Our Commitment to Personal Privacy

Who we are

Facewatch Limited is a company limited by shares registered in England under company number 7209931 whose registered office is at High Street, Hadleigh, Ipswich, Suffolk IP7 5EA.

If you have any questions, suggestions, concerns or complaints please contact our Data Protection Officer by emailing dpo@facewatch.co.uk or by calling 0207 9303225.

We operate under the Data Protection Act 2018 incorporating the EU General Data Protection Regulations (collectively referred to below as the DPA).

CCTV Camera
What we do

What we do

We provide systems and process personal data for the prevention and detection of crime.

Facewatch are the Data Controller for all personal data we process. Our customers are businesses (Subscribers) who must display signage saying that Facewatch facial recognition is in operation.

The Facewatch Real Time Alerting system uses facial recognition to instantly alert Subscribers when Subjects Of Interest (SOIs) enter their premises. See below for a description of an SOI.

Subscribers are able to report new SOIs through incidents which include a formal witness statement. The Subscriber can only view the watchlist of SOIs that they have uploaded.

The legal position

This privacy notice includes the following information to help you understand clearly how your data is being used:

  • The lawful basis for processing your data
  • Categories of data processed
  • What we do with your personal data

Your rights under the DPA are as follows:

  1. The right to be informed
  2. The right of access (see next paragraph)
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Right of access:
You have the right to submit a Subject Access Request and this can be done here. We will need to obtain proof of your identity before providing you with information we hold about you.

You have the right to submit a complaint to a supervisory authority.

If you require more information about items raised in this notice we would recommend the ICO website.

Explaining AI Decisions

The Facewatch System examines images collected by a customer’s CCTV camera and utilises an AI software application to compare those images to a watchlist of subjects of interest. The output of the application is a recommendation in the form of an alert that an image may match that of a subject of interest. Other information provided is the percentage of certainty that the images are a match and a gallery of images held of the subject of interest.

This information is provided to assist a human review by the person receiving the alert who will have sight of the relevant person and be in a position to decide if they consider the match to be accurate.

If the person receiving alert considers the alert image matches the person subject of the alert, they will implement their organisational procedure for responding to a matched alert. This action can range from no action to an intervention.

If the recipient doesn’t consider the alert is a match they can click “no match.” The alert and biometric data of the face are deleted instantly.

As a transparent data controller, Facewatch will respond to requests for any fuller explanation sought by data subjects.

Whose personal data we process

The data we process is different depending on who you are:

  • Facewatch Users: Individuals who are authorised to use Facewatch by our business subscribers
  • Subjects of Interest: Individuals reasonably suspected of carrying out unlawful acts (evidenced by personal witness or CCTV) who have been uploaded to Facewatch by our business subscribers to our Watchlist.
  • Members of the Public: Individuals who enter and use premises protected by Facewatch
  • General enquiries: Individuals who contact us through our website or by phone for more information
  • Website cookies: We may use cookies to improve and speed up your browsing experience

We explain below how we use your data using the above definitions.

Whose personal data we process
Paul Wilks Budgens

Facewatch Users

When you register to use the Facewatch services we ask you to provide basic information about yourself to ensure that you can be uniquely identified. The information we hold is your Email address and your name.

We need this information so that we can trace who has input, viewed or amended any data on the system for compliance and security purposes.

The lawful basis for processing your data is that you have provided consent to us. You may withdraw consent at any time.

We will not share your personal data with third-parties nor will we transfer it out of the EU.

We will use your email address and name to notify you of important system alerts and notifications.

We will also send out occasional newsletters relating to Facewatch news and system updates which you may opt out of if you wish.

If you would like your personal data removed or amended we (or your corporate administrator) can close your account or amend your data.  If you have requested removal of your personal data this will be deleted from our systems completely within 30 days unless we need to retain your details for audit purposes where you have created an incident report in which case your data will be deleted after a maximum of 12 months, being the maximum period we retain incidents.

