IDEMIA delivers cutting-edge technologies to the world with the mission to protect the identity of consumers and citizens. Privacy is a core issue for IDEMIA and we aim to secure your Personal data at all times. As security and Privacy are at the heart of augmented identity, the secured digital way of identification we propose, IDEMIA has declared security and Privacy as vital criteria in the pursuit of our mission.
In an increasingly digital world, the boundaries and definition of security are changing. IDEMIA’s security strategy implements the best security standards encompassing both the physical and digital worlds, without forgetting the interwined interconnections between these worlds.
To achieve our requirements, IDEMIA is committed to safeguarding our customers’ business interests and our own by providing comprehensive cybersecurity and information protection services.
The IDEMIA personal data strategy is based on Privacy by default and Privacy by design principles.
For the purposes of this document, the following definitions apply:
|Anonymization||The technical method of de-identification of Personal data in such a manner that the data can no longer be attributed to a specific Data Subject|
|Confidential Information||Any information defined as confidential per the Information Classification Policy.|
|Cookie||A small amount of data generated by a website and saved by your web browser.|
|Data Controller||The person/entity which, alone or jointly with others, determines the purposes and means of the processing of Personal data.|
|Data Protection||All rules and regulations related to Personal data protection in the world.|
|Data Processor||The person or entity which processes Personal data on behalf of the Data Controller.|
|Data Subject||An individual whose personal data is processed manually or automatically.|
|Data Sharing Agreement||Agreement within IDEMIA Group, between two affiliates, enabling Personal data transfer with the same level of data protection.|
|Data transfer||Any data communication, copy, access and/or transmission via network, or from one medium to another, irrespective of the type of medium, outside the European Union (EU), to third countries or international organizations, to the extent that such data are intended for processing by the recipient.|
|Employee||Any person who is or was in an employment relationship with IDEMIA, such as apprentices, trainees or temporary workers, former employees, and contractors.|
|IDEMIA Group entities||All companies of which IDEMIA France, either directly or indirectly, holds more than half of the registered capital and/or companies which IDEMIA France directly or indirectly controls or manages.|
|IDEMIA Assets||All tangible and intangible Assets that IDEMIA has.|
|Personal data||Any information relating to an identified or identifiable natural person (a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, etc.).|
|Personal data breach||A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal data transmitted, stored or otherwise processed.|
|Privacy||All information and data related to Privacy matters of an individual or of an entity which includes but is not limited to Personal data and Confidential Information, trade secrets, or any information related to Privacy in general.|
|Processing of Personal data||Any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Pseudonymization||The processing of Personal data in such a manner that the data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure this.|
|Purpose of processing||The reason for the Personal data processing.|
|Personal Sensitive data||Personal data is considered to be sensitive when revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or it contains genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.|
|Regulatory Authority||The National Authority established in each State or per country or per zone which is in charge of monitoring the implementations of Personal Data Protection and Privacy Laws.|
|Standard Contractual Clauses||The Standard Contractual Clauses (SCC) issued by IDEMIA at the group level based on the EU Commission or the ad hoc clauses agreed between the Parties and authorized by the Supervisory Authority.|
|Third country||All States that are not members of the EU or European Equivalent Adequate countries, or are not considered by an adequacy decision of the EU Commission as guaranteeing an adequate level of Data Protection.|
|EEA country||EEA=European Equivalent Adequate; States ensuring equivalent protection to Personal data as GDPR protection: Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, and United Kingdom.|
|Third party||Natural or legal person, public authority, agency or body other than the Data Subject, Data Controller/Data Processor, and persons who, under the direct authority of the latter, are authorized to process Personal data.|
This policy covers all privacy matters and Personal data processing of IDEMIA. Material scope includes:
This policy applies to all IDEMIA Group entities across the world where IDEMIA is present either by its principal entity or by its affiliates or its joint ventures.
At IDEMIA, we believe that compliance with relevant Privacy laws and Regulations is of utmost importance. IDEMIA Group is compliant with the General Data Protection Regulation EC/2016/679 (“GDPR”) or any corresponding or similar Privacy laws and regulations worldwide.
IDEMIA personal data strategy is based on privacy by default and privacy by design principles.
The legal basis of the processing carried out by IDEMIA is straightforward and based on the legitimate interest of our entity. For sensitive data, we always request the individual consent for personal data processing.
Data processing is in consideration for the legitimate interests of IDEMIA, either to improve our Customers’ services or the performance of our algorithms or it is demonstrated that the processing is necessary (i.e., there is no better method to measure and evaluate performance that is fair and effective) and proportionate (i.e., only the necessary data is processed).
