If you have Arlo devices installed in your home or business

Disclaimer: This guide is for informational purposes only and does not constitute a comprehensive summary of applicable laws and regulations, nor legal advice. Please consult a qualified legal professional for specific legal guidance tailored to your situation. We also recommend for you to read advice published by your local data protection supervisory authority or Guidelines prepared by the European Data Protection Board on processing personal data through video devices.

Arlo devices, including cameras, capture video and audio recordings of individuals. Such data is considered personal data under the General Data Protection Regulation 2016/679 (“GDPR”). Hence, your use of Arlo devices may be subject to the GDPR as well as other local applicable privacy legislation. As the owner of Arlo devices, you are the data controller and as such you have obligations under the GDPR as well as other local applicable privacy legislation.

Installation and Positioning of the Cameras

The location and positioning of cameras is very important from a data protection perspective. This is because cameras may capture images which people may not expect to be recorded. When setting up your cameras you should position them carefully and should look at how the camera settings can be used to avoid certain areas of view. As the operator of the system, you are ultimately in control of the area being monitored by the cameras and access to it (and thus who may be monitored and recorded). You need to be comfortable with these responsibilities.

If you are installing cameras, some simple principles to bear in mind to ensure they are positioned lawfully are:

- only place cameras in areas where you are concerned about a safety or security risk (e.g. potentially vulnerable entrances, exits or windows);

- limit the camera’s field of view to areas within your property boundaries and avoid monitoring neighbouring premises. Some of the camera settings can help with this by masking certain areas in view;

- do not place cameras in areas where people would not reasonably expect images to be captured;

- avoid locating cameras in areas where there may be sensitivity due to the nature of the space and personal activity taking place there e.g. in or near bedrooms, toilets, spa zones, changing areas or other sensitive spaces that people expect to be kept private;

- do not place cameras in areas which would provide a view of recreational public areas – for example public parks, public benches or outside café tables;

- take particular care when placing cameras in any areas where there are children or vulnerable adults, because such people have additional protections under privacy laws;

- if there are a number of occupiers of the site (e.g. it’s a shared, communal space or building), you are responsible for getting permission to install the system from other owners / occupiers at the premises.

Use of Video Doorbell Cameras

In addition, when (re)configuring or installing a video doorbell camera yourself, you should always seek to minimize coverage of public areas (e.g. street), common areas (eg shared property/ a lobby area) and another person’s property (neighbour’s garden, entrance or house) by:

- Using the angled mount, which is supplied and included in the box of video doorbell, to angle the camera’s field of view;

- adjusting the following camera settings (using the Arlo App & Web) so as to crop the field of view;

o adjust the video pixellation (making the images less detailed);

o adjust the camera’s motion detection settings in order to avoid recording video when motion is detected in such areas.

Use of Audio

Arlo cameras have a built-in microphone which, can capture audio from several metres away. Please take care to avoid breaching any relevant local laws on audio recording. You can turn this feature off at any time

Viewing and Managing Images Captured From the Camera System

Arlo cameras include remote access controls that, depending on the camera type, allow you to capture and store images and/ or audio on your own devices (e.g. via our app). It is important that you use these features selectively, where there is a genuine need to look back at the image – for example, where you are concerned that there has been a security incident at the premises which you would like to review or investigate further. You should not use these features to, for example, continuously monitor an individual or their behaviour at the premises.

You must take care regarding how you use and (if relevant) share any images captured by the Arlo cameras with other people. You should only share images with others where you are comfortable that disclosure is necessary and appropriate and won’t cause embarrassment or harm to anyone captured within the images. Be particularly careful about sharing images in any public or semi-public environment, for example on the internet or social media. We recommend that you do not post images on these platforms unless you have consent from each of the individuals within the images.

Domestic Purpose Exemption

Please note that individuals operating under the so called ”domestic purpose exemption” are exempt from the GDPR, i.e., where a natural person processes personal data for purely private or household purposes. In this case, you won’t have a legal obligation to comply with the responsibilities set out in this guidance note, although you should still use the cameras responsibly to protect the privacy of others.

Please note that the household exemption is limited; the GDPR rules may apply if you:

- monitor the activities of workers or domestic staff working within your household,

- capture images from outside your property,

share images on social or other public mediaTo determine whether the exemption is applicable to your use of Arlo devices or not, several factors must be considered, and an over-all assessment must be made. You should consider factors such as:

- Which area is captured by the Arlo devices?

- What is your purpose of the use of the Arlo devices?

For example, if your Arlo device captures other areas than your own domestic premises, such as your neighbour’s property or even a small area accessible to the public (such as a street), the exemption rarely applies. However, recording inside the private sphere of your domestic premises normally falls under the domestic purpose exemption. This could be the case even if you, on rare occasions, coincidentally capture someone working in your private sphere (such as a contractor) as long as the purpose of your use of the device is not to monitor this specific person working.