Subjects of Interest (SOIs)

We hold personal data about SOIs for the purposes of the prevention and detection of unlawful acts. We do not ask SOIs for consent to process their data or it would prejudice these purposes.

Subscribers upload information about an SOI only when that individual is reasonably suspected of crime or disorder – this is strictly controlled and anyone who uploads any data which is not compliant could be subject to fines or censure by the ICO.

Facewatch maintains a database of SOI facial images and the reasons for their being reasonably suspected of crime or disorder. This is known as a watchlist.

We convert the watchlist of SOI facial images to facial recognition algorithm templates which are used to compare to the facial recognition template of people seen on CCTV entering our Subscribers’ premises and create alerts if there is a potential match. All alerts are verified by the relevant Facewatch User and if no verification is entered the alert is deleted within one hour. If an alert is confirmed as matched we retain it for 2 days at which point it is deleted. If an alert is marked as a no match it is deleted instantly. We do not send alerts to subscribers that do not meet our high accuracy standards. In order to maintain and improve the accuracy of the Facewatch System we retain alerts that are just below our accuracy standard for 48 hours for review.

We only share a subset of SOI personal data with our Subscribers when a facial recognition alert is generated by our system, comprising: facial image(s); alert date and crime category which is the minimum amount of data we believe we can share to achieve the purposes noted above. We do not share personal data when the data subject is, or appears to be, under 18 years of age.

We share the SOI data with Subscriber premises  when a facial recognition alert is generated by our system based on what we believe is adequate, relevant and necessary for achieving the purposes above. A subscriber may only see a watchlist of SOIs that they have uploaded.

The lawful basis for processing SOI personal data is that it is in our legitimate interest and that of our subscribers to do so.

We have to comply with a higher threshold of compliance when processing criminal offence data and using facial recognition algorithms which are deemed to be Special Category data under GDPR. We lawfully process this data because we are able to demonstrate that it is in the Substantial Public Interest for us to do so.

Our legitimate interests for processing personal data are detailed below.

We retain SOI data for a period of 12 months from their last recorded incident (i.e. we delete all incidents over 12 months old). Findings of no crime, not guilty or cessation of proceedings will lead to removal of that incident record against the SOI.

Members of the public

Members of the Public

When you enter a business protected by the Facewatch Real Time Alerting system you will see signage saying that Facewatch facial recognition is in operation (very much like the ubiquitous CCTV in operation signs).

The Facewatch Facial Recognition System works by detecting faces from CCTV sited at our subscriber properties. These images are fully encrypted and transmitted to our highly secure Cloud server where they are converted into a set of facial measurements (we call them Feature Vectors) which are then compared to the Subjects of Interest on our Watchlist. If there is no match the data is instantly deleted thereby protecting the data of anyone not on the Watchlist.

The camera feed is recorded just like normal CCTV but for far less time – we only hold the footage for 72 hours compared to the traditional CCTV retention period of 30 days. We also retain the detected faces from that footage for 72 hours so that images of individuals reasonably suspected of crime or disorder can be uploaded after the event to the Facewatch system.  No biometric data is retained for anything more than an instant other than that of Subjects of Interest.

The lawful basis for processing your personal data is that it is in our legitimate interest and that of our subscribers to do so for the purpose of the prevention and detection of unlawful acts. We have taken every precaution to ensure that it is not disproportionately intrusive on your privacy.

We have to comply with a higher threshold of compliance when processing using facial recognition algorithms which are deemed to be Special Category data under GDPR. We lawfully process this data because we are able to demonstrate that it is in the Substantial Public Interest for us to do so. We never hold your biometric data for more than an instant, and no-one can ever track where you have been using our system.

Other Recipients of Personal Data

Facewatch use AWS UK servers to host our processing operation which includes use of AWS facial recognition software as a service as a secondary check for accuracy alongside our own software. This processing is conducted using a non-storage API operation in which the software does not persist any information discovered about the input image.

