Project of contribution to IDEMIA Public Security France
Project of contribution to IDEMIA Road Safety France

Privacy Policy

Introduction

IDEMIA delivers cutting-edge technologies to the world with the mission to protect the identity of consumers and citizens. Privacy is a core issue for IDEMIA and we aim to secure your Personal data at all times. As security and Privacy are at the heart of augmented identity, the secured digital way of identification we propose, IDEMIA has declared security and Privacy as vital criteria in the pursuit of our mission.

In an increasingly digital world, the boundaries and definition of security are changing. IDEMIA’s security strategy implements the best security standards encompassing both the physical and digital worlds, without forgetting the interwined interconnections between these worlds.

To achieve our requirements, IDEMIA is committed to safeguarding our customers’ business interests and our own by providing comprehensive cybersecurity and information protection services.

The IDEMIA personal data strategy is based on Privacy by default and Privacy by design principles.

Definitions

For the purposes of this document, the following definitions apply:

Anonymization The technical method of de-identification of Personal data in such a manner that the data can no longer be attributed to a specific Data Subject
Confidential Information Any information defined as confidential per the Information Classification Policy.
Cookie A small amount of data generated by a website and saved by your web browser.
Data Controller The person/entity which, alone or jointly with others, determines the purposes and means of the processing of Personal data.
Data Protection All rules and regulations related to Personal data protection in the world.
Data Processor The person or entity which processes Personal data on behalf of the Data Controller.
Data Subject An individual whose personal data is processed manually or automatically.
Data Sharing Agreement Agreement within IDEMIA Group, between two affiliates, enabling Personal data transfer with the same level of data protection.
Data transfer Any data communication, copy, access and/or transmission via network, or from one medium to another, irrespective of the type of medium, outside the European Union (EU), to third countries or international organizations, to the extent that such data are intended for processing by the recipient.
Employee Any person who is or was in an employment relationship with IDEMIA, such as apprentices, trainees or temporary workers, former employees, and contractors.
IDEMIA Group entities All companies of which IDEMIA France, either directly or indirectly, holds more than half of the registered capital and/or companies which IDEMIA France directly or indirectly controls or manages.
IDEMIA Assets All tangible and intangible Assets that IDEMIA has.
Personal data Any information relating to an identified or identifiable natural person (a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, etc.).
Personal data breach A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal data transmitted, stored or otherwise processed.
Privacy All information and data related to Privacy matters of an individual or of an entity which includes but is not limited to Personal data and Confidential Information, trade secrets, or any information related to Privacy in general.
Processing of Personal data Any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymization The processing of Personal data in such a manner that the data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure this.
Purpose of processing The reason for the Personal data processing.
Personal Sensitive data Personal data is considered to be sensitive when revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or it contains genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Regulatory Authority The National Authority established in each State or per country or per zone which is in charge of monitoring the implementations of Personal Data Protection and Privacy Laws.
Standard Contractual Clauses The Standard Contractual Clauses (SCC) issued by IDEMIA at the group level based on the EU Commission or the ad hoc clauses agreed between the Parties and authorized by the Supervisory Authority.
Third country All States that are not members of the EU or European Equivalent Adequate countries, or are not considered by an adequacy decision of the EU Commission as guaranteeing an adequate level of Data Protection.
EEA country EEA=European Equivalent Adequate; States ensuring equivalent protection to Personal data as GDPR protection: Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, and United Kingdom.
Third party Natural or legal person, public authority, agency or body other than the Data Subject, Data Controller/Data Processor, and persons who, under the direct authority of the latter, are authorized to process Personal data.

Purpose

With the increase of the use of Personal data and the use of new technologies, Privacy is key for IDEMIA and as a result, the Group Privacy Policy is important as a reference for the entire world where IDEMIA has its offices, its clients and its employees.

This Group Privacy Policy describes how IDEMIA entities protect Privacy and Personal data. This policy aims to ensure that an adequate level of Data Protection and Privacy is applied throughout IDEMIA around the world.

Scope

Material scope

This policy covers all privacy matters and Personal data processing of IDEMIA. Material scope includes:

  • Human Resources data (past, current employees, job applicant, contractors)
  • Connection data (any data related to a connection to a machine)
  • Localization data
  • Financial data
  • Health data, including medical, genetic and biometric data
  • Economic data
  • Third parties’ Personal data

Territorial scope

This policy applies to all IDEMIA Group entities across the world where IDEMIA is present either by its principal entity or by its affiliates or its joint ventures.
At IDEMIA, we believe that compliance with relevant Privacy laws and Regulations is of utmost importance. IDEMIA Group is compliant with the General Data Protection Regulation EC/2016/679 (“GDPR”) or any corresponding or similar Privacy laws and regulations worldwide.

