This guide is designed to support controllers using Indivd's Drop-in Rate feature. The feature combines two independent anonymous counting streams to produce a single conversion metric: the proportion of individuals passing in front of a store window, within the camera's field of view, who enter the store. No images are stored, no faces are analysed, and no individuals are tracked. Nonetheless, given that video streams are involved and that one camera operates in a public outdoor environment, we recommend that a DPIA is completed in accordance with GDPR Article 35.
This document is not legal advice but a practical guide to support your data protection compliance. It is aligned with the GDPR and the EU AI Act and complements the DPIA for People Counting.
Note: For further documentation, see the attached DPIA at the end of this guide.
This article contains the following topics:
- 1. Why and when to conduct a DPIA
- 2. Understanding the processing activity
- 3. What the system is used for
- 4. Your role and responsibilities
- 5. Transparency and visitor information
- 6. Internal communication and union involvement
- 7. Ethical and legal residual risks and mitigations
- 8. AI Act: Assessment of prohibited use cases
1. Why and when to conduct a DPIA
A DPIA is recommended because the Drop-in Rate feature involves the use of new technology and may qualify as large-scale processing under Article 35 GDPR, despite processing being limited to 1-2 milliseconds per frame. A DPIA is particularly recommended for the passers-by camera, which operates in a public outdoor environment. This context is legally distinct from the indoor entrance camera and requires its own proportionality assessment under EDPB Guidelines 3/2019 on video devices.
2. Understanding the processing activity
Indivd's Drop-in Rate feature uses two independent camera streams, each processed separately. One camera is positioned to observe the pedestrian area in front of the store window (passers-by stream). A second camera is positioned at or above the store entrance (entrant stream). Neither stream is linked to the other at the individual level. The output is a single anonymous ratio: entrants divided by passers-by.
Processing workflow:
No personal or special category data is ever stored or retained.
- Two cameras record video footage: one facing the pavement outside the window, one facing the entrance.
- Recorded images are encrypted and transferred to the processing instance within the customer's VPN.
- The processing instance identifies whether a human-shaped object has crossed the virtual counting line in each stream.
- The detection result (crossing: yes/no) is recorded as a count increment. The image frame is immediately and irreversibly deleted.
- All image data is automatically deleted without being stored on any persistent storage device. Only the anonymous counter increment is kept.
- Anonymous counts from both streams are securely transferred to Indivd's cloud environment for statistical processing.
- Drop-in Rate is calculated as entrants divided by passers-by. Aggregated metrics are stored and made available in Indivd's analytics dashboard.
What data we collect:
All data is instantly anonymised. No personal data is stored.
- An anonymous integer count of individuals crossing the virtual line in front of the store window.
- An anonymous integer count of individuals crossing the entrance threshold in the inbound direction.
What we do not collect:
No personal data is ever stored or retained: Raw image data is deleted before it can be saved to disk, ensuring it never touches an HDD or permanent storage.
No biometric data is processed: The detection algorithm identifies the presence of a human-shaped object crossing a line. It does not analyse facial geometry, infer demographic attributes, or create any biometric representation.
No facial recognition or identification is possible: No face is located, processed, or retained at any stage. The output is binary: a crossing has occurred, or it has not.
No demographic inference: The system does not infer age, gender, clothing, or any other personal characteristic. It detects body presence only.
No linking between the two streams: A person who passes the window and then enters the store generates one count increment in each stream. These increments are not linked. Each stream maintains an independent counter with no event-level record, no timestamp, and no identifier that could connect the two increments to the same individual.
No tracking of specific individuals: The system has no mechanism to distinguish, follow, or re-identify any individual across frames, cameras, or time periods.
No quality assurance on the passers-by stream: The street-facing camera stream is automatically excluded from Indivd's quality assurance process. No manual observer ever views footage from the passers-by camera. This means there is no verification of what the passers-by camera detects: the system counts human-shaped objects crossing a virtual line, but there is no confirmation of who or what is being counted. The passers-by count is an approximation, not a verified measurement. This exclusion is enforced by the system architecture and cannot be overridden.