If you are a business user, or if you use the system outside the scope of the household exemption, you will need to comply with the legal responsibilities set out in the GDPR which apply to a ‘controller’ of personal data. In these cases, it is important that you familiarise yourself with your legal responsibilities under the GDPR as failure to install and use the system properly could cause significant legal risk. You may find it helpful to consult information provided by your local data protection supervisory authority regarding your responsibilities as a controller.

This guide aims to inform you of and help you understand your obligations as a data controller. Additionally, other laws such as laws for the use of recording equipment such as CCTV or smart doorbells may apply. You should always check your national regulator’s guidance on the use recording devices before you start using them.

You must ensure that your use fulfils the fundamental principles of the GDPR

The GDPR (article 5) requires that your processing of personal data complies with certain fundamental principles. Note that you are responsible for understanding and applying these principles when using your Arlo devices. The following is a summary of the fundamental principles and their meaning.

· Your processing must be lawful, fair and transparent

This means that you must ensure that your processing is based on one of the legal bases in article 6 of the GDPR. If you process so called “sensitive personal data” – such as “biometric data” – you also need to ensure that one of the exemptions in article 9 of the GDPR applies. This is the case if you turn on the Person Recognition. i.e. biometric recognition feature. In practice, this means that you must request consent from the individuals who are subject to the biometric recognition feature of the Arlo device (see further details below under section “Information about the use of Arlo Secure 5.0 features – Person Recognition).

In addition, the processing must be fair, appropriate, reasonable, and proportional in relation to the data subjects (i.e., the individuals captured by your Arlo device).

Further, you must inform the data subjects on how you process their personal data in a clear, understandable, and easily accessible manner. This is typically done by warning notices/signs at the premises to help people understand the area is being monitored. The notices/signages must be visible to people before they enter the monitored area. They should include basic information to explain that a monitoring system is in place, that you are the operator of the system and the purposes for which you will use any data that is captured (e.g. security of the premises). If you are using the system within the scope of the household exemption (described above), it is still advisable that you let members of the household and visitors know that you have cameras in operation at your home.

To help you fulfil the transparency requirement we have put together a general privacy guide for visitors, containing information about how personal data is processed by Arlo devices in general. Note that you may need to supplement the Privacy guide for visitors with information tailored to your specific situation and that you are responsible for ensuring that the individuals whose personal data is being processed receive complete and correct information as required under the GDPR.

In addition, our Arlo devices are shipped with an Arlo Europe Sticker which includes a QR-code linking to the privacy guide for visitors. If you did not receive a sticker you can contact customer care for support.

You can place the sticker close to where your visitor enters your premises, to ensure that they have access to the information before entering. Also, please note that there may be additional national rules and guidance which, for example, may require certain signage where cameras are installed.

· You need to determine the purpose of your processing and stick to it

You may only collect personal data for specific, explicitly stated and legitimate purposes. You may not use the data for other, incompatible purposes, unless you have the individual’s consent. For example, if the purpose of your use of Arlo devices is to detect and prevent theft burglary, vandalism or other similar purposes, you may not use the data captured by your Arlo device to monitor your neighbour’s property.

· You may not process more data than necessary for your purpose

This means that your camera should be placed in a way that it does not capture more data than necessary for the purpose. For example, if the purpose of your use of the Arlo devices is to detect and prevent theft burglary, vandalism or other similar purposes, the cameras should be directed to the points of entry excluding other areas such as a street available to the public or your neighbour’s garage.

· The data you process must be accurate

You must take all reasonable steps to ensure that the personal data that is processed is accurate, and if necessary, rectify or erase inaccurate data.

· You may not store data longer than necessary

You may only keep personal data for as long as it is needed to fulfil the specific purpose you have previously identified. Generally, video footage may rarely be kept for more than 72 hours. Personal data is stored in your Arlo app for 30 days by default, but you are able to manage the storage period of the captured content including personal data in the Arlo app.

· Your processing must ensure integrity and confidentiality

By employing appropriate security measures, you must protect all personal data that you process so that no unauthorised person can access it and so that it is not used in a prohibited manner. You must also ensure that the personal data is not lost or destroyed. Arlo Europe has security measures in place to ensure the technical security of the personal data, but you should be careful not to share captured content in a way which is not necessary for the purpose of processing, e.g., detection and prevention of theft burglary, vandalism or other similar purposes.

· You are accountable

You are responsible for complying with the fundamental principles and you must also be able to demonstrate that you comply with them and how you do so.

· Contact point for the individuals captured by the devices

Please note that you are the primary point of contact for the individuals captured by the devices. As a data processor, Arlo is not liable or able to provide relevant and complete information to the individuals about how you as a data controller process their personal data.

Additional Actions

Preparing a privacy risk assessment before installing and using the system to demonstrate that you have made an informed decision about why you have installed the system and how and why it is necessary and appropriate to capture and use data from the cameras. There will be a particular issue if the area includes vulnerable people or those who are required to spend time in the area (e.g. employees).

