Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Arlo is a New Zealand-based training management and course registration platform used by training organisations, professional associations, and corporate learning teams. New Zealand has an EU adequacy decision, making it one of the most GDPR-compliant non-EU options. Attendee registration data is processed on the basis of contract performance. Cookies from the embedded registration widget require ePrivacy consent.
Arlo is a New Zealand-based training management system (TMS) used by training providers, professional associations, and corporate learning and development teams to manage course catalogues, handle registrations, process payments, and send automated communications to attendees. It provides an embeddable registration widget that can be added to any website, as well as a hosted training website. Arlo handles the full training lifecycle from registration through to post-course evaluation.
Arlo collects attendee name, email address, phone number, organisation, job title, training preferences, payment information, and attendance records. It also collects IP addresses and browser information from the registration widget. Post-course, it may send evaluation surveys and training completion certificates. All attendee records are linked to the individual''s profile in the Arlo system.
New Zealand received an EU adequacy decision in 2013, meaning transfers of EU personal data to New Zealand-based processing are permitted without additional safeguards. This makes Arlo one of the most GDPR-compliant non-EU training management platforms available. The primary GDPR obligations for Arlo users relate to the lawful basis for processing (contract performance for registrations), transparency (privacy notice at point of registration), and data subject rights.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Contract performance covers the processing of attendee registration data necessary to fulfil the training enrollment. Consent is required for non-essential cookies from the registration widget. For marketing emails after a training (additional courses, newsletters), a separate marketing consent must be obtained. Special category data (disability, dietary requirements) requires explicit consent.
Include a privacy notice on the registration page. Obtain ePrivacy consent for widget cookies. Sign a DPA with Arlo. Obtain separate marketing consent for post-training communications. Update your privacy policy noting New Zealand adequacy. Document the processing in your RoPA.
Websites using Arlo must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard training registration use cases given the New Zealand adequacy decision. It becomes advisable when training data includes health, disability, or other special category information, or when large-scale attendee profiling for marketing is implemented.
Sample consent text
This registration form is powered by Arlo (New Zealand). To register for this training, Arlo will collect your name, email address, and organisation details. Data is processed in New Zealand, which has an EU adequacy decision. See our privacy policy for full details.
Third-party domains contacted
arlo.coapp.arlo.coapi.arlo.coCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| arlo_session | session | Session | Session identifier used to maintain the active Arlo training registration flow |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Arlo collects attendee name, email address, phone number, organisation, job title, training preferences, payment information, and attendance records. Post-course, it may collect evaluation survey responses. IP addresses and browser information are also collected via the registration widget.
For registration data, no separate consent is required as contract performance covers the processing. EPrivacy consent is required for non-essential cookies from the registration widget. Attendees must receive a privacy notice before registering identifying Arlo as a processor with New Zealand data storage.
Contract performance (Art. 6(1)(b)) for processing attendee registration data necessary to fulfil the training enrollment. Consent for marketing communications about additional courses. Explicit consent (Art. 9(2)(a)) for special category data such as dietary requirements or disability information collected during registration.
Arlo is a New Zealand company. New Zealand has an EU adequacy decision since 2013, meaning transfers to New Zealand-based processing require no additional safeguard. If Arlo uses Australian infrastructure, Australia does not have an EU adequacy decision and SCCs would apply for that component.
Generally not for standard training registration. A DPIA becomes advisable if Arlo is used for training that collects health or disability data, if automated decisions are made about training eligibility, or if large-scale profiling of training attendance is implemented for HR purposes.
Include a privacy notice on the registration page identifying Arlo and noting New Zealand adequacy. Obtain ePrivacy consent for widget cookies. Sign a DPA with Arlo. Obtain separate marketing consent for post-training communications. Document the processing in your RoPA.
New Zealand has an EU adequacy decision, meaning transfers of EU personal data to New Zealand require no SCCs, adequacy assessments, or Transfer Impact Assessments. This eliminates the primary transfer compliance burden associated with US-based training platforms. It is one of only a handful of non-EU countries with full EU adequacy.
Add a section on training registration data. Describe Arlo as a processor used for course registration and attendee management, list data collected, state the contract performance legal basis, note New Zealand data storage and the EU adequacy decision, and describe how attendees can access or delete their registration data.