CCTV Data Privacy Notice
Auf Deutsch ansehen
Voir en français (Québec)
Weergeven in het nederlands
Prikazati na srpskom
This Data Privacy Notice ("Notice") is designed to help you understand how we handle the personal data we process in connection with the video surveillance ("CCTV") systems on the premises and in the buildings we utilize and to help you understand and exercise your data privacy rights. This Notice uses the Term “we”, “us” or “our”, which refers to the legal entity of the Rivian Automotive group of companies ("Rivian Group") that is responsible for the CCTV system and is the applicable Data Controller, within the meaning of applicable data privacy laws, and may be found in Section 7 ("Identity of the Data Controller") below.
1. PERSONAL DATA WE COLLECT AND LEGAL GROUNDS FOR PROCESSING
The camera systems we use capture images of the immediate environment. We therefore process images of all persons (especially employees, visitors, service providers) who move within the camera's detection range.
We rely on our legitimate interests (Art. 6(1)(f) GDPR) in processing the personal data as specified above. We pursue the following purposes:
- Facility and asset security. We have the interest in protecting our facilities from damage and vandalism.
- Employee safety. We want to ensure the safety of our employees on the company premises and the integrity of their property (e.g. vehicles parked in the parking areas).
- Loss prevention. We want to protect against theft of our company property.
- Investigations. In case of any violations of laws, corporate guidelines, or other regulations, we have an interest in appropriate clarification of such misconducts.
2. OUR DISCLOSURE OF YOUR PERSONAL DATA
We disclose personal data that is subject to this Notice internally with our security division and externally with both data processors and with the following categories of recipients:
- Service Providers. We use data processors for file transmission and storage, such as Amazon Web Services and Genetec. These processors provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the respective legal requirements and ensure the protection of the rights of the data subject.
- Law Enforcement. If we have recorded illegal activities or violations of company policies or other regulations, we may share the video and audio recordings with government law enforcement authorities for prosecution.
- Private Investigators. In addition to government law enforcement agencies, we may also engage private investigators to prosecute misconduct, provided they comply with applicable laws.
3. DATA RETENTION
The usual retention period of personal data that is subject to this Notice depends on the location of the CCTV system and is shown below:
- United States, Canada, The Netherlands, United Kingdom, Serbia: 30 days
- France: 15 days
- Germany: 3 days
If we discover activities on the video recordings that raise reasonable suspicion of a criminal offense, a violation of company policies or other regulations, or are otherwise subject to a legal obligation, we may retain the recordings until the conclusion of the investigation, prosecution, and/or legal obligation.
4. DATA SECURITY
We have in place appropriate security measures intended to prevent your personal data from being accidentally lost or used or accessed in an unauthorized way, including encryption of this information and the implementation of controls designed to limit access to your personal data.
We also have procedures in place to deal with any suspected data security breach. We will notify you and/or any applicable regulator of a suspected data security breach where we are legally required to do so in accordance with applicable legally prescribed timeframes.
Despite our implementation of these measures, posting or transmission of personal data via the internet, including by email or by other electronic means, is not completely secure. We cannot guarantee that personal data that is transmitted to us, particularly by electronic means, will be totally secure. It is possible that third parties may unlawfully intercept or access such data.
5. INTERNATIONAL DATA TRANSFERS
Rivian is a company based in the United States. We may transfer your personal data or store it internationally, including to or in countries that do not have data protection laws equivalent to those in the country where you reside or where your personal data is collected, for the purpose described above.
- For transfers of personal data from the European Economic Area (“EEA”) Member States or UK to countries for which the European Union (“EU”) Commission or the United Kingdom (“UK”) Information Commissioner’s Office has issued an adequacy decision saying the level of data protection is equivalent to the level within the UK or EU, we can rely on those adequacy decisions; this applies, inter alia, for data transfers between the UK and EEA Member States.
- For transfers of personal data from the EEA or UK to countries without an adequacy decision, Rivian has implemented appropriate safeguards to provide the necessary level of data protection, primarily by entering into appropriate data transfer arrangements based on approved standard contractual clauses.
- For transfers of personal data from Serbia to countries (a) which are parties to the Council of Europe Convention 108, for the protection of individuals with regard to the processing of personal data; or (b) for which the EU Commission has issued an adequacy decision saying the level of data protection is equivalent to the level within the EU, we do not need to adopt any special safeguards; this applies, inter alia, for data transfers from the Republic of Serbia to EEA Member States.
- For transfers of personal data from Serbia to countries different to the above, Rivian has observed the relevant rules for transfers of personal data to third countries and implemented appropriate safeguards to provide the necessary level of data protection, primarily by entering into appropriate data transfer arrangements based on standard contractual clauses.
