Before that town-hall recording or training video leaves your organisation for an external audience, pixelate every face in it. Footage you filmed for the workforce becomes a new processing purpose the moment the internal-comms or employer-brand team wants it on the careers page or inside a customer case study, and the employees, contractors and visitors in frame never agreed to that. Medianonymizer destroys the face pixels frame by frame, in support of your GDPR obligation, and hands you a single anonymised export you can attach to the processing record. You can anonymise a video right now without an account.
Why reusing internal footage is a new processing purpose
You filmed the quarterly all-hands and the onboarding session for the workforce — perhaps a sales kickoff, a diversity panel, an offsite retreat or a product demo as well. That is one lawful purpose. Cutting the highlights into a recruitment reel, an employer-brand teaser or a public case study is a different purpose entirely, aimed at an audience the colleagues in the room never expected. Under the purpose-limitation principle, further processing for a new purpose needs its own basis and, where relevant, a compatibility assessment; "we already had the tape" satisfies neither. The employees who walked past the lens, the contractor presenting a slide, the visitor in the back row — none of them signed a release for the open internet, and in many jurisdictions the works council expects to be consulted before staff appear in external marketing at all.
The clean way through is to make the footage stop being about identifiable people before it is shared. Once each face is destroyed, the clip no longer carries the identifier that links it to a named individual, and the external distribution is no longer processing their personal data.
A signed release from three presenters does not cover the whole room
The two speakers may have agreed to appear externally. The forty faces behind them did not. Anonymising every face — not only the ones without a release — is what lets you answer to the data protection officer with a straight face. Take them all out before the master file leaves the building.
What Medianonymizer removes from the master file
The tool detects human faces across every frame and pixelates them. That is the scope, stated plainly:
- Faces of everyone in shot — presenters, staff in the audience, contractors, visitors walking through.
- Across the full timeline, not just a chosen thumbnail — a face that reappears in a later scene is pixelated there too.
- Destructively, by overwriting the pixels that made the face recognisable.
It does not read lanyards, redact license plates, strip voices from the audio track, or scrub a name from a slide on screen. It anonymises faces in video. Knowing the exact boundary is what keeps the claim honest.
Covering a face versus destroying it
- A box or overlay sits on top; the pixels underneath survive
- Re-export or a different player can shift the mask off the face
- The original frame can be lifted from a cached copy
- Nothing in your record proves the face is actually gone
- The pixels that formed the face are overwritten in the frame
- There is no separate original stream bundled in the file
- Scrub the timeline and the face is simply not there
- The export itself is the evidence you file
The export belongs in your Article 30 record
Accountability is not a feeling; it is documentation. You get back one new video file whose faces are gone from every frame — there is no companion stream and no hidden master that a subject or an auditor could reconstruct later. That is what makes it useful evidence: attach the file to your record of processing activities, log the reuse against the original recording in your retention schedule, and anyone reviewing the decision can scrub the timeline themselves and confirm that no identifiable employee left the organisation in that clip. The controller keeps the source internally; only the anonymised version travels to the brand team, the agency or the public site.
Where anonymisation sits in the approval chain
In practice the recording passes through several hands: a videographer captures the session, internal communications edits a cut, the employer-branding lead pushes to publish, and you — accountable to the data protection officer — hold the veto. That handoff is precisely where anonymisation belongs. Send the edited cut through Medianonymizer, return the anonymised export to the branding lead, and archive the untouched rushes internally with a dated note of the new purpose. Where your balancing test or a lightweight impact assessment flags the reuse as sensitive, the pixelated version is the mitigation you record. Keep the raw rushes in the corporate media library behind your single sign-on, and let only the pixelated cut reach the content calendar. Where a sub-processor or an outside agency hosts the reel, a data-sharing agreement and a documented lawful basis belong in the same folder; a lightweight DPIA and, if the ICO ever knocks, a dated redaction log close the loop. If a supervisory authority ever asks, it sees a documented, defensible decision rather than a boardroom of exposed colleagues republished across social channels.
What we do not promise
We are precise about scope, because a vague claim is worse than none. This removes faces, and only faces. It does not run your legitimate-interests assessment, certify the licensing of the background music, clear the caption text on a slide, or approve the choice of channel — those governance steps stay with you and your data protection officer. Nor does it add a watermark, burn in subtitles, transcode the container, or maintain your consent register or your records-of-processing spreadsheet. Pixelating the faces is one concrete control in support of your GDPR obligation, not a compliance stamp for the whole campaign. It also does not touch license plates or the audio.
Anonymise the footage before it leaves the building
Upload the master file, let every face be pixelated frame by frame, confirm the price, and download the single anonymised export. Attach it to your processing record, log the new purpose, and share the clip knowing no recognisable employee went out with it. No account, pay only for what you anonymise.
When you need this
Your company filmed an internal town hall and a training session, and now the communications team wants to reuse the footage in an external case study and on the careers page. Employees, contractors and a few visitors are recognisable throughout, and not all of them consented to external use. As the person answering to the DPO, you cannot sign it off with their faces exposed. Run the master file through Medianonymizer and pixelate every face before the footage leaves the building. You get a single anonymised export you can attach to the processing record, so the reviewer sees exactly what was shared and can confirm that no identifiable employee left the organisation in that clip, months later if the reuse is ever questioned.
The compliance angle
Re-using internally-filmed footage for an external purpose is a new processing purpose under the GDPR, and the employees and visitors in frame did not consent to that use. Anonymising their faces before the footage is shared externally removes the identifier that ties the clip to real people, which supports your GDPR accountability duty: you can point to the anonymised export in your processing record. It is a control in support of your obligation, not a certification that the whole distribution is lawful.
What you can verify
The export is a fresh video file with the face pixels overwritten in every frame: there is no companion track or hidden original that a reviewer or a subject could later reconstruct. Attach it to your processing record and anyone auditing it can scrub the timeline and confirm each face is destroyed, not masked. Search the file's frames or metadata and the untouched faces are simply not present.
Frequently asked questions
- Can I attach the anonymised export to our processing record as evidence?
- Yes — that is exactly what it is for. You get back a single anonymised video file with every detected face pixelated frame by frame. Attach it to your record of processing activities, and a reviewer or your DPO can open it, scrub the timeline, and confirm that no identifiable employee left the organisation in that clip. The export is the evidence; there is no separate report to take on trust.
- Does anything in the exported file still hold the original, un-pixelated faces?
- No. The pixelation overwrites the pixels that formed each face inside the frames themselves. There is no companion track, no hidden master and no metadata that keeps the original faces. Scrub the file frame by frame and the untouched faces are simply not present — that is what destroyed, not covered, means.
- Does this make our whole video GDPR-compliant, or only remove the faces?
- Only the faces. We are deliberately precise here: pixelating faces is one concrete control in support of your GDPR obligation, not a certificate that the entire distribution is lawful. Consent for the speakers, music licensing, on-screen text and your choice of channel are still yours to handle. What we remove is the facial identifier that ties the footage to real people.
- Can it handle a long town-hall recording with many people in frame?
- Yes. Detection runs across the full timeline, frame by frame, and pixelates every face it finds — a room full of employees, contractors and visitors, and faces that reappear in later scenes. There is no manual box-drawing per person; you upload the master file and download one anonymised export.
- Do you store our corporate footage after it has been processed?
- The workflow is built around not holding onto your material. You upload the file, it is processed, you download the anonymised export, and the source is not kept as a corporate archive on our side. You pay per job with no account, so there is no library of your footage sitting in a profile.