Sicherheit als Dienstleistung. Wir sehen, wir entscheiden, wir handeln.

Regulatory framework at a glance

The deployment of an autonomous security robot regularly touches the following frameworks:

• Data protection

  GDPR, BDSG, state data protection laws, § 26 BDSG for employees

• Road traffic law

  StVG, StVO, StVZO – where public traffic areas are concerned

• Machinery and product law

  Machinery Regulation (EU) 2023/1230 (from 20 Jan 2027), Machinery Directive 2006/42/EC (transition), ProdSG, Low Voltage Directive, EMC Directive

• Occupational safety

  ArbSchG, BetrSichV, DGUV rules, BetrVG (co-determination)

• Artificial intelligence

  AI Regulation (EU) 2024/1689

• Cybersecurity

  Cyber Resilience Act (EU) 2024/2847, NIS-2 implementation act, KRITIS umbrella act

• Radio and frequencies

  TKG, BNetzA general assignments, ETSI standards

• Liability

  BGB, ProdHaftG, new Product Liability Directive (EU) 2024/2853, StVG

A · Platform and operation

• 01What does a Darlot Robotics security robot do?+

  The robots perform autonomous patrols on defined routes, detect security-relevant events (intrusion, fire, spilled liquids, abandoned objects, persons remaining motionless), document the state of installations and fences and alert the responsible security control room in real time. The final assessment is always made by a human operator.

• 02What sensors are installed?+

  Depending on the model variant: optical cameras (daylight, wide-angle, PTZ), thermal camera for fire and person detection in darkness, LiDAR and ultrasound for navigation and obstacle avoidance, GNSS / RTK-GNSS for outdoor positioning, IMU and odometry for attitude and travel measurement. Optional: microphone and speaker (only with contractually agreed two-way audio), gas and CO sensors for industrial environments.

• 03What level of autonomy applies?+

  The robots act semi-autonomously on predefined, approved routes. They have obstacle avoidance, stop in unclear situations and hand over to the human operator. Full autonomy in the sense of free route choice in public traffic areas is not provided.

• 04Where are the robots typically deployed?+

  Predominantly on enclosed industrial, logistics and energy sites, i.e. within the operator's domiciliary right. Deployments on public traffic areas are the exception and require a separate legal assessment – particularly under StVO and StVZO.

B · Data protection (GDPR)

• 05What personal data is processed?+

  During operation the following data may arise: moving images of the patrolled areas, thermal images (usually without identification capability), location and movement data of the robot (not of detected persons), event-based metadata (time, location, event class, confidence) and audit/telemetry data of the device. Acoustic data is captured only with activated two-way audio and exclusively during an active operator intervention – not in continuous operation.

• 06What is the legal basis for processing?+

  Regularly the operator's legitimate interest under Art. 6(1)(f) GDPR (protection of property, employees, critical infrastructure), supplemented by § 4 BDSG for publicly accessible areas and § 26 BDSG with regard to employees. For public bodies Art. 6(1)(e) GDPR may apply.

• 07Who is controller, who is processor?+

  The controller within the meaning of Art. 4(7) GDPR is the operator who decides on purposes and means. In the standard constellation, Darlot Robotics acts as a processor under Art. 28 GDPR. Before commissioning, a data processing agreement is concluded covering TOMs, sub-processors, instruction rights and cooperation duties.

• 08Is a Data Protection Impact Assessment required?+

  As a rule, yes. Systematic monitoring with mobile devices that combine moving images and location data typically falls under Art. 35(3) GDPR and the lists of the German Data Protection Conference. Darlot Robotics provides a template DPIA; responsibility for the installation-specific design lies with the controller.

• 09Are biometric data within the meaning of Art. 9 GDPR processed?+

  No – not in the standard configuration. The robots detect persons as an object class without creating biometric templates for identification. Any activation of biometric functions would require a separate legal basis, an additional DPIA and – within the scope of the AI Act – an additional conformity assessment.

