Brivo Data Privacy Framework Statement

Last Update and Effective: March 29, 2024

Data Privacy Framework Standards

This Data Privacy Framework Statement (the “Statement”) sets forth the privacy principles followed by Brivo, LLC and our subsidiary Brivo System B.V., (collectively “Brivo”) in connection with the transfer and protection of “Personal Information” received from the European Union (E.U.), United Kingdom and Gibraltar the (UK) and Switzerland and supplement’s Brivo’s Privacy and Security Policy located at https://www.brivo.com/privacy/ and the Brivo Services Statement located at https://www.brivo.com/services-privacy-statement/ (collectively, the ”Brivo Privacy Policies”)

About the Data Privacy Framework

Brivo respects Consumers’ concerns about privacy. As a result, Brivo complies with:

  • the EU-U.S. Data Privacy Framework (the “EU DPF”);
  • the UK Extension to the EU-U.S. DPF (the “UK Extension”); and,
  • the Swiss-U.S. Data Privacy Framework (the “Swiss DPF”).

Collectively, the EU DPF, the UK Extension and the Swiss DPF are referred to as the “DPF.”

Brivo has certified to the U.S. Department of Commerce that (1) it adheres to the EU-U.S. Data Privacy Framework Principles (“EU DPF Principles”) with regard to the processing of Personal Information received from the European Union and the United Kingdom in reliance on the EU DPF and the UK Extension to the EU DPF and (2) that it adheres to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF (“Swiss DPF Principles”) the Swiss DPF Principles, together with the EU DPF Principles are referred to as the “DPF Principles”).

This Statement supplements the Brivo Privacy Policies, and unless specifically defined in this Statement, the terms in this Statement have the same meaning as the ones in Brivo’s Privacy Policy. If there is any conflict between the terms in this Statement or the Brivo Privacy Policies and the EU DPF Principles and/or the Swiss DPF Principles, the respective Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. This Statement describes how Brivo implements the DPF Principles for Consumer Personal Information.

For purposes of this Statement:

“Consumer” means any natural person who is located in the EEA, UK or Switzerland, but excludes any individual acting in his or her capacity as an Employee.

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.

“Customer” means any entity for which Brivo provides products and/or services.

“EEA” means the European Union and Iceland, Liechtenstein, and Norway.

“Processor” means any natural or legal person, public authority, agency, or other body that processes Personal Information on behalf of a Controller.

Types of Personal Information Brivo Collects

Depending upon the context, Brivo may serve as a Controller or as a Processor of Consumer Personal Information.

Controller Activities

As a Controller, Brivo obtains Personal Information about Consumers in various ways. For example, Brivo collects Personal Information from Consumers who visit our websites. Brivo may use Personal Information collected when the Consumer visits our websites for the purposes indicated in Brivo’s Privacy Policies. The Brivo Privacy Policies may be updated from time to time as Brivo changes the types of Personal Information that it collects from Consumers. Brivo also obtains and uses Consumer Personal Information in other ways for which Brivo provides specific notice at the time of collection, such as through the Brivo Mobile Apps.

Brivo also obtains Personal Information from its vendors’ and service providers’ representatives. The information obtained may include contact information and payment or financial account data. Brivo uses this information to manage its relationships with its vendors and service providers, process payments, and carry out Brivo’s obligations under its contracts with these parties.

Processor Activities

As a Processor, Brivo may receive Consumer Personal Information in connection with providing services to its Customers.

Data Privacy Framework Policies

The following privacy principles apply to the transfer, collection, use or disclosure of Personal Information from the E.U., UK and Switzerland by Brivo.

Notice

Brivo provides information in this Statement and Brivo’s Privacy Policies about its Consumer Personal Information practices as a Controller, including:

  • the types of Personal Information Brivo collects;
  • the types of third parties to which Brivo discloses the Personal Information and the purposes for doing so, the rights;
  • the choices Consumers have for limiting the use and disclosure of their Personal Information; and,
  • how to contact Brivo about its practices concerning Personal Information.

When a Customer transfers or authorizes the transfer of Consumer Personal Information to Brivo in the U.S as a Processor, the Customer is responsible for providing appropriate notice to Consumers and ensuring it is collecting such the Personal Information under a lawful basis such as for example, obtaining the Customer’s requisite consent.

Choice

When Brivo collects Consumer Personal Information in its role as a Controller, Brivo generally offers the relevant Consumers the opportunity to choose whether their Personal Information may be (i) disclosed to third-party Controllers or (ii) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by the relevant Consumer. Consumers may contact Brivo as indicated below regarding Brivo’s use or disclosure of their Personal Information.

When Brivo obtains Consumer Personal Information in its role as a Processor for its Customers, Brivo’s Customers are responsible for providing appropriate notice to its Consumers and ensuring it provides the relevant Consumers with certain choices with respect to the Customers’ use or disclosure of the Consumers’ Personal Information.

Brivo shares certain Consumer Personal Information with its affiliates and subsidiaries. Brivo may disclose Consumer Personal Information without offering an opportunity to opt out and may be required to disclose the Personal Information:

  • to third-party Processors Brivo has retained to perform services on its behalf and pursuant to it instructions,
  • if it is required to do so by law or legal process, or
  • in response to lawful requests from governmental authorities, including to meet national security, governmental interest, or law enforcement requirements.