Personal data protection principles

IDEMIA personal data strategy is based on privacy by default and privacy by design principles.

Legal Validity

The legal basis of the processing carried out by IDEMIA is straightforward and based on the legitimate interest of our entity. For sensitive data, we always request the individual consent for personal data processing.

Legitimate interest

Data processing is in consideration for the legitimate interests of IDEMIA, either to improve our Customers’ services or the performance of our algorithms or it is demonstrated that the processing is necessary (i.e., there is no better method to measure and evaluate performance that is fair and effective) and proportionate (i.e., only the necessary data is processed).

Proportionality

Proportionality also requires that the advantages of processing the data are not outweighed by the disadvantages to exercise the right, and that the measure is adequate to achieve the objectives. In addition, when assessing the processing of personal data, proportionality requires that only that personal data which is adequate and relevant for the purposes of the processing is collected and processed. These standards are met with the use of IDEMIA services. In addition, policies and processes are applied when using IDEMIA services: the processing of personal data is systematically ensured to be adequate, relevant and limited to what is necessary for the purposes for which they are processed (i.e. data minimization); Customers are given the opportunity to exercise their rights (i.e. access, correction, erasure and restriction of processing) by, where permitted, effecting changes to data held in the systems constituting the sources of IDEMIA’s data; and personal data is protected by appropriate technical and organizational security measures.

Thanks to IDEMIA fundamental rights and privacy rules, employees and customers are properly informed of the processing by referring to our appropriate data protection and security policies.

Processing personal data

In the course of our business, we may collect and process your Personal data for:

  • Enabling identity verifications
  • Enabling payments
  • Managing bank services
  • Providing connected or embedded services
  • Ensuring security on transportation
  • Conducting customer satisfaction surveys
  • Complying with our obligations
  • Generating statistics and reports
  • Marketing purpose with your consent

These processing operations are justified by our legitimate interest or with your consent, to make sure that you enjoy our products and services.

Finally, subject to your prior express consent, we may also use the Personal data you share with us for marketing purposes.

Data retention

When you are an existing customer we will keep your Personal data for as long as our contractual and/or business relationship lasts. We may then store your Personal data in an intermediary database for five (5) years after our contractual and/or business relationship ends.

If you are a prospect with no established contractual and/or business relationship, we will not retain your data for longer than three (3) years after you last contacted us.

If you are an employee, we will retain your data as long as you are in the company and for 10 years after you leave.

Sharing data

We may share Personal data within IDEMIA and also with third parties in the legitimate interest of our customers and partners.

We only share data on the contractual legal basis and only for the purpose to serve our customers. Two types of data transfer exist, one within EU or within IDEMIA Group, the other outside EU.

Transfer within IDEMIA Group

As IDEMIA is a global organization, we have distinct legal entities (e.g., country subsidiaries) in many parts of the world. Therefore, our internal processes and infrastructure are international in scope and nature and generally cross country borders. Accordingly, you should be aware that we may share your Personal data with other entities within IDEMIA and transfer it to countries in the world where we have data centres or otherwise do business, including those located outside the EU. Such data transfers will be covered by our Data Sharing Agreement (DSA) to ensure the same level of data protection within IDEMIA affiliates within IDEMIA group.

Third-party transfers

We also rely on third-party suppliers and partners with which we may share your Personal data for the purposes indicated above, Whenever we rely on such third parties, we make sure that they provide an adequate level of protection of the Personal data they process on our behalf. When such third parties are located outside of the European Union, we apply the European Union Model Clauses (SCC) as adopted by the European Commission into our agreements.

We also may share your Personal data with third parties for marketing purposes, only with your explicit consent.

Judicial, public and/or governmental authorities

We may also be required – by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence – to disclose your Personal data to judicial, public or governmental authorities. We may also disclose your Personal data if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.

We may also disclose Personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.

Confidentiality

Confidentiality is key to IDEMIA activities. We care about confidentiality of the information and expect everyone to respect a high standard of confidentiality.

Confidentiality is not only on IDEMIA Intangible Assets but also applies to the Personal data.

All employees, contractors and partners are committed to respect confidentiality and shall sign a Non-Disclosure Agreement, depending on the situation.

Security

Security and Privacy of Personal data are a priority for IDEMIA. Consequently, IDEMIA implements the necessary measures in accordance with our published Group Security Strategy.

IDEMIA implements all physical, technical and organizational measures to adequately safeguard the security and confidentiality of Personal data for Data Subjects against unauthorized and accidental access, unlawful processing, involuntary or unlawful disclosure, loss, destruction or damage.

Cloud

IDEMIA commits to provide the most secure cloud solutions to its customers according to the relevant applicable laws of each country.