• 10How long are recordings stored?+

  Tiered retention periods apply, following the principle of storage limitation (Art. 5(1)(e) GDPR): routine patrols without an event – live processing, subsequent deletion typically within 48 to 72 hours. Security-relevant incidents – retention until conclusive resolution, at most within statutory retention periods. Audit and telemetry data – regularly up to twelve months.

• 11How is the information obligation under Art. 13 GDPR fulfilled?+

  Notice signs are installed at access points and – where relevant – along patrol routes. In addition, the robots carry visible labelling ("Video recording – Darlot Robotics"). Comprehensive information is provided via QR code, URL or display at reception. Templates follow the standard of the German Data Protection Conference (DSK).

• 12What rights do data subjects have?+

  Data subjects can assert the rights under Art. 15 to 22 GDPR against the controller and lodge a complaint with the competent supervisory authority under Art. 77 GDPR. Where processing is based on legitimate interests, the right to object under Art. 21 GDPR is particularly relevant.

C · Road traffic law (StVG / StVO / StVZO)

• 13Is a security robot a vehicle within the meaning of the StVO?+

  Classification depends on the location and design. On enclosed, non-publicly accessible industrial premises, StVO and StVZO generally do not apply; the operator's domiciliary right combined with occupational safety law applies. If the area is in fact accessible to anyone or to an indeterminate group of persons (e.g. freely accessible parking lots, station forecourts), public traffic area may exist – with the consequence that StVG, StVO and StVZO apply. In practice: the decisive criterion is not ownership but actual public accessibility. An industrial site behind fence and gate is regularly not public. A supplier parking lot without access control may be public.

• 14Does the robot need registration or a licence plate?+

  On private, non-publicly accessible premises – no. As soon as public traffic area is touched, the design must be examined: motor-driven land vehicles are deemed motor vehicles within the meaning of § 1(2) StVG and are generally subject to registration (§ 3 FZV). Depending on top speed, design and permitted passenger transport, exceptions may apply. The local registration authority provides binding information.

• 15May the robot drive on pavements?+

  Pavements are reserved for pedestrians (§ 25 StVO). Driving by motorised devices is generally inadmissible unless a special permit exists or the device qualifies as "other means of transport" within the meaning of § 24 StVO. For autonomous delivery robots, corresponding discussions and country-specific pilots exist; this privileging is generally not transferable to security robots. On industrial premises the question is moot.

• 16At what speed do the robots drive?+

  The factory-configured top speed is regularly 6 to 8 km/h, i.e. walking pace. In sensitive areas (doors, narrow passages, person traffic) it is automatically reduced. The top speed is part of the machinery risk assessment.

• 17How is the robot illuminated and marked?+

  The devices carry visible front lights, reflectors and – when moving – an optical warning signal. Clear external marking indicates the operator, the function and the presence of video recording. Acoustic warning signals are set to be perceptible without violating noise protection rules.

• 18Who is liable in a road accident with the robot?+

  For damage in public road traffic, holder liability under § 7 StVG applies, plus – when a motor vehicle is being driven or transported – driver liability under § 18 StVG. Producer liability under ProdHaftG may apply, e.g. for design or manufacturing defects. On industrial premises, the general liability rules of the BGB apply. On the insurance side, depending on constellation, business, product and where applicable motor third-party liability insurance is in place.

• 19What insurances must be in place?+

  Minimum standard: business liability insurance of the operator that expressly covers the robot deployment; product liability insurance of the manufacturer; motor third-party liability insurance for use in public traffic, where the device qualifies as a motor vehicle within the meaning of § 1 PflVG; cyber insurance to cover the consequences of an IT security incident (recommended).

D · Machinery and product safety

• 20Which conformity is demonstrated by the robot?+

  The devices carry the CE marking. They meet the relevant requirements of: Machinery Directive 2006/42/EC (until 19 January 2027), Machinery Regulation (EU) 2023/1230 (applicable from 20 January 2027), Low Voltage Directive 2014/35/EU and EMC Directive 2014/30/EU, Radio Equipment Directive 2014/53/EU including delegated regulation (EU) 2022/30 on cybersecurity, relevant harmonised standards in particular DIN EN ISO 13482 (personal care robots) and DIN EN ISO 3691-4 (driverless industrial trucks).