6. YOUR PRIVACY RIGHTS
Based on the nature of the processing, the legal requirements applicable, and subject to any legal restrictions or exceptions, you may have certain choices and rights described below.
- Access/Know. Request confirmation from us as to whether or not your personal data is being processed by Rivian and, if so, access to such data and/or the more detailed circumstances of the data processing.
- Correction/Rectification. Request that we correct any inaccurate personal data relating to you without undue delay. In this context, taking into account the purposes of the processing, you may also have the right to request the completion of incomplete personal data - also by means of a supplementary declaration. If you signed up for an account with Rivian, you may update the information associated with your account at any time by contacting us or logging into your account.
- Deletion/Erasure. Request that your personal data be deleted without undue delay. In certain circumstances, it may not be possible for us to accept your request, for example, when the processing is necessary to comply with a legal obligation, or if the processing is necessary for the performance of a contract.
- Restriction of Processing. Request that we restrict processing of your personal data. In certain circumstances, it may not be possible for us to accept your request, for example, when the processing is necessary to comply with a legal obligation, or if we can demonstrate compelling legitimate grounds otherwise.
- Data Portability. Request that we provide a copy of the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and transfer this data to another controller without hindrance from us. Insofar as this is technically feasible, we will transfer the data directly to the other controller.
- Object to Processing. Object, on grounds relating to your particular situation, to our processing of personal data concerning you which is (i) necessary for the performance of a task carried out in the public interest, (ii) carried out in the exercise of official authority vested in us, or (iii) processed by us on the basis of our legitimate interest. In this case, where applicable, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
- Automated Individual Decision-Making. Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Note that this right shall not apply if such a decision is necessary as part of a contract we have with or want to conclude with you, we have your consent, or we are permitted by law to engage in such automated decision making. In these cases, we will implement measures to safeguard your rights and freedoms and legitimate interests and you may contest the decision by contacting us as set forth in “Contact Us” below. Please note that we do not conduct automated individual decision-making based on the processing described herein.
- Complaints. You also have the right to lodge a complaint with a supervisory authority at any time if you are of the opinion that the processing of personal data relating to you violates applicable law. If the complaint relates to provisions of the GDPR, you can lodge such complaint with a supervisory authority in particular in the Member State of your place of residence, your place of work or the place of the alleged infringement. You may identify the applicable lead supervisory authority based on your location on the European Data Protection Board website. If the complaint relates to provisions of the UK GDPR, you can lodge such complaint with the Information Commissioner’s Office.
To get more information about or to exercise the above privacy rights, please contact us as set forth in Section 8 (“Contact Us”) below.
We will acknowledge and coordinate these requests as timely as possible. Initially, we will respond to and fulfill any such requests within one month or in accordance with applicable laws. In case we cannot comply with a request or cannot fulfill a request within that timeframe, we will generally provide you with the reason for this. We may request specific information from you to help us confirm your identity and your rights. Applicable laws may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will generally inform you of the reasons why, subject to any legal or regulatory restrictions.
We will not discriminate against you for exercising any of your privacy rights.
Residents of California may also have additional rights pertaining to their personal information, as described in Section 10 ("California Privacy Rights”) of our main Data Privacy Notice.
7. IDENTITY OF THE DATA CONTROLLER
The applicable data controller and CCTV system locations are shown below:
- The Netherlands (Rivian Netherlands B.V.)
- 2.01 & unit 2.02, herengracht 433, 1017 BR, Amsterdam
- 5 Mechie Trommelenweg, Waalwijk, The Netherlands
- Germany (Rivian GmbH)
- Gutenbergstraße 1, 85748 Garching bei München, Germany
- Fuggerstraße 7, 3 OG. 41468 Neuss, Germany
- Leipziger Str. 20, 14612 Falkensee, Germany
- Serbia (Rivian SE Europe d.o.o. Beograd.)
- Tadije Sondermajera 11 and 11A, 11070, New Belgrade, Serbia
CCTV systems in the U.S. and Canada are under the control of Rivian, LLC. See our Legal Entities page for more information.
8. CONTACT US
If you have any questions or concerns about our processing of your Personal Data, this Notice or would like to exercise your privacy rights, please contact us as follows:
- U.S: By email at privacy@rivian.com, by telephone at (888) RIVIAN1 (748-4261), or by mail at Attn: Privacy Office, 14600 Myford Road, Irvine, CA 92606.
- Canada: Attn: Privacy Office and/or Quebec Privacy Officer, by email at privacy@rivian.com, by telephone at (844) RIVIAN1 (748-4261) or by mail at 1038 Homer Street, Vancouver, BC V6B 2W9.
- EU/UK/Other: By email at dpo@rivian.com or by writing to Rivian, attn. Data Protection Officer, Herengracht 433, Unit 2.01 and 2.02, 1017 BR Amsterdam, The Netherlands.