Occupancy Sensors and Privacy: A GDPR-Ready Guide for European Workplaces

European workplace teams face a unique challenge: they need occupancy data to optimize their spaces, but they operate under the world’s strictest privacy regulations. The General Data Protection Regulation (GDPR) creates specific requirements around any technology that could collect employee data, and occupancy sensors sit directly in this compliance zone.

This guide breaks down what you need to know to deploy occupancy sensors without creating privacy risk.

A split-screen graphic comparing occupancy tracking methods. The left side, tinted red, shows a person's silhouette overlaid with facial recognition wireframes, an ID tag, and a

Why GDPR Matters for Occupancy Sensors

Under GDPR, any data that could directly or indirectly identify an individual qualifies as personal data. This is where occupancy sensor technology choices become a compliance decision, not just a technical one.

Camera sensors capture images of people. Even with blurring or anonymization, the raw capture is of identifiable individuals. This typically requires a Data Protection Impact Assessment (DPIA), a legitimate interest assessment, employee notification, and in some countries, works council approval.

Wi-Fi tracking monitors device MAC addresses, which the European Data Protection Board has confirmed constitute personal identifiable information (PII) even when hashed. Wi-Fi tracking systems are tracking individual devices — and by extension, individual people.

Thermal sensors detect heat signatures that cannot identify individuals. This generally falls outside GDPR personal data requirements, making compliance simpler.

Edge AI sensors process optical data on-device and output only anonymous coordinate data. No images are stored, transmitted, or accessible. The output data (aggregate occupancy counts and anonymous positions) does not constitute PII under GDPR.

The Edge AI Privacy Architecture

PointGrab’s approach is specifically designed for privacy-regulated environments. Here is what happens inside a CogniPoint sensor: the optical CMOS (Complementary Metal-Oxide-Semiconductor) captures the pixels, the edge AI chip processes the image within memory and then outputs only numerical data (count, X/Y positions). The captured pixels are not converted into a file (.JPG etc) that can be stored locally or leaves the device, and the output data cannot be reverse-engineered into images.

This architecture means there is no personal data processing under GDPR definitions. No DPIA is required for the sensor output data. No works council approval is needed for anonymous aggregate data. The compliance burden is fundamentally different from camera or Wi-Fi approaches.

Works Councils and Employee Relations

In Germany, France, and several other European countries, works councils (Betriebsrat, comité d’entreprise) have significant influence over workplace technology deployment. Camera-based monitoring systems almost always require works council negotiation, which can delay deployment by months.

Edge AI sensors that produce only anonymous, aggregate data typically do not trigger works council requirements for employee monitoring. This significantly accelerates deployment timelines in regulated European markets.

Practical Compliance Checklist

When evaluating occupancy sensors for GDPR-regulated workplaces, ask: Does the sensor capture images? If yes, DPIA required. Does the system track devices or MAC addresses? If yes, personal data processing rules apply. Where does data processing occur? On-device processing is preferable to cloud processing. What data leaves the sensor? If only anonymous aggregate data, compliance is straightforward. Can the output data identify individuals? If no, GDPR personal data rules may not apply.

The Bottom Line

You do not have to choose between occupancy data and GDPR compliance. Edge AI technology gives European workplace teams the spatial intelligence they need — precise headcounts, area heatmaps, desk-level data — with a privacy architecture that keeps compliance simple.

 

Operating in GDPR-regulated markets? PointGrab’s edge AI architecture was built for privacy-first workplace sensing. Talk to us about deploying in European offices.

Frequently Asked Questions

What is privacy-first occupancy sensing?

Privacy-first sensing detects occupancy without identifying individuals or capturing visual data, focusing on anonymous presence detection.

How does occupancy sensing comply with GDPR?

GDPR-compliant sensors don’t capture personal data, focus on aggregate occupancy metrics, and provide transparency about data collection.

Are occupancy sensors considered personal data collection?

It depends on the sensor type. Edge AI devices that don’t store or transmit PII, such as an individual identifiable image, fall outside GDPR’s personal data scope.

What privacy concerns do occupancy sensors raise?

Common concerns include tracking employee location, identifying specific individuals, recording behavioral patterns, and data security.

How do organizations ensure privacy with occupancy data?

Best practices include using privacy-first sensors, implementing data retention policies, providing transparency to employees, and apply data security best practices.

What’s the difference between presence sensing and activity tracking?

Presence sensing detects only that a space is occupied, while activity tracking monitors what specific identifiable indeviduals do, raising greater privacy concerns.

Do employees need to consent to occupancy sensors?

Practices vary by jurisdiction, but transparency and consent are best practices, especially in EU organizations subject to GDPR.

Can occupancy data be re-identified to track individuals?

With proper data governance, aggregate occupancy data shouldn’t reveal individual identity or movements, technical safeguards prevent re-identification.