If you have Arlo devices installed in your home
Disclaimer: This guide is for informational purposes only and does not constitute a comprehensive summary of applicable laws and regulations, nor legal advice. Please consult a qualified legal professional for specific legal guidance tailored to your situation.
Arlo devices, including cameras, capture video and audio recordings of individuals. Such data is considered personal data under the General Data Protection Regulation 2016/679 (“GDPR”). Hence, your use of Arlo devices may be subject to the GDPR. As the owner of Arlo devices, you are the data controller and as such you have obligations under the GDPR.
Please note that individuals operating under the so-called “domestic purpose exemption” are exempt from the GDPR, i.e., where a natural person processes personal data for purely private or household purposes.
To determine whether the exemption is applicable to your use of Arlo devices or not, several factors must be considered, and an overall assessment must be made. You should consider factors such as:
- Which area is captured by the Arlo devices?
- What is your purpose of the use of the Arlo devices?
For example, if your Arlo device captures areas other than your own domestic premises, such as your neighbour’s property or even a small area accessible to the public (such as a street), the exemption rarely applies. However, recording inside the private sphere of your domestic premises normally falls under the domestic purpose exemption. This could be the case even if you, on rare occasions, coincidentally capture someone working in your private sphere (such as a contractor) as long as the purpose of your use of the device is not to monitor this specific person working.
This guide aims to inform you of and help you understand your obligations as a data controller. Additionally, other laws, such as those governing the use of recording equipment like CCTV or smart doorbells, may apply. You should always check your national regulator’s guidance on the use of recording devices before you start using them.
You must ensure that your use fulfils the fundamental principles of the GDPR
The GDPR (article 5) requires that your processing of personal data complies with certain fundamental principles. Note that you are responsible for understanding and applying these principles when using your Arlo devices. The following is a summary of the fundamental principles and their meaning.
- Your processing must be lawful, fair and transparent
This means that you must ensure that your processing is based on one of the legal bases in article 6 of the GDPR. If you process so-called “sensitive personal data” – such as “biometric data” – you also need to ensure that one of the exemptions in article 9 of the GDPR applies. This is the case if you turn on the facial recognition feature. In practice, this means that you must request consent from the individuals who are subject to the facial recognition feature of the Arlo device.
In addition, the processing must be fair, appropriate, reasonable, and proportional in relation to the data subjects (i.e., the individuals captured by your Arlo device).
Further, you must inform the data subjects about how you process their personal data in a clear, understandable, and easily accessible manner. To help you fulfil the transparency requirement we have put together a general privacy guide for visitors, containing information about how personal data is processed by Arlo devices in general. Note that you may need to supplement the privacy guide for visitors with information tailored to your specific situation and that you are responsible for ensuring that the individuals whose personal data is being processed receive complete and correct information as required under the GDPR.
In addition, many of our Arlo devices are shipped with an Arlo Europe Sticker which includes a QR-code linking to the privacy guide for visitors. You can place the sticker close to where your visitor enters your premises, to ensure that they have access to the information before entering. Also, please note that there may be additional national rules and guidance which, for example, may require certain signage where cameras are installed.
- You need to determine the purpose of your processing and stick to it
You may only collect personal data for specific, explicitly stated and legitimate purposes. You may not use the data for other, incompatible purposes, unless you have the individual’s consent. For example, if the purpose of your use of Arlo devices is to detect and prevent theft, burglary, vandalism or other similar purposes, you may not use the data captured by your Arlo device to monitor your neighbour’s property.
- You may not process more data than necessary for your purpose
This means that your camera should be placed in such a way that it does not capture more data than necessary for the purpose. For example, if the purpose of your use of the Arlo devices is to detect and prevent theft, burglary, vandalism or other similar purposes, the cameras should be directed to the points of entry, excluding other areas such as a street available to the public or your neighbour’s garage.
- The data you process must be accurate
You must take all reasonable steps to ensure that the personal data that is processed is accurate, and if necessary, rectify or erase inaccurate data.
- You may not store data longer than necessary
You may only keep personal data for as long as it is needed to fulfil the specific purpose you have previously identified. Generally, video footage may rarely be kept for more than 72 hours. Personal data is stored in your Arlo app for 30 days by default, but you are able to manage the storage period of the captured content including personal data in the Arlo app.
- Your processing must ensure integrity and confidentiality
By employing appropriate security measures, you must protect all personal data that you process so that no unauthorised person can access it and so that it is not used in a prohibited manner. You must also ensure that the personal data is not lost or destroyed. Arlo Europe has security measures in place to ensure the technical security of the personal data, but you should be careful not to share captured content in a way which is not necessary for the purpose of processing, e.g., detection and prevention of theft, burglary, vandalism or other similar purposes.
- You are accountable
You are responsible for complying with the fundamental principles and you must also be able to demonstrate that you comply with them and how you do so.
- Contact point for the individuals captured by the devices
Please note that you are the primary point of contact for the individuals captured by the devices. As a data processor, Arlo is not liable or able to provide relevant and complete information to the individuals about how you as a data controller process their personal data.
Information about the use of the facial recognition feature
Your Arlo devices may include a facial recognition feature. As facial recognition technology entails processing of biometric data, use of the feature comes with strict legal requirements. Therefore, the feature is turned off by default.
You should be very conscious of how you use the facial recognition feature, for example only activating the feature for cameras inside or in private areas of your garden where no risk of capture outside of your private domestic premises is present. If the domestic purpose exemption does not apply, you must inform the individuals captured by the facial recognition feature about its use and request their explicit consent to use the feature.