If the camera system impacts staff working in the area, you should explain to them directly how the system works. You should also take extra care to ensure the system operates in accordance with applicable employment laws and working practices.

Ensuring you have appropriate processes in place to limit access to the cameras to those who need to monitor the system on a ‘need to know basis’ and only share data with others under strict controls. If you store images, do so in a secure and confidential manner with clear retention policies in place to remove or delete safely after an appropriate period of time. You must respect the legal rights that individuals have for example to request access to, delete or restrict use of their data under the GDPR. You should know who your data protection supervisory authority is and be responsible for communicating with them about any concerns or complaints that may be raised in relation to operation of the system, including any data breaches. Ensure you regularly review the camera system to make sure it is working properly and that you are using it aligned to the principles set out above.

Information about the use of the Arlo Secure 5.0 features

Person Recognition

Your Arlo devices may include the Person Recognition feature. As this feature entails biometric recognition, use of the feature comes with strict legal requirements. Therefore, the feature is turned off by default.

When you activate the Person Recognition feature, you can add pictures of “known faces” you want to introduce, in a gallery only available to you, together with a “known face”-tag. When a “known face” enters the area captured by your Arlo device in the future, you will be notified (by automatic means) that the person has entered the area. Arlo Europe does not have access to the gallery of “known faces”.

Person Recognition’s technology is based on the appearance of the faces. There is no measurement of any metric distance, or curvature, or geometry, corresponding to any actual element of the geometry or shape of a face. The only information in the photograph for the deep neural network used by the technology is the color values of the pixels in the photograph.

You should be very conscious of how you use the Person Recognition feature before turning the feature on, for example only activating the feature for cameras inside or in private areas of your garden where no risk of capture outside of your private domestic premises is present. Setting up your designated privacy zones may also help with you to stay within these limits as Person Recognition feature is prevented from operating within designated privacy zones. To read more about privacy zones please see here: Privacy Zones FAQ & What are Arlo Privacy Zones and how do I create them?

If the domestic purpose exemption does not apply, you must comply with the GDPR as explained above and conduct a data privacy impact assessment (DPIA) to assess the risks of your use of this feature. Based on the outcome, should you decide to use it, you should inform the individuals captured by the biometric recognition feature about its use such as via the Arlo Europe Sticker which includes a QR-code linking to the privacy guide for visitors and request their explicit consent to use the feature, before capturing their data. The feasibility of doing this and obtaining explicit consent will be your responsibility as the data controller. You should assess this carefully, if you are using the Person Recognition feature as part of your commercial use or your use goes beyond the domestic purpose exemption.

Smart Audio Detection

Arlo cameras have a built-in microphone which, can capture audio from several meters away. You must take care to avoid breaching any relevant local laws on audio recording. Some of the camera settings can help reducing the audio detection sensitivity, disable the audio detection or disable the microphone.

The Smart Audio Detection feature will only function if you have enabled audio detection and enabled the microphone for your Arlo device.

Audio recordings will only be generated for the Audio AI feature if the decibel level of the detected sound is beyond a specific threshold, to be determined by you. If noise above this threshold is detected, this would be classified as an event and an audio file is recorded. As the recorded audio files will contain personal data, the feature is turned off by default.

You are responsible for complying with any relevant local laws on audio recording as well as broader personal data protection legislation should you turn this feature on. You should conduct a data privacy impact assessment (DPIA) to assess the risks of your use of this feature. Based on the outcome, should you decide to use it, you should inform the individuals such as by the Arlo Europe Sticker which includes a QR-code linking to the privacy guide for visitors.

Vehicle Recognition

With the Vehicle Recognition feature, Arlo devices will be able to recognize specific vehicles, and send you alerts when they are identified within the designated areas. As vehicles can be linked to individuals, they can be considered as personal data. Therefore, the feature is turned off by default.

When you activate the Vehicle Recognition feature, you may add pictures of “known vehicles” you want to introduce, in a gallery only available to you, together with a “known face”-tag. Based on this, Arlo devices will be able to recognize the “known vehicle” (based on color and model of your vehicle), and the Owner will be notified (by automatic means) that the “known vehicle” have entered the area. Your number plate will not be captured. Arlo Europe does not have access to the gallery of “known vehicles”.

If you activate the feature only for cameras in private areas of your garden/garage where no risk of capture outside of your private domestic premises is present, you may be able to remain within the limits of the domestic purpose exemption. Setting up your designated privacy zones may also help with you to stay within this limits as Vehicle Recognition feature is prevented from operating within designated privacy zones. To read more about privacy zones please see here: Privacy Zones FAQ & What are Arlo Privacy Zones and how do I create them?

If you operate the feature beyond these limits, you must comply with the GDPR as explained above.