CCTV Data Privacy Notice
How we use footage to protect our people, facilities and assets.
Auf Deutsch ansehen
Weergeven in het nederlands
Prikazati na srpskom
We have installed video surveillance (“CCTV”) systems on the premises and in the buildings we utilize. This Data Privacy Notice (“Notice”) is designed to help you understand how we handle the personal data we process in connection with CCTV systems, and to help you understand and exercise your data privacy rights.
1. IDENTITY OF THE DATA CONTROLLER
The identity of the data controller depends on the location of the CCTV system and is shown in the list below:
- The Netherlands. Location of CCTV system: 2.01 & unit 2.02, herengracht 433, 1017 BR, Amsterdam and 5 Mechie Trommelenweg, Waalwijk, The Netherlands. Identity of the data controller: Rivian Netherlands B.V.
- Germany. Location of CCTV system: Gutenbergstraße 1, 85748 Garching bei München, Germany. Identity of the data controller: Rivian GmbH.
- Germany. Location of CCTV system: Fuggerstraße 7, 3 OG. 41468 Neuss, Germany. Identity of the data controller: Rivian GmbH.
- UK. Location of CCTV system: Unit 6, 8th Floor, Albion House, High Street, Woking, GU21 6BG and Unit 7, Eagle Park Drive, Warrington WA2 8JA, UK Manchester, UK. RIV UK Engineering Limited.
- Serbia. Location of CCTV system: Tadije Sondermajera 11 and 11A, 11070, New Belgrade, Serbia. Identity of the data controller: Rivian SE Europe d.o.o. Beograd.
2. PERSONAL DATA WE COLLECT
The camera systems we use capture images of the immediate environment. We therefore process images of all persons (especially employees, visitors, service providers) who move within the camera's detection range.
3. 3. LEGAL GROUNDS FOR PROCESSING OF YOUR PERSONAL DATA
We may rely on our legitimate interests (Art. 6(1)(f) GDPR) in processing the personal data as specified above. In particular, we pursue the following purposes:
- Facility and asset security. We have the interest in protecting our facilities from damage and vandalism.
- Employee safety. We want to ensure the safety of our employees on the company premises and the integrity of their property (e.g. vehicles parked in the parking areas).
- Loss prevention. We want to protect against theft of our company property.
- Investigations. In case of any violations of laws, corporate guidelines, or other regulations, we have an interest in appropriate clarification of such misconducts.
4. OUR SHARING OF YOUR PERSONAL DATA
We share personal data that is subject to this Notice internally with our security division and externally with both data processors and with the following categories of recipients:
- Law Enforcement. If we have recorded illegal activities or violations of company policies or other regulations, we may share the video and audio recordings with government law enforcement authorities for prosecution.
- Private Investigators. In addition to government law enforcement agencies, we may also engage private investigators to prosecute misconduct, provided they comply with applicable laws.
We will only use data processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the respective legal requirements and ensure the protection of the rights of the data subject.
Beyond that, we will only disclose personal data to third parties if we are legally obliged to do so.
5. DATA RETENTION
The usual retention period of personal data that is subject to this Notice depends on the location of the CCTV system and is shown in the list below:
- The Netherlands: 30 Days
- Germany: 3 Days
- United Kingdom: 30 Days
- Serbia: 30 Days
Deviating from this, if we discover activities on the video recordings that raise reasonable suspicion of a criminal offense, a violation of company policies or other regulations, we may retain the recordings until the conclusion of the investigation and prosecution.
6. DATA SECURITY
We have in place appropriate security measures intended to prevent your personal data from being accidentally lost or used or accessed in an unauthorized way, including encryption of this information and the implementation of controls designed to limit access to your personal data.
We also have procedures in place to deal with any suspected data security breach. We will notify you and/or any applicable regulator of a suspected data security breach where we are legally required to do so in accordance with any legally prescribed timeframes.
Despite our implementation of these measures, posting or transmission of personal data via the internet, including by email or by other electronic means, is not completely secure. We cannot guarantee that personal data that is transmitted to us, particularly by electronic means, will be totally secure. It is possible that third parties may unlawfully intercept or access such data.
