DPIA security robots: template and risk matrix
DPIA for security robots under Art. 35 GDPR: threshold analysis, risk matrix, TOMs and DPA contract as working template for data protection officers.
This article provides a working template for the Data Protection Impact Assessment (DPIA) when patrol robots are deployed in plant security. It addresses the company data protection officer and does not replace case-specific legal advice. The structure follows the practice from roughly 40 DPIA procedures we accompanied for KRITIS and industrial sites in 2023 to 2025.
DPIA security robots: when it is mandatory
Art. 35 GDPR obliges the controller to carry out an impact assessment as soon as a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. This applies in particular to systematic large-scale monitoring and to new technologies (EUR-Lex GDPR context). Patrol robots usually fulfil both criteria cumulatively.
Art. 35 (3) (c) GDPR names the systematic monitoring of a publicly accessible area on a large scale. A plant site with delivery traffic, hauliers, tradespeople and visitors is in practice treated as publicly accessible in the data protection sense, because the circle of persons entering it is neither closed nor known in advance. The mandatory list of the Conference of the Independent Data Protection Authorities (DSK) explicitly names video surveillance with AI-supported person recognition as subject to a DPIA (DSK Muss-Liste, version 2018).
The QR-2 sensor profile with thermal person detection and the QR-3 with LiDAR and drone detection additionally meet the "new technology" criterion under Art. 35 (1) GDPR. A pure RGB recording without analysis, for example with the QR-1 on a purely internal private site, can stay below the threshold. Even then, the documented threshold analysis is mandatory, not optional.
The DPIA must be completed before commissioning. A pilot operation without a completed DPIA is a breach of Art. 35 GDPR, sanctioned under Art. 83 (4) (a) GDPR. Fines of up to EUR 10 million or 2 percent of global annual turnover, whichever is higher, are provided for this offence. The fact that the pilot records fewer people or runs for a limited time does not change the classification; it is the processing, not its scale, that triggers the obligation.
Next step: check the record of processing activities for already documented video surveillance entries and reconcile them with the sensor profiles under QR-2 sensor profile.
Threshold analysis: the nine DSK criteria
The DSK works with nine assessment criteria, derived from the WP248 guidelines of the Article 29 Working Party (WP248 rev.01). If at least two criteria apply, a DPIA is as a rule required; WP248 puts it as "in most cases", so a documented justification is needed if two criteria apply and the controller nevertheless decides against a DPIA. Patrol robots typically meet three to five criteria.
The nine criteria in overview: evaluation or scoring; automated decision-making with legal or similarly significant effect; systematic monitoring; sensitive data or data of a highly personal nature; large-scale data processing; matching or combining datasets; data on vulnerable individuals (employees count as vulnerable under WP248 because of the power imbalance); innovative use of new technological solutions; prevention of data subjects from exercising their rights.
The template uses five columns. Column 1: criterion. Column 2: applies (Y/N). Column 3: justification in two to three sentences. Column 4: data source (QR-1, QR-2 or QR-3). Column 5: responsible department.
Example for QR-2 with thermal sensors. Systematic monitoring: yes, 24/7 patrol on fixed routes, data subjects are employees and visitors. New technology: yes, autonomous mobility combined with thermal detection is not established in plant security. Large-scale data processing: yes for sites larger than 50,000 m². Three criteria trigger the DPIA obligation.
The result of the threshold analysis is released as a board resolution, not as an IT memo. Reason: the responsibility of the controller under Art. 24 GDPR and the accountability principle under Art. 5 (2) GDPR rest with the legal entity, represented by its management. Delegation to the IT manager is not sufficient for the supervisory authority in an audit, and it does not shift the liability.
Legal basis and purpose limitation in plant security
The regular legal basis is Art. 6 (1) (f) GDPR (legitimate interest). Consent is not a viable basis: in the employment relationship it is generally not regarded as freely given because of the imbalance of power (recital 43 GDPR), and with visitors and drivers it cannot be obtained, documented and revoked in practice.
The three-stage test must be documented in writing. Stage 1: legitimate interest. Protection against theft, sabotage, arson and unauthorised access to hazardous material storage. For KRITIS operators the interest is additionally supported by the protection duties of operators under § 8a BSIG in conjunction with the BSI-KritisV (Gesetze im Internet).
Stage 2: necessity. Milder means must be documented and reviewed, for example fixed cameras, human patrols, fence detectors; the review must state why each alternative does not achieve the purpose, not merely that it is more expensive. The EU Machinery Regulation 2023/1230 sets additional requirements for autonomous machines with sensors (EUR-Lex 2023/1230, applicable from 20 January 2027) and feeds into the necessity review; note that it governs machine safety, not data protection, so compliance with it does not by itself establish necessity.
Stage 3: balancing. Weighting the interests of employees (personality rights, right to informational self-determination) and visitors against the security interest. Masking and access restriction shift the balance in favour of the controller.
BetrVG § 87 (1) no. 6 requires the involvement of the works council when introducing technical devices suitable for behavioural or performance monitoring. A works agreement is a precondition for commissioning, not a downstream administrative act.
Formulate purpose limitation precisely. Purpose: perimeter protection and detection of unauthorised presence. Excluded purposes: evaluation of break times, attendance control, performance assessment. Standard retention 72 hours, extension only in case of a documented incident with a file reference.
Risk matrix: probability and severity
Risk assessment runs along four risk fields. Risk field 1: unauthorised identification of data subjects. Risk field 2: profiling through movement patterns. Risk field 3: unlawful disclosure to third parties, for example law enforcement without legal basis or insurers. Risk field 4: data loss through cyber attack on the robot fleet or the cloud backend.
The scale has four levels. Probability from 1 (unlikely) to 4 (regularly expected). Severity from 1 (negligible) to 4 (existential for data subjects). The product gives the risk class: 1 to 3 low, 4 to 6 medium, 8 to 9 high, 12 to 16 very high. With two four-level scales only the products 1, 2, 3, 4, 6, 8, 9, 12 and 16 can occur, so the bands cover every reachable value exactly once; if the scale is ever extended, that coverage must be re-checked.
Example assessment QR-2 without protective measures. Risk field unauthorised identification: probability 3, severity 3, product 9, risk class high. Risk field cyber attack: probability 2, severity 4, product 8, risk class high. Without measures the overall rating is "high" and triggers the consultation obligation under Art. 36 GDPR.
After measures (pseudonymisation of biometric vectors, AES-256 encryption, granular access matrix, four-eyes principle on unmasking) the values drop. Target corridor: product value smaller than or equal to 4 per risk field. A residual risk with product value greater than 6 after measures, that is any field still rated high or very high, forces prior consultation with the supervisory authority. Caveat on the biometric vectors: if templates are actually stored to identify individuals, Art. 9 GDPR applies and Art. 6 (1) (f) alone is not a sufficient basis; the legal basis section must then be revisited for that sensor profile.
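The risk matrix above, written out as an added example (not part of the original template): it encodes the four-level scales, the class bands, the target corridor and the Art. 36 trigger, and it checks that the bands cover every product the two scales can actually produce. The QR-2 values without measures are the page's own; the values after measures, the risk field labels and the function names are constructed for illustration.

```python
"""Risk matrix from the DPIA template: probability x severity -> risk class.

Added example, not the page's or Quarero's own code. The "after measures"
values for the QR-2 and the field labels are constructed for illustration.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3, 4)  # probability and severity both run from 1 to 4

# Class bands from the template, keyed in ascending order of severity.
RISK_CLASSES = {
    "low": range(1, 4),          # products 1..3
    "medium": range(4, 7),       # products 4..6
    "high": range(8, 10),        # products 8..9
    "very high": range(12, 17),  # products 12..16
}
CONSULTATION_THRESHOLD = 6  # product > 6 after measures -> Art. 36 prior consultation
TARGET_CORRIDOR = 4         # template target: residual product <= 4 per risk field


@dataclass(frozen=True)
class Assessment:
    field: str
    probability: int
    severity: int

    def __post_init__(self):
        # Reject values outside the template's scale instead of silently
        # producing a product no band covers.
        for value in (self.probability, self.severity):
            if value not in SCALE:
                raise ValueError(f"{self.field}: values must be in {SCALE}, got {value}")

    @property
    def product(self) -> int:
        return self.probability * self.severity

    @property
    def risk_class(self) -> str:
        return classify(self.product)


def reachable_products() -> set:
    """All products two four-level scales can produce (5, 7, 10, 11, 13..15 never occur)."""
    return {p * s for p in SCALE for s in SCALE}


def classify(product: int) -> str:
    for name, band in RISK_CLASSES.items():
        if product in band:
            return name
    raise ValueError(f"product {product} is not covered by any class band")


def scale_is_well_formed() -> bool:
    """True if every reachable product falls into exactly one class band."""
    return all(
        sum(1 for band in RISK_CLASSES.values() if p in band) == 1
        for p in reachable_products()
    )


def overall_rating(assessments) -> str:
    """The overall rating is the worst individual risk field."""
    order = list(RISK_CLASSES)
    return max((a.risk_class for a in assessments), key=order.index, default="low")


def consultation_required(assessments) -> bool:
    """Art. 36 trigger from the template: any residual product above 6."""
    return any(a.product > CONSULTATION_THRESHOLD for a in assessments)


def fields_outside_target(assessments, target=TARGET_CORRIDOR):
    """Risk fields whose residual product still exceeds the target corridor."""
    return [a.field for a in assessments if a.product > target]


def qr2_without_measures():
    # Values as given in the template for the QR-2 before protective measures.
    return [
        Assessment("unauthorised identification", probability=3, severity=3),
        Assessment("cyber attack on fleet or backend", probability=2, severity=4),
    ]


def qr2_with_measures():
    # Constructed residual values after masking, encryption and the access matrix.
    return [
        Assessment("unauthorised identification", probability=1, severity=3),
        Assessment("cyber attack on fleet or backend", probability=1, severity=4),
    ]


if __name__ == "__main__":
    for label, fields in (("without measures", qr2_without_measures()),
                          ("with measures", qr2_with_measures())):
        for a in fields:
            print(f"{label}: {a.field}: {a.probability}x{a.severity}={a.product} -> {a.risk_class}")
        print(f"{label}: overall {overall_rating(fields)}, "
              f"Art. 36 consultation: {consultation_required(fields)}, "
              f"outside target corridor: {fields_outside_target(fields)}")
```

The well-formedness check is the part worth keeping: a four-by-four matrix happens to leave no gaps, but a five-level severity scale (a common "extension" in later DPIA versions) produces products such as 5 and 10 that the bands above do not classify, and the check fails loudly instead of letting a risk field fall through unrated.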
EN ISO 13482 defines safety requirements for personal care robots and serves as a reference for mobile service robots (ISO 13482). The standard addresses physical safety but does not supplement the data protection risk assessment. Both assessments must be kept separately and linked in the record of processing activities.
Technical and organisational measures (TOMs)
The TOMs must follow the state of the art under Art. 32 GDPR. The following measures are minimum standard for patrol robots in plant security.
Encryption. AES-256 in an authenticated mode (AES-256-GCM) for storage on the robot and in the backend; the key must not sit next to the ciphertext on the robot, so a hardware-backed key store on the device is the practical choice. TLS 1.3 with mutual authentication (a device certificate per robot) for transmission between robot, control centre and cloud. Algorithm and key-length choices are documented against BSI TR-02102-1, the TLS configuration against TR-02102-2.
Masking. Faces and number plates are automatically blurred in standard operation. Unmasking only takes place on documented occasion. It requires the four-eyes principle between the head of plant security and the data protection officer, two different persons, not two roles held by one account. Every unmasking, including refused requests, is recorded in an audit-proof (append-only, tamper-evident) log with timestamp, reason and file reference.
Access matrix. The head of plant security receives access to the live stream and masked recordings. The data protection officer receives access to the audit log, not to the content. Management receives incident reports in anonymised form. Blanket admin rights for IT staff are not granted. Access is audited quarterly.
Audio. Audio recording on the QR series is deactivated by default. Activation requires a separate legal basis, a dedicated DPIA addendum and adjusted signage. § 201 StGB (violation of the confidentiality of the spoken word) must be observed.
Deletion concept according to DIN 66398 with audit-proof protocol. Standard deletion period 72 hours, extended period in case of incident maximum 30 days, then transfer to incident file with its own legal basis.
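The unmasking workflow and the deletion concept from the TOMs above, as an added example that is not the page's or Quarero's own code. It enforces the four-eyes rule (both required roles, held by two distinct persons), refuses requests without a reason or file reference, writes every decision to a SHA-256 hash-chained log so that a removed or edited entry breaks verification, and computes the 72-hour standard and 30-day incident retention. Role names, user names, clip identifiers and the file reference format are constructed; the hash chain is a generic construction, not any particular product's log format.

```python
"""Four-eyes unmasking, tamper-evident audit log and retention rule.

Added example, not the page's or Quarero's own code. Role names, users,
clip IDs and file references are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# The two roles that must both approve an unmasking (four-eyes principle).
ROLE_SECURITY = "head_of_plant_security"
ROLE_DPO = "data_protection_officer"

STANDARD_RETENTION = timedelta(hours=72)  # template: standard deletion period
INCIDENT_RETENTION = timedelta(days=30)   # template: maximum with documented incident

GENESIS = "0" * 64


class AuditLog:
    """Append-only log; each entry stores the hash of its predecessor."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields) -> dict:
        body = {"prev": self.entries[-1]["hash"] if self.entries else GENESIS, **fields}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def four_eyes_satisfied(approvals) -> bool:
    """approvals: iterable of (user, role). Both roles must be present and
    must come from two different persons; one person holding both roles
    does not count."""
    security = {user for user, role in approvals if role == ROLE_SECURITY}
    dpo = {user for user, role in approvals if role == ROLE_DPO}
    return any(s != d for s in security for d in dpo)


def authorise_unmasking(log: AuditLog, clip_id: str, approvals, reason: str,
                        file_reference: str, now: datetime) -> bool:
    """Decide an unmasking request and log the decision either way."""
    missing = [name for name, value in (("reason", reason), ("file_reference", file_reference))
               if not value.strip()]
    if missing:
        decision, detail = "refused", f"missing {', '.join(missing)}"
    elif not four_eyes_satisfied(approvals):
        decision, detail = "refused", "four-eyes principle not satisfied"
    else:
        decision, detail = "granted", "two distinct approvers with the required roles"
    log.append(
        timestamp=now.isoformat(),
        clip_id=clip_id,
        decision=decision,
        detail=detail,
        reason=reason,
        file_reference=file_reference,
        approvers=sorted(f"{user}:{role}" for user, role in approvals),
    )
    return decision == "granted"


def expiry(recorded_at: datetime, incident_file_reference: str = "") -> datetime:
    """72 h by default; 30 days only with a documented incident file reference."""
    period = INCIDENT_RETENTION if incident_file_reference.strip() else STANDARD_RETENTION
    return recorded_at + period


def due_for_deletion(recorded_at: datetime, now: datetime, incident_file_reference: str = "") -> bool:
    return now >= expiry(recorded_at, incident_file_reference)


if __name__ == "__main__":
    log = AuditLog()
    t0 = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
    ok = authorise_unmasking(log, "clip-0001",
                             [("a.meier", ROLE_SECURITY), ("b.schulz", ROLE_DPO)],
                             "theft report at gate 3", "INC-2025-017", t0)
    print("granted:", ok, "| log intact:", log.verify())
    print("standard expiry:", expiry(t0), "| incident expiry:", expiry(t0, "INC-2025-017"))
```

The log records refusals as well as grants; an auditor reading only successful unmaskings cannot tell whether the four-eyes rule was ever tested. The hash chain makes silent deletion detectable but not impossible, so the verify() result belongs in the quarterly access audit together with an off-device copy of the latest hash.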
Transparency obligations and signage
Art. 13 GDPR requires informing data subjects before processing begins. Translated to the plant site this means: information before entering the monitored area, not only at the plant entrance.
Signage at the plant gate and at all external accesses. Content: pictogram of robot with camera, controller with company name and address, purpose (perimeter protection), contact details of the data protection officer, QR code to the long version of the privacy notice in at least German and English. Sign size such that the text is legible from three metres distance.
The robot itself carries a visible marking with operating number, manufacturer and competent supervisory authority. This matches the practice for fixed video systems and is a prerequisite for the recognisability of the processing during operation.
Employee information as a separate document, countersigned by the works council, included in the personnel file. Content: specific patrol zones, times, retention period, rights under Art. 15 to 22 GDPR, complaint channel. For new hires part of onboarding.
Visitor handling in the reception process. Signage alone is not sufficient for complex supply chains with frequently changing drivers. Registration at reception or via self-service terminal contains a reference to the robot monitoring and a link to the full information.
A practical implementation example is given under Perimeter protection industrial park.
Processing on behalf with Quarero Robotics
The Robotics-as-a-Service model means in data protection terms: Quarero Robotics is a processor under Art. 28 GDPR. The operator remains the controller and thus the primary addressee of the supervisory authority.
The data processing agreement (DPA) is in place before signature of the main contract. Subsequent submission is not permissible, not even for the pilot phase. The DPA sets out the contract essentials under Art. 28 (3) GDPR (subject matter and duration, nature and purpose, type of personal data and categories of data subjects, obligations and rights of the controller) and the eight mandatory clauses under Art. 28 (3) (a) to (h): processing only on documented instruction, confidentiality of authorised staff, measures under Art. 32, conditions for sub-processors, support with data subject rights, support with the obligations under Art. 32 to 36, deletion or return at the end of the service, and provision of information plus audit rights.
Sub-processors are named individually. Cloud hosting in Frankfurt am Main (data centre according to ISO 27001) and Zurich (data centre according to FINMA requirements for the Swiss sites). Maintenance service providers for the robot fleet are listed. A change to the sub-processor list requires prior notification with the controller's right of objection.
Audit rights. Annual on-site review at the processor or presentation of a current ISO 27001 certificate together with the audit report covering the Annex A controls and the statement of applicability. In case of substantiated suspicion, an ad-hoc audit at the controller's expense is possible. If a breach is established, the processor bears the costs.
Transfers to third countries without an adequacy decision are contractually excluded. Data processing takes place exclusively in Germany, Austria and Switzerland. Switzerland is a third country under the GDPR but is covered by the Commission's adequacy decision, so the Zurich data centre requires neither standard contractual clauses nor a Transfer Impact Assessment under Schrems II. Any relocation of hosting or maintenance access outside the EEA and Switzerland reopens that assessment and is a material change for the DPIA.
An economic comparison against classic guarding is documented by the BDSW through the annually updated hourly rates (BDSW Zahlen, Daten, Fakten). The economic case for the DPIA investment can be built on this basis, the full TCO comparison guard service provides the calculation.
Consultation of the supervisory authority and review cycle
If a high residual risk remains after measures, prior consultation under Art. 36 GDPR must be carried out. Art. 36 (2) GDPR gives the state data protection authority eight weeks, extendable by a further six weeks for complex processing, and the clock stops while the authority waits for information it has requested, so 8 to 14 weeks is the minimum and individual cases run longer. This period must be factored into the project plan; bringing commissioning forward is not permissible.
Consultation file. Full DPIA report, catalogue of measures with effectiveness assessment, residual risk assessment with a traceable scale, justification of necessity including a description of the milder means examined, statement of the data protection officer, statement of the works council. The supervisory authority can impose conditions or prohibit the processing.
DPIA review. Annually or upon material change. Material changes include: extension of sensors (for example activation of audio), new sites, software updates with new AI functions, change of processor, change of purpose or extension of the group of data subjects.
Versioning in the record of processing activities under Art. 30 GDPR. Each DPIA version receives a sequential number, a change date, a responsible person and a justification for the change. The template retains previous versions for 10 years, aligned with the commercial retention period under § 257 HGB; the GDPR itself sets no fixed period, but the accountability principle requires that the assessment valid at any given time can be produced. Supervisory authorities and KRITIS auditors in the context of NIS-2 implementation expect this file status at the first request.
Next step: set up Works council robotics co-determination as a parallel work stream to the DPIA and anchor the Robotics on-site service agreement in the DPA.