Every AI vision camera pointed at a workplace is processing personal data — the moment a face, a body, or a badge appears in a frame, GDPR applies. The regulation does not care whether a human watches the footage or an algorithm does; both are processing under Article 4. Since GDPR came into force, total fines have crossed €5.65 billion, employee-monitoring cases alone have produced penalties in the hundreds of millions, and the EU AI Act layered a fresh set of high-risk obligations on top from 2 February 2025. Getting the architecture right is no longer optional. You can book a demo to see how the iFactory vision layer handles this by design.
GDPR · CCPA · EU AI ACT · AI VISION PRIVACY · 2025
AI Vision Cameras Process Personal Data — Privacy Has to Be Designed Into the Architecture, Not Bolted On After
iFactory's vision layer is built around GDPR Article 25 privacy-by-design principles — on-premises processing, anonymised event data, encrypted storage, role-based access, and complete audit logging. Safety monitoring does not have to come at the cost of worker privacy or a regulator's next enforcement notice.
€5.65B
Cumulative GDPR fines issued across the EU since enforcement began in May 2018
€35M
EU AI Act maximum fine or 7% of global annual turnover, whichever is higher
$7,500
Per-affected-employee CCPA civil damages available in California
0
Raw video frames leaving the plant when detection runs on the edge appliance
THE SIX GDPR PRINCIPLES · MAPPED ONTO A VISION CAMERA
Six GDPR Principles, One Camera Feed — How Each Principle Actually Applies to an AI Vision Deployment
Article 5 of GDPR lists six data-protection principles that every processing activity must satisfy. A workplace camera feed touches every one the moment the shutter opens. Below is what each principle demands of an AI vision system, and how the iFactory layer answers in practice.
01
Lawfulness & Transparency
Processing needs a documented legal basis — usually legitimate interest for safety monitoring, supported by a written balancing test. Workers see signage, receive written notice, and can review the DPIA on request.
02
Purpose Limitation
Cameras deployed for safety must not be repurposed for performance management, disciplinary action, or productivity tracking. The system config locks the model library to the declared purpose and logs any out-of-scope query.
03
Data Minimisation
Only what is necessary — no continuous archive of the whole shift. The layer keeps short evidence clips around confirmed events and discards everything else, so the record set is proportionate to the safety purpose.
04
Accuracy
Model outputs are auditable, false positives can be flagged and corrected by workers or supervisors, and the retraining loop uses the corrections to sharpen accuracy over time — a documented feedback path that survives inspection.
05
Storage Limitation
Retention periods are configurable per event class, tied to a written schedule, and enforced automatically — clips age out on their own. Nothing sits in a folder longer than the DPIA justified.
06
Integrity & Confidentiality
Encrypted-at-rest storage, encrypted-in-transit event streams, role-based access with named users, and full audit logging of every viewer and every export — the security controls Article 32 requires in practice.
PRIVACY-BY-DESIGN · THE ARCHITECTURE STACK
Privacy Is a Stack, Not a Setting — Seven Layers That Together Answer Article 25
Article 25 of GDPR requires privacy by design and by default. That obligation cannot be met with a single feature toggle — it takes a stack of decisions from the camera hardware up to the export policy. The layers below are what the iFactory deployment ships with on day one, not as add-on modules.
Layer 7
Governance & Audit
DPIA on record, retention schedule signed off, quarterly access-log review, DPO sign-off on new use cases
Layer 6
Data Subject Rights
Access, rectification, and erasure workflows for any worker who submits a request under Articles 15-17
Layer 5
Access Control
Role-based permissions, named users only, MFA, granular per-camera and per-event-type authorisation
Layer 4
Storage & Retention
Encrypted at rest, configurable retention per event class, automatic deletion when the schedule expires
Layer 3
Anonymisation
Face and body blur applied at inference for downstream views, structured event data with no biometrics
Layer 2
Processing Location
On-premises edge appliance — raw frames never leave the plant, no cross-border transfer question ever arises
Layer 1
Camera Placement
Process areas only — never restrooms, locker rooms, break rooms, or union meeting spaces
THREE REGULATIONS · SIDE BY SIDE
GDPR, CCPA, and the EU AI Act — What Each One Actually Asks of a Workplace AI Vision Deployment
A multinational site typically has to answer to more than one regulator at the same time. The table below sets the three most consequential frameworks side by side, so a compliance director can see at a glance where the obligations overlap and where they diverge.
