What Is a DSAR for Video Footage?

DSAR for Video Footage – Definition
How to Understand a DSAR in Video Anonymization
DSAR Process for Video Material
Technologies Used for DSARs Involving Video Footage
Key Parameters and Metrics for Video Anonymization in DSAR Handling
Risks and Limitations in DSARs for Video Footage
Legal References and Sources for DSARs Involving Video Footage

DSAR for Video Footage – Definition

A DSAR, or Data Subject Access Request, is a request by a data subject to access the personal data processed by a controller. In the context of video footage, this refers to a situation in which a person asks for confirmation as to whether their image or other identifying data has been captured in a video recording and then requests access to that data to the extent provided by law. The legal basis is Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, i.e. the GDPR.

In practice, a DSAR relating to video footage does not mean the automatic release of the entire source file. The controller must balance the requester’s right of access with the rights and freedoms of other individuals visible in the recording. This follows directly from Article 15(4) GDPR. For this reason, the material disclosed in response to the request usually requires a prepared version with redaction or anonymization of elements relating to third parties, primarily by blurring faces and often vehicle registration plates as well.

In the context of photos and video, a video DSAR therefore involves not only an analysis of the legal basis but also the technical preparation of the material. If the recording contains multiple people, effective handling of the request requires detecting identifying objects, tracking them across frames, and permanently concealing those parts of the image that should not be disclosed to the recipient.

How to Understand a DSAR in Video Anonymization

For CCTV footage, mobile cameras, body-worn cameras, or dashcams, the key point is that an image alone may constitute personal data if it allows a person to be identified directly or indirectly. This approach is reflected in data protection authority guidance and EU case law. Therefore, if a person is recognizable in the footage, the controller must assess to what extent a copy of the recording can be provided without infringing the rights of others.

In practice, responding to a DSAR for video footage comes down to three operations. First, the relevant part of the recording must be located. Next, it must be confirmed that the requester actually appears in the footage, where this is necessary and proportionate for handling the request. The final step is to prepare a copy for disclosure, usually after blurring or otherwise anonymizing third-party personal data.

Scope of identification – face, body shape, location and time context, vehicle registration plate, clothing characteristics.
Scope of protection – primarily other people’s faces and, depending on the context, registration plates and other identifiers as well.
Form of response – a copy of the recording, extracted frames, or a description of the data, depending on proportionality and risk.
Limitation – the rights and freedoms of other individuals must not be infringed by disclosing the full footage.

DSAR Process for Video Material

Handling a DSAR requires a documented process. As a general rule, the standard deadline is 1 month from receipt of the request, in accordance with Article 12(3) GDPR. In complex cases, the deadline may be extended by an additional 2 months, but the controller must inform the requester and provide reasons. For video footage, complexity often results from the length of the recording, the number of third parties involved, and the need for frame-by-frame anonymization.

In day-to-day operations, it is worth following a structured workflow because video footage is unstructured data and difficult to review manually at scale.

Receive and log the request.
Verify the requester’s identity, if necessary.
Determine the relevant time range and location of the recording.
Search for the correct files or sequences.
Assess whether the recording contains other individuals or other identifiers.
Prepare a copy with anonymization.
Perform quality control before release.
Disclose the copy and record the action in compliance documentation.

Technologies Used for DSARs Involving Video Footage

Preparing footage for disclosure usually requires support from image analysis tools. For faces and registration plates, deep learning-based object detection models are commonly used. This is necessary because manually masking every frame in longer recordings is costly and carries a high risk of error. An AI model is first trained to detect a specific type of object on a training dataset and is then used to automatically identify areas that need to be blurred.

In a compliance environment, it is important to distinguish between automated detection and the scope of the anonymization itself. Gallio PRO automatically blurs faces and vehicle registration plates. The software does not anonymize full body silhouettes, does not operate in real time or on live video streams, and does not automatically detect logos, tattoos, name badges, documents, or content displayed on monitor screens. These elements can be concealed manually using the built-in editor.

Key Parameters and Metrics for Video Anonymization in DSAR Handling

The quality of prepared footage should not be assessed solely by stating that the recording has been blurred. For a Data Protection Officer or compliance team, specific technical and operational parameters matter. Some come from computer vision practice, while others relate to process management.

Parameter	Meaning in a DSAR	Practical interpretation
Detection precision	The proportion of correct detections among all detections	A low value means too many false positives and more corrective work
Detection recall	The proportion of detected objects among all actual objects	A low value increases the risk of disclosing a third party’s face or other identifiers
IoU – Intersection over Union	How closely the detected area matches the actual area	If IoU is too low, visible parts of a face or registration plate may remain exposed
Footage preparation time	Affects the timeliness of the response under Article 12(3) GDPR	Search, anonymization, and quality control time should be measured separately
Post-review error rate	The number of undetected or incorrectly blurred objects	Should be monitored through internal procedures

In larger-scale projects, it is worth defining your own process SLA, for example the maximum time to prepare 1 hour of footage or the acceptable error level after manual review. These values do not follow directly from the GDPR, but they help demonstrate accountability under Article 5(2).

Risks and Limitations in DSARs for Video Footage

The greatest risk is releasing a copy that still makes it possible to identify third parties. Any blur or masking must be permanent and irreversible in the disclosed copy. Otherwise, the footage may still contain the personal data of individuals who are not the subject of the request. The problem becomes more significant with high resolution, changing lighting conditions, obstructed faces, and rapid camera movement.

A second group of limitations concerns the status of vehicle registration plates. In European practice, blurring them is often treated as a privacy protection standard, but the assessment depends on the context. In Poland, the legal situation is also not entirely clear-cut. On the one hand, guidance from data protection authorities and European practice support a cautious approach. On the other hand, some administrative court rulings have suggested that a registration plate does not always constitute personal data in itself. In DSAR practice, the safer approach is a contextual assessment and the frequent masking of registration plates, especially where the footage includes additional information that could identify the vehicle owner or user.

Legal References and Sources for DSARs Involving Video Footage

The concept of a DSAR and the way it should be handled must be assessed in light of several legal acts and guidance documents. The most important are the GDPR provisions and supervisory authority interpretations regarding video surveillance and the right of access. In the case of recordings, the right to image protection and privacy must also be taken into account.

GDPR – Regulation (EU) 2016/679, in particular Articles 12, 15, 15(4), and 5(2).
European Data Protection Board Guidelines 3/2019 on processing personal data through video devices, version adopted on 29 January 2020.
Polish Civil Code – provisions on personal rights, including image rights and privacy.
Polish Copyright and Related Rights Act – rules on the dissemination of a person’s image and statutory exceptions.
Guidance from the Polish Personal Data Protection Office (UODO) on the identifiability of individuals in recordings and video surveillance practices.

It is worth keeping documentation of decisions concerning the scope of anonymization, as this helps demonstrate that the controller considered both the requester’s right of access and the protection of other individuals’ rights. For on-premise environments, it is also important that the anonymization tool does not generate additional logs containing personal data. Gallio PRO does not collect logs containing face or registration plate detections or any other logs containing personal data.