Privacy Policy for Cameras in Vehicles (EU)

Zendar GmbH (“Zendar” or “We” or “Us”) is a technology company developing high-definition radars and related technology for use in, among other things, autonomous driving vehicles. We equip Zendar-marked test vehicles with radar sensors and cameras to test our radar technology. This Privacy Policy aims to provide information in regards to the processing of personal data collected from camera recordings from Zendar test vehicles operating in private and public spaces.

Zendar considers your privacy a top priority and is committed to protecting your privacy at all times. Terms used but not defined herein have the meanings ascribed to them in Art. 4 of the General Data Protection Regulation (“GDPR”).

1. Who is responsible for the processing of personal data?

Zendar GmbH

Friedrich-Ebert-Strasse 20/1

88239 Wangen im Allgäu, Baden-Württemberg, DE

You can contact our Data Protection Officer by e-mail at [email protected] or by mail at the address shown above.

2. Which data is processed and where does it come from?

Zendar-marked test vehicles are equipped with radar sensors and cameras to test our radar technology. These cameras collect live-stream video footage from private and public grounds where they are driven. The video recordings are used by our engineering team to test and evaluate the safety, accuracy, and functionality of our radars.

While Zendar has no interest in collecting any personal data or identifying individuals in this process, pedestrians, drivers, road markings, cars, motorcycles, bicycles, and other objects in the surroundings of the Zendar test vehicle, as well as their position and movement in relation to the Zendar test vehicles, may be collected and processed. Even though we do not use the recordings to identify individuals, they may contain personal data such as images of individuals or license plates. Due to the technical nature of the described collection and processing, natural persons may therefore become identifiable through our processing activities. The number, range, and level of detail of the cameras are restricted to the degree necessary for testing and evaluation of Zendar’s radar technology and do not go beyond this.

For example, the collected data may contain the following personal data, depending on the individual position to and interaction with the Zendar vehicle:

• Behavior and characteristics (e.g., faces) of individuals in the proximity of the Zendar test vehicles, including those of vehicle drivers, cyclists, and pedestrians
• Behavior and characteristics (e.g., license plates) of vehicles and other objects in the proximity of the test vehicles
• Time and place of the recordings (e.g., GPS data)

3. For which purposes is the data processed and what is the legal basis for this processing?

Zendar uses its test vehicles and the data collected during the drives to test and evaluate the safety, accuracy, and functionality of our radars. The legal basis for processing personal data for these purposes is our legitimate interest (Art. 6 (1) (f) GDPR). The processing serves the legitimate interest of Zendar for the purposes stated above, including without limitation, carrying out research, development, testing, evaluation and validation of our radar technology and ensuring public safety. In addition, in the event of an accident, we may use the data to investigate the cause of the accident, to clarify responsibilities, and to protect the rights, property, or safety of Zendar, our customers, our employees, or others (e.g. in legal proceedings).

In addition, we may process the personal data mentioned under Section 2 when we are required to do so by national or European law (Art. 6 (1) (c) GDPR).

4. How is the data secured?

Zendar has implemented appropriate technical and organizational measures to ensure an appropriate security level for the risk involved. The risk analysis takes into account the risk of infringing against the rights of individuals concerned, the costs for implementation, as well as the type, extent, context and purposes of the data processing.

Zendar’s technical and organizational measures include:

• The raw data from the recordings are written from the cameras directly onto an internal Zendar drive, which can only be accessed by certain Zendar  employees with access credentials and cannot directly be accessed without a Zendar computer. This drive containing raw data is frequently and regularly purged.
• To the extent any data from the recordings are to be stored, they are transferred and kept on internal Zendar drives, which can only be accessed by Zendar employees with access credentials and/or using a Zendar computer, and which are kept in a separate location from other Zendar servers and systems.
• To the extent any data from the recordings are to be backed up or stored for archival purposes, they are transferred and kept on Zendar cloud storage servers, which can only be accessed by certain Zendar employees with access credentials.
• To the extent the recordings (or any portion thereof) are shared with third parties or on publicly-accessible websites (e.g., LinkedIn, YouTube), any decipherable personal data is manually blurred to avoid identification.
• Access to Zendar’s IT systems is monitored in order to detect and prevent misuse.
• Where applicable and commercially reasonable, any personal data obtained from the recordings is encrypted and/or password-protected.
• Zendar’s security measures are continuously tested, assessed, and reviewed to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services in connection with the processing, as well as the effectiveness of the technical and organizational measures for ensuring the security of the processing.

5. With whom will the data be shared?

Zendar treats personal data with care and confidentiality. We only pass data to our affiliates and third parties to the extent described here and within the scope of the purpose limitation under data protection law.

Zendar may disclose personal data as described in this policy to the following categories of recipients:

• To Zendar affiliates: Zendar Inc. is the corporate parent of Zendar GmbH. Due to shared corporate IT systems, and because of the international nature of our business, personal data collected and processed by Zendar GmbH can be shared with or accessed by Zendar Inc. and its subsidiaries for the purposes above.

