Close
Privacy and Customer Care Whitepaper
Guidelines for SnapAV Dealers and Installers
Who and what are these guidelines for?
These Guidelines have been produced by SnapAV (referred to as we, us, and our in these Guidelines) for the use of our authorized dealer/installers around the World (referred to as our Retail Partners, you, or your).
The way that our connected Products and the Services work, means that we (and often you) will be collecting personal information from your Customers and End-Users. Some of this information is collected when they make a purchase or sign up for a subscription, some of it is collected as they use the Products and Services. Collecting this sort of information can pose privacy issues for you, us, and the End-users/Customers. We have produced these Guidelines to help all of our Retail Partners, across the globe to get to grips with the privacy implications and obligations that come from selling our Products and providing Services alongside them.
These Guidelines are not a substitute for legal advice, and it is very important that you seek legal support that enables you to meet the responsibilities you have to Customers and End-Users wherever you do business. These guidelines do set out the minimum standards that we expect of all our Retail Partners but they are not specific to a particular country, state, or legal system and it is imperative that you meet all legal requirements that apply to you.
In these Guidelines we use a number of key terms and we have set out what they mean below:
| Key Terms | |
|---|---|
| Applicable Privacy Laws | All laws and regulations governing the use of Personal Data at international, national, state and local level to which any Retail Partner is subject. |
| Collecting | Obtaining Personal Data from, or about, any living person (including Customers and End-Users), whether directly from them or from their use of Products and Services. |
| Controller | A person, company or other organization which, alone or jointly with others, decides how, when, why, to what extent and on what legal basis to Process Personal Data. |
| Customers | Purchasers of our Products and Services, whether on their own behalf, or on behalf or an organisation, or another person, or people, for their own personal use or for that of other End-Users. |
| Data Transfer | A movement of Personal Data from one organization to another. This includes transmission of Personal Data and making it accessible to view and download. Data Transfers may take place between group companies, across state lines, and across international borders. |
| End-Users | Individual Users of Products and/or Services, whether or not they were also Customers. |
| EU Law | means any law in force in the European Union or any law in force in a member state of the European Union including the Applicable Privacy Laws. |
| Personal Data | Information relating to an identified or identifiable individual, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number (like a customer number or vehicle registration number), location data, an online identifier (like an IP address or email address). Also including Special Category Personal Data, which is any information revealing something about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics health, sex life, or sexual orientation. |
| Personal Data Breach | A breach of security (online, physical or both) leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, whether Transferred, stored, or otherwise Processed; |
| Privacy Policy/ Privacy Notice | A document (physical or online) that sets out how an organisation uses Personal Data, including, among other things, details of what Personal Data is Collected, how it is used, who can access it, and (where Applicable Privacy Law requires) what the legal basis for Processing the Data is. |
| Privacy Regulator | A public authority which is established by Applicable Privacy Laws, responsible for regulating the Processing of Personal Data in a country, or region. |
| Privacy Shield | The EU-U.S. Privacy Shield framework. |
| Processing | Anything done with or to Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Processor | Any person or organisation which Processes Personal data on behalf of a data Controller. |
| Products | Our products, including the connected features that are built into them, enabling End-Users to integrate them into a household or wider network, to interact with other devices and any downloadable software that is provided to End-Users by us or by our Retail Partners, to facilitate their use. |
| Services | Any digital services we or our Retail Partners provide to enable End-Users better to use our Products; any websites and apps (both public and private areas), to which End-Users can be granted access; and any online accounts that End-Users can create to facilitate their ongoing use of the Products. |
If your business has already received other privacy advice, do you still need to read these guidelines?
Yes! We recognize that our Retail Partners come in different shapes and sizes. Some may have extensive privacy programs of their own, with different legal obligations depending upon the jurisdictions in which they operate. However, because you are ambassadors for our Products and Services, it is important to us that you meet certain minimum standards and treat the Personal Data of Customers and End-Users with respect, in addition to your compliance with all Applicable Privacy Laws.
The Basic Commitments
Although the requirements of Applicable Privacy Laws vary, we expect all of our Retail Partners to be able to make the following commitments:
- To Process the Personal Data of Customers and End-Users only at their request, in accordance with an agreement that we or you have with them (such as an End-User Licence Agreement or Terms of Purchase), or as required by law.
- To implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks to Customers and End-Users that are presented by the Processing.
- To take all reasonable steps to ensure that only authorized personnel with suitable training and privacy obligations and restrictions have access to Customer and End-User Personal Data.
- Only to hire third parties to assist in the delivery of Products or the performance of the Services in accordance with Applicable Privacy Laws.
