We comply with the GDPR (EU) 2016/679 and the LOPD GDD 3/2018

The use of a system based on Artificial Intelligence allows us to offer guarantees of precision, security and data protection in the sense required by the principles of privacy by design and by default.

BIOMETRY

100% private and 100% secure

The facial technology used by das-Nano is developed by its subsidiary Veridas Digital Authentication SL and is continually evaluated by the United States National Institute of Standards and Technology (NIST).

The vector generated from the user’s photo or selfie is irreversible. From the vector, you can never get to the image from which it was created.

The vector generated from the user’s photo or selfie does not contain any sensitive information, so the loss of a vector does not pose a risk to either the user or the client.

Authentication of a user is done by comparison of vectors and not biometric characteristics.

Use of biometric data

in employee access control

The Spanish Data Protection Agency (AEPD) published, on May 18, 2021, the “Data protection in labor relations” guide.

This guide is intended to be a practical tool to help public and private organizations to properly comply with the legislation on this matter.

Among all the considerations contained in this guide, those referring to the use of biometric data to manage the employment relationship are of great interest. It establishes a series of guidelines whose principles can also be applied to the processing of biometric data in other areas.

Does biometric data always imply a special category of data treatment?

The guide confirms that not all biometric data processing involves the processing of special categories of data.

Article 4.14 of the General Data Protection Regulation (GDPR) defines biometric data, broadly, as the «Personal data obtained from a specific technical treatment, related to the physical, physiological or behavioral characteristics of a natural person, that allows or confirms the unique identification of the said person, such as facial images or fingerprint data.»

Article 9.1 of the GDPR, which defines the special categories of data, only includes one type of use of biometric data: “biometric data aimed at uniquely identifying a person.”

From the reading of these two precepts and under the guidelines of the White Paper on Artificial Intelligence, the AEPD clearly states in this guide a conclusion that it had already given in its latest resolutions: not all processing of biometric data should be considered processing of special categories of data or sensitive data.

What is the difference between verification and biometric identification?

There are two ways to perform biometric recognition: verification and identification.
Based on the characteristics of these two types of system, the AEPD guide concludes that “in general, biometric data are only considered a special category of data in the cases in which they are subjected to technical treatment aimed at biometric identification (one-to-many) and not in the case of biometric verification/authentication (one-to-one)”.

  • Biometric verification or authentication: The purpose is to check if individuals are who they say they are, comparing the individual’s data only with other data associated with the claimed identity (one-to-one, 1:1).
  • Biometric identification: The purpose is to know if a particular individual is one of the members of a predetermined group, comparing the data of the individual to be identified with the data of each and every individual included within that group to check if they are one of them (one-to-many, 1:N).

The AEPD recommends the use of biometric verification but does not prohibit biometric identification; on the contrary, it expressly contemplates it to control access and registration of employees’ working hours, provided that the rest of the requirements established in the GDPR are met.

When is the processing of biometric data legitimate?

Personal data can only be processed if any of the legitimizing bases provided in article 6 of the GDPR concur.

For special categories of data, processing is prohibited unless one of the exceptions in article 9.2 of the GDPR applies. In addition to the legitimizing basis for the processing, one of the exceptions must be present.

The user’s consent constitutes both a legitimate basis for any data processing and one of the assumptions provided for the treatment of special categories of data. Therefore, if the person consents to this treatment, it can be carried out.

The AEPD now emphasizes that, within the framework of an employment relationship, the implementation of an access control system for employees and registration of working hours that uses biometric data can be based on the fulfillment of the obligations and the exercise of the rights that labor, security, and social protection legislation provides for the employer, and therefore without the need for the consent of the workers.

Is any facial recognition system valid?

The AEPD recalls that biometric systems must always comply with the requirements established in the GDPR, among which are:

  1. Clear and transparent information to the users of the system. The worker must be informed about the processing.
  2. Data protection “by design” in the system.
  3. Preferential storage of biometric vectors instead of raw data (e.g., facial image, audio, etc.). In addition, storage on personal devices is preferred over centralized storage.
  4. Biometric vectors not interoperable with other systems. This is an intrinsic characteristic of current biometric systems, which are based on Artificial Intelligence, such as those used by dasGate.
  5. A guarantee that the data is not used for another purpose.
  6. Adequate protection of biometric data through encryption technology.
  7. Possibility of revoking the identity link. In this sense, reference should be made to the irreversibility of vectors in biometric systems based on Artificial Intelligence, such as those used by das-Nano.
  8. Limitation of the purpose of the processing.
  9. If a biometric identification system is used, an impact assessment must be carried out.

FREQUENTLY ASKED QUESTIONS

related to biometrics

Can I rest easy when my photo or selfie is recorded for facial recognition?

Of course. It will only be used for the purposes for which you have been informed, and, as we have explained, the use of the vector is minimal and controlled.

Can my face be used for a purpose other than access control?

No, your data will only be processed for the specific purpose you were informed of and consented to.

Why is access with facial recognition better than one with a proximity card or QR?

And if someone gains access to or steals my biometric vector, can they use it?

No, no one will be able to access the service where you are registered even if they know your vector. To grant access, one vector is always compared against another (in this case, one obtained from a photo of you taken at the time of entry), so it would be useless.

What is biometrics?

How can biometrics be used?

What are the origins of biometrics?

TYPES OF APPLICATION

of facial biometrics

Biometric technology can be applied in two different ways:

For identification purposes. This is the method known as 1:N, since it compares an individual against a group (that is, against each of the people that make up that group). The purpose is to know if that individual is one of those belonging to that group.

For authentication or verification purposes. This method is known as 1:1, since the individual’s data is compared against other data associated with that same individual. The goal, in this case, is to verify your identity, that is, that you are who you say you are.

FROM BIOMETRICS

to an irreversible vector

Whether for authentication or identification, a biometric recognition system must always start from the capture of the individual’s data. These data are the biometric characteristics (e.g., facial image, voice, etc.).

The data will be processed by a biometric engine to produce a biometric template or vector, that is, a digital reference to a set of characteristics used for the authentication or identification of an individual.

Once you have the vector of the individual to be identified or authenticated, you can proceed to the comparison with one or more other vectors. It is important to note that the comparison is always made between vectors, between digital references, and not between biometric characteristics.
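The two comparison modes described above, as an added example that is not das-Nano or Veridas code: it shows that 1:1 verification touches only the template of the claimed identity, while 1:N identification compares the probe against every enrolled template. Cosine similarity, the 0.80 threshold, the function names and the four-dimensional vectors are all assumptions constructed for illustration.

```python
import math

THRESHOLD = 0.80  # assumed decision threshold, not a vendor value

# Constructed enrollment vectors (a real engine emits far more dimensions).
GALLERY = {
    "alice": [0.90, 0.10, 0.30, 0.20],
    "bob":   [0.10, 0.80, 0.20, 0.50],
    "carol": [0.30, 0.20, 0.90, 0.10],
}

def cosine(a, b):
    """Cosine similarity between two vectors of equal length."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def verify(probe, claimed_id, gallery=GALLERY):
    """1:1 - compare only against the template of the claimed identity.
    Returns (accepted, number_of_templates_compared)."""
    template = gallery.get(claimed_id)
    if template is None:
        return False, 0
    return cosine(probe, template) >= THRESHOLD, 1

def identify(probe, gallery=GALLERY):
    """1:N - compare against every enrolled template.
    Returns (best_match_or_None, number_of_templates_compared)."""
    best_id, best_score, comparisons = None, -1.0, 0
    for user_id, template in gallery.items():
        comparisons += 1
        score = cosine(probe, template)
        if score > best_score:
            best_id, best_score = user_id, score
    if best_score < THRESHOLD:
        best_id = None  # nobody in the group matches well enough
    return best_id, comparisons

if __name__ == "__main__":
    probe = [0.85, 0.15, 0.35, 0.15]  # constructed vector from a fresh capture
    print("verify as alice:", verify(probe, "alice"))
    print("verify as bob:  ", verify(probe, "bob"))
    print("identify:       ", identify(probe))
```

The comparison count returned by each function makes the difference between the two modes visible: one template read for verification, the whole group for identification.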

Artificial intelligence biometrics

The mathematical vector generated by Veridas is not a representation of the points of the biometric characteristics of the subject.

As a consequence, not even the skilled engineer who has designed the system can interpret the mathematical vector to extract information from the individual who lent their data.

Therefore, someone who has a vector cannot extract information about the individual to whom it belongs or identify them. Consequently, having this vector does not mean that the biometric data has been compromised or that it can no longer be canceled.

How we train our facial recognition engine

For the training of the systems, Veridas uses public databases intended for these purposes or, failing that, private databases created by the entity, seeking the consent of the subjects for this specific purpose.

In no case is the data processed by the biometric engine to provide the identification or authentication service in production used for the automatic training of the system.
There is no system training during the identification or authentication of users in production.