• 21Is a risk assessment in place?+

  Yes. For each configuration there is a risk assessment under Annex I of the Machinery Directive or Annex III of the Machinery Regulation. It is updated before commissioning if location, speed, route or sensors change materially.

• 22Which safety functions are built in?+

  In particular: redundant obstacle avoidance with staggered protection fields; emergency stop on the device and via the control room; automatic safety stop on loss of localisation or sensor errors; collision energy limitation per DIN EN ISO 13482; manual override option by the operator; acoustic and optical warning signal when starting and at narrow passages.

• 23What happens with battery, fire or weather hazards?+

  The batteries are tested per UN 38.3, secured against thermal runaway and equipped with their own fire monitoring. The devices have IP protection for the defined outdoor use and automatically retreat to the docking station in extreme weather (heavy rain, hail, storm warning) where this is provided in the route plan.

E · Occupational safety and works council

• 24Is the deployment subject to co-determination?+

  Yes – in several respects. A security robot is a technical facility objectively suitable for monitoring conduct and performance of employees. § 87(1)(6) BetrVG therefore applies. In addition: § 87(1)(7) BetrVG (co-determination in occupational safety matters), § 87(1)(1) BetrVG (rules of conduct), §§ 90, 91 BetrVG (information and consultation in workplace design). For material effects on the workforce, an operational change under §§ 111 ff. BetrVG may also apply, e.g. when jobs in security services are permanently relocated.

• 25What should a works agreement cover?+

  A robust works agreement typically covers: purpose limitation (security purpose only) and exclusion of performance/behaviour monitoring of individual employees; defined detection classes that may be activated; route, exclusion zones, patrol break times; recording and deletion periods; access rights and four-eyes principle for analyses; procedures for suspected cases, evidence preservation and disciplinary proceedings; training of employees and information of new staff; evaluation and termination clauses.

• 26What duties arise from occupational safety law?+

  Before commissioning, a risk assessment under § 5 ArbSchG must be carried out, including the robot as part of the working environment. Employees must be instructed under § 12 ArbSchG. Where robot and human share the same movement space, organisational separations, collaborative safety functions or protected areas must be provided. The benchmark is in particular DGUV rule 1 and the relevant Technical Rules for Operational Safety (TRBS).

• 27Are jobs replaced by the robot?+

  The robots complement the work of human security staff, particularly on long patrols, monotonous or weather-exposed routes and at night. The specific personnel impact is decided by the controller and is subject to co-determination. Darlot Robotics provides data and experience but does not take personnel planning decisions.

• 28How is employee data protection ensured?+

  § 26 BDSG and the principle of proportionality apply. No covert surveillance takes place; routes, times and detection classes are disclosed to the works council. Recordings showing individual employees identifiably without a security event are automatically deleted or anonymised.

F · AI Regulation (EU) 2024/1689

• 29What risk class does the system have under the AI Act?+

  Classification depends on the specific function: prohibited practices (Art. 5 AI Act) – e.g. real-time remote biometric identification in public spaces by law enforcement – not activated. High-risk AI (Annex III) – biometric identification and categorisation systems – only in expressly commissioned configurations, deactivated by default. Safety component of a machine (Annex I) – where the AI performs a safety-relevant function of a product itself subject to harmonised sector legislation. Limited risk – standard case of event detection without identification – with transparency obligations toward data subjects.

• 30Which provider obligations does Darlot Robotics meet?+

  Where the system is classified as high-risk AI, the obligations of Art. 8 to 17 AI Act are met in particular: risk management, data governance, technical documentation under Annex IV, recording obligations, transparency, human oversight, accuracy, robustness and cybersecurity. A conformity assessment is completed before placing on the market; an EU declaration of conformity is issued.

• 31How is human oversight designed?+

  Operator stations in the security control room are intervention-capable at all times: they can stop, override and switch the robot to manual mode. Alarms are not automatically translated into measures; an exclusively automated decision with legal effect within the meaning of Art. 22 GDPR does not occur.

