Privacy guide for visitors of homes protected by Arlo devices
Disclaimer: This guide is for informational purposes only and does not constitute a comprehensive summary of applicable laws and regulations, nor legal advice. Please consult a qualified legal professional for specific legal guidance tailored to your situation.
Arlo devices, including cameras, capture video and audio recordings of individuals. Such data is considered personal data under the General Data Protection Regulation 2016/679 (“GDPR”). Hence, the use of Arlo devices may be subject to the GDPR. Additionally, other laws such as laws for the use of recording equipment such as CCTV or smart doorbells may apply.
An exemption from the GDPR may apply for owners of Arlo devices operating under the so called ”domestic purpose exemption”, i.e., where a natural person processes personal data for purely private or household purposes.
If the domestic purpose exemption does not apply, the owner of the Arlo devices is responsible (i.e., the data controller) for how your personal data (such as video and audio) is collected and processed. Below, you can find general information about how your personal data can be processed in those situations. Please note that your personal data may be processed in other ways than described below. If you want to know what applies in your specific situation, please contact the owner of the Arlo devices.
INFORMATION ON HOW YOUR DATA MAY BE PROCESSED
1. DATA CONTROLLER
The operator of the Arlo devices, usually the owner of the Arlo devices (the “Owner”) is typically the data controller – i.e., responsible for how your personal data is processed by the Arlo devices.
2. PERSONAL DATA BEING PROCESSED
2.1 Arlo devices will capture video and audio recordings of anyone visiting the monitored premises.
2.2 In addition, if the Owner activates the facial recognition feature, biometric information about the persons within the captured area is processed. A picture of you, including biometric information, is saved in a “known-faces” gallery available to the Owner, together with a “known face”-tag, allowing the Arlo device to recognise you when you enter the area captured by the device in the future. The Owner will be notified (by automatic means) that you have entered the area. Arlo Europe does not have access to the gallery of “known faces”.
3. WHY AND BASED ON WHICH LEGAL BASIS YOUR PERSONAL DATA IS PROCESSED
3.1 In most situations, Arlo devices are used to detect and prevent theft, burglary, vandalism or other similar purposes. This is often based on the Owner’s legitimate interest of property protection and crime prevention. If you want to know how the Owner has balanced his/her interests against your interests and rights, please contact the Owner.
3.2 If the facial recognition feature is turned on by the Owner, the Owner should seek your consent to process this data.
3.3 If you are uncertain as to which legal basis the Owner as a data controller applies, make sure to ask the Owner.
4. DATA RECIPIENTS AND THIRD COUNTRY TRANSFERS
Arlo Europe processes personal data in the EU/EEA. In some circumstances Arlo Europe may transfer personal data to a country outside of the EU/EEA (“Third Country”). In case personal data is transferred to a Third Country, Arlo Europe will ensure that the personal data will continue to be subject to an essentially equivalent level of protection as in the EU/EEA.
Arlo transfers personal data to recipients in the United Kingdom and Switzerland which are subject to EU Commission’s adequacy decision. This means that the EU Commission has assessed that the level of data protection in these countries are essentially equivalent to that of the EU/EEA and that it is therefore possible to transfer personal data to these countries without additional safeguards. If the recipient of personal data processes personal data in the United States and participates in the EU-US Data Privacy Framework, we rely on the EU Commission’s adequacy decision for such transfers.
When we transfer personal data to a Third Country which is not subject to an adequacy decision, or where the recipient is not subject to the EU-US Data Privacy Framework we apply a relevant transfer mechanism, that is applicable safeguard to ensure that an essentially equivalent level of data protection is ensured in the Third Country, specified in the table below.
Country outside of the EU/EEA: | Appropriate safeguards: |
USA | Standard Contract Clauses. |
STORAGE
Personal data should only be stored for as long as it is needed for the purpose. Generally, the personal data is deleted every 30 days by default. The Owner determines the exact storage period of your personal data. Thus, for information about the specific storage period in your particular case, please ask the Owner.
5. YOUR RIGHTS
If your personal data is processed by the Owner, you have certain rights as a data subject vis-à-vis the Owner acting as a data controller. In this section, those rights are described. Please contact the Owner in case you would like to exercise your rights.
5.1 Your right to access, rectification, erasure and restriction
5.1.1 You have the right to request:
a) Access to your personal data. This means that you have the right to request access to personal data that the Owner holds about you. You also have the right to be provided, at no cost, with information about which personal data the Owner are processing about you. The Owner has the right to charge a reasonable administration fee if you request further copies.
b) Rectification of your personal data. At your request, the Owner must correct, anonymise, delete or complete data that the Owner knows to be inaccurate, incomplete or misleading. Also, you have the right to complete any incomplete personal data if something relevant is missing.
c) Erasure of your personal data. You have the right to request that the Owner erases your personal data if there is no compelling reason for the Owner to continue processing the data. Compelling reasons for use to continue processing may be:
i. Processing is necessary for the right of freedom of expression and information,
ii. Processing is necessary to comply with a legal obligation,
iii. Processing is necessary for reasons of public interests in the area of public health,
iv. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or
v. Processing is necessary for the establishment, exercise or defence of legal claims.
5.1.2 Your personal data should be erased if none of the circumstances above are applicable and if
i. The personal data is no longer needed for the purpose for which the Owner collected them,
ii. The Owner processes your personal data based on your consent and you withdraw your consent,
iii. You object to the Owner processing your personal data which is based on a legitimate interest assessment, and the Owner has no compelling interests that overrides your interests or rights and freedoms,
iv. The Owner has processed the personal data unlawfully or
v. The Owner has a legal obligation to erase the personal data.
d) Right to restrict processing. This means that the Owner temporarily restricts the processing of your data. You have the right to request restriction when:
i. you consider your data to be inaccurate and you have requested rectification, while the Owner establishes the accuracy of the personal data,
ii. the processing is unlawful, and you do not want the data to be erased,
iii. as the personal data controller, the Owner no longer needs to process the personal data for the processing purposes, but you need them to be able to establish exercise or defend a legal claim, or
iv. you have objected to processing while waiting for our assessment of whether the Owner’s legitimate interests override yours.
5.1.3 The Owner should take all reasonable measures possible to notify everyone who has received personal data if data have rectified, erased or restricted – if you so request.
5.2 Your right to object to processing
5.2.1 You have the right to object to the processing of your personal data if the processing is based upon legitimate interest or performance of a task carried out in the public interest. If you object to such processing, it should only continue if the Owner has compelling reasons for doing so that override your interests or rights and freedoms or if the processing is necessary for the establishment, exercise or defence of legal claims.
5.2.2 If you do not wish that the Owner uses your personal data for direct marketing purposes, you always have the right to opt out.
5.3 Your right to withdraw consent
If personal data is processed based on your consent, you always have the right to withdraw your consent. You can do this at any time by contacting the Owner.
5.4 Your right to data portability
5.4.1 You have right to data portability when your personal data is processed based on your consent or performance of a contract.
5.4.2 Right to data portability means that you have the right to receive the personal data processed about you in machine-readable format which allows you to transfer these personal data to another data controller. You may also request to have the personal data transferred directly to another data controller.
5.5 Your right to complain to the supervisory authority
You have the right to lodge a complaint with the Data Protection Authority where you live or work or where your believe an infringement of the GDPR has taken place.
6. PLEASE CONTACT THE OWNER OF THE ARLO DEVICES FOR FURTHER INFORMATION
The Owner of the Arlo devices is responsible for providing you with all relevant information about the processing of your personal data. Please contact the Owner for further information.