PRIVACY POLICY FOR TBS ONBOARDING APP
ACCOUNTABILITY
Developer of the App is Touchless Biometric Systems AG, Rietbrunnen 2, 8808 Pfaeffikon, Switzerland (hereinafter "TBS").
HOW THE ONBOARDING APP WORKS
TBS is the provider of a biometric system comprised of these components:
- TBS BIOMANAGER Biometric Server (hereinafter "TBS Server")
- TBS biometric devices to authenticate users (hereinafter "TBS Readers")
- TBS Onboarding App (hereinafter "App")
While TBS provides this biometric system, its operation, including the user management, is the sole responsibility of the entity operating it (hereinafter "Operator").
The Operator can register biometrics of new users by enrolling them on the TBS Readers installed in their premises. In addition, the Operator can register a new user by sending them an e-mail invitation, in which the Operator defines the access zones to which the user data will be synchronized and defines when the invitation will expire.
After receiving the invitation e-mail, users will install the App, scan the QR Code received with the e-mail, fill in their personal data, capture two pictures of their face (and, optionally, their hand) and send these data to the TBS Server. The App therefore allows users to self-enroll their biometrics on their personal device, at the place and time of their convenience. An invitation QR Code can only be used once.
PROCESSED DATA
While the App is in use, the user's personal data will be sent to the TBS Server. The TBS Server can be either located locally ('On-premise' scenario) or hosted in the TBS Cloud.
The following data are submitted:
- IP address of the accessing mobile phone
- The operating system of the mobile phone
- App version
- Unique App ID (Android: App Set ID, iOS: Identifier for Vendor)
- Surname of the user
- Name of the user
- Either one or both of the following (the user is required to submit at least one biometric modality):
  - 2 face pictures of the user
  - 1 hand picture of the user
- User avatar (portrait picture that will be displayed to the user during authentication, optional)
- Date and time of submitting the data
USER PICTURES ARE TRANSFORMED INTO BIOMETRIC TEMPLATES
The TBS Server will transform the received pictures into a binary code called ‘biometric template’ and encrypt these templates. The TBS Server never stores images, but only encrypted templates. It is not possible to reconstruct your picture from this template.
The biometric template creation follows this process:
When using a biometric reader, the same process is repeated: the reader creates a new ‘live template’, searches the user database for the matching template and thus identifies the user. A person can only be recognized if her/his face was registered before.
The TBS system protects biometric data at the highest level and ensures compliance with international data privacy regulations.
USER DATA STORED ON TBS SERVER
The TBS Server stores this data in the user record, if provided by the user:
- Surname
- Name
- Either one or both of the following (the user is required to submit at least one biometric modality):
  - 1 or 2 face templates (selectable by the user)
  - 1 hand template
- User avatar (optional)
DELETION OF USER DATA
If a user is inactive for a certain time, the TBS Server automatically deletes all his/her biometric data. The duration of this inactivity period can be configured for each TBS Server. The user will be informed about the inactivity period set for their TBS Server with the invitation e-mail. By default, the inactivity period is defined as 12 months. If a user presents his/her biometrics during this time, TBS considers this a willing consent to prolong the data storage of his/her biometrics until the defined inactivity period is reached.
PURPOSES OF PROCESSING PERSONAL DATA
The submitted data will be processed on the server side as part of the biometric registration process. If data processing succeeds, the data will be stored in the installation-specific database and optionally distributed to other connected TBS biometric devices.
This enables the user to subsequently authenticate on TBS biometric readers in the installation, featuring the enrolled biometric modalities.
By performing the onboarding process, the user documents his explicit consent that the personal data he willingly provided to the App are registered, that these data are transmitted to the TBS Server, and that they will remain stored there until he revokes his consent or ends his contractual relation with the company operating the TBS Server, at which time the Operator is legally obliged to delete the biometric data.
The legal interest of the Operator to collect and operate the biometric system must be declared by each Operator individually to the users they intend to register in their system, and whom the Operator will invite to download and use the App. The user will know the purpose of the further use of their personal data before using the App, as all Operators will embed the App usage into a specific workflow within their IT infrastructure. This means the invitation e-mail will be customized by each Operator, clarifying the purpose of the invitation and further use of the data.
RECIPIENT OF THE PERSONAL DATA
The submitted personal data is stored solely on the TBS Server. The Operator has no possibility to extract the biometric data from the TBS Server and thus cannot pass it on to third parties.
PERSONAL RIGHTS OF THE USER
Users can contact TBS via the contact form on the TBS website to request information about TBS services. In addition to the voluntary information and message content, TBS asks the user to provide the following information as required:
- Name
- E-mail address
- Company
- Phone number
TBS needs this information to process the request and to send the user the requested answer. Requests received via the contact form on our website are stored in the TBS CRM system. The CRM system is regularly checked to see whether data can be deleted. Should data no longer be required in the context of a customer or prospective customer relationship, or should the customer's interests to the contrary prevail, TBS will delete the data concerned, provided that this does not conflict with statutory retention obligations.
LEGAL NOTE
This privacy policy is governed by the laws of Switzerland and complies with the General Data Protection Regulation (GDPR) of the European Union. TBS reserves the right to amend this policy in accordance with legal or operational requirements. For any questions related to data protection, please contact tbs@tbs-biometrics.com.