20face access service using facial recognition

20face provides a service using facial recognition for different purposes, one of them being access control. The service has been designed with respect for the privacy of the users. Plain information about the processing and only collect the necessary information is the base. Needless to say: the users will be given insight.

General Data Protection Regulation (GDPR) requirements must be met as personal data are processed.

20face:

• Delivers plain and complete information about the processing of data;
• Only collects and processes the necessary data;
• Implements adequate measures to safeguard that only authorized employees can access data and safeguard data availability and integrity;
• Does not use your data for other purposes;
• Makes it easy to withdraw your prior consent.

The service details

Conditions to be met before use of the 20face service:

• our customer, a business organization:
  • has decided to use the 20face service;
  • has completed the data privacy impact analyses (dpia) if required;
• employees and their representatives have been informed;
• access management service, 20face services and the interface between the two have been installed;
• user registration has been completed.

User registration

Employees will receive an e-mail with the invitation to register. This message has a link included to this document. 

The second link in the message is to the registration form to choose account name (an email address) and password. The registration continues with taking the facial picture and transforming this picture to a facial vector. The picture is removed from the memory. It has not been stored to disk.

User consent

The user must give his explicit consent for the processing of his personal data for the service because the organization has not made the use of the service mandatory.

In his account the user can, at any time, withdraw his consent, remove his facial vector, or even cancel his registration. 

Access

The registered user approaches the camera equipped entrance. The camera sends images to the 20face application after a local quality check. The application transforms the image to a facial vector to be compared with the facial vectors of registered users. In case of a match the id of the matching entry is send to the access management system. If the id is authorized the barrier will open.

Images and the facial vector based on the images are used and not stored to disk.

The processed personal data

Our customer, an organisation, will provide 20face with first and last name, business email address and access management system id.

20face processes account information (e-mail and password), facial images and facial vectors. 

20face has conducted the mandatory data privacy impact analysis for their processing.

Maintenance and improvement

The facial recognition model will be updated on a regular basis to improve the recognition and security based on experience, new views and results of the recurrent risk analyses.

Users can be asked to renew the facial vector after a service update.

Contact and additional information

• [email protected] for inquiries concerning the registration, information concerning facial recognition and withdrawal of consent
• the organisation delivering the access management system for inquiries concerning access and personal data 20face receives from them.

In the 20face privacy statement additional information can be found on:

• collection and processing of personal data;
• how to execute the right to access.