What is the GDPR?
GDPR stands for General Data Protection Regulation. It is an EU-wide set of data protection regulations that came into force on May 25th 2018. It supersedes the existing regulations with the aim of making data protection more unified and more comprehensive across the EU.
We recognize that we form a crucial part of your business and we take our responsibility very seriously. As part of that, we’ve put together this page so you can understand how Arlo and you can work together to achieve GDPR compliance.
We use Arlo. What is our relationship with Arlo with respect to the GDPR?
You are the Data Controller for the data you store and process using Arlo, and Arlo is the Data Processor.
We need a Data Protection Agreement (DPA) with Arlo. How do we get one?
When you start your trial with Arlo, or sign up to go live, your use of the service is covered by our Master Subscription Agreement (MSA).
Our DPA is an integral part of the MSA, so it automatically applies to your use of the service. You do not need to execute a separate DPA with Arlo.
How can Arlo help you achieve your compliance as a Data Controller?
- By storing customer data in Arlo you benefit from Arlo’s best practice compliance with respect to data storage and security. All data in Arlo is encrypted at rest and stored in AWS, a provider that is fully compliant with GDPR. Read more at https://aws.amazon.com/compliance/gdpr-center/.
- We’re building tools into our application to help you stay GDPR compliant while continuing your business activities. For example, we're adding explicit configurable consent fields into our registration and leads process to allow you to capture and store specific consent for data processing activities.
- The right to be informed - you can add privacy information to your terms that are displayed as part of the registration and/or leads process.
- The right of access - we're developing a self-service portal for your contacts, but until then, you can use our rich data-export tools to export data, to help service right of access requests.
- The right to rectification - you can use Arlo's CRM to change a user's data in order to service a right to rectification request, or, if you're using our Salesforce plugin, you can update their Salesforce record and have the change flow down into Arlo.
- The right to erasure - email firstname.lastname@example.org and we can assist you in servicing these requests.
- The right to restrict processing - you can add a field in our CRM to indicate that a user has exercised their right to restrict processing, then incorporate that flag as part of your data processing flows.
- The right to data portability - Arlo has rich CSV data-export functionality that can be used to service these requests.
What has Arlo done to ensure its own GDPR compliance?
- We’ve reviewed all our data processing flows at Arlo and, where necessary, updated them to be compliant with GDPR best practice.
- All key staff receive specific training relating to their obligation with respect to data privacy.
- We’ve arranged for DPAs with all of our data processors.
- Privacy and data security form a core part of our product development process.
Where can I get a list of Arlo’s sub-processors?
A list of Arlo’s sub-processors is available here.
Can one person grant consent on behalf of another in the Arlo checkout?
Arlo doesn't allow contacts to provide consent on behalf of others in the checkout.
While GDPR does not prevent a third party from indicating consent on behalf of an individual, you need to be able to demonstrate that the third party has the authority to do so. In practice, this is likely to be difficult to verify in most cases, which could put you in breach of the GDPR.
This is why in Arlo's checkout, a user must select who they are when providing consent (e.g. one of the registrants or the order contact) and the system will capture consent for that person only.
In some cases, you may still be able to market to customers who have not provided consent if you can demonstrate a legitimate interest (for example, an existing registration or lead in your product or service). This decision is yours, and we suggest seeking legal advice if you are unsure whether it applies to you.
You can learn more about this on our blog.
Can I make providing consent mandatory in Arlo?
Consent cannot be relied upon as a legal basis to process customers' data for marketing or other purposes if the customer has had no option to opt out.
From GDPR Article 6(1) Recital 42:
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
GDPR mandates that consent be freely given, which precludes us from making a consent field mandatory.
Am I allowed to share registrant details with my presenters using Arlo for Mobile?
Using "Execution of a contract" as the legal basis for sharing registrants' PII with presenters through the mobile app is acceptable, as the presenter's ability to record attendance and contact registrants can be viewed as a necessary part of delivering the service.
It's advisable to include a section in the Arlo Terms & Conditions that registrants accept which lists what PII of the registrant is being processed, and who has access to that PII.