Updated July 2026 · 7 min read · Adente Vision Engineering Team
Where do factory inspection cameras and personal data overlap?
A vision system pointed at a part is usually inspecting the part, not a person, but the frame does not know the difference. When the camera field of view can include an operator's hand, face, badge or movement, even incidentally, that frame can contain personal data as the EU General Data Protection Regulation defines it. The overlap is not exotic; it happens any time an inspection station sits where people load, unload or pass by.
That overlap is what turns an inspection choice into a data-protection question. The moment a frame can carry personal data, where that frame is processed and stored starts to matter for the same reasons any other personal data does. The architecture you pick for inspection, on-premises or cloud, sets how large that question becomes, before anyone writes a single policy.
Why does sending frames to a cloud region raise a transfer question?
Sending inspection frames to a cloud region raises a transfer question because the frame, and any personal data in it, physically moves to wherever that region's data centre sits. If that location is outside the European Economic Area, the movement can fall under the GDPR rules on international transfers, which set conditions on sending personal data to a third country. A part image processed in a distant region is no longer only an engineering decision; it is a transfer to assess.
The point is not that cloud processing is disallowed; it is that cloud processing creates a compliance surface an on-premises decision does not. Someone has to identify the region, the vendor as a processor, the legal basis for the transfer, and the retention of the frames. Each of those is a real obligation to document and defend. Adente Vision is an edge-AI visual inspection unit built by ADENTE Advanced Engineering Technologies, part of the Aden Group, sold through automation system integrators, and it is built to keep that frame on the line rather than create the transfer in the first place.
How does on-premises processing narrow the GDPR compliance surface?
On-premises processing narrows the compliance surface by removing the transfer and the third-party storage from the picture. When inference runs on the unit, on a fanless Jetson-class board, the frame is analysed where it is captured and the output that leaves is a pass or fail, not the image. No frame crosses the site boundary, so there is no international transfer to justify and no cloud vendor holding pictures of your line.
Narrowing is the honest word, not eliminating. On-premises processing does not make a line compliant by itself; it shrinks the set of questions a controller has to answer to the ones inside the plant: what the camera sees, how long any image is retained locally, who can access it, and whether the processing is necessary and proportionate. Those are questions an organisation answers with its data protection officer. The architecture just keeps the list short by keeping the data resident, and the sibling post on edge versus cloud visual inspection covers the same keep-it-on-the-line principle for non-personal production IP.
Cloud region vs on-premises: how does the data-protection risk compare?
Compared side by side, the two architectures differ mainly in how much leaves the premises and therefore how much has to be assessed. The table below contrasts them as an architecture decision, not as legal outcomes.
| Consideration | Frames to a cloud region | On-premises edge unit |
|---|---|---|
| Where frames are processed | A data centre, possibly outside the EEA | On the unit, inside the plant |
| International transfer question | GDPR transfer rules can apply | No cross-border transfer of the frame |
| Personal data in the frame (operator) | Leaves the premises to a third party | Analysed locally, not shipped |
| Retention of raw images | Held by a cloud processor | Processed on the line, minimal local retention |
| Compliance surface to document | Vendor, region, transfer basis, retention | The line and the unit only |
The pattern is consistent: every row that a cloud region turns into an off-site obligation, an on-premises unit keeps as an on-site question. That is why edge processing is often the simplest data-protection posture for a line where a camera can capture a person, even though it is a decision about architecture rather than a legal conclusion.
What should you document for your data protection officer?
What you document is a matter for your own DPO, but the architecture decides how short the record can be. For an on-premises inspection unit, the notes are local and finite: where the camera is aimed and whether people can appear in frame, what image is retained on the unit and for how long, who can access the unit and its dashboard, and the reasoning that the processing is limited to inspection. Because nothing leaves the site, there is no processor agreement or transfer basis to add.
A cloud pipeline extends that same record with the off-site items, the processor, the region, the transfer mechanism and the vendor's retention, and, where required, feeds a data protection impact assessment under the GDPR. None of this is legal advice, and none of it is a claim that the product is compliant; it is a description of which questions each architecture leaves on the table. Your DPO or counsel decides what your specific line requires. For how on-device inference keeps the frame on the unit, see the system overview, and for the full method, see the pillar guide on AI visual inspection.