What construction companies need to know about GDPR and privacy laws - photo and video anonymization

Łukasz Bonczol
Every European construction company has to stay compliant with the data protection requirements outlined in GDPR. This question is especially important today when construction sites are filled with video monitoring and surveillance increasing workers' and site safety. Plus, there is always extensive photo documentation for the project purposes (e.g., obtaining necessary permits). How can companies operating in this sector fulfill all the data protection requirements imposed by GDPR?

Until recently, construction companies had the same obligations as any other entities under GDPR. They had to protect the personal data of their employees, vendors, and contractors. Relatively simple solutions such as encrypted data transmission, regular backups, and password-protected databases were, in many cases, sufficient. Of course, there also had to be a DPO (data protection officer) responsible for adjusting the company's procedures to legal requirements.

But that's just the beginning of data protection in construction companies, especially given the fact they now need to gather and process gigabytes of visual data, often containing images of guests, officials, workers, other employees, and even random people and car license plates.

Photo data gathered by construction companies

Today, things are more complicated as construction companies are processing huge amounts of visual data (both video and photo). These materials are used to:

  • Prepare blueprints, plans and designs
  • Increase workers' safety and ensure they follow the safety regulations
  • Monitor people entering and leaving the premises
  • Protect construction equipment (the 24/7 monitoring sign can discourage many potential thefts)
  • Document the progress of work, used materials, and applied solutions

This is especially crucial when dealing with large infrastructural projects, such as:

  • Roads and highways
  • Railroads
  • Wind farms
  • Pipelines
  • Artificial water reservoirs
  • Agricultural and land transformation projects

Some of these pictures are very specialized photographs (e.g., panoramic photos and 360-degree pictures). They are frequently taken using specialized equipment mounted on vehicles, similar to those used in mobile mapping. In other situations, the process of documenting the building site is far more straightforward. Perhaps some pictures are even taken by personnel with their digital cameras or even smartphones. And, of course, in theory, one can instruct workers to avoid taking pictures containing people or vehicles with visible license plates, but that's not always possible.

It is very likely that at least some of the pictures which a construction company processes contain people or vehicles. Construction companies need to be aware that all these pictures are subject to data protection regulations outlined in GDPR. Even if the company operates outside the European Union, most likely, there is a similar regulation in a given country with similar provisions.

How can construction companies comply with these regulations?

Personal data protection: Challenges and obligations

Every European construction company is obliged to operate in full compliance with GDPR. What does it mean in practice?


Here, one of the questions construction companies need to remember about is the right of access by the data subject (art. 15). Needless to say, literally anyone can be the data subject as CCTV cameras can “catch” even bystanders looking at the new building in progress. We devoted one of our latest blog posts to the question of data access rights on Gallio.PRO blog: Article 15 GDPR and Video Monitoring - obligation to share the recordings .


Video and photo materials containing personal data cannot be stored in just any way and in any place. These assets need to be secured so that they don't get into the wrong hands. Surely no one wants to have problems because footage has been leaked with the visible faces of workers, bystanders, and local or government officials. Therefore, construction companies need to ensure that:

  1. All the visual data is stored in a secured location protected by access control.
  2. There is a data access and protection policy that's specific and tailored to a given company's needs.
  3. All the visual (and non-visual) data containing people and vehicles is protected with passwords and other relevant cybersecurity measures (e.g., firewall).
  4. Personal data is not stored longer than necessary, and there is someone responsible for data retention schedules and procedures (in general, once materials containing personal data achieve certain business goals, or after “reasonable time”, they should be deleted).


Importantly, large companies that collect visual data regularly and on a large scale need to ensure even more rigid procedures and safety solutions. That's because of the so-called proportionality rule.

The more personal data a given company stores, the more safety measures must be implemented.

Consider this example: There are two e-commerce companies. One is a small shop with a database of a few thousand customers, and the other is a market leader with hundreds of thousands of customers and newsletter subscribers. The GDPR regulation (primarily its proportionality principle) implies that every large entity has to protect itself better, establish more procedures, employ data protection specialists, and pay for more advanced security measures. Furthermore, such companies need stricter rules for reporting incidents, and in the event of an incident, they are subject to much higher penalties, even for minor negligence.