Personal data breach

Violations of personal data is managed by our data breach procedure. If the reported breach could potentially damage the rights and freedoms of a Data Subject in a serious way, the Data Protection Officer will notify the relevant national Data Protection authority and, if necessary, inform the concerned Data Subject.

Communication to the Regulatory Authority

IDEMIA undertakes to notify the relevant Regulatory Authority of any violation of Personal data, as soon as possible, and if possible, within 72 hours after becoming aware of it, except when this violation of Personal data is not likely to create a risk for the rights and freedoms of natural persons.

Communication to Data Subjects

IDEMIA undertakes to communicate to the Data Subjects any breach of Personal data as soon as possible, where such breach is likely to create a high risk for the rights and freedoms of the natural person so that he/she can take the necessary precautions.
This communication will describe, as far as possible, the nature of the violation of Personal data and make recommendations to the concerned natural person to mitigate potential negative effects. This communication is made in compliance of the Data Protection Authority recommendations.
In general, IDEMIA does not communicate to the concerned persons when:

  • We have implemented appropriate technical and organizational protection measures and these measures have been applied to Personal data affected by the violation, in particular, measures which render Personal data incomprehensible to any person who is not authorized to have access to them, such as encryption.
  • We have taken further steps to ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialize.
  • It would require disproportionate efforts to communicate with the concerned persons. In this case, a public communication or similar measure is carried out which allows Data Subjects to be informed just as effectively.

Sub-contracting

IDEMIA commits to contracting only with sub-processors who provide sufficient guarantees with regards to privacy compliance rules. The carrying out of processing by a sub-processor must be governed by a contract or legal act binding the sub-processor in accordance with the local privacy rules.

Data subjects rights

IDEMIA commits to respond to requests from Data Subjects without undue delay.
Each Data Subject has the following rights:

  • To receive a report on his/her Personal data in our possession
  • To rectify Personal data concerning him/her when inaccurate or incomplete
  • To delete his/her Personal data
  • To restrict the processing of his/her Personal data
  • To object to the processing of his/her Personal data
  • To ask for data portability according to local privacy laws
  • To be excluded from being the subject of an automated individual decision, including profiling

Data subjects’ requests

Requests from Data Subjects must be sent to the local Data Protection Officer, where the Data Subject is located. These requests can be addressed by postal mail, e-mail or a form available on the intranet site.

The Data Subjects have the right to obtain, within a reasonable period of time, confirmation that their Personal data concerning them are processed or not. The response shall include:

  • The purpose of processing
  • The categories of Personal data concerned
  • Recipients or categories of recipients
  • The data retention period or otherwise the criteria for determining this period
  • The existence of the right to rectification, erasure, and restriction of the processing of their data, and the right to object to such processing
  • The right to lodge a complaint with the Regulatory Authority
  • The existence of automated decision making, including profiling
  • Information about the appropriate safeguards we have in place when the Personal data is transferred outside EU

The Data Subject can also send a request to the Group Data Protection Officer at dpo@idemia.com.
If the Data Subject’s request is rejected, the Data Subject has the right to lodge a complaint.

Complaints

When the Data Subject has not been satisfied with the response, the Data Subject can submit a complaint or a claim to the Data Protection Authority or to the courts where he/she is located.

Cooperation with regulatory authority

IDEMIA will cooperate with the relevant Regulatory Authority for any questions relating to the interpretation of this policy and will undertake to respond to any queries regarding this policy and its implementation within a reasonable period of time.

Conflicts of laws

IDEMIA undertakes the processing of Personal data in accordance with this policy and any applicable Privacy laws. This policy should be interpreted in the light of any Privacy laws of the country in which IDEMIA is established.

When there is a conflict of laws between local laws and IDEMIA Group Privacy Policy, this conflict shall be brought to the attention of Group Data Protection Officer at dpo@idemia.com, as soon as possible.

Implementation and review of this policy

This policy is binding on all IDEMIA entities, its employees, contractors and partners. Each IDEMIA entity shall ensure that the implementation of this policy is properly enforced and that it is binding on all its employees and partners.
This policy is available in English and may be translated into the local language as required.

This Group Privacy Policy is a living document that may be periodically updated by IDEMIA.

IDEMIA
IDEMIA

Subscribe to our newsletter

Receive our key news and keep up with the trends in our markets by subscribing to our newsletter.

By clicking on the "Subscribe" button, you confirm that you agree to IDEMIA’s Terms of Use and Privacy Policy, and agree to the processing of your personal data and acknowledge your related rights, as described therein.

Your email address will be used exclusively by IDEMIA to send you newsletters related yo your selected topics of interest. In accordance with the law, you have rights of access, rectification and erasure of your personal data, as well as opposition of processing, which can be exercised by writing to dpo@idemia.com.