DARLOT · Paris · 1856

Privacy

AI video analytics · Privacy FAQ.

Frequently asked questions on data protection in the use of Darlot AI video analytics. GDPR · BDSG · EU AI Act (Regulation (EU) 2024/1689).

As of: April 2026 · Scope: Darlot corporate website

Preamble

Darlot uses AI-supported video analytics to detect security-relevant events in real time. The use of the technology is subject to the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the German Federal Data Protection Act (BDSG), state data protection laws and – progressively applicable since 2026 – the AI Regulation (Regulation (EU) 2024/1689, "AI Act").

This FAQ is intended for customers, data subjects, works councils, data protection officers and supervisory authorities. It complements – but does not replace – the privacy policy, the data processing agreement and the data protection impact assessment prepared for the respective installation (Art. 35 GDPR).

Note: The legal assessment of the specific use depends on the purpose, location and configuration. Binding statements regarding your individual case are contained in the data processing agreement (DPA) prepared for your installation under Art. 28 GDPR.

Frequently asked questions

  1. What does Darlot AI video analytics do?

    Darlot AI video analytics evaluates video streams from stationary cameras in real time and detects security-relevant patterns – such as unauthorised entry, persons remaining motionless, tampering with installations or crossing defined security zones. The system generates alarms, not continuous person profiles.

    There is no tracking of individuals across camera systems, no re-identification in the standard configuration and no behavioural assessment outside the defined security purpose.

  2. What personal data is processed?

    The data processed is essentially image and video data of persons within the camera detection area. This includes moving images (video streams) of monitored areas, detection metadata (timestamp, camera ID, event type, confidence score), bounding box coordinates of detected objects or persons and technical log data (system status, accesses, audit logs).

    In the standard configuration, no biometric templates within the meaning of Art. 9(1) GDPR are created and no audio recordings are captured. Acoustic capture is technically deactivated and may only be activated with a separate legal basis and contractual agreement.

  3. What is the legal basis for processing?

    The legal basis depends on the purpose and the controller. Common bases are Art. 6(1)(f) GDPR (legitimate interest in protecting property, employees, visitors and critical infrastructure with documented balancing of interests), § 4 BDSG for video observation of publicly accessible areas, § 26 BDSG for processing of employees – usually supplemented by a works agreement – and Art. 6(1)(e) GDPR for public bodies.

    Processing based on consent (Art. 6(1)(a) GDPR) is the exception in video environments, since consents in public spaces cannot practically be given freely within the meaning of the GDPR.

  4. Are biometric data within the meaning of Art. 9 GDPR processed?

    No – not in the standard configuration. Darlot AI video analytics detects persons as an object class without extracting or storing facial features that would serve to uniquely identify a natural person. No biometric templates are generated.

    Any activation of biometric functions would constitute a special category of personal data under Art. 9 GDPR and would require a separate legal basis, an additional data protection impact assessment and – within the scope of the AI Act – a separate conformity assessment.

  5. How does the use relate to the EU AI Act (Regulation (EU) 2024/1689)?

    The AI Act distinguishes AI systems by risk class. Real-time remote identification in publicly accessible spaces by law enforcement (Art. 5 AI Act) is generally prohibited – Darlot does not use any such functions. High-risk AI under Annex III (biometric identification and categorisation systems) is only activated in expressly commissioned configurations; it is not active by default. For event detection without identification, transparency obligations toward data subjects apply.

    For each delivered system Darlot documents the applicable risk classification and the fulfilment of provider obligations under Art. 16 et seq. AI Act.

  6. Who is the controller within the meaning of GDPR?

    The controller within the meaning of Art. 4(7) GDPR is regularly the operator of the camera installation – i.e. the customer who decides on the purposes and means of processing (e.g. the property owner or the operator of a critical installation).

    In the standard constellation Darlot acts as a processor within the meaning of Art. 28 GDPR. Before commissioning, a data processing agreement (DPA) is concluded covering instruction rights, sub-processor relationships, technical and organisational measures, and cooperation in handling data subject rights.

  7. Is a Data Protection Impact Assessment (DPIA) carried out?

    Yes. Systematic monitoring of publicly accessible areas on a large scale regularly triggers a DPIA obligation under Art. 35(3)(c) GDPR. Darlot provides the controller with a generic template DPIA and all technical information required to prepare an installation-specific DPIA.

    The final DPIA is the controller's responsibility and is – where required – coordinated with the competent data protection officer and, where applicable, the supervisory authority.

  8. How long are video data stored?

    The principles of data minimisation and storage limitation apply (Art. 5(1)(c) and (e) GDPR). Standard tiered retention periods apply: live stream processed in real time without permanent storage; event-based recordings 48 to 72 hours, then automatic deletion; recordings of security-relevant incidents until conclusive resolution, at most within statutory retention periods; audit and log data regularly up to twelve months for IT security purposes.

    Different periods may be agreed contractually but must be proportionate and documented in the DPIA.

