** *** ******** data *** *** ** more ******** ********
  • ********** **necessary *** *** *********** ** * ********** ***** *** **** subject ** *****
  • ********** ** ********* *** the *********** ** * task ******* ***in *** ****** ********** ** *** ******** of ******** ********* ****** in *** **********
  • ********** ** ********* *** thepurposes ** *** ********** ********* ******* ** *** ********** ** ** * ***** *****, ****** ***** **** interests *** ********** ** the ********* ** *********** rights *** ******** ** the **** ******* ***** require ********** ** ******** data, ** ********** ***** the **** ******* ** a *****.

Biometrics *** *******

********** (************, **** *****, facial ***********, ***) *** ** area **** **** ****** find ****** ******* ***** needing ** ****** **** the ****’* ********* ******* requirements.

********** ********* ** ********** under *** **** **** several **********. *** **** that ***** ***** ** access ******* *** “*********** public ********” *** “******** consent.”(******* *).

*********, ****** ** ****** control **** *** *********** their ********** ********* *** a “*********** ****** ********,” it ***** **** ** make *****, ******-*****, *** informed ******* * ********. That *****:

  • ******* ***** **** ** written** * *******, ***********, intelligible *** ****** ********** form, ***** ***** *** plain ******** (******* *)
  • **** ******** *** ******* and ***“******** *** ** *** consent ** *** ****” with ****(******* *)
  • ** ****** ********* *, *** ******* ***** must ******* **** **** of ********** *** ***** used *** ***
  • ******* **** ** “****** given”, *.*. “******* ****** *** ** regarded ** ****** ***** if *** **** ******* has ** ******* ** free ****** ** ** unable ** ****** ** withdraw ******* ******* *********.” (******* **.)

**** ***** ** * consulting **** ** ********** access ******* *** *** employees ***** ******** **** scans, ** ***** ** obtain ********, *****, *** freely-given ******* **** ****.

Refusing ******* *** **********

************* *** **** * problem **** ********* ** people ** ***** *********-***** access ******* ****** ** ******* ** ******:

******* ****** *** ** regarded ** ****** ***** if *** **** ******* has ** ******* ** free ****** ** ** unable ** ****** **withdraw ******* ******* *********. [emphasis added]

** **** ***, ** is ******** **** ** organization *** **** ** punish ***** *** ** not **** ******* *** ***** biometric *********** ** ** used. ** *********** *** require ***-********* ***** ****** control *** ***** *** deny *******.

**** *****, ** **** of ** ***** *** contesting **** *** ** will ****** ******* ******* *********** this ******** *** ***** guidance ** **** ***********. However, ************* ****** ********* consider *** ************ ** Recital ** **** ***** biometrics *** ****** *******. 

Access ******* ******* ******** **** **********?

**** ****** ******* ****** providers ******* **** ***** systems ** *** **** under **** ******* ******* **** only ***** **** **** cannot ** **** ** original ****** – ****** storing * **** ***** of * **** ** fingerprint, *** *******. **** can ** ****** ** a **** ** *************. *** **** ***** ********* applications, *** **** ********* and ****** ** *** reader ** ******** ** the ****** ******* ****** entirely, *** *** **** data ******** ** *** access ****** ** * Wiegand ** **** **** string *********** * **********. ******, **** ********* ******* (like ***** **** ** ‘verification’ *****) *** *** store ********* **** ** the ****** ****** ** all, *** ****** ********* and **** *** ****** on ********** ***** ** inside ******-***** *********.

**** ** * ***** and ******** ******** ** the **** ****** **** not **** *** ********** to **** ** ********* to ** ********* ****, as **** ** ** is “********* **** *** the ******* ** ******** identifying * ******* ******” (******* *) - ******* **’* anonymized ** ***.

****** ******* ********* ****** err ** *** **** of ******* **** ******* with *** ********** ***** its “******* ******** ** personal ****” ****** ** the ****. ** *** take * **** *********/******* to ***** ******* ******* things **** **** **** strings *** ********** ********** under *** **** ** not.

Storage ****** ******* ***********

*** **** *** ** precise ********** ** *******, but******* * ***** ** ***** **** personal **** ****** *** be ****** *** "****** than ** ********* *** the ******** *** ***** the ******** **** *** processed".

** ****** *******, **** would **** ****** ***** policies ***** ******* *** making **** **'* *** kept ****** **** ** indefinitely ****** *** *** prove **'* *** “****** interest, **********, ** ********** research ********”. **** ***** employees *** ***** * firm ****** **** ***** data ******* ********.

