Hi All,
Just wanted to get a reading on what everyone elses experience is. Our Avigilon rep has recently started requiring us to submit end-user details, no matter how big the order. Even if it's not for registered pricing.
Don't get me wrong. We're very confident that our customers will stay with us but, what's the deal with this? This is new and it feels like an opening to a sinister approach in the long run.
I'm curious whether you're based in the EU? I experienced something similar like this with a brand (not Avigilon) with EMEA HQ in Germany that required us to submit End User details for sales outside the EU (e.g. South Africa or Turkey). At first it was for thermal products, then all sales. It was explained as an additional requirements by a German government agency and there were specific forms submitted to the agency that I saw in person so I don't think it was some long con or aggressive lead generation effort. Unfortunately, it was unsustainable not to mention in conflict with privacy laws of the non-EU countries, so we parted ways.
While reading your comment I first thought it may be something Avigilon is asking for to create case studies or similar marketing use. But if they require it for every sale then barring some government mandate, the least nefarious thing I can think of is generating leads for Motorola reps to go in and sell radios and whatnot. I don't know where it falls in the nefariousness scale but it does smell a bit!
Strange! Have you reached to the seniors of the Avigilon representative who has asked for details?
I've asked Avigilon for comment.
Related, in 2014, something similar happened or was requested, see: Avigilon To Require Disclosing Who 'Your' End User Is
It's been this way for a couple of years. When you submit your PO you must include the customer info.
Mike, thanks. Related, any concerns that Avigilon is or would share this with Motorola and their own integration division?
How useful have Motorola leads been to you so far?
For me we have received two Avigilon leads in the past 2-3 years. Both were bid opportunities. Yay, we get to justify someone else's number! It has been a one-way street.
Its been a great partnership. Can you tell me how many installers Motorola has on the ground for install and service? 50, 100, 10K+?
Motorola did $780 million in 'integration services' according to their 2017 10K (see p4 of the financial report). Motorola did not detail how many employees but $780 million makes Motorola's integration business as big as Convergint. Indeed, that $780 million is just for services and does not include product sales which is accounted separately.
I asked you how many Motorola leads you have been provided and you responded by calling it a 'great partnership'. Does that mean Motorola has not provided you any leads and you are avoiding the question or? If not, please answer it directly.
Avigilon started requiring end-user details for orders at least 3 years ago, IIRC. I'm a little surprised you are only just now being asked for that info.
For those asking what region we're in, we are in southeast asia region. we haven't checked with our agent's immediate superior, but this smells fishy to be honest.
An interesting angle within the EU would be whether Avigilon is complying with GDPR requirements. The integrator has no right to supply client details to a third party without the express permission of the client.
In this instance I would refuse on the basis that Avigilon does not have a legitimate reason that can be justified under GDPR to hold end user information. The agreement must be directly between Avigilon and the end user - end of, if they want this degree of privacy intrusion.
This is a classic case of Avigilon just information gathering without actually thinking about why they are doing it. Yes it may useful at some stage, but that is no justification and has no legitimacy under GDPR where the end user has no knowledge that their personal information is being passed around like it has no relevance or value. It will be on Avigilons CRM, their reps PC's and memory sticks, marketing mailshots, marketing case study and any lead generation process. In honesty, it's a full on case of data abuse and misuse and the very essence of why GDPR was implemented.
NSA rules don't apply I'm afraid.....data hoarding without end-user knowledge and consent is illegal.
An interesting angle within the EU would be whether Avigilon is complying with GDPR requirements.
What part pf GDPR applies to collecting the name of a company a product is sold through to? Avigilon is not asking for "end user details" in the sense of specific data about the individual that signed the purchase order, they want to know which company or organization a product was sold to. Maybe there are some edge-case issues for residential installs, but even then the data collected would be essentially public info, not personal data.
Hm, interesting case... first of all, it depends what is meant by "end user details."
It's important to remember that the GDPR only regulates personally-identifiable information or what it terms "personal data", i.e. "any information relating to an identified or identifiable natural person," (Article 4.) That means info like a human being (within the EU)'s home address, or full name, or personal cellphone number, or passport photo, etc.
So if the integrator is simply sending to Avigilon the names and addresses of companies or other impersonal entities and how much equipment they've ordered, that information isn't even covered by GDPR in the first place. No GDPR issue.
However if the integrator is actually sending the names or addresses of individual persons to Avigilon... that's personal data. Therefore the integrator must, at minimum, disclose "the recipients or categories of recipients of the personal data" to the end user and, if that data is getting sent to a "third country" like the US, disclose that as well. (See Article 13, sections 1e and 1f.)
Because this kind of processing would most likely be construed as based on consent (see Article 6, Lawfulness of Processing) you would also likely also need clear consent from these end users that their data is being shared with Avigilon as well as yourself. This consent request must "be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language" (Article 7.)
So if integrators are sending the personal data of people within the EU to Avigilon without disclosing it or asking for end users' consent, it could definitely be construed as GDPR violations of Article 6 (consent) and Article 13 (disclosing who you share personal data with / which country is getting that data.)
That's would be my understanding also. Bearing in mind that by saying "sending" this would refer to any of the personal information (data) being transferred and hosted on a server that would most likely be in the US.
I think we need to establish is what information, specifically, is being requested and to initiate a formal complaint to Avigilon to garner a response regarding GDPR compliance. In fairness, this would apply to a whole host of manufacturers - but as this thread is based on Avigilon, it would good to use this as a test case in the same way as John has done with IFSEC.
Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.