| Requirement | GDPR (EU/UK) | CCPA/CPRA (California) | EU AI Act |
| Applies to workers | Yes — since May 2018 | Yes — since January 2023 | Yes — high-risk employment systems |
| Legal basis required | Article 6 — usually legitimate interest | Notice at or before collection | Article 27 fundamental-rights assessment |
| Impact assessment | DPIA under Article 35 | Risk assessment under CPPA regs | FRIA for high-risk deployments |
| Worker notification | Article 13-14 information duty | CCPA notice at collection | Article 26 deployer transparency |
| Emotion recognition | Restricted (sensitive data) | Sensitive personal info category | Prohibited in workplaces |
| Maximum penalty | €20M or 4% global turnover | $7,500 per affected employee | €35M or 7% global turnover |
The strictest applicable standard sets the baseline. A site with California and EU workforce components must meet CCPA notice rules, GDPR Article 35 DPIA obligations, and the EU AI Act's Article 27 FRIA in the same deployment — the vision layer's default configuration is scoped to satisfy the union of all three.
Walk Through a Privacy-by-Design Vision Deployment With Our Team — Bring Your DPO
Bring your Data Protection Officer, your legal counsel, or your works-council representative. We will walk through the architecture, the DPIA template, and the retention schedule against your own site conditions.
WHAT THE VISION LAYER PROCESSES · AND WHAT IT NEVER DOES
The Fastest Way to Have This Conversation With Your Workforce Is to Show What the System Does Not Do
Trust is built by drawing a clear line, and privacy engineering is easier to explain by contrast than by claim. The panel below is the plain-English list of what the vision layer processes for a safety detection, and what it deliberately never touches.
The System Processes
Presence of a person in a monitored zone
PPE state — hard hat, vest, glasses, gloves
Body pose relative to machine and hazard boundaries
Location within pre-defined exclusion zones
Timestamp, duration, and severity of a safety event
Anonymised evidence clip tied to a confirmed detection
The System Never Does
Identify a specific worker by name or badge number
Store or transmit facial biometrics off the edge
Infer emotion, fatigue, or mental state
Track productivity, keystrokes, or task time
Watch restrooms, locker rooms, or break areas
Feed footage to unrelated performance or HR systems
THE DPIA LIFECYCLE · SIX STAGES FROM SCOPING TO SIGN-OFF
Article 35 Data Protection Impact Assessment — Six Stages, With the Vision Layer Producing the Evidence Automatically
A DPIA is not paperwork you file and forget — it is the living document a regulator asks for on day one of any investigation. The stages below show what the vision layer contributes at each phase, so the compliance team is not reconstructing a record after the fact.
Stage 01
Scoping & Necessity Test
Define the safety purpose, the camera locations, and the less-intrusive alternatives considered. The vision layer ships with a scoping template pre-populated for common industrial deployments.
Stage 02
Legitimate-Interest Balancing
Weigh the safety benefit against worker privacy impact. Data-minimisation and on-premises architecture make the balancing test easier to pass on the record.
Stage 03
Worker Consultation
Present to the works council, union representatives, or health and safety committee. The system's technical documentation packet is designed to answer their most common questions directly.
Stage 04
Risk Register & Mitigation
Document residual risks and the controls that mitigate them — anonymisation, retention schedule, access control matrix. The vision layer's configuration file is the primary evidence artefact here.
Stage 05
DPO Sign-Off & Publication
Data Protection Officer signs off, the DPIA summary is made available to workers, and the record is filed with the supervisory authority where required by national implementation.
Stage 06
Ongoing Review
DPIA is a living document — reviewed on model updates, new camera deployments, or regulatory change. The audit log dashboard surfaces the exact events a reviewer needs to see.