**** ******* ** *** personally ************ ***********, **** as ****** **** ********* when * ******** ****** goes ******* * **********. However, ** **** ****** data ** *** **** to * ******** ******, it ***** ****** *** fall ***** *** **** and **** ** ******** storage **********. (*** **** on ****, *** “***** ** **** ******** to ****** *******.” *****)

Right ** ** *********/***** ** *********** ********

*** **** ***** ***** rights *** ****** ** access *** ****** ***** personal **** ********** *******, ** ****** ******* firms **** ** **** established ********** ** ******* these ******** *** *** users **** ** ***** of *** ** *** them.

***** *** **** ******** to ****** ******** **** require **** ************** **** simply ********* *** ****, and **** ******* ** least *** ***********, **** whether *** **** ** “no ****** ********* ** relation ** *** ******** for ***** **** **** collected” (******* **.)

*** ****** ******* **** told **** **** **** struggling **** *** ** implement *** ****’* ****** and ******** ************. ** would ********* **** ****** end ***** *** ***** within ***** ****** ******* software ** ***** **** subjects ** *******, ****, and ****** ***** *** data. *** *******, ******** from **** ******* ****’* identity ********** **** ****** individual ********* ******** ***** “****** **” requests.

*** ****** ******* *******, most ********* ** ****** allow *** ******** ** all **** *********** *** activity, ******** *** ***** needed ** ** **** are ***** ****** ****** ‘user *******’ ********* ****** operators *** ***** ** management *******.

*** ****** ** ‘*********** destroy’ *** ******* ** a ****** *** ******* a ***** ****, *************, or ******* ********** ****** simple ******** ** ****** records, *** ** ***** records *** ****** **** other ***********, **** ** ‘Time & **********’ ** ‘Visitor **********’****, **** ******** record ******** *** ******* interaction **** ******** *******.

***** ********* **** *** right ** ** ********* and *** ***** ** their ******** ****. *** that ******* ** **** the **** ******** *** data, *** *** **** subject’s ********** ******. *******, this ***** *** ** possible ** *** ********’* personal **** *** **** deleted ********* *** ** her ********* **** * firm – ** ****** be **** ** ********** with *** ****’* ******* recommendations (*** “*******.”)

*******, **** ** **** that ***** ***** ** need ** ******* ** information ********, **** **** 1 ***** ** ** so, ***** *** ** extended ** ********** * months. **** **** ** not **** ** ******* them ** **** *** “manifestly ********* ** *********.” (******* **.)

Encryption *** *************

******* ****** ******* ********* handle significant ******* ** ********* and ******* ******** ****, strong ********** ** ***. The **** ********** ********** strong ********** ********* **** ****** *******’ ******** data ** *********, ** it’s ****** ********* *** access ******* ********* *** users ** **** **** they *** ******** ***** passwords *** ******** ****-**** practices **** ******* ****** Sign **. ******* **** ********** ***** two-factor **************, ********* ***** Security, ** ******* *********, etc.

*******, **** ****** ******* systems ******* ************ **** Microsoft ****** ********* ** LDAP ** ******** ***** processes, *** ***** ******* utilities *** *** ** Article ** **********. ** proxy, ****** ******* *******, especially ***** **** ** large ********** *** *****-******** deployments **** *****, ******** House, *******, **, *** Avigilon *** *** ** at ****.

*************/**************** ** **** ********** by *** ****. ***** these **********, ***** ****** leaked **** ***’* ** immediately **** ** ****** people, ** ****** ** it ******* ********* ************ in **** ** * breach. *** *******,******* *********** **** ********** **** subjects *** *** **** to ** ********* ** appropriate ************* ********** *** used.

****** ******* ********* ***** anonymize/blur *********** **** ** lessen *** ****** ** a ******, *** ********. Names *** **** ** anonymized ** ********* **** person * ****** *** instead ** ********* ** them ******** ** ***** full ****.

Data ******** – ********** ***** *** ******* ******

****** **** ** ****** control, *** ***** *** most ****** ** ** considered **** ***********, ***** larger ****** ******* ***** like ******* *** **** likely ** ** ********** data **********.  

***** *** ****, *********** have ** ***** ** inform *********** ** *** case ** * ******. Controllers **** *********** **** inform ********** **** ******** as **** ** **** the ****** ***** “* **** **** ** the ****** *** ******** of ******* *******”(******** **&**.)

**** *********** **** ****** in * *** ************ communication **** ****** ********** or ****** **** *** exist ** *******. ************* of **** ******** *** *** existent, ********, ** ****** controlled **** ******* *************, and **** **** ********* stringent *** ******* ****** notification ************.

