2026 Buyer's Guide: Privacy-First People Counting Sensors

Meet Butlr

Discover what spatial intelligence can do for you.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

As offices modernize, accurate people counting becomes essential for space optimization, safety, HVAC control, and hybrid-work planning. In Germany, strict privacy rules and strong employee co‑determination rights make choosing the right sensor technology a legal and operational decision—not just a technical one. This guide helps German facility managers, IT teams, and procurement officers evaluate privacy-first people counting sensors and select a solution that balances accuracy, compliance, and workplace trust.

Why privacy-first matters in Germany

GDPR (EU General Data Protection Regulation / DSGVO) sets strict rules about personal data collection, processing, and retention. People counts can become personal data if linked to identities.
Bundesdatenschutzgesetz (BDSG) complements GDPR at the national level and adds specific employer-related requirements.
Works councils (Betriebsrat) have co‑determination rights under the Works Constitution Act (Betriebsverfassungsgesetz). Monitoring employees typically requires consultation, and often agreement, with the Betriebsrat.
Employee trust and acceptance affect adoption. Devices perceived as "spying cameras" create pushback, legal exposure, and reputational risk.

Privacy-first solutions reduce legal friction by design: they avoid capturing personally identifiable information, minimize data retention, and provide verifiable anonymization.

Common people counting technologies (brief definitions)

Thermal sensor: detects heat signatures; useful for head counts without producing identifiable images.
Camera-based (RGB): uses visible-light images; high accuracy but creates identifiable imagery and strong privacy concerns.
Depth sensor: captures 3D shapes (no color), often better privacy than RGB but can still be re-identifiable in some cases.
Passive infrared (PIR): detects motion and presence, but low spatial resolution and limited counting accuracy.
Wi‑Fi/Bluetooth tracking: infers occupancy from device probe requests or MAC addresses; can be highly invasive unless anonymized robustly.
CO2 sensors: indirect proxy for occupancy by measuring air quality; useful for ventilation control but not precise head counts.
LiDAR: laser-based distance measurements producing point clouds; accurate but potentially re-identifiable if not properly anonymized.

Define: PII (personally identifiable information) — any information that can be used to identify an individual directly or indirectly.

What privacy-first means in practice

Camera-free or non-identifying sensing: no raw RGB imagery or other directly identifiable outputs.
Edge processing: raw sensor data is processed locally (on-device) to produce anonymized counts; raw outputs never leave the device.
No PII collection: the system does not log images, MAC addresses, device IDs, or any fields that could identify individuals.
Strong anonymization and aggregation: counts are aggregated and cannot be backtracked to an individual.
Minimal retention and selective export: only aggregated metrics are stored and for the shortest necessary time.
Encrypted storage and transport: data at rest and in transit is encrypted using modern standards.
Contractual safeguards: a Data Processing Agreement (Auftragsverarbeitungsvertrag / AVV / DPA) that assigns responsibilities under GDPR.
Local data hosting options: EU-only data centers and the option to host on-premises.
Transparency & auditing: privacy documentation, DPIA (Data Protection Impact Assessment) support, and independent verification or certifications (e.g., ISO 27001).

Define: Edge processing — processing sensor data directly on the device rather than sending raw data to the cloud.

Legal and workplace compliance checklist (Germany-specific)

Conduct a DPIA: Required when processing is likely to result in high risk to individuals’ rights. Use the DPIA to document purpose limitation and technical safeguards.
Consult the Betriebsrat early: monitoring-related deployments generally require consultation and can be blocked or limited without agreement.
Sign an AVV/DPA: ensures the vendor complies with GDPR obligations as a data processor.
Host data in the EU: choose vendors who can guarantee EU-only hosting or provide on-premises options.
Limit retention: define precise retention windows for aggregated metrics and purge policies.
Avoid tracking device identifiers: prohibit collection of MAC addresses or other device identifiers unless you can demonstrate legal basis and consent.
Provide employee notice: transparent policy communications about what is collected, why, and how privacy is preserved.
Consider data minimisation: collect only what is strictly necessary for the stated purpose.

Accuracy vs. privacy: trade-offs and expectations

Camera-based systems often claim the highest accuracy (especially in dense flows) but raise the most privacy and legal issues.
Thermal and purpose-built, camera-free sensors typically offer strong accuracy for head counts and flows while preserving anonymity—accuracy may vary with installation conditions (height, mounting angle, room layout).
Wi‑Fi/Bluetooth can track movement over time but produces noisy counts and privacy risks unless thorough anonymization practices are used.
CO2 is a useful complement for ventilation control but should not be used as the sole people-counting method if precise counts are required.