ENFORCEMENT REALITY · WHAT REGULATORS ACTUALLY FINE
What Regulators Have Actually Fined Companies for With Cameras and AI Vision — Patterns Worth Learning From
Reading enforcement cases is worth more than reading regulation text. Below are the four failure patterns that dominate camera and AI vision enforcement across EU and California regulators — the patterns the iFactory architecture is designed to avoid.
Pattern 01
Missing or Inadequate DPIA
Article 35 failures are among the most cited GDPR violations, and regulators treat a missing DPIA as evidence of systemic non-compliance rather than a paperwork miss. The vision layer's on-premises architecture and pre-scoped DPIA template close this gap on day one.
Pattern 02
Purpose Creep
Cameras installed for safety and then used for performance management drive some of the largest employee-monitoring fines on record. Locking the model library and logging every out-of-scope query prevents this drift from ever starting.
Pattern 03
Excessive Retention
Regulators repeatedly cite indefinite storage of routine footage as disproportionate. Automatic retention enforcement — clips age out per the schedule without a human deciding — is the direct answer to Article 5(1)(e).
Pattern 04
Article 32 Security Gaps
Weak access controls and unencrypted archives feature in almost every major camera-related enforcement action. Named-user RBAC, encryption at rest and in transit, and full audit logging remove the easiest lines of criticism.
FREQUENTLY ASKED QUESTIONS
What Data Protection Officers and Compliance Leaders Ask About AI Vision Privacy
Do we really need a DPIA before deploying AI vision cameras for safety?
Almost certainly yes. Article 35 requires a DPIA before any processing likely to result in a high risk to individuals' rights. Systematic AI monitoring of workers meets that threshold in most national interpretations. The good news — the iFactory vision layer ships with a DPIA scoping template pre-populated for common industrial deployments, so the compliance team is filling in specifics rather than drafting from scratch. You can
book a demo to walk through the template with our team.
Is on-premise processing really necessary — can we use the cloud instead?
Cloud deployment is legal under GDPR provided the transfer mechanism, data residency, and processor agreement are properly documented — but on-premise processing sidesteps the hardest questions before they get asked. Raw video never leaves the plant, so Article 44 cross-border transfer stops being a concern, data sovereignty is simpler, and IT retains direct physical control. It is not the only compliant path, but it is the shortest one.
Contact support to review the deployment topology.
The EU AI Act came into force in 2025 — how does that change our obligations?
Article 5 prohibited practices took effect 2 February 2025, and Chapter III high-risk system obligations apply from 2 August 2026. Emotion recognition in the workplace is prohibited outright, except for narrow medical and safety exceptions. Computer vision for safety events like near misses and exclusion-zone breaches falls outside the prohibition but is likely classified as high-risk — triggering FRIA, human oversight, and logging obligations. The iFactory layer is designed to satisfy the high-risk requirements alongside GDPR.
Book a demo to see how the Act maps to your deployment.
What happens when a worker submits a Subject Access Request?
Under Article 15, a worker can request access to any personal data an organisation holds — including footage in which they are identifiable. The vision layer supports Subject Access Requests via search by camera, timestamp, and event class, then applies automated face-blur to third parties in the clip before release. Article 16 rectification and Article 17 erasure requests use the same dashboard, with the audit log recording every action.
Talk to our support team to review the workflow for your site.
How does this work for a site with both California and EU employees?
The vision layer's default configuration satisfies the strictest applicable standard — in a mixed-jurisdiction deployment, that usually means GDPR-plus-AI-Act obligations globally, with CCPA-specific notice, access, and deletion workflows layered on top for California residents. The DPIA and the CCPA risk assessment are prepared as parallel documents from a shared architecture. Your legal team owns final review, but the technical foundation supports both regimes without a fork. You can
book a demo that maps the layer against your geography.
PRIVACY-BY-DESIGN · READY FOR YOUR DPO'S REVIEW
Bring Your Data Protection Officer. We Will Walk Through the Architecture, the DPIA, and the Retention Schedule.
The fastest way to build confidence in an AI vision deployment is to let the privacy people ask the hard questions on their own terms. Send us the toughest questions your DPO or works council has — we will answer them against the actual architecture, not marketing slides.