****** ******* ********* ***** biometrics ****** **** *** special ********* ** ****** reporting ************, ** *** EU’s ******* ** ******* Party, ** ******** ** advisory ****,*** ********* ****** ********* ********** ** particularly **** ****, **** requiring ************ ** ********** data ******** ***** **** authorities:** ******* ********** ** personal **** [**********] *** disclosed ******, *** ********** should *** ******* ***** delay ** ******* *** breach *** ** *********** it ** *** *********** concerned.”

**** ********** **** **** responsibility ** *** ***** that **** *** **** obliged ** ******* **** controllers, ****** **** *********** and **** ********, ****** 72 ***** ** ******* to * ****** ***** discloses ******** **** **** controllers.

Data ********** ********

***** ** ** *** mandatory *** *** ****** control ***** ** ******* a *** (******* ****** with ********** **** **********), an ****** ******* **** using ********** *** **** to ** **.

*** **** **** *** 3 ********* ********* ****** **** **** ** be *********, ********* **** *** **** ********** ** the ********** ** *** processor ******* ** ********** on * ***** ***** of ******* ********** ** data [**** ******** **********]”.

***** **** ****** ******* providers’ ********** *** ** biometric ***********, ********** * DPO ***** ** ****. This **** *** ** especially **********, ** *** GDPR ****** **** * DPO *** ** ********** or ** ** ******** employee ****** **** *** more ****.

Data ********** ****** ***********

******* ** ****** **** ***** *** required ** ***** “****** ** ****** ** a **** **** ** the ****** *** ******** of ******* *******”, ********** **** "********** on * ***** ***** of ******* ********** ** data [*.*. **********]" ***** place.

*******, ***** **** *** GDPR *****’* ****** “***** scale” *** **** ********** based ** ******* ** “legitimate ********” – **** access ******* – ** not ****** ** ****** in * **** ** people’s ********, ** ***** unlikely ***** ***** ** required ** ***** ******** of ****** *******.

******* ** ***** **** yet ** *** *** EU ********* **** ***** these **** ************ ** practice, **** ***** ******. So *** **** *** seen ** ******** ** access ******* ***** ********* for ********* *****.

Data ******** ** ****** *******, *.*. ******** ******** ***

*** **** ********* ******** data, ** "*********** ******** to ** ********** ** identifiable ******* ******". (******* *). *******, ***** *** types ** **** ** access ******* ***** **** under * **** ****, specifically *** **** ** physical ******** **** ****** every **** ******* **** a ********* ** ***** a ********, *** *******.

****** ******* ***** ********* by **** **** **** did *** ******** **** sort ** **** ** be ******** ** ********* data, ***** ** *** exist ************* ** * specific ****** *** ***** not ** **** ** identify *******. **** ***, if *** ******* ** employee ****** * *******, the **** ********** ***** delete *** ******** *********** but **** *** *********** anonymous ******** *** (** is ******* *** ******** for **** *****).

***** *** ********** ** personal **** ***** ** the ****, **** ******** makes *****. *******, ** remains *** **** ********* realize **** *** **** they ******* ***** *** be **** ** ******** a ******** ****** ***** under *** ****** ******* of *** ****.

GDPR ********** ** ****** ******* *****

**** ****** ******* ******** providers **** ********* **** statements, ****** ********* **** are ***** ** *** specifics ** ****'* ****** on ****** ******* *******. Below *** ***** ** ****** **** statements ** ****** ******* firms, **** ******** **** commentary:

******** **** *********:******** ********** (**** ** Avigilon ******* ****** (***) video ********** ********) ****** itself ** **** *********, all ********** ********* **** consider *** ***** ******** and ********* *** ****** enterprises ** ********* *** operating * **** ********* system. ******** *** ***** care ** ****** **** its ***** ******** ********* include ******** *** ************* that **** ******* **** compliance.”

**** *******: ******** ********* states **** *** **** is ** ******* *** means ** **** ********** rather **** *** ********** itself.

***** **** *********:“*********** **** **** ****** in ***** ***** ** individuals ***** ***** ************ are ********** **** ********. Brivo ***-***** *** ** some ***** ***** ********* are ********** **** ***********. Brivo ** * **** Processor.”

**** *******: **** *** **** *********** ** the **** ***** ******* to ****** *******. **** that ***** ** *** statement, ***** ********* ** has ********* * *** and ***** ** ***** to ******* **** **** GDPR *******.

