Recording Export Under GDPR - Definition
Recording export under GDPR refers to the set of legal and organizational requirements that apply when video recordings or photos containing personal data are transferred outside the European Economic Area (EEA). In practice, this covers the transfer of files, working copies, backups, materials for analysis, training data for AI models, or remote access to a system where the recipient or processing infrastructure is located outside the EEA.
In the context of images and video, personal data primarily includes a person’s facial image and, depending on the identification context, vehicle registration plates. The legal basis is Article 4(1) and Articles 44-49 of Regulation (EU) 2016/679, i.e. the GDPR, as well as the case law of the Court of Justice of the European Union, including the judgment of 16 July 2020 in Case C-311/18, commonly known as Schrems II. A transfer is permitted only where the controller ensures an adequate level of data protection in the third country or uses a transfer mechanism provided for in Chapter V of the GDPR.
For video materials, the distinction between anonymization and pseudonymization is crucial. If a face or registration plate has been reversibly blurred and the controller retains the source version or the reversal key, the material still constitutes personal data. If identifying a person becomes irreversibly impossible using means reasonably likely to be used, the material may cease to fall under the GDPR. This position follows from Recital 26 GDPR and Opinion 05/2014 of the Article 29 Working Party on anonymization techniques.
When Exporting Recordings Outside the EEA Is a Personal Data Transfer
Not every file export in the technical sense is legally neutral. For GDPR purposes, what matters is not the name of the operation, but whether a recipient outside the EEA gains access to personal data or the ability to process it. This also applies to cloud environments, support services, data labeling tools, and subcontractors training detection models.
The following situations are typically treated as a transfer outside the EEA:
- sending a recording to an entity established outside the EEA,
- storing a recording on infrastructure located outside the EEA,
- remote access by a controller, processor, or other recipient outside the EEA to material stored within the EEA,
- sharing a dataset of photos or video frames for AI model training or testing outside the EEA,
- replicating backup copies to a data center outside the EEA.
In Guidelines 05/2021, the European Data Protection Board adopts a broad interpretation of what constitutes a transfer. In practice, this means that even granting access to recordings from a third country may trigger the obligations set out in Articles 44-49 GDPR.
Legal Mechanisms for Transferring Recordings Outside the EEA
If video or photographic material contains identifiable individuals, the controller should first determine whether the transfer is necessary at all. Only then should the appropriate legal mechanism be selected. The GDPR provides a hierarchy of solutions.
Mechanism | Legal basis | When to use it | Practical notes
|
|---|---|---|---|
Adequacy decision | Article 45 GDPR | Where the European Commission has adopted a decision for a country or, in specific cases, a territory or sector | The simplest option, but the scope and current validity of the decision must be verified |
Standard Contractual Clauses | Article 46(2)(c) GDPR | Where no adequacy decision exists | Requires an assessment of the third country’s laws and, where necessary, supplementary measures following Schrems II |
Binding Corporate Rules | Article 47 GDPR | For intra-group transfers within a group of undertakings or enterprises engaged in a joint economic activity | A solution for large organizations; implementation is resource-intensive |
Derogations for specific situations | Article 49 GDPR | For occasional and limited cases | Should not be used as the basis for ongoing, large-scale transfers of recordings |
After the Schrems II ruling, simply signing Standard Contractual Clauses may be insufficient. A transfer impact assessment may be required to determine whether the law of the importing country undermines the protection provided by the clauses. This approach is confirmed by EDPB Recommendations 01/2020, updated on 18 June 2021.
When Recording Anonymization Is Necessary or Practically Essential
For photos and video, recording anonymization is the safest solution where the controller wants to reduce transfer-related risk or fully remove the material from the scope of Chapter V GDPR. However, this requires the process to be technically effective and irreversible.
Anonymization becomes particularly important when:
- recordings are to be sent to a provider outside the EEA for analysis, editing, or archiving,
- the material is to be used for training AI models that detect faces or license plates,
- the controller cannot demonstrate effective supplementary measures for the transfer,
- the purpose of processing does not require retaining an identifiable image.
In practice, this means blurring faces and, depending on the context and the purpose of publication or disclosure, vehicle registration plates. In many European countries, registration plates are treated at least as information capable of leading to indirect identification, although the assessment depends on the circumstances. In Poland, the situation is also not entirely clear-cut: in the practice of supervisory authorities and some case law, the possibility of indirect identification is emphasized, while certain court decisions have also taken the view that a registration plate alone does not always constitute personal data.
The Technical Side of Photo and Video Anonymization Before Export
In visual materials, effective anonymization requires object detection in every frame and continuity of tracking. In practice, deep learning models are used to detect faces and license plates, followed by tracking algorithms so that the blur area does not disappear when the angle changes, lighting shifts, or the object becomes partially obscured.
A typical technical workflow includes:
- object detection - face detection, license plate detection,
- inter-frame tracking - maintaining the object identifier over time,
- image redaction - blur, pixelation, or an irreversible mask,
- quality control - reviewing false negatives, i.e. undetected faces or plates,
- exporting the output file without retaining any layer that would allow the redaction to be reversed.
For compliance purposes, model quality metrics are critical. In compliance use cases, recall and the false negative rate are often more important than average speed. Recall can be expressed as: recall = TP / (TP + FN), where TP means correctly detected objects and FN means missed objects. In anonymization, regulatory risk increases as FN increases, because every undetected face may result in the disclosure of personal data. High precision alone is not enough if the system misses some objects.
Gallio PRO automatically blurs only faces and license plates. It does not automatically detect logos, tattoos, name badges, documents, or content displayed on monitor screens. Such elements can be redacted manually in the editor. The software does not perform real-time anonymization or live video stream anonymization.
Key Controller Obligations When Exporting Recordings
Selecting a provider or transfer channel alone does not complete the compliance analysis. The controller must be able to demonstrate accountability and document its decisions. This is particularly important where the material involves CCTV footage, road incidents, workplace recordings, or images of bystanders.
The minimum set of actions will usually include:
- defining the purpose of the export and the legal basis for processing under Article 6 GDPR,
- verifying whether the material contains personal data and whether anonymization before transfer is possible,
- selecting a transfer mechanism under Articles 45-49 GDPR,
- carrying out a risk assessment and, where necessary, a DPIA under Article 35 GDPR,
- entering into a data processing agreement with the processor under Article 28 GDPR,
- implementing security measures under Article 32 GDPR, including encryption and access controls,
- defining retention periods and deletion rules for working copies and backups.
Normative References and Interpretive Practice
When assessing the export of recordings, it is advisable to rely on primary legal and regulatory sources. These provide a more stable basis than secondary materials or market practice.
- Regulation (EU) 2016/679, in particular Articles 4, 28, 32, 35, 44-49 and Recital 26 - European Parliament and Council, 27 April 2016.
- CJEU judgment C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems - 16 July 2020.
- EDPB, Guidelines 05/2021 on the interplay between Article 3 and the provisions on international transfers - version adopted on 14 February 2023.
- EDPB, Recommendations 01/2020 on measures that supplement transfer tools - Version 2.0 of 18 June 2021.
- Article 29 Working Party, Opinion 05/2014 on Anonymisation Techniques - 10 April 2014.