Case study • July 11th 2022 • 10 m read

How to use computer vision technology within the boundaries of privacy (GDPR) regulations

The General Data Protection Regulation (GDPR) is a set of rules designed to give EU citizens more control over their personal data. Under the terms of GDPR, not only do organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation while respecting the rights of data owners.

At Assaia we are committed to ensuring the security and protection of the personal data that we process and to providing a compliant and consistent approach to data protection. We achieve this by fully adhering to the principles of the regulations and, in particular, by removing personally identifiable information (PII) from the video footage we gather before it is saved.

When does an image contain personal data?

Video footage is subject to GDPR as images of individuals could enable identification of these individuals, either directly or indirectly. Whether a video image contains PII or not is determined by the quality of the image measured in pixel count horizontally across captured faces (px/face), in accordance with various industry norms (e.g., DIN EN-62676-4, BS EN 62676-4, IEC 62676-4:2014). An image with a count of 40 px/face or higher could enable identification and is therefore considered to contain PII. An image where the count is between 20 and 40 px/face could enable recognition of an individual but is not considered high enough to enable reliable identification. Below 20 px/face, no identification or recognition is possible.

[Figure: Image quality to support operational requirements]

[Figure: Appearance under ideal conditions]

Assaia Personal Data processing

The data collected by the ApronAI system are video images of aircraft turnaround activities on airport aprons, generally using CCTV cameras installed externally at the head end of each aircraft stand and sometimes also using a camera in the passenger boarding bridge. The PII collected (where camera quality is high enough) are images of people boarding/deboarding aircraft or working around aircraft within the field of view of these cameras and are entirely incidental to the operation of our system.

We do not use personal data for any purpose and our software does not require PII to function. Hence, we destroy any incidentally collected PII in our video processing pipeline before it is saved, by means of irrevocable obfuscation or resolution reduction to below 20 px/face.

Therefore, the only processing we carry out involving personal data is (1) the collection of video that may include images of people and (2) the detection and obfuscation of any included facial images, i.e., destruction of PII. No personal data is saved by the system.

Lawful basis

The lawful basis for this processing is Legitimate Interests: ensuring safety compliance and improving operational efficiency. Given this legitimate lawful basis, destroying all personal data before it is saved is not even a requirement for our system to be GDPR compliant. It is, however, a fail-safe way to manage risks around unauthorised disclosure.