G · IT and cybersecurity

• 32What cybersecurity standard does the system meet?+

  The devices follow a security-by-design approach and meet the essential requirements of the Cyber Resilience Act (Regulation (EU) 2024/2847). This includes: secure default configuration with hardening profile, encrypted communication (TLS 1.3) and cryptographic device identities, signed firmware and secure boot chain, regular security updates over the entire product lifetime, software bill of materials (SBOM) and CVE monitoring, and reporting obligations under CRA and where applicable NIS-2.

• 33How does the deployment relate to NIS-2 and KRITIS?+

  If the robot is deployed in a critical installation falling under NIS-2 or the KRITIS umbrella act, it is part of the operator's protection concept. Darlot Robotics provides the information required for the risk analysis, including SBOM, protection requirement analysis and network segmentation requirements.

• 34What happens with a security vulnerability?+

  A documented Coordinated Vulnerability Disclosure process applies. Security researchers can report vulnerabilities via a contacted channel. Critical vulnerabilities are remedied with priority; operators receive immediate mitigation guidance. The statutory reporting deadlines under CRA and NIS-2 are observed.

H · Radio, frequencies, noise and environment

• 35What radio technologies are used?+

  Depending on configuration the devices use WLAN (IEEE 802.11), mobile networks (4G/5G), Bluetooth Low Energy and GNSS. All radio modules meet the Radio Equipment Directive and the relevant ETSI standards. The frequency bands used are covered by general assignments of the German Federal Network Agency; special uses are applied for individually where required.

• 36Which noise levels are observed?+

  Operating noise is typically below 60 dB(A) at one metre distance and thus well below machinery noise hazard values per LärmVibrationsArbSchV. Optical and acoustic warning signals are set to be perceptible without violating TA Lärm.

• 37How are batteries handled at end of life?+

  Batteries are taken back under Battery Regulation (EU) 2023/1542 and given to specialist recycling. Darlot Robotics is registered in the relevant national register and participates in an authorised take-back system.

I · Incidents, liability and evidence preservation

• 38What happens in case of personal injury?+

  A graduated procedure applies: immediate stop of the device, securing the accident site, informing the security control room, evidence preservation of sensor data, notification of insurers and accident insurance institution and – where required – notification of the market surveillance authority under the Machinery Regulation. Serious incidents are additionally reported under product safety law.

• 39What is the evidence position in case of damage?+

  The robots store sensor and telemetry data in audit-proof form. These data are available to investigate damage. With the entry into force of the new Product Liability Directive (EU) 2024/2853, eased burden-of-proof rules apply for injured parties; the necessary technical documentation is kept available.

• 40What is the relation to GDPR in an incident?+

  Where personal data is affected in an incident, Darlot Robotics, as a processor, immediately reviews the reporting obligations under Art. 33 and 34 GDPR and supports the controller in timely notification to the supervisory authority. Incidents are documented in a register.

• 41Whom can employees or third parties contact?+

  First point of contact is the controller, whose contact data appears on the signage or privacy information. Privacy enquiries concerning Darlot Robotics as a processor may be directed to the data protection officer. Security-relevant notices are received via a published Coordinated Disclosure channel. Independently, the right to lodge a complaint with the competent supervisory or market surveillance authority exists at any time.

Notes on the use of this FAQ

This FAQ is for information and does not replace individual legal advice. It reflects the legal status as of the date stated above. Due to ongoing concretisation – particularly through delegated acts on the AI Act, the entry into force of the Machinery Regulation in January 2027 and the implementation of NIS-2 – updates are to be expected. For an in-depth legal assessment of your specific deployment scenario, our data protection officer, security officers and legal contacts are at your disposal.

Contact

Data Protection Officer: datenschutz@darlot.co
Security / CVD contact: security@darlot.co
Compliance / Legal: compliance@darlot.co
Postal address: Quarero Robotics Deutschland GmbH, Hornbergstrasse 49, 70794 Filderstadt, Germany
Web: darlot.co/datenschutz · darlot.co/sicherheit