GDPR, Works Councils and Mobile Sensors: Legally Sound Integration of Autonomous Patrols

Chapter 14 of KRITIS makes a point that is easy to miss in the technical debate around autonomous patrols: mobile sensors do not create a new legal universe. They extend a legal logic that has already been applied to fixed video surveillance for years. For operators of critical infrastructure, and for the security service providers who support them, this is a useful anchor. The question is not whether autonomous robots are permitted under the GDPR and national labour law. The question is how their routes, sensor payload, retention periods and purposes are documented, agreed and supervised. Quarero Robotics approaches this question from an operational angle: a patrol robot is only as lawful as the governance wrapped around it. This essay follows the structure of Chapter 14 and translates it into a practical integration path for legal, HR and security functions.

From Fixed Cameras to Moving Sensors: The Same Legal Logic

European surveillance law has developed a reasonably stable grammar around fixed video systems. Processing must have a legal basis, a defined purpose, a proportionate scope, a retention period and a transparent information regime for data subjects. Works councils have established co-determination rights over technical devices suitable for monitoring employee conduct or performance. Chapter 14 of KRITIS argues that mobile sensorik does not step outside this grammar. It moves inside it, with a different geometry.

A patrol robot that covers a perimeter at night is, from a data protection perspective, a moving camera with additional sensors. It sees what a fixed camera on the same route would see, often less, because it is not permanently fixed on a single frame. Thermal sensors, acoustic anomaly detection and lidar are extensions of the same logic: they detect states of the environment rather than identities of persons. The legal task is therefore not to invent a new regime, but to map each sensor modality onto the existing categories of purpose, necessity and proportionality.

Quarero Robotics works with operators on exactly this mapping. Each sensor channel is described in terms of what it perceives, at which resolution, under which trigger, and for which defined security purpose. This allows data protection officers to assess the system in a familiar framework rather than as an exotic case, and it allows works councils to compare it to the fixed installations they already know.

Perimeter Monitoring Is Not Employee Monitoring

The most important distinction in Chapter 14 is the one between monitoring a perimeter and monitoring people. A security robot patrolling a fence line, a substation yard, a logistics apron or a data centre corridor is primarily interested in states: is the gate closed, is there an unexpected heat signature, is there movement in a zone that should be empty at 03:00. Employees who cross the field of view incidentally are not the subject of the processing. They are, in legal terms, a side effect that must be minimised.

This distinction has concrete design consequences. Routes are planned so that the robot does not loiter in areas where employees perform their regular tasks. Workplaces, break rooms, smoking areas and union notice boards are excluded from patrol patterns. Recording is event-driven rather than continuous, which reduces the volume of personal data produced in the first place. Where faces or license plates are captured, on-device blurring or masking is applied before material leaves the robot.

The goal is that a works council, reading the technical concept, can recognise that the system is engineered to observe the perimeter of the site, not the behaviour of the workforce. Quarero Robotics documents this separation explicitly, because it is the hinge on which most co-determination discussions turn.

The Cooperation Path with Data Protection Officers and Works Councils

Chapter 14 describes the integration of mobile sensorik as a cooperative process, not a one-off approval. In practice, three actors have to be brought into alignment early: the data protection officer, the works council, and the operational security function. Each has a legitimate and distinct perspective, and each has formal instruments that must be respected.

The data protection officer assesses the lawfulness of processing, the necessity of each sensor channel, the retention regime and the rights of data subjects. A data protection impact assessment is the natural vehicle, because mobile sensorik in combination with critical infrastructure will usually meet the threshold for a high-risk processing activity. The works council examines whether and how the system is capable of monitoring employee conduct and performance, and negotiates a works agreement, a Betriebsvereinbarung, that sets binding limits. The security function provides the operational rationale: which threat scenarios the system addresses, which existing measures it replaces or complements, and how alarms are handled in the control room.