******* ****** **** *****:“**** ******* *** ***** requirements *** ********* ***** to ********* *** ****** data ******** **** ****** PII. ****** **** *** data *** ******* ** protected ******* ************ ****** is *** ***** **** in ********* *** ****. Our ********* ******* *** the ***** *** **** to ****** **** *** PII ******** *** ****** by *** ******** ******* is ***** *******.”

“**** ****, *********** *** now ******* ****** ** a **** ** *** data ** ************ *** collected ***** ****. ********** *********™ ******* ******** ********** platform ***** **** *** are ***** ** ******* to ***** ********. ** provides * ****** ***-***** portal ***** *** *** easily *** *********** ***** private ****. ** **** you ******* *********** ****** to ***** ******** *********** in * ********** *** common ******.”

**** *******: * ******** ** Genetec’s ***** ** *** focuson ***** ************ ****** than ****** ******* *********, however ** ******** ********** the ********** ** ****** cybersecurity ********* *** ******** software ** **** **** compliance ******.

***** **** *****: “***** *** ******** *** products ** ***** ********* to *** **** ** GDPR-compliant ****. ***** ******* offers ******* ****** ** security ** ******* *** Personal **** ** ********* and ********. ********* ******** standards *** ***-********* ********** methods *** ** ********** in *** ***** ******* system **** ** ******* between **** *** ******, OSDP ******* ****** *** controller, ****.* ******* ********** and ******, *** ***** for * ****** ******** experience. ********, ***** ******* supports ************* ****** ************ to ***** ****** ** authorised ********* *** ******** the *********** ** ******* data ******, ** **** which ** ********* ******** for *** ****** ** function.” 

**** *******: *****'* ***** was *** ** *** most ******** *** ******** ***** GDPR's ****** ** ****** control. 

****** **** *********: “** **** **** **** that *** ******** **** provide *** ***** ******** to ***** ********** ** used *********, *******, ****** is *** *********** *** a ****’* ********** **** GDPR *** ** *** offer ****** ** *** to ** *********.”

**** *******: ****** **** correctly ***** **** ***** it *** **** *** means ** ****** **** GDPR, *** ******** ****** automatically ****** **.

*** **** *********: “** *** **** ** access ** ***** *** other ******** **** ** hold ***** ***, ** to ******* **** ** delete *** *********** ***** you, *** *** ******* us ** ******** ***@***.***. We **** *********** **** request ****** *******-*** (**) hours *** ****** ** promptly. *** ******** *.*.*. will ******* ** ***** requests ****** * *****, with * *********** ** extend **** ****** *** particularly ******* ******** ** accordance **** ********** ***. We **** ****** **** information *** ** **** as **** ******* ** active, ** ****** ** provide *** ********, ** to ****** **** *** legal ***********, ******* ******** and ******* *** **********.”

**** *******: **’* *** actually ********* *** *********** or ********** ** ******* to ***** ******** ****** 72 *****, ***** ** the **** ******** ** report ********. *** **** gives *********** *** ********** up ** * ****** to ******* ** ***** requests.

** **** *****: “*** ******** ********** ****** falls ** *** **** Controller, *** ****** **** decides ***** ******** **** to ******* *** *** the ******** ************** *** safeguarding **.”

“********* **** ****** ***** regarding ******** **** *** prevent ****** ******. ****** the ***** ****** ** personal **** *** **** for ******** **********. ****** that *********** *** *** shortest ****** ** **** necessary. ***, ******* **** importantly, ** *********** ***** your ******** **** *********.”

**** *******: ***** *** all ******* ********** *** underline *** ******* ********** burden *** ****** ******* end *****/***********.

*** / **** ************ Kantech *** ******** ***** offer *** **** **** guides (*.*.*****) *** ***** ****** control ***** ****** ***** ** as *** ***** ************:“** ** ********* ** note **** ******* ***/** product ********* *** *** by ********** **** *********. Any ******* **** ** subject ** *** **** will **** ** ****** what ******** *** ********** are ******** ** ****** with ***** **************** ***** the **********, *** ** procure, ********* *** *** products ***/** ******* ********* in * ****** **** is *********.”

“******* ********’ ***** ******* portfolio ******** * ****** of ******** *** ********* that *** **** **** aspects ** **** ********** ************ *** ************ for ******** *** ********** of **** *********. **** features *** ******* **********, role-based ****** ******* ** limit ***** ***** *** access ****, *** **** to ***** ******* ***** trails *** **** ****** and *********. *******, ********** with *** **** *** only ** ******** ******* deployment ******* *** ******** policies ******* ************ ** meet *** *********** ***** of **** ********** ********. Therefore, **** ********** ****** be ****** ** * product’s ******* ***. ***** the *******’* ******* *** can **** **** ********** easier ** *******, ***** will ********** ** ********** specific *** ******** ******** actions ******** ** ****** compliance **** *** ****. GDPR ******* **** **** contain ************ ***** ***** data ** ******, **** information ** ****** *** user ******* ************ **** product ******** ****** *******.”