Additionally, the proportionality rule instructs that only personal data which is adequate and relevant for the purposes of the processing is collected and processed.


Construction companies usually want or even need to share collected visual data with other entities, including:

  • Clients
  • Contractors
  • Authorities
  • And even media

In theory, each such situation requires signing separate data entrustment agreements, clearly stating what kind of personal data is being transferred to a third party, why, and under what conditions. Under such an agreement, the receiving party has the same obligations as the providing party, especially concerning ensuring the full safety of received data.

How to avoid these problems

All these challenges and obligations listed above disappear almost completely when there is the option to remove people and license plates from pictures and recordings. Does it mean, though, that it's necessary to get rid of such materials altogether? Thankfully, no. There is a safer and more effective solution - data anonymization.

Once the visual data is anonymized, the company doesn't need to worry about privacy matters related to these materials. That's because all the personal data embedded in the photo or video material has been “neutralized” and, therefore, is no longer subject to GDPR.


In the most straightforward form, construction firms can anonymize their pictures manually. Even simple graphic software can be sufficient. However, this solution becomes ineffective, expensive, and time-consuming when there is a need to anonymize hundreds or even thousands of files.

Thankfully, there is a second, more effective option - automated data anonymization software. AI algorithms usually power such software, so these tools are very effective at detecting pieces of personal data (faces, license plates) and anonymizing them by applying a permanent blurring filter on the picture/recording.

Of course, no anonymizing software is 100% accurate (although the accuracy level is usually close to 100%), but even if the tool fails to anonymize one face out of - to give an example - 10,000 anonymized ones, the data processor can at least claim that they have taken all the appropriate measures to secure personal data in their visual materials. And this could be an effective line of defense mitigating severity of possible fines and penalties.


There are two main options for construction companies looking to anonymize their visual materials effectively:

  • Cloud-based solutions: The main disadvantage of these tools is that the company still needs to sign the data transfer agreement (the user is required to send pictures and videos to third-party servers) with the provider to use these tools lawfully. Using cloud-based platforms without appropriate data provision agreements still violates GDPR.
  • On-premises solutions: They are slower than cloud tools, but since they operate offline, there is no risk of leaking personal data, and therefore, no need to sign any additional agreements. The data stays within the company during the whole process. In this scenario, the company is 100% compliant with GDPR when it comes to data anonymization.


Additionally, some industry-grade on-premises solutions require dedicated implementations on the construction company's servers, while others are delivered as a “container” which can be run within the client's server. This setup usually requires skilled IT staff and entails additional implementation/service costs. These kinds of anonymization solutions are reasonable almost exclusively for large-scale, continuous industrial workflows (rather not for construction companies that need to anonymize materials in batches associated with specific projects), especially when it happens only from time to time when handing over material to third parties (contractors or clients).

Ease of use is another vital factor here. For some applications, using a dedicated server solution entails complex implementation and configuration processes. This is where a simple desktop solution has a clear advantage. Any user, even less tech-savvy one, can install such desktop software on any Windows/Mac computer.

Yet, the AI algorithms powering these desktop applications are often equally powerful as in tailored, custom-made solutions.


Pricing is also something one should take into consideration. When it comes to anonymization software, there are several pricing models. The most popular ones are the following:

  • Pay per use
  • Flat rate combined with a time-limited license

Company owners need to make sure they pick the pricing model appropriate to their company's needs so that they can anonymize all the relevant files and not overpay for access to a selected tool.

Summary: Construction companies must take care of data anonymization

In today's legal environment, all European construction companies must take necessary measures for data minimization and, where applicable, data anonymization. This entails removing/blurring faces and license plates in all the photos and videos. Anonymizing visual data helps to avoid additional organizational costs, possible risks, and legal problems caused by data protection malpractice.

If, after reading this post, there are still some questions, it's usually best to get in touch with the local privacy compliance advisor or local data protection institution.