• To IT and collaboration service providers and other service providers: For technical reasons, we use external IT and related collaboration service providers who provide server infrastructure, IT maintenance tasks, IT solutions (such as cloud services), and/or software solutions on behalf of Zendar. We also use other service providers to support our business. These service providers may have access to the personal data to the extent necessary to perform such services for Zendar. When disclosing your personal data to third parties that will process your personal data on Zendar’s behalf, your personal data will only be disclosed to carefully selected data processors acting on the basis of Zendar’s instructions to comply with the applicable legal and contractual obligations. Such service providers will process the data on our behalf in accordance with this policy as “processors.”

• If Zendar is under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property or safety of Zendar, its customers or others. This includes exchanging personal data with public authorities (including judicial and police authorities) or insurance companies, in the event of, for example, a cyber security incident.

Zendar does not share, sell, rent, or trade personal data for any promotional purposes.

6. Where is the data stored and is it transferred outside of the EU?

Data collected from the camera recordings in Germany is stored in Germany or otherwise within the European Economic Area (“EEA”). Data collected from the camera recordings in the United States is stored in the United States and, specifically, within the State of California.

Due to shared corporate IT systems, and because of the international nature of our business, personal data collected and processed by Zendar GmbH may be shared with, accessed by, and/or stored with Zendar GmbH’s corporate parent, Zendar Inc. and its subsidiaries and service providers, outside of the EEA and UK, including the United States of America (and, specifically, within the State of California). Conversely, personal data collected and processed by Zendar Inc. may be shared with, accessed by, and/or stored with Zendar Inc.’s subsidiary, Zendar GmbH and its service providers, outside of the United States, including the EEA and UK (and, specifically, within the Germany).

Where personal data is transferred and/or stored outside of the EEA and the UK, Zendar guarantees compliance with the current standard contractual clauses of the European Commission. Appropriate safeguards are thus established to ensure an appropriate level of data protection outside the European Union as well.

If you wish to receive more information relating to the transfers of your personal data outside the EEA and the UK and/or the safeguards that have been implemented, you can contact the Zendar Data Privacy Officer or [email protected].

7. How long is the data stored?

Zendar will not retain your personal data for longer than is allowed under the applicable data protection laws and regulations or for longer than is justified for the purposes for which it was originally collected. As a basic principle, the data collected will be stored for the duration of the testing, research, and/or development projects. Zendar will delete the personal data when we no longer need it for the purposes for which it was collected.

8. What rights do data subjects have?

In the context of the processing of personal data, data subjects are entitled to the following rights under GDPR:

• Right of access: The right pursuant to Art. 15 GDPR to obtain information from the data controller as to whether or not personal data conercing you are being processed. Where that is the case, you have the right to obtain access to the personal data and information on how they are processed.
• Right to rectification: The right pursuant to Art. 16 GDPR to obtain from the controller without undue delay the rectification of inaccurate personal data as well as the right to have incomplete personal data completed.
• Right to erasure (“right to be forgotten”): The right to pursue Art. 17 DSGVO to obtain from the controller the erasure of personal data concerning you without undue delay, if the conditions of this provision are met.
• Right to object: The right pursuant to Art. 21 GDPR to object at any time to processing of personal data which is based on legitimate interests pursuant to Article 6 (1) 1 (f) GDPR. In case of an objection to the processing, the personal data will no longer be processed for these purposes, unless compelling legitimate grounds for the processing can be demonstrated which override the interests, rights, and freedoms of the data subject.
• Right to restriction of processing: The right pursuant to Art. 18 GDPR to obtain restriction of processing, if the conditions of this provision are met.
• Right to data portability: The right pursuant to Art. 20 GDPR to receive the personal data in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller, if the conditions of this provision are met.
• Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, the data subject that considers the processing of personal data relating to him or her infringes the General Data Protection Regulation has the right pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.

You can exercise the foregoing rights at any time by contacting us (see contact details above under Section 1).

9. Right to object

You also have the right to object to the processing of your personal data that we process based on legitimate interests as described in Section 3 above. If you file an objection, we will, based on the information provided, re-evaluate the grounds for the processing and whether they outweigh your interests, rights and freedoms or the processing, e.g. where the processing is necessary to assert, exercise, or defend legal claims or to fulfill a legal obligation, and, if possible, stop further processing and delete your data if this is not the case. You can exercise this right by contacting us (see contact details above under Section 1).

10. Does Zendar use automated decision making (including profiling)?

Zendar does not use automated decision making in the sense of Art. 22 GDPR.

11. Is there an obligation to provide personal data?

Our test vehicles record the immediate surroundings. You are not obliged to provide us with your personal data and no consequences will arise from not providing it.

12. Contact

If you have any questions regarding your data or if you would like to exercise your rights as a data subject, please do not hesitate to contact us at [email protected] or otherwise as described under Section 1.