**** *******: **** ******* and ******** *****, **** owned ** ******* ********, offer *** ******* ******* of ****** ******* ***** distancing ********** **** *** users **** ** ***** to **** **********, ****** that ******* ******** ***** cannot ****** **********.

Future *******

**** **** ******* ******* updates ** *** **** related ****** ******* *********** arises *** ** ***** impacting **** *** ****** control *** *******.

Comments (0)

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Installation Course - Last Chance - Register Now on Sep 12, 2019
Last Chance - Register Now - September 2019 Video Surveillance Install Course. Thursday, September 12th is your last chance to register for the...
US State Department: "Chinese Tech Giants" "Tools of the Chinese Communist Party" on Sep 12, 2019
The US State Department has called out "Chinese tech giants" for being "tools of the Chinese Communist Party" in a blunt new speech that makes...
Fingerprints for Access Control Guide on Sep 09, 2019
Users can lose badges, but they never misplace a finger, right? The most common biometric used in access are fingerprints, and it has become one...
Genetec Stratocast VSaaS Tested on Sep 05, 2019
The VSaaS market is rapidly expanding in 2019, with Verkada, Meraki, Eagle Eye, Avigilon and numerous startups growing their market share. When we...
Mobotix First CNPP CCTV Cybersecurity Certification Examined on Sep 05, 2019
Mobotix recently became the first video surveillance manufacturer to receive the CNPP cybsersecurity certification for its cameras, in which they...
Assa Acquires LifeSafety Power on Sep 04, 2019
Assa Abloy is acquiring LifeSafety Power, adding to their growing collection of access control brands like Mercury, August, Pioneer Doors, and...
Register Now - October 2019 IP Networking Course on Aug 28, 2019
Register now for the Fall 2019 IP Networking Course. This is the only networking course designed specifically for video surveillance...
Mobile Access Control Guide on Aug 28, 2019
One of the biggest trends in access for the last few years has been the marriage of mobile phones and access cards. But how does this...
UK Facewatch GDPR Compliance Questioned on Aug 27, 2019
Even as the GDPR strictly regulates biometrics, a UK company called Facewatch is selling anti-shoplifter facial recognition systems to hundreds of...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...

Most Recent Industry Reports

Schmode is Back, Aims To Turn Boulder AI Into Giant on Sep 16, 2019
One of the most influential and controversial executives in the past decade is back. Bryan Schmode ascended and drove the hypergrowth of Avigilon...
Manufacturers Unhappy With Weak ASIS GSX 2019 And 2020 Shift on Sep 16, 2019
Manufacturers were generally unhappy with ASIS GSX, both for weak 2019 booth traffic and a scheduling shift for the 2020 show, according to a new...
How Cobalt Robotics May Disrupt Security on Sep 13, 2019
While security robots have largely become a joke over the last few years, one organization, Cobalt Robotics, has raised $50+ million from top US...
Panasonic 4K Camera Tested (WV-S2570L) on Sep 13, 2019
Panasonic has released their latest generation 4K dome, the WV-S2570L, claiming "Extreme image quality allows evidence to be captured even under...
ASIS GSX 2019 Final Show Report on Sep 12, 2019
IPVM went to Chicago for ASIS GSX 2019, with many exhibitors disappointed about traffic and the exhibitor schedule changing next year. However,...
Installation Course - Last Chance - Register Now on Sep 12, 2019
Last Chance - Register Now - September 2019 Video Surveillance Install Course. Thursday, September 12th is your last chance to register for the...
Commend ID5 Intercom Tested on Sep 12, 2019
Commend touts the new ID5 intercom as 'timelessly elegant' and the slim body, glass front touchscreen indeed looks better than common, but ugly,...
US State Department: "Chinese Tech Giants" "Tools of the Chinese Communist Party" on Sep 12, 2019
The US State Department has called out "Chinese tech giants" for being "tools of the Chinese Communist Party" in a blunt new speech that makes...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Yi Home Camera 3 AI Analytics Tested on Sep 10, 2019
Yi Technology is claiming "new AI features" in its $50 Home Camera 3 "eliminates 'false positives' caused by flying insects, small pets, or light...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact