
General Data Protection Regulation (GDPR) Compliance


The General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC,
protecting extended privacy rights granted to EU individuals. The consequences of certain breaches may
include administrative fines of up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover of
the preceding financial year, whichever is higher.

It is of particular importance, for these reasons among others, that we increase awareness regarding
these regulations.

The GDPR formally entered into effect on May 25th, 2018. It applies to almost all processing of personal
data performed by organizations within the EU or outside the EU that target or monitor the behavior of EU
individuals. Compliance by this time is mandatory.

Data Controller and Data Processor

The GDPR specifies the two main types of entities involved in the processing of personal data as the data
“Controller” and the data “Processor”. The GDPR distinguishes between these entities as follows: while
the data “Controller” determines the purposes and means of the processing of personal data, the data
“Processor” processes personal data on behalf of the controller.

AnyVision’s Actions

AnyVision affirms the principles behind the GDPR and supports the regulation’s mission to raise the bar
for data protection, security, and compliance. We have analyzed the GDPR requirements and are working
diligently to implement all the required enhancements to our products, contracts, and documentation.
We have approached this process with our engineering, product, security, and legal teams, working
pursuant to the guidelines published by data protection authorities (such as CNIL - the French
Commission Nationale de L’informatique et des Libertés). We are committed to securing the necessary
procedures and practices to comply with the GDPR.

How AnyVision is Adhering to the GDPR

1. We have initiated a Processing Record, which includes information about our clients and
a description of the processing carried out by them, in accordance with Article 28 of the
GDPR. We have also developed policies regarding data processing risk assessments to be
applied to each project we carry out, in accordance with Article 30(2) of the GDPR.
2. In accordance with Articles 28 and 32 of the GDPR, we have implemented, and
are continually improving, an information security management policy.
3. As a data Controller, we have applied clearly defined guidelines across our
organization to ensure that our internal conduct meets the requirements
of the GDPR (further details may be provided upon request).
4. We have designated a Data Processing Officer (DPO), in accordance with Article 37 of the
GDPR, who is tasked with overseeing GDPR compliance within the organization.
5. We have revised our contracts to address data processing issues and the distribution of responsibilities
regarding the processing and the protection of personal data between our clients and us.
6. Those of our employees who process our clients’ data are subject to strict confidentiality obligations
with regard to the data processed, in accordance with Articles 28 and 29 of the GDPR.
7. We are prepared to assist and advise our clients with ensuring their compliance with their
obligations, as set forth in the GDPR, including: data protection impact assessments
(DPIA), breach notifications, security, destruction of data, and contribution to audits.

How AnyVision’s Products Help our Clients Adhere to the GDPR

To provide our clients with the necessary tools to meet GDPR requirements and to protect the
rights of their data subjects, we have implemented several features that are designed to:

1. Allow our clients to apply default privacy settings and to easily apply such settings as desired.
2. Allow our clients to collect only the data that is strictly necessary for the purposes of the
processing (data minimization).
3. Allow our clients to automatically and selectively clear data from an active database at the end
of a certain period, or to easily delete unused data.

The following features are set as a default in our system and are
easily adjustable under the control of our clients:

FEATURE I – Anonymous Processing (Inherent Feature)

Description - The software analyzes images and video streams and extracts mathematical vectors
(represented as a number between -1 and 1, with 18 digits after decimal point) of the detected faces. The
system then compares these vectors to the vectors extracted from the image enrolled to the database.
These mathematical vectors are irreversible, and thus do not represent data that can be identified or associated
with a certain individual. Moreover, such vectors represent the facial features extracted from a specific
image and are not identical to the vectors to which they are matched. The system only provides a score
that indicates the resemblance between the mathematical vectors and alerts when a certain resemblance
score surpasses the predefined threshold score. The data that is actually processed by the system is that of
the mathematical vectors and not the actual facial images. The system can operate without displaying any
facial images.

GDPR Requirements Addressed:

• Article 12(2) of the GDPR – Obligation of the Controller regarding unidentified data subjects.
• Article 32 of the GDPR – Data Security.

FEATURE II – Identification of Re-Appearing Individuals

Description - The software enables identification of individuals without requiring enrollment of any personal
information to the database. Our clients are able to enroll individuals into the database directly from the
captured video stream, without providing any identifiable personal information. The system will generate an
alert upon the re-appearance of any enrolled individual in the video.

FEATURE III – Privacy Mode

Description - The software offers our clients the option to discard all detections of non-enrolled individuals.
The system allows our clients to choose whether or not to record the faces of individuals who are not
enrolled to the watchlist. Once this feature is enabled, the images of faces of non-enrolled individuals
will not be displayed in the gallery and will not be saved on the server. Our clients can thus avoid the
exposure and the recording of personal data not necessary for the purposes of the processing.

GDPR Requirements Addressed:

• Article 32 of the GDPR – Data Security.
• Article 28 and 29 of the GDPR – Obligation of confidentiality.

FEATURE IV – Face-Blur

Description - Upon the detection of a face, the software offers our clients the capability to generate a short
video clip presenting the moment of detection. To restrict the exposure of personal data of individuals who are
not relevant to our client, we have enabled the option to blur all the faces of individuals that are not enrolled
to the watchlist. This feature can be set as default and can be switched on or off with the click of a button.

GDPR Requirements Addressed:

• Article 32 of the GDPR – Data Security.
• Article 28 and 29 of the GDPR – Obligation of confidentiality.
• Automatic erasure/anonymization of all personal data after all valid purposes are fulfilled.

FEATURE V – Easy Delete

Description - The software offers our clients the option to easily delete records. The system allows our
clients to set automatic deletion rules (e.g. automatically delete all records after 30 days, automatically
delete all records of non-enrolled individuals) and easily customized deletion options (e.g. delete all
records of individual #000987) so that our clients are never stuck with unnecessary or unwanted data.

GDPR Requirements Addressed:

• Article 21 of the GDPR - Right to object to processing.
• Do not hold data that is not in use or is not required for the purpose of the processing.
• Automatic erasure/anonymization of all personal data after all valid purposes are fulfilled.
• Article 17 of the GDPR - Right to erasure (the “right to be forgotten”)

FEATURE VI – Search Backwards

Description - The software offers our clients the option to search backwards for previous detections
of a certain individual (provided he/she was enrolled to the system or there is a face image of such
individual in hand) and display all related information of the record (time and of detection, capturing
camera). This allows our clients to comply with transparency requirements of the GDPR.

GDPR Requirements Addressed:

• Article 15 of the GDPR – data subjects may request a copy of the personal data being processed.
• Article 17 of the GDPR - Right to erasure (the “right to be forgotten”)
• Article 20 of the GDPR - Right of data portability.
• Article 21 of the GDPR - Right to object to processing.

FEATURE VII – Limiting Access by Password

Description - Access to the dashboard is limited only to authorized personnel, allowing our
clients to create an access policy, and to prevent the exposure of personal data collected by
our clients to individuals who are not essential for the purposes of the processing.

GDPR Requirements Addressed:

• Article 28 and 29 of the GDPR – Obligation of confidentiality.

FEATURE VIII – Complete Control Over the Watchlist

Description - The software offers our clients the option to manage the database of enrolled faces (the
Watchlist). This includes giving the record a name and description and easily changing such properties.

GDPR Requirements Addressed:

• Article 16 of the GDPR – Right of Rectification.

In Addition, the System Enables the Following Abilities for our Clients:

1. Storing a timestamp when the personal data is collected.
2. Providing data subjects with detailed information
concerning their processed personal data.
3. Exporting certain personal data provided by the data subject
in a machine-readable format (PDF, Excel, etc.)

Where Can I Learn More about GDPR?

Additional information is available on the official GDPR website of the
European Union and on CNIL’s Guide for Processors from Sep. 2017.

I Have More Questions. Who Should I Contact?

We are happy to address any additional questions about the GDPR, and
help connect you to more resources. You are welcome to contact us
at privacy@anyvision.co or your point of contact at AnyVision.

Disclaimer
This document is confidential and may not be disclosed to any
third party without the prior written approval of Anyvision.

This document and its contents are for general information purposes only
and do not constitute legal or any other type of professional advice.

For more information please contact us at: info@anyvision.co