Brivo also reserves the right to transfer Consumer Personal Information in the event of an audit or if Brivo sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution, or liquidation).

Accountability for Onward Transfer of Personal Information

This Statement and Brivo’s Privacy Policies describe Brivo’s sharing of Consumer Personal Information.

To the extent Brivo acts as a Controller, except as permitted or required by applicable law, Brivo shall provide Consumers with an opportunity to opt out of sharing their Personal Information with third-party Controllers. Brivo requires third-party Controllers to whom it discloses such Consumer Personal Information to contractually agree to

(i) only process the Personal Information for limited and specified purposes consistent with then consent provided by the relevant Consumer,

(ii) provide the same level of protection for Personal Information as is required by the DPF Principles, and

(iii) notify Brivo and cease processing Personal Information (or take other reasonable and appropriate remedial steps) if the third-party Controller determines that it cannot meet its obligation to provide the same level of protection for Personal Information as is required by the DPF Principles.

With respect to transfers of Consumer Personal Information to third-party Processors, Brivo

(i) enters into a contract with each relevant Processor,

(ii) transfers Personal Information to each such Processor only for limited and specified purposes,

(iii) ascertains that the Processor is obligated to provide the Personal Information with at least the same level of privacy protection as is required by the DPF Principles,

(iv) takes reasonable and appropriate steps to ensure that the Processor effectively processes the Personal Information in a manner consistent with Brivo’s obligations under the DPF Principles,

(v) requires the Processor to notify Brivo if the Processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles,

(vi) upon notice, including under (v) above, takes reasonable and appropriate steps to stop and remediate unauthorized processing of the Personal Information by the Processor, and

(vii) provides a summary or representative copy of the relevant privacy provisions of the Processor contract to the Department of Commerce, upon request.

Brivo remains liable under the DPF Principles if Brivo’s third-party Processor onward transfer recipients process relevant Personal Information in a manner inconsistent with the DPF Principles, unless Brivo proves that it is not responsible for the event giving rise to the damage.

Security

Brivo takes reasonable and appropriate measures to protect Consumer Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration, and destruction.

Data Integrity and Purpose Limitation

Brivo seeks to ensure that any Personal Information held about E.U., UK and Swiss individuals is accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained. Brivo collects Personal Information that is adequate, relevant, and not excessive for the purposes for which it is to be processed. E.U., UK and Swiss individuals are responsible for assisting Brivo in maintaining accurate, complete, and current Personal Information about them. Subject to applicable law, Brivo retains Consumer Personal Information in a form that identifies or renders identifiable the relevant Consumer only for as long as it serves a purpose that is compatible with the purposes for which the Personal Information was collected or subsequently authorized by the Consumer.

Access and Correction

To the extent Brivo acts as a Controller, and upon written request to Brivo as set forth below, Brivo will (i) provide E.U., UK and Swiss individuals with reasonable access to their Personal Information and (ii) will take reasonable steps to allow E.U., UK and Swiss individuals to review their information for the purposes of correcting their information. There are certain limitations to the Access and Correction right, as set forth on the DPF website.

When Brivo obtains Consumer Personal Information in its role as a Processor for its Customers, Brivo’s Customers are responsible for providing Consumers with access to the Personal Information and the right to correct, amend or delete the information where it is inaccurate or has been processed in violation of the DPF Principles, as appropriate. In such circumstances, Consumers should direct their questions to the appropriate Brivo Customer. When a Consumer is unable to contact the appropriate Customer, or does not obtain a response from the Customer, Brivo will provide reasonable assistance in forwarding the Consumer’s request to the Customer.

Recourse, Enforcement and Liability

Brivo has developed internal mechanisms in order to adhere to the DPF Principles.

In compliance with the EU DPF and the UK Extension to the EU DPF and the Swiss DPF, Brivo commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the EU DPF and the UK Extension to the EU DPF, and the Swiss DPF should first contact Brivo using the contact information in the “How to Contact Brivo” section of this Statement.

If a Consumer’s complaint cannot be resolved through Brivo’s internal processes, Brivo will cooperate with JAMS pursuant to the JAMS DPF Program, which is described on the JAMS website at https://www.jamsadr.com/eu-us-data-privacy-framework. JAMS mediation may be commenced as provided for in the JAMS rules. Following the dispute resolution process, the mediator or the Consumer may refer the matter to the U.S. Federal Trade Commission, which has DPF investigatory and enforcement powers. Under certain circumstances, Consumers also may be able to invoke binding arbitration to address complaints about Brivo’s compliance with the DPF Principles.

When Brivo obtains Consumer Personal Information in its role as a Processor for its Customers, Consumers may submit complaints concerning the processing of their Personal Information to the relevant Customer, in accordance with the Customer’s dispute resolution process. Brivo will participate in this process at the request of the Customer or the Consumer.

How to Contact Brivo

To contact Brivo with questions or concerns about this Statement or Brivo’s Consumer Personal Information practices or to file a complaint:

Write to:

Brivo Systems LLC
ATTN: Privacy
7700 Old Georgetown Road, Suite 300
Bethesda MD, 20814 USA
privacy@brivo.com
+1 301-664-5277