Skip to content

Blog · Data protection

GDPR and factory imagery: when visual inspection captures people.

Updated July 2026 · 7 min read · Adente Vision Engineering Team

When a line inspection camera can incidentally capture an operator, on-premises edge processing is the simplest data-protection posture, because inspection frames are analysed on the unit and never leave the site. Processing images on-premises narrows the compliance surface an EU factory manages. Treat this as an architecture choice, not legal advice.
Not legal advice. This post describes an architecture decision and cites the EU GDPR text as an external authority. It makes no legal guarantee, and no product removes an organisation's own obligation to assess its processing with its data protection officer or counsel.

Where do factory inspection cameras and personal data overlap?

A vision system pointed at a part is usually inspecting the part, not a person, but the frame does not know the difference. When the camera field of view can include an operator's hand, face, badge or movement, even incidentally, that frame can contain personal data as the EU General Data Protection Regulation defines it. The overlap is not exotic; it happens any time an inspection station sits where people load, unload or pass by.

That overlap is what turns an inspection choice into a data-protection question. The moment a frame can carry personal data, where that frame is processed and stored starts to matter for the same reasons any other personal data does. The architecture you pick for inspection, on-premises or cloud, sets how large that question becomes, before anyone writes a single policy.

Why does sending frames to a cloud region raise a transfer question?

Sending inspection frames to a cloud region raises a transfer question because the frame, and any personal data in it, physically moves to wherever that region's data centre sits. If that location is outside the European Economic Area, the movement can fall under the GDPR rules on international transfers, which set conditions on sending personal data to a third country. A part image processed in a distant region is no longer only an engineering decision; it is a transfer to assess.

The point is not that cloud processing is disallowed; it is that cloud processing creates a compliance surface an on-premises decision does not. Someone has to identify the region, the vendor as a processor, the legal basis for the transfer, and the retention of the frames. Each of those is a real obligation to document and defend. Adente Vision is an edge-AI visual inspection unit built by ADENTE Advanced Engineering Technologies, part of the Aden Group, sold through automation system integrators, and it is built to keep that frame on the line rather than create the transfer in the first place.

How does on-premises processing narrow the GDPR compliance surface?

On-premises processing narrows the compliance surface by removing the transfer and the third-party storage from the picture. When inference runs on the unit, on a fanless Jetson-class board, the frame is analysed where it is captured and the output that leaves is a pass or fail, not the image. No frame crosses the site boundary, so there is no international transfer to justify and no cloud vendor holding pictures of your line.

Narrowing is the honest word, not eliminating. On-premises processing does not make a line compliant by itself; it shrinks the set of questions a controller has to answer to the ones inside the plant: what the camera sees, how long any image is retained locally, who can access it, and whether the processing is necessary and proportionate. Those are questions an organisation answers with its data protection officer. The architecture just keeps the list short by keeping the data resident, and the sibling post on edge versus cloud visual inspection covers the same keep-it-on-the-line principle for non-personal production IP.

Cloud region vs on-premises: how does the data-protection risk compare?

Compared side by side, the two architectures differ mainly in how much leaves the premises and therefore how much has to be assessed. The table below contrasts them as an architecture decision, not as legal outcomes.

ConsiderationFrames to a cloud regionOn-premises edge unit
Where frames are processedA data centre, possibly outside the EEAOn the unit, inside the plant
International transfer questionGDPR transfer rules can applyNo cross-border transfer of the frame
Personal data in the frame (operator)Leaves the premises to a third partyAnalysed locally, not shipped
Retention of raw imagesHeld by a cloud processorProcessed on the line, minimal local retention
Compliance surface to documentVendor, region, transfer basis, retentionThe line and the unit only

The pattern is consistent: every row that a cloud region turns into an off-site obligation, an on-premises unit keeps as an on-site question. That is why edge processing is often the simplest data-protection posture for a line where a camera can capture a person, even though it is a decision about architecture rather than a legal conclusion.

What should you document for your data protection officer?

What you document is a matter for your own DPO, but the architecture decides how short the record can be. For an on-premises inspection unit, the notes are local and finite: where the camera is aimed and whether people can appear in frame, what image is retained on the unit and for how long, who can access the unit and its dashboard, and the reasoning that the processing is limited to inspection. Because nothing leaves the site, there is no processor agreement or transfer basis to add.

A cloud pipeline extends that same record with the off-site items, the processor, the region, the transfer mechanism and the vendor's retention, and, where required, feeds a data protection impact assessment under the GDPR. None of this is legal advice, and none of it is a claim that the product is compliant; it is a description of which questions each architecture leaves on the table. Your DPO or counsel decides what your specific line requires. For how on-device inference keeps the frame on the unit, see the system overview, and for the full method, see the pillar guide on AI visual inspection.

Frequently asked questions

Have a line where the camera can catch an operator?

Send us a sample part or a short video, and we show the on-device inspection result, then walk your IT and compliance teams through what stays on the line. See how Adente Vision keeps the frame on the edge, as an architecture choice you can take to your DPO.