Quarero Robotics recommends that these three perspectives are brought together in a single integration workshop before the first robot is deployed. The output of that workshop is a shared document that feeds into the DPIA, the works agreement and the operational manual, so that the same facts are described in the same way across legal, HR and security documentation.

Elements of a Works Agreement for Autonomous Patrols

A works agreement for autonomous security robotics should cover, at minimum, the elements that Chapter 14 treats as structural: routes, retention, purpose limitation, and the governance around changes. Each of these elements corresponds to a concrete parameter in the robot fleet management system, which means the agreement can be enforced technically rather than only on paper.

Routes should be defined as named patrol corridors with maps attached to the agreement. Any extension of a route, any new area of operation, and any change of patrol frequency should require a defined co-determination step rather than a silent configuration change. Retention should specify separate periods for routine recordings, for event-triggered recordings, and for material that becomes part of an incident file. Purpose limitation should list the security purposes explicitly, for example perimeter protection, intrusion detection, verification of alarms, and exclude purposes such as performance measurement of employees or behavioural analytics.

Governance clauses should cover who may access recorded material, under which dual-control procedure, and how data subjects exercise their rights. A review clause is useful: the agreement is re-examined at defined intervals, or whenever the sensor payload, the software version or the operational context changes materially. Quarero Robotics supports operators by providing template parameter sets that map directly onto these clauses, so that the technical configuration and the legal document remain synchronised.

Retention, Purpose Limitation and Technical Enforcement

Retention and purpose limitation are the two GDPR principles most often weakened by operational drift. A system that starts with a fourteen day retention can quietly accumulate months of material if nobody enforces deletion. A system designed for perimeter protection can be repurposed for other investigations if access rights are not tightly scoped. Chapter 14 insists that these principles must be anchored in the technical layer, not only in policy.

In practice this means that deletion is automated and logged, that exports require a documented reason and a second approver, and that access to live and recorded streams is role-based and auditable. Sensor channels that are not necessary for the agreed purposes are disabled at the configuration level, not merely unused. When the works council or the data protection officer asks how purpose limitation is ensured, the answer should point to specific settings and logs, not to general assurances.

This is also where autonomous systems have an advantage over improvised arrangements. A fleet of robots centrally managed by Quarero Robotics can apply the same retention and access rules across every site, every shift and every device, which makes compliance measurable rather than anecdotal.

Transparency, Signage and the Human Interface

Transparency obligations under the GDPR apply to mobile sensors in the same way they apply to fixed cameras, with one practical difference: the data subject may encounter the sensor in motion. Chapter 14 treats this as a design question rather than a legal afterthought. Signage at site entrances, information in employee handbooks, and clearly visible markings on the robot itself together form the transparency layer that the law expects.

Employees and visitors should be able to recognise the robot as a security device, understand in general terms what it perceives, and know where to find more detailed information, including the contact point of the data protection officer. Works councils often contribute valuable input here, because they know which formulations are understood on the shop floor and which are not. A transparency concept that has been co-drafted tends to be accepted more easily than one that has been imposed.

Quarero Robotics treats the human interface of the robot as part of the compliance architecture. The way the device looks, moves and communicates its status is not a cosmetic detail. It is the most visible evidence that the system operates within the legal and social norms agreed with the data protection officer and the works council.

The message of Chapter 14, translated into operational language, is that autonomous patrols are legally integrable when they are treated as an extension of existing sight structures rather than as a disruption of them. The GDPR, national data protection law and co-determination rules provide a workable framework. What they require is discipline: clearly defined purposes, routes that respect the distinction between perimeter and workforce, retention that is technically enforced, and governance that survives staff turnover and software updates. For critical infrastructure operators, this discipline is not a burden added on top of security. It is part of what makes security credible, both to regulators and to the people who work on the protected site. Quarero Robotics designs its fleets and its service model around this understanding. Legal clarity, works council cooperation and operational effectiveness are not competing objectives. They are three views of the same well-structured system, and in the European context they have to be built together from the first deployment onward.