User Information

1. Privacy statement for 20face user portal and access control

This is the current version dated May 1, 2022. 

We change this statement if necessary. This statement has been made to meet requirements of professionalism and legal obligations, including those of the General Data Protection Regulation (GDPR). 

In this document we describe the system’s operation and how we collect, process and delete personal data. 

2. Company details 20face B.V.

Chamber of Commerce id: 69220085
Address: Hengelosestraat 500 7521 AN Enschede 
General contact details: [email protected] and +31532032003 

3. The product (service)

The 20face product uses facial recognition and can be used for access control and similar purposes. It has been developed with respect for user privacy. Clear and unambiguous information about its operation and collecting only the necessary data are key. Our goal is that users fully understand the processing of data and the operation of access control. 

4. Personal data involved and the processing of personal data

4.1 Principle 

We only process personal data for the purpose for which data was provided. 

Technical and organizational measures taken are listed in paragraph 6.

4.2 Data provided by our client 

Authorized employees from our client are given the opportunity to use the 20face application for granting access with facial recognition as an extra option for access through an existing system. 

For this purpose, the client provides 20face with: first and last name, e-mail address and personal ID in the existing access control system. 

20face uses this data to register the authorized user in the 20face system. The client also provides a removal request to 20face with the data of the authorized user to be removed from the 20face system. 

The data is processed from delivery and registration up to and including processing the deletion request. 

4.3 The 20face system 

The invitation

Authorized users from our client will receive an e-mail from 20face. This e-mail is the invitation to participate in the access control based on facial recognition. It contains a link to this document. 20face uses the email address, first name and last name received from the client. 

The registration 

The invited authorized user can create an account through the link in the invitation, using the online registration form in the user portal. He chooses his username (email address) and password. After that he takes a facial picture with the camera of his device. The photo is translated into a vector in the 20face program, and the vector is then stored in the database. 

The photo is erased from memory and therefore not saved. As a result, the photo cannot be processed for another purpose. The user completes his registration by giving his explicit consent for the processing of his personal data, namely: the email address, password, image of his face (without storage) and his face vector. 

Granting access 

The user walks to an entrance equipped with a camera. The camera sends images of the face to the 20face application after a local quality check. The application translates the images into a facial vector. This newly made vector is compared to the vectors of previously registered users for the client’s premises. If the same vector is found, there is a match. 

The personal ID associated with the match is sent to the access control system. The authorization in the access control system determines whether access is granted. 
This is an automated processing of data. 
The images and the newly made facial vector are only used in this process. They are not stored at any time. Therefore they cannot be processed for another purpose. 

Deletion of data

The user can remove one face vector or delete his account. 
As a result, current data is deleted immediately. Data in backups is deleted once all backup generations have been completed. Another result is that consent to the processing is revoked. 

Maintaining and improving the 20face system 

The facial recognition system is periodically updated to improve security and face recognition based on experiences, new insights and the results of the periodic risk analysis. 
If the facial recognition model has been changed, the user is invited to create a new vector if necessary. 

Reflection 

The registered user periodically receives a reminder e-mail from 20face about the processing of his personal data. It gives him the opportunity to reconsider his consent and withdraw it. If so, his personal data will be deleted.

5. Roles of 20face and the client in the processing of personal data

Our client is the controller for the processing of personal data. 20face processes data as agreed with our client.

6. Data sharing

IT service providers of 20face process personal data provided by our client and users. Under the GDPR definition they are processors; they process the data as described in the concluded contract. 
Data from Google services are stored in their Dutch datacenter.
We share data only if a legal obligation exists.

7. Measures

Data is stored in applications and files secured by 20face in cooperation with our suppliers. 
Measures taken assure that data:

Security meets legal requirements and professional standards.
Measures are evaluated once a year and prior to changes in the organization or changes in methods and procedures.

8. Data subject’s rights

A data subject can exercise his rights by sending an e-mail to the controller, accompanied by a secure copy of a valid ID:

A response to your request will take a maximum of four weeks.
A user can also access, change and delete his personal data and withdraw consent through his personal account.

9. Questions and complaints

Please send an email to the controller to ask a question or to lodge a complaint. 
You also have the right to lodge a complaint with the Dutch data protection authority.

10. Summary personal data

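| Data item | Personal data? | Supplied by a) | Lawfulness b) | Store | Storage period c) | Processing |
|---|---|---|---|---|---|---|
| First and last name | Yes | 1 | 1 | Yes | 1 | Yes |
| Email (business) | Yes | 1 | 1 | Yes | 1 | Yes |
| Personal ID | Only combined | 1 | 1 | Yes | 1 | Yes |
| Email (private) | Yes | 2 | 1 | Yes | 2 | Yes |
| Password | Yes | 2 | 1 | Yes | 2 | Yes |
| Facial vector subscription | Only combined | n.a. | 2 | Yes | 2 | Yes |
| Facial vector access | Only combined | n.a. | 2 | No | n.a. | Yes |
| Facial photo subscription | Yes | 2 | 2 | No | n.a. | Yes |
| Facial photo access | Yes | 2 | 2 | No | n.a. | Yes |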

a) Supplied by

1 client;
2 user.

b) Lawfulness

1 executing the contract between controller and processor;
2 explicit consent.

c) Storage period determined by

1 client;
2 user.