Trust center
At Sightic, trust is at the core of everything we do. We understand that as a young company, establishing a solid foundation of trust with our clients is paramount. That’s why we prioritize data privacy, regulatory compliance, and security by design in all our operations.
Anonymized data & minimal data retention
At Sightic, we prioritize your privacy by anonymizing data whenever possible and retaining only the information necessary for providing our services. Our systems are designed to ensure that personal data is never stored unless absolutely required, minimizing the risk of data breaches and ensuring compliance with data protection regulations.
GDPR compliance and data privacy
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is EU legislation that governs privacy issues. Personal data, as defined by GDPR Article 4, refers to any information related to an identified or identifiable natural person. Examples include names, email addresses, identification numbers, and location data.
We are committed to ensuring that all our processes comply with the General Data Protection Regulation (GDPR). This commitment means that we handle your data with the utmost care, ensuring privacy and security at every step. We adhere to a strong Privacy by Design mindset, focusing on compliant product development and making diligent choices about our sub-processors.
EU-based servers
Our servers are located in Sweden, within the EU, ensuring that your data is stored and processed in compliance with European data protection standards. This not only enhances the security and privacy of your data but also supports sustainable practices.
Our low carbon footprint
We take pride in maintaining a minimal carbon footprint, demonstrating our commitment to environmental responsibility. Our solution is designed to be resource-efficient, activating only when a scan is performed. A customer utilizing 1 000 scans per day (21 days/month) would add 256g CO₂eq monthly to its carbon footprint.
By choosing Sightic, you can be confident that you are partnering with a company that values trust, security, and sustainability. We are dedicated to providing solutions that not only meet but exceed your expectations in these critical areas.
Privacy and Personal Data Processing
Overview
Our solutions supporting automotive and law enforcement are designed according to the principle of privacy by design and operate in normal (production) mode without processing personal data as defined by the EU General Data Protection Regulation (GDPR).
Technology and Data Handling in Operation
• All analysis of image and sensor data is performed locally on the device, processed frame-by-frame in the device’s working memory (RAM) in real time.
• No raw data is stored or transmitted. No video streams, eye-movement data, or logs are saved or sent to external servers.
• Only a non-identifiable analysis result (e.g., “alert / not alert”) is produced and made available externally.
• Reconstruction or re-identification is technically impossible, ensuring that individuals cannot be identified.
Legal Basis: No Personal Data Processing in Operation
• GDPR applies only to personal data, meaning information that can directly or indirectly identify a living person.
• Temporary processing in working memory that leaves no residual or reconstructable data falls outside the scope of GDPR.
• In production mode, our solutions therefore do not perform activities that GDPR defines as processing (such as collection, storage, or transmission).
• The European Data Protection Board (EDPB), in its Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models, emphasises that processing can fall outside GDPR if it is highly unlikely that personal data can be identified or re-created.
• The EU AI Act sets requirements for transparency, accountability, and risk management for AI systems but does not alter the conclusion that no personal data processing occurs when the system is architected without data collection or storage.
Exceptions: Development, Testing and Research
When our solutions are used in specific contexts such as model development, testing, or research, where recordings and data storage may occur, personal data may be processed. In those cases, Sightic applies full GDPR compliance, including:
• Informed consent from all data subjects
• Purpose limitation, data minimisation, secure storage and controlled access
• Proper documentation and the ability to fulfil rights of data subjects (e.g., erasure)
Summary
• In production use, our solutions do not constitute personal data processing under GDPR.
• Their architecture, based on local real-time analysis without storage or transmission, ensures that the technology operates without privacy risks related to identification.
• During development, testing or research phases where data is recorded, full GDPR obligations apply.
References
European Data Protection Board. (2024). Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. Retrieved April 2025, from https://www.edpb.europa.eu/system/files/2024-12/edpb_opinion_202428_ai-models_en.pdf
European Parliament & Council of the European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Official Journal of the European Union, L119. https://eur-lex.europa.eu/eli/reg/2016/679/oj
European Parliament & Council of the European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council establishing harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L1689. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202401689
Privacy Regulation. (n.d.). Recital 26 of the GDPR – Anonymisation. Retrieved April 2025, from https://www.privacy-regulation.eu/en/recital-26-GDPR.htm

Trust is in our core
Our commitment to preserving your trust
We understand that trust is the cornerstone of any successful relationship. We are committed to upholding the highest standards of data privacy, security, and regulatory compliance. Our advanced technologies are designed with your privacy in mind, ensuring that your personal information is always protected and handled with the utmost care.
We prioritize transparency in all our operations, consistently working to safeguard your data against breaches and misuse. By adhering to stringent data protection laws and continuously improving our security measures, we strive to maintain the trust you place in us every day.