  9. What technical and organisational measures (TOMs) are in place?

    Darlot meets the requirements of Art. 25 and Art. 32 GDPR through a tiered TOM concept: encryption with TLS 1.3 in transit and AES-256 at rest; role-based access control with multi-factor authentication and complete audit trails; logical and – for edge installations – physical tenant separation; privacy by design with privacy zone masking, dynamic pixelation and local processing where possible; cryptographic signing of event recordings for evidentiary preservation; and backup, recovery and notification processes under Art. 33 GDPR within 72 hours.

  10. Where are the data processed? Are data transferred to third countries?

    Processing takes place primarily on edge devices at the installation site or in certified data centres within the European Union or European Economic Area.

    A transfer to third countries within the meaning of Chapter V GDPR does not occur in the standard configuration. Should a third-country reference arise in individual cases – e.g. for maintenance or remote support – the mechanisms of Art. 46 GDPR (Standard Contractual Clauses 2021/914) and supplementary safeguards (Transfer Impact Assessment) apply.

  11. What rights do data subjects have?

    Data subjects can assert the following rights against the controller: access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR – where applicable), objection (Art. 21 GDPR – particularly relevant where processing is based on legitimate interests) and complaint to the competent supervisory authority (Art. 77 GDPR).

    Darlot supports the controller in handling data subject requests through suitable technical tools, e.g. for time- and camera-based retrieval of relevant image sequences.

  12. Is automated decision-making carried out?

    No. The system generates alarms and indications – the final assessment and decision on measures lies with human decision-makers, regularly in a security control room. There is no purely automated decision with legal effect within the meaning of Art. 22 GDPR.

    This human-in-the-loop principle is organisationally anchored and corresponds to the requirement of human oversight under Art. 14 AI Act.

  13. How is the information obligation under Art. 13 GDPR fulfilled?

    The controller posts clearly visible signage in the detection area. This includes: notice of video monitoring with AI-supported analysis; name and contact data of the controller and the data protection officer; purposes and legal basis of processing; retention period and recipient categories; reference to data subject rights and the right to lodge a complaint with the supervisory authority.

    Comprehensive information is provided via a QR code, URL or display at reception. Darlot provides reviewed signage templates that comply with the standard of the German Data Protection Conference (DSK).

  14. How is employee data protection ensured?

    Where employees are recorded, § 26 BDSG applies. Where a works or staff council exists, co-determination under § 87(1)(6) BetrVG must be observed. Before commissioning, a works agreement is regularly concluded covering: purpose limitation and exclusion of performance and behavioural monitoring; permitted detection classes; retention and deletion periods; access rights and four-eyes principle for analyses; procedures for suspected cases and evidence preservation.

  15. What happens in the event of a personal data breach?

    In the event of a personal data breach, a documented incident response procedure is triggered. Darlot reports incidents to the controller without undue delay – at the latest within 24 hours of becoming aware – so that the controller can meet its obligation under Art. 33 GDPR to notify the supervisory authority within the 72-hour deadline.

    Where required, data subjects are additionally notified under Art. 34 GDPR. All incidents are documented in an audit-proof register.

  16. Are sub-processors used?

    Where sub-processors are engaged – e.g. for hosting, maintenance or remote support – this takes place exclusively on the basis of an agreement under Art. 28(4) GDPR. The current list of engaged sub-processors is part of the DPA and is communicated to the controller before changes. A right to object to the use of new sub-processors is contractually provided.

  17. How is non-discrimination of the models ensured?

    Darlot reviews the deployed models prior to commissioning for statistical bias, particularly with regard to protected characteristics under § 1 AGG. Training data is documented; test datasets cover different lighting conditions, clothing types and personal characteristics.

    Models are continuously monitored in operation for drift, false positive rates and fairness metrics. Results feed into quality and risk management under Art. 9 AI Act.

  18. Whom can data subjects contact?

    Data subjects primarily contact the controller, whose contact data can be found on the signage or the published privacy notice.

    Privacy enquiries concerning Darlot as a processor may additionally be directed to Darlot's data protection officer. Contact data is published on the website under "Privacy". Independently, the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR) exists at any time.

  19. Are data used for training or marketing purposes?

    No. Image and video data from operational use are processed exclusively for the agreed security purpose. They are not used for model training, benchmarking or marketing – unless the controller has expressly authorised this and the data has previously been effectively anonymised so that there is no longer any personal reference.

  20. How is conformity demonstrated?

    Darlot operates integrated compliance management under the GDPR and the AI Act and undergoes external audits as required. On request, the following documentation is provided to the controller: Records of Processing Activities (Art. 30 GDPR – software extract); TOM description as DPA annex; template DPIA and supporting materials; model factsheet with technical documentation under Annex IV AI Act – where applicable; certifications of deployed data centres (e.g. ISO 27001, C5).

Notes on the use of this FAQ

This FAQ is for information and does not replace individual legal or data protection advice. It reflects the legal status as of the date stated above. Due to the ongoing concretisation of the AI Act through delegated acts and guidelines of the European Data Protection Board, adjustments may occur. For an in-depth legal assessment of your specific deployment scenario, our data protection officer and legal contacts are available.

Privacy contact

Darlot – Data Protection Officer
Email: datenschutz@darlot.co
Postal address: Quarero Robotics Deutschland GmbH, Hornbergstrasse 49, 70794 Filderstadt, Germany
Web: darlot.co/datenschutz