User Information

1. Privacy statement for 20face user portal and access control

This is the current version dated May 1, 2022. 
We change this statement if necessary. This statement has been made to meet requirements of professionalism and legal obligations, including those of the General Data Protection Regulation (GDPR). In this document we describe the system’s operation and how we collect, process and delete personal data.

2. Company details 20face B.V.

Chamber of Commerce id: 69220085
Address: Hengelosestraat 500 7521 AN Enschede 
General contact details: info@20face.com and +31532032003

3. The product (service)

The 20face product using facial recognition can be used for access control and similar means. It has been developed with respect to user privacy. Clear and unambiguous information about the operation and only collecting the necessary data are key. Our goal is that users fully understand processing of data and the operation of access control. 

4. Personal data involved and the processing of personal data

4.1 Principle 

We only process personal data for the purpose for which data was provided. 
Technical and organizational measures taken are listed in paragraph 6.

4.2 Data provided by the client 

Authorized employees from our client are given the opportunity to use the 20face application for granting access with facial recognition as an extra option for access through an existing system. 
For this purpose, the client provides 20face with: first and last name, e-mail address and personal ID in the existing access control system. 

20face uses this data to register the authorized user in the 20face system. The client also provides a removal request to 20face with the data of the authorized user to be removed from the 20face system. The data is processed from delivery and registration up to and including processing the deletion request. The basis for the processing is the fulfillment of the agreement between 20face and the client. 
The client is the controller as defined in the GDPR. 

4.3 The 20face system

The invitation

Authorized users from our client will receive an e-mail from 20face. This e-mail is the invitation to participate in the access control based on facial recognition. It contains a link to this document. 20face uses the e-mail address, first name and last name received from the client. 

The registration 

The authorized user invited, can create an account through the link in the invitation using the online registration form in the user portal. He chooses his username (email address) and password. After that he takes a facial picture with the camera of his device. The photo is translated into a vector in the 20face program and afterwards stored in the database. 

The photo is erased from memory and therefore not saved. As a result, the photo cannot be processed for another purpose. The user completes his registration by giving his explicit consent for the processing of his personal data being: the email address, password, image of his face without storage and his face vector. 

Granting access 

The user walks to an entrance equipped with a camera. The camera sends images of the face to the 20face application after a local quality check. The application translates the images into a facial vector. This newly made vector is compared to the vectors of previously registered users for the client’s premise. If the same vector is found, there is a match. 

The personal ID associated with the match is sent to the access control system. The authorization in the access control system determines whether access is granted. 
This is an automated processing of data. 
Images and the newly made facial vector are only used. They are not stored at any time. Therefore they cannot be processed for another purpose. 

Deletion of data

The user can remove one face vector or delete his account. 
As a result, current data is deleted immediately. Data in the backup will have been deleted after all generation backups have been completed. Another result is that consent to the processing has been revoked. 

Maintaining and improving the 20face system 

The facial recognition system is periodically updated to improve security and face recognition based on experiences, new insights and the results of the periodic risk analysis. 
If the facial recognition model has been changed, the user is invited to create a new vector if necessary. 

Reflection 

The registered user periodically receives a reminder e-mail from 20face about the processes of his personnel data. It gives him the opportunity to reconsider his consent and withdraw it. If so, his personal data will be deleted.

The lawful basis for the processing of personal data for the registration and granting access is the explicit consent from the data subject. The controller for the processing is 20face.

5. Data sharing

IT service providers from 20faces will process personal data provided by our client and users. In the GDPR definition they are processors, they process the data given the instructions on the concluded contract. Data from Google services are stored in their Dutch datacenter.

We share data only if a legal obligation exists.

6. Measures

Data is stored in applications and files secured by 20face in cooperation with our suppliers. 
Measures taken assure that data:

• can only be accessed by authorized personnel;
• remain available and correct;
• is only stored if necessary and no longer than the specified retention period.

Security meets legal requirements and professional standards.
Measures are evaluated once a year and prior to changes in the organization or changes in methods and procedures.

7. Data subject’s rights

By sending an e-mail to privacy@20face.com, accompanied by a secure copy of a valid id a data subject can exercise his right:

• To access his personal data;
• restrict processing when the specified GDPR conditions are met;
• to request a data transfer to another controller if technically possible.

A response to your request will take four weeks maximum to process.
A user can also access, change and delete his personal data and withdraw consent though his personal account.

8. Questions and complaints

A message to privacy@20face.com can be used to ask a question or lodge a complaint. 
A response will take four weeks maximum.
You also have the right to lodge a complaint with the Dutch data protection authority.

9. Summary

data item	Personal data?	Supplied by a)	Contractual role client b)	Contractual role 20facec)	Lawfulness d)	Store	Storage period e)	Processing
First- and last name	Yes	1	1	2	1	Yes	1	Yes
Email (business)	Yes	1	1	2	1	Yes	1	Yes
Personal ID	Only combined	1	1	2	1	Yes	1	Yes
Email (private)	Yes	2	n.a.	1	1	Yes	2	Yes
Password	Yes	2	n.a.	1	1	Yes	2	Yes
Facial vector subscription	Only combined	n.a.	n.a.	1	2	Yes	2	Yes
Facial vector access	Only combined	n.a.	n.a.	1	2	Nee	n.a.	Yes
Facial photo subscription	Yes	2	n.a.	1	2	Nee	n.a.	Yes
Facial photo access	Yes	2	n.a.	1	2	Nee	n.a.	Yes

a) Supplied by

1 client;
2 user.

b) in contract with 20face

1 Controller;
2 Processor.

c) in contract with client or user

1 Controller;
2 Processor.

d) lawfulness

1 executing the contract between controller and processor;
2 explicit consent.

e) determined by

1 client;
2 user.