UK General Data Protection Regulation (GDPR)

Noah Facial Recognition Pty Ltd ("NoahFace") is committed to privacy and adheres to the requirements of the UK General Data Protection Regulation ("UK GDPR").

You can learn about the UK GDPR from the Information Commissioner's Office.

Definitions

Using the terminology of the UK GDPR:

Principles

NoahFace adheres to the UK GDPR Principles as follows:

Lawfulness, Fairness, and Transparency

NoahFace only uses data in a manner that is both lawful and fair. This is covered further in the Lawful Basis of Processing section.

NoahFace provides complete transparency as to:


These questions are answered in detail in our Privacy Statement.

Purpose Limitations

The NoahFace System stores Personal Data only for the purpose of allowing our Customers to perform the business functions they decide they need, which may include:


NoahFace does not use the stored data for its own purposes, nor does it provide access to the stored data to any third parties for their own purposes.

Data Minimisation

The NoahFace System only stores data that is needed to perform the business functions our Customers decide they need. The NoahFace System provides features to help Customers further minimise stored data. Specifically, our Customers can choose to:

Accuracy

The NoahFace System provides features to synchronise Personal Data from source systems (eg: a payroll system or an access control system), so that this data is as accurate as these source systems. When capturing event data, the NoahFace System uses automated sources of data (eg: the date/time, the location on a device, or a specific button that was pressed) so that the captured data is accurate.

Storage Limitations

The NoahFace System only retains event data for as long as our Customers decide they need it (or for 90 days by default).

Integrity and Confidentiality

NoahFace has appropriate security measures in place to protect the data held in the NoahFace System. This is covered further in the Security section.

Accountability

NoahFace has appropriate measures and records in place to be able to demonstrate compliance with the UK GDPR. This is covered further in the Accountability and Governance section.

Lawful Basis of Processing

Contract

NoahFace enters into a Contract with our Partners to process data on their behalf. In turn, our Partners enter into a Contract with each of their Customers to process data on their behalf.

Special Category Data

The NoahFace System can capture, store, and process biometric data, which is considered a Special Category of Personal Data under the UK GDPR. The UK GDPR allows for the processing of biometric data when explicit Consent is provided by Data Subjects, as is required by the NoahFace system. This is covered further in the following section.

Consent

Data Subjects are required to provide explicit Consent to the capture and processing of Personal Data, and biometric data in particular. The NoahFace System:

  • Provides a clear and simple explanation of the data it captures and what it is used for.
  • Provides alternative means of identification for individuals who do not grant Consent.
  • Records the date and time that Consent was granted by each individual.
  • Allows Consent to be easily withdrawn.
  • Allows Customers or Partners to extend the privacy statement if additional disclosures are required.


NoahFace App screen shot showing privacy consent.

Individual Rights

NoahFace recognises and supports the fundamental Individual Rights defined by the UK GDPR:


NoahFace has developed specific product features to make it easy for Customers to deliver these rights to individuals.

Right to be Informed

The NoahFace System clearly discloses in the privacy statement (which Data Subjects consent to) what data is captured and what it is used for. Customers can augment this privacy statement if they want to add additional disclosures.

Right of Access

The NoahFace System allows Customers to export all of the Personal Data for an individual. When an individual makes a request for their data, all of their data (including event photos) can be packaged up into a "ZIP" file, which can be easily provided to them.

Right to Rectification

The NoahFace System allows Customers to edit the Personal Data for an individual.

Right to Erasure

The NoahFace System allows Customers to immediately and permanently erase all of the Personal Data for an individual. This includes all of their profile data (eg: their name), their profile picture, their recorded events and associated photos, and their biometrics.

Right to Restrict Processing

The NoahFace System allows Data Subjects to withdraw their consent. This deletes their biometrics and they will no longer be recognised.

Right to Data Portability

The NoahFace System allows Customers to export all of the Personal Data for individuals. Data is exported using industry standard file formats (eg: JPEG, CSV, etc) for ease of portability.

Right to Object

The NoahFace System allows Data Subjects to withdraw their consent. This deletes their biometrics and they will no longer be recognised.

Rights Related to Automated Processing

The NoahFace System:

Accountability and Governance

NoahFace is committed to Accountability and Governance as defined by the UK GDPR:

Contracts

NoahFace enters into a Contract with each of our Partners to process data on their behalf. NoahFace has entered into an agreement with its Sub-Processors (ie: Amazon Web Services).

Documentation

NoahFace maintains comprehensive documentation regarding our data processing.

Data Protection Impact Assessment (DPIA)

NoahFace has formally conducted a Data Protection Impact Assessment (DPIA).

Data Protection Officer

NoahFace has formally appointed a Data Protection Officer. If you have any questions or concerns about data protection, please contact our Data Protection Officer at: [email protected]

Data Protection by Design and by Default

NoahFace has designed data protection into our core processes and systems. In particular:

Security

Encryption

The NoahFace System uses appropriate encryption techniques to protect data including:

Passwords

The NoahFace System uses appropriate password management techniques to protect data including:

International Transfers

The NoahFace Cloud service is hosted on Amazon Web Services (AWS) and utilises an Australian-based data centre. As such, when a UK-based Customer is utilising the NoahFace service, an International Transfer of data takes place.

NoahFace enters into a Contract with each of our Partners to process data on their behalf. This contract incorporates standard data protection clauses recognised or issued in accordance with the UK data protection regime. These are known as ‘Standard Contractual Clauses’ (‘SCCs’ or ‘model clauses’). The SCCs contain contractual obligations on the Partner (the data exporter) and NoahFace (the data importer), and rights for the individuals whose personal data is transferred.

© NoahFace 2018