Compliance: GDPR & AI Act — privacy by design
Thesis: faces and plates blurred, frames not stored, no identification and no register; only counters and blurred event snapshots are saved for verification. Enforcement stays with the authority.
- Face/plate blur at the analysis stage; the frame exists only transiently in RAM.
- Zero biometrics: a face is only a region to blur — no embeddings (AI Act Art. 5).
- Minimisation (GDPR Art. 5): disk holds counters + blurred event snapshots, no personal data in the output.
- Basis for the processing moment: legitimate interest (Art. 6(1)(f), road safety) — LIA + DPIA before any production deployment on an own/permissioned camera.
- No automated decisions about individuals (Art. 22) and no register of offences (Art. 10).
- Role: Andrii Shramko (sole trader, VAT PL7543116302) as controller (demo); an authority deployment = processor (Art. 28) on their legal basis.
This demonstrator runs on a public camera to show the technology; a client deployment requires the camera owner's permission and a lawyer's sign-off (LIA/DPIA).