Our Legitimate Interests

The legitimate interest for processing a Watchlist of persons reasonably suspected of committing unlawful acts is the compelling justification for us to provide a service to protect our customers, their customers, staff and business assets from unlawful acts. Our Legitimate Interest Assessment is as follows:

It is our legitimate interest to be able to minimise the impact of unlawful acts by processing personal data to identify persons in our subscriber premises who are reasonably suspected of having committed crime and thereby enable reasonable and proportionate action to prevent crime. It is our legitimate interest to help prevent crimes against subscribers who currently just capture on CCTV crime that has taken place and report to police.

The processing of personal data, special category data and criminal offence data is necessary to achieve our legitimate purpose as it allows us to provide facial recognition services to quickly and accurately identify individuals who are reasonably suspected of having committed crime, and to notify relevant subscribers so as to take reasonable and proportionate action in the circumstances. Without processing information in this way we would be unlikely to effectively identify such persons as they enter subscriber premises, making them less likely to prevent unlawful acts, and therefore more likely to experience crime, even with existing tactics including security staff and/or CCTV monitoring which records a crime that has already happened.  Reporting crime to police is similarly less effective than the use of Facewatch as this is post event rather than preventative.

In pursuit of our legitimate purpose, through our policy and procedures, we balance our legitimate interest with the rights, interests and freedoms of all affected data subjects by enabling their privacy rights and facilitating their general interest to be protected from crime. We distinguish those individuals reasonably suspected of having committed unlawful acts from all other persons entering subscriber premises by the use of Watchlists and Facial Recognition Alerts. There is always human involvement by the subscriber to verify any possible match between an individual entering their premises and an image on a Watchlist or Facial Recognition Alert.

We prevent function creep and ensure data quality and minimisation by requiring adherence to the terms and conditions of the use of the Facewatch System and Facewatch data sharing agreement.

Our privacy notice reflects the use of the Facewatch System and thereby informs individuals on what happens to their personal data. It is important to note that the Facewatch System protects the privacy of individuals and only alerts subscribers to the presence of individuals whose image matches that of individuals reasonably suspected of having committed crime in a defined area relevant to the subscriber.

Facewatch Ltd is a distinct data controller and we have a data sharing agreement with Subscribers.

General Enquiries/Communications

If you complete a survey or a form on our website requesting information or call us or submit a subject access request we will retain that data for a maximum of 6 years and use it to follow up with you. We delete any proof of identity information provided for fulfilment of a subject access request as soon as your identity is verified.

We will retain your email address and name for marketing purposes only if you have opted into this service but this will not be shared with any other organisations.

You can opt out of marketing emails at any time and request us to delete your information at any time using the SAR process explained above.

Your telephone calls and e-mails to us may be recorded in our contact management system and may be retained for up to 6 years.  We may also intercept communications made to individual members of staff at Facewatch when this is required for business purposes.

The lawful basis for processing your personal data is that it is both necessary and in our legitimate interest and that of those who communicate with us to do so for the purpose of the efficient conduct of our business.

We balance our legitimate interest against the individual’s interests, rights and freedoms and only use such personal data for the efficient conduct of our business.

General enquiries


This website uses cookies

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website.

To see the full Cookie Declaration and manage Cookies, click here

Changes to the Privacy Notice

From time to time we may amend the way in which we process personal data. This may lead to changes in how we collect and/or use your personal information.

We may amend the terms of this Privacy Policy at any time but if this is material, we will endeavour to notify you. Please check this page periodically as your subsequent use of this Website or submission of personal information to us following any such changes will be deemed to signify your acceptance to the changes.

Changes to privacy notice

Other Websites

Our Website contains links to other websites. We are not responsible for the privacy policies and practices or the content of any websites which are linked to our Website.

Contact us

If you have any queries relating to this Privacy Notice, please contact us by e-mail at: enquiries@facewatch.co.uk or call 0207 9303225.