When evaluating accuracy claims, request independent test results and real-world pilot data from spaces similar to yours (ceiling height, lighting, traffic patterns).

Practical deployment considerations

Mounting and coverage: ceiling height, field of view, and multiple mounting points affect accuracy. Sensors designed for office ceilings are preferable.
Room types: open-plan areas, narrow corridors, lobbies, meeting rooms, and stairwells each present different challenges.
Integration: support for standard building and IT protocols (BACnet, Modbus, MQTT, REST APIs) enables use with BMS, scheduling, and analytics platforms.
Power and connectivity: PoE (Power over Ethernet) simplifies deployments; Wi‑Fi-enabled devices reduce cabling but require robust network security.
Environmental factors: HVAC vents, reflective surfaces, and temperature variations can affect thermal sensors—ask vendors about compensating algorithms.
Maintenance and calibration: sensor drift and occlusions happen; plan for periodic checks and firmware updates.
Pilot phase: run a trial for 4–8 weeks to evaluate accuracy, uptime, and employee feedback before full roll-out.

Procurement checklist — what to ask vendors

Technical

Sensor type and how it protects privacy (camera-free? edge anonymization?).
Accuracy metrics in comparable office scenarios (true positive/false positive rates).
Coverage per sensor (square meters) and recommended mounting heights.
Integration options (APIs, protocols) and data formats (aggregated only? raw data?).

Privacy & legal

Do you support a DPA/AVV? Where is customer data hosted (region)?
Can the vendor provide a DPIA template and evidence of privacy-by-design?
Does the system store any raw images, point clouds, or device identifiers?
Retention policies and ability to purge data on demand.

Security & compliance

Certifications (ISO 27001, SOC 2) or third-party security assessments.
Encryption standards for data in transit and at rest.
Authentication, role-based access controls, and audit logs.

Operational & commercial

Trial/pilot options and success criteria.
Installation support and documentation in German.
SLAs for uptime and support response times.
Total cost of ownership (hardware, installation, licensing, cloud fees, maintenance).

Vendor transparency

Independent verification or published whitepapers about anonymization methods.
References from German office deployments and customer case studies.
Willingness to engage with internal legal, IT, and Betriebsrat stakeholders.

Evaluating vendors: a step-by-step approach

1. Define objectives: occupancy analytics, HVAC control, desk booking, or safety counts—different goals require different accuracy and latency.
2. Shortlist vendors based on privacy posture and EU hosting capability.
3. Request privacy documentation, DPIA support, and a standard DPA template.
4. Run an on-site pilot in representative zones with agreed KPIs (accuracy, uptime, latency).
5. Engage legal and the Betriebsrat during the pilot to capture concerns early.
6. Review pilot results, staff feedback, and operational costs.
7. Negotiate contract terms emphasizing privacy, security, and local support.

Why thermal, camera-free sensing is often the best fit for German offices

Thermal, camera-free sensors combine reliable head-counting capability with strong privacy protections because they detect heat patterns rather than producing identifiable images. When paired with edge processing and EU data hosting, they reduce legal complexity and workplace concerns.

Vendors focusing exclusively on thermal, camera-free technology typically provide clearer compliance pathways, better acceptance from employees and works councils, and simpler DPIAs. Companies like Butlr specialize in privacy-first thermal, camera-free people sensing and spatial intelligence for buildings, offering solutions designed to avoid raw imagery and reduce privacy risk. For buyers who need a vendor that emphasizes anonymization and integration, look for similar commitments and verifiable technical details.

Final recommendations

Prioritize privacy-by-design: choose sensor technologies and vendors that never produce or transmit identifiable imagery or device IDs.
Involve stakeholders early: legal, IT, facility management, and the Betriebsrat should be part of scoping and pilots.
Insist on documentation: DPIAs, DPAs/AVVs, security certifications, and EU data residency.
Test in your environment: real-world pilots are the only reliable way to verify accuracy and acceptance.
Balance ROI with trust: a less invasive sensor that delivers slightly lower counts may yield better long-term value because it avoids legal and cultural obstacles.

Choosing a privacy-first people counting solution in Germany requires balancing accuracy, integration needs, legal compliance, and employee trust. With careful vendor evaluation, transparent processes, and a short pilot, you can deploy a system that powers smarter offices while respecting privacy and regulatory obligations.

2026 Buyer's Guide: Privacy-First People Counting Sensors for Offices in Germany