- To avoid doing anything that may place you, us or Customers in breach of applicable Privacy Laws and will tell us if our instructions to you run contrary to what the Applicable Data Privacy Laws permit.
- To assist us to fulfil any requests received by Customers or End-Users to exercise their rights under Applicable Privacy Laws, or to respond to any requests or queries from Privacy Regulators; including cooperating any request from a by a Customer or End-User to remove your access to any project, system or any other mechanism by which Person Data is collected, to delete any Personal Data in your possession that, and to cooperate with us in doing the same;
- To inform us immediately of any Data Breach or suspected Data Breach that might compromise Customer or End-User Personal Data or put it at risk;
- To ensure that Data transfers always take place subject to appropriate legal safeguards.
What information should Retail Partners provide to Customers and End-Users?
When a Customer purchases a Product from you it is essential that you provide them with a copy of any Privacy Policy/Notice that we have given to you to pass on; it will explain our responsibilities as a Data Controller to the Customer.
If you are Collecting and Processing any Personal Data from Customers or End-Users, other than to pass directly to us, you will be a Data Controller of that Personal Data and you should also have a Privacy Policy/Notice. The contents of your Privacy Policy/Notice will vary depending upon where you are based and the requirements of Applicable Privacy Law.
For example, we expect that any Privacy Policy/Notice would be compliant with Applicable Privacy Laws and should, at a minimum contain the following things:
- Your identity and contact details, and, if you have one the details of your Data Protection Officer or head of privacy.
- The purpose for the organization to process an individual’s Personal Data and its legal basis (see below under Where to go for more information).
- Any recipient or categories of recipients of an individual’s Personal Data (this might be us in some cases).
- The details regarding any Data Transfer and the safeguards taken for international transfers.
- The retention period or criteria used to determine the retention period of Personal Data.
- The existence of each Individual's legal rights under Applicable Privacy Law.
- The right to lodge a complaint with you and/or a Privacy Regulator.
Rights of Customers and End-Users
The rights of Customers and End-Users will vary significantly depending upon which Applicable Privacy Laws you are bound by and you should find out what these are.
In the EU all Customers and End-Users, whose Personal Data you Collect and Process, will have the following rights, and many other jurisdictions, have similar rights, so we expect our Retail Partners to meet these high standards even if not currently selling in the EU:
- The right to be informed that you are Processing their Personal Data;
- The right of access to certain information about your Processing and in some cases to a copy of the Personal Data in your possession or control;
- The right to insist that you rectify any inaccurate Personal Data about them in your possession or control;
- The right to request the erasure of out of date or superfluous Personal Data in your possession or control;
- The right to restrict Processing in some circumstances;
- The right to data portability (to move data to an alternative supplier of a service);
- The right to object to direct marketing (e.g. email, phone, and text marketing); and
- Certain other rights in relation to automated decision-making and profiling.
If they apply to you under Applicable Privacy Laws, you must implement processes for dealing with the right to access, the right to object and the right to erasure.
Security and Legal Safeguards
Security Standards and expectations vary across the world but we expect our Retail Partners to meet high standards when it comes to protecting Personal Data and, as a minimum, you must comply with any standards set down by Applicable Privacy Law. This means that:
- Access to the personal data is restricted to those on a need-to-know basis.
- Access to Personal Data is monitored and recorded (e.g. by keeping an access log).
- Up to date and adequate technical measures are taken to protect Personal Data including, by example only, password protected systems and equipment, firewall use and virus scanning.
Robust physical measures are in place to protect Personal Data including, by example only, locked doors, alarms, appropriate security surveillance, enforced ID and access policies.
Data requests from Customers and End-Users
You may receive queries from Customers and End-Users about how you or we use their Personal Data. How you reply will depend upon the Applicable Privacy Law you are bound by. You should always provide a response within at least 30 days. This is required by EU law, and is good practice elsewhere.
If you receive a query from a Customer or End-User that relates to how we (SnapAV) use their Personal Data, you must forward the query to us immediately by email legal@control4.com.
Managing Data Breach Situations
If you become aware of a Data Breach or suspected Data Breach involving Customer or End-User Personal Data you must inform us immediately so that we can determine whether we need to take steps to safeguard Personal Data and/or take other steps. You can report a Data Breach or suspected Data Breach to us via this email address: dpo@control4.com.
We also recommend that you take immediate independent legal advice and, where necessary, technical advice, to manage the situation. You may need to notify the Customers and End-Users of the situation and may have to make a report to your Privacy Regulator.
Where to go for more information
Your local counsel or Privacy Regulator will be able to provide you with information about your obligations under Applicable Privacy Law.
Who to contact at SnapAV
If you have any questions about these Guidelines then please get in touch with us at dpo@control4.com.