These limitations are not just policy decisions. They are enforced by the system design and technical architecture. It is technically impossible for the system to collect, store, or link personal data.
3. What the system is used for
The Drop-in Rate metric is used solely to understand storefront conversion efficiency at a population level. The goal is to measure what proportion of individuals passing in front of a store window, within the camera's field of view, actually enter the store, enabling evidence-based decisions on merchandising, location, and layout.
Purposes:
- Evaluate whether a window display or store location is attracting a sufficient share of available pedestrian traffic.
- Measure the effect of changes in window merchandising, signage, or promotional content on storefront conversion.
- Compare Drop-in Rate performance across a retailer's store network.
- Support lease renewal decisions and location investment analysis.
- Predict pedestrian flow patterns to optimise staffing and internal operations.
- Use anonymised benchmark data to compare Drop-in Rate performance across stores or regions.
- Understand how changes in store presentation, location, or external environment affect conversion rates.
- Adapt business models, such as adjusting opening hours, staffing levels, or window refresh frequency, based on observed pedestrian conversion patterns.
4. Your role and responsibilities
As a customer, you are the data controller. Indivd acts as the data processor. You are responsible for ensuring appropriate signage and transparency measures in accordance with GDPR Article 13. Detailed processor obligations and safeguards are set out in Indivd's Data Processing Agreement (DPA), which governs all third-party processor relationships.
Third-party processors (within the EU):
- GleSYS AB (Sweden): Infrastructure.
- DigitalOcean EU B.V. (Germany): Platform data storage.
5. Transparency and visitor information
Clear signs must be posted at all monitored locations. For the entrance camera, this can be integrated with existing camera surveillance signage. For the passers-by camera operating in a public outdoor environment, a dedicated first-layer sign must be posted at or near the monitored surface in accordance with EDPB Guidelines 3/2019.
The first-layer sign should state that pedestrian counting is in operation, that no images are stored, and provide a QR code or URL linking to the full privacy notice. The full privacy notice constitutes the second layer of transparency and must include all information required under GDPR Article 13.
Even with strong anonymisation, perceived surveillance can raise ethical concerns and affect public trust. Public communication should clearly explain what data is used for, how it is anonymised, and how individuals' rights are respected. This includes easily accessible privacy notices, understandable language for non-technical audiences, and providing contact details for data protection inquiries.
Recommendation: Use Indivd's signage examples and ensure alignment with GDPR Article 13 and EDPB video surveillance guidance. These are available in the Indivd Help Center.
6. Internal communication and union involvement
For deployments in workplace environments, ensure internal transparency and explain the system's purpose and limitations. The Drop-in Rate system cannot identify or track individuals, and no personal data is stored. Street-facing camera streams are never viewable by employees. The system is technically incapable of being used for employee monitoring.
- Union representation: If your organisation has union representation or safety delegates, involve them early in the DPIA process and before rollout. Doing so strengthens trust, helps prevent misunderstandings, and demonstrates accountability.
Identified risks and mitigation measures:
- Human (Risk: Low R1-R2): Information will be posted at each monitored location. Staff will be informed of the system's purpose and how data is handled before deployment.
- Technology/Physical work environment (Risk: Low R1-R2): The system uses immediate deletion of image data to ensure that no individual can be identified or reconstructed.
- Organisation (Risk: Low R1-R2): Store teams do not have access to the system or data. Street-facing camera streams are never viewable by employees.
- Organisation (Risk: Low R1-R2): Signage and briefings ensure internal transparency and prevent misinterpretation of the system's role and impact.
7. Ethical and legal residual risks and mitigations
Beyond technical alignment with applicable law, ethical considerations are essential to responsible data processing. Even with anonymisation, the perception and context of data use can influence trust and public acceptance. This section outlines residual ethical and legal risks and how they are addressed through Indivd's technical, organisational, and communicative measures.