7. INTERNATIONAL DATA TRANSFERS
Rivian is a company based in the United States. We may transfer your personal data or store it internationally, including to or in countries that do not have data protection laws equivalent to those in the country where you reside or where your personal data is collected, for the purpose described above.
- For transfers of personal data from the European Economic Area (“EEA”) Member States or UK to countries for which the European Union (“EU”) Commission or the United Kingdom (“UK”) Information Commissioner’s Office has issued an adequacy decision saying the level of data protection is equivalent to the level within the UK or EU, we can rely on those adequacy decisions; this applies, inter alia, for data transfers between the UK and EEA Member States.
- For transfers of personal data from the EEA or UK to countries without an adequacy decision, Rivian has implemented appropriate safeguards to provide the necessary level of data protection, primarily by entering into appropriate data transfer arrangements based on approved standard contractual clauses.
8. YOUR PRIVACY RIGHTS
Based on the nature of the processing, the legal requirements applicable, and subject to any legal restrictions or exceptions, you may have certain choices and rights described below.
- Access/Know. Request confirmation from us as to whether or not your personal data is being processed by Rivian and, if so, access to such data and/or the more detailed circumstances of the data processing.
- Correction/Rectification. Request that we correct any inaccurate personal data relating to you without undue delay. In this context, taking into account the purposes of the processing, you may also have the right to request the completion of incomplete personal data - also by means of a supplementary declaration. If you signed up for an account with Rivian, you may update the information associated with your account at any time by contacting us or logging into your account.
- Deletion/Erasure. Request that your personal data be deleted without undue delay. In certain circumstances, it may not be possible for us to accept your request, for example, when the processing is necessary to comply with a legal obligation, or if the processing is necessary for the performance of a contract.
- Restriction of Processing. Request that we restrict processing of your personal data. In certain circumstances, it may not be possible for us to accept your request, for example, when the processing is necessary to comply with a legal obligation, or if we can demonstrate compelling legitimate grounds otherwise.
- Data Portability. Request that we provide a copy of the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and transfer this data to another controller without hindrance from us. Insofar as this is technically feasible, we will transfer the data directly to the other controller.
- Object to Processing. Object, on grounds relating to your particular situation, to our processing of personal data concerning you which is (i) necessary for the performance of a task carried out in the public interest, (ii) carried out in the exercise of official authority vested in us, or (iii) processed by us on the basis of our legitimate interest. In this case, where applicable, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
- Automated Individual Decision-Making. Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Note that this right shall not apply if such a decision is necessary as part of a contract we have with or want to conclude with you, we have your consent, or we are permitted by law to engage in such automated decision making. In these cases, we will implement measures to safeguard your rights and freedoms and legitimate interests and you may contest the decision by contacting us as set forth in “Contact Us” below. Please note that we do not conduct automated individual decision-making based on the processing described herein.
Complaints. You also have the right to lodge a complaint with a supervisory authority at any time if you are of the opinion that the processing of personal data relating to you violates applicable law. If the complaint relates to provisions of the GDPR, you can lodge such complaint with a supervisory authority in particular in the Member State of your place of residence, your place of work or the place of the alleged infringement. You may identify the applicable lead supervisory authority based on your location on the European Data Protection Board website. If the complaint relates to provisions of the UK GDPR, you can lodge such complaint with the Information Commissioner’s Office.
To get more information about or to exercise the above privacy rights, please contact firstname.lastname@example.org.
We will acknowledge and coordinate these requests as timely as possible. Initially, we will respond to and fulfill any such requests within one month or in accordance with applicable laws. In case we cannot comply with a request or cannot fulfill a request within that timeframe, we will generally provide you with the reason for this. We may request specific information from you to help us confirm your identity and your rights. Applicable laws may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will generally inform you of the reasons why, subject to any legal or regulatory restrictions.
We will not discriminate against you for exercising any of your privacy rights.
9. CONTACT US
If you have any questions or concerns about our processing of your Personal Data, this Notice or would like to exercise your privacy rights, please contact us by email at email@example.com or by writing to Rivian, attn. Data Protection Officer, Herengracht 433, Unit 2.01 and 2.02, 1017 BR Amsterdam, The Netherlands.