Residual ethical risks:
- Re-identification: Not possible due to immediate image deletion and binary-only output with no individual attributes.
- Two-stream correlation: Not possible. The two counting streams produce independent counters with no event-level timestamp or identifier that could connect increments from the two streams to the same individual.
- Transparency misunderstanding: Managed through clear signage and layered information, including dedicated outdoor signage for the passers-by camera.
Controls in place:
- Immediate image deletion: images never touch an HDD or permanent storage.
- Binary-only output: the only persistent data is an anonymous integer counter value.
- No biometric processing: no face is located, analysed, or retained at any stage.
- Street-facing camera streams are never viewable by employees.
- Automatic exclusion from quality assurance: the passers-by camera stream is excluded from Indivd's QA process by design. No manual observer ever views footage from the street-facing camera. The passers-by count is therefore an unverified approximation, further reducing the risk of any connection to identifiable individuals.
- EU-hosted infrastructure.
- Union consultation and employee communication for workplace deployments.
- Indivd enforces a strict anonymisation policy that requires a documented risk analysis for any change, update, or enhancement to the detection or anonymisation method. Changes that might affect anonymity must be approved by both the Product Owner and the Head of AI. Any change that would reduce anonymisation capability is categorically prohibited.
Identified ethical and legal risks and mitigations:
- Beneficial use risk
  Risk: Misunderstanding the purpose of the Drop-in Rate feature.
  Mitigation: Clear limitation to anonymous, population-level conversion statistics only.
- Security risk
  Risk: Unauthorised access to temporary data.
  Mitigation: Strong encryption, 1-2 millisecond data retention, and role-based access control.
- Fairness risk
  Risk: Use perceived as profiling or surveillance of pedestrians.
  Mitigation: No tracking or identification is possible. The output is a single aggregate ratio with no individual attributes.
- Governance risk: Children's data
  Risk: Inadvertent capture of children could be perceived as high-risk.
  Mitigation: No identifying data relating to children is retained. The output is a binary count increment with no demographic information.
- Governance risk: Outdoor public space
  Risk: The passers-by camera operates in a public outdoor environment, which requires specific justification under EDPB Guidelines 3/2019.
  Mitigation: No alternative sensor technology achieves equivalent counting across variable outdoor distances and angles. Processing is more transient than any retention-based alternative. Dedicated outdoor signage is required.
- Governance risk: AI literacy
  Risk: Lack of understanding of how anonymous counting works.
  Mitigation: Communication through signage and support materials explaining the system's limits and safeguards.
8. AI Act: Assessment of prohibited use cases
Indivd's Drop-in Rate feature has been reviewed against Article 5 of the EU Artificial Intelligence Act (AI Act), which defines prohibited AI practices. The system does not fall under any of the banned categories.
- Biometric categorization: The system performs body-presence detection only. It does not analyse facial features, infer demographic attributes, or create biometric representations.
- Surveillance of workers: Street-facing camera streams are never viewable by employees. The system cannot identify individuals and is not capable of employee monitoring.
- Manipulation of human behavior: The system provides statistical aggregate insights only. It does not influence, manipulate, or respond to individual behavior.
- Exploitation of vulnerable individuals: No vulnerable group is targeted. The system does not track, identify, or infer any characteristic of any individual.
- Social scoring: No ranking or scoring of individuals or groups occurs. All outputs are anonymous and statistical.
- Biometric identification in public spaces: No biometric identifiers are used. Image data is deleted within 1-2 milliseconds. No face is located or analysed at any stage.
- Facial recognition database or scraping: Indivd does not create or expand facial recognition databases, nor does it use any scraping techniques. Data collected is anonymised instantly and does not support facial recognition.
- Emotion recognition: The system does not analyse or infer emotional states.
Indivd's Drop-in Rate feature does not meet the criteria of any prohibited AI practices defined by Article 5 of the EU AI Act. The technology has been intentionally designed around privacy-by-design principles, immediate image deletion, data minimisation, and ethical use, supporting lawful and responsible data processing.