Proportionality also requires that the advantages of processing the data are not outweighed by the disadvantages to exercise the right, and that the measure is adequate to achieve the objectives. In addition, when assessing the processing of personal data, proportionality requires that only that personal data which is adequate and relevant for the purposes of the processing is collected and processed. These standards are met with the use of IDEMIA services. In addition, policies and processes are applied when using IDEMIA services: the processing of personal data is systematically ensured to be adequate, relevant and limited to what is necessary for the purposes for which they are processed (i.e. data minimization); Customers are given the opportunity to exercise their rights (i.e. access, correction, erasure and restriction of processing) by, where permitted, effecting changes to data held in the systems constituting the sources of IDEMIA’s data; and personal data is protected by appropriate technical and organizational security measures.
Thanks to IDEMIA fundamental rights and privacy rules, employees and customers are properly informed of the processing by referring to our appropriate data protection and security policies.
In the course of our business, we may collect and process your Personal data for:
These processing operations are justified by our legitimate interest or with your consent, to make sure that you enjoy our products and services.
Finally, subject to your prior express consent, we may also use the Personal data you share with us for marketing purposes.
When you are an existing customer we will keep your Personal data for as long as our contractual and/or business relationship lasts. We may then store your Personal data in an intermediary database for five (5) years after our contractual and/or business relationship ends.
If you are a prospect with no established contractual and/or business relationship, we will not retain your data for longer than three (3) years after you last contacted us.
If you are an employee, we will retain your data as long as you are in the company and for 10 years after you leave.
We may share Personal data within IDEMIA and also with third parties in the legitimate interest of our customers and partners.
We only share data on the contractual legal basis and only for the purpose to serve our customers. Two types of data transfer exist, one within EU or within IDEMIA Group, the other outside EU.
As IDEMIA is a global organization, we have distinct legal entities (e.g., country subsidiaries) in many parts of the world. Therefore, our internal processes and infrastructure are international in scope and nature and generally cross country borders. Accordingly, you should be aware that we may share your Personal data with other entities within IDEMIA and transfer it to countries in the world where we have data centres or otherwise do business, including those located outside the EU. Such data transfers will be covered by our Data Sharing Agreement (DSA) to ensure the same level of data protection within IDEMIA affiliates within IDEMIA group.
We also rely on third-party suppliers and partners with which we may share your Personal data for the purposes indicated above, Whenever we rely on such third parties, we make sure that they provide an adequate level of protection of the Personal data they process on our behalf. When such third parties are located outside of the European Union, we apply the European Union Model Clauses (SCC) as adopted by the European Commission into our agreements.
We also may share your Personal data with third parties for marketing purposes, only with your explicit consent.
We may also be required – by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence – to disclose your Personal data to judicial, public or governmental authorities. We may also disclose your Personal data if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
We may also disclose Personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.
Confidentiality is key to IDEMIA activities. We care about confidentiality of the information and expect everyone to respect a high standard of confidentiality.
Confidentiality is not only on IDEMIA Intangible Assets but also applies to the Personal data.
All employees, contractors and partners are committed to respect confidentiality and shall sign a Non-Disclosure Agreement, depending on the situation.
Security and Privacy of Personal data are a priority for IDEMIA. Consequently, IDEMIA implements the necessary measures in accordance with our published Group Security Strategy.
IDEMIA implements all physical, technical and organizational measures to adequately safeguard the security and confidentiality of Personal data for Data Subjects against unauthorized and accidental access, unlawful processing, involuntary or unlawful disclosure, loss, destruction or damage.
IDEMIA commits to provide the most secure cloud solutions to its customers according to the relevant applicable laws of each country.
Violations of personal data is managed by our data breach procedure. If the reported breach could potentially damage the rights and freedoms of a Data Subject in a serious way, the Data Protection Officer will notify the relevant national Data Protection authority and, if necessary, inform the concerned Data Subject.
IDEMIA undertakes to notify the relevant Regulatory Authority of any violation of Personal data, as soon as possible, and if possible, within 72 hours after becoming aware of it, except when this violation of Personal data is not likely to create a risk for the rights and freedoms of natural persons.
IDEMIA undertakes to communicate to the Data Subjects any breach of Personal data as soon as possible, where such breach is likely to create a high risk for the rights and freedoms of the natural person so that he/she can take the necessary precautions.
This communication will describe, as far as possible, the nature of the violation of Personal data and make recommendations to the concerned natural person to mitigate potential negative effects. This communication is made in compliance of the Data Protection Authority recommendations.
In general, IDEMIA does not communicate to the concerned persons when:
IDEMIA commits to contracting only with sub-processors who provide sufficient guarantees with regards to privacy compliance rules. The carrying out of processing by a sub-processor must be governed by a contract or legal act binding the sub-processor in accordance with the local privacy rules.
IDEMIA commits to respond to requests from Data Subjects without undue delay.
Each Data Subject has the following rights:
Requests from Data Subjects must be sent to the local Data Protection Officer, where the Data Subject is located. These requests can be addressed by postal mail, e-mail or a form available on the intranet site.
The Data Subjects have the right to obtain, within a reasonable period of time, confirmation that their Personal data concerning them are processed or not. The response shall include:
The Data Subject can also send a request to the Group Data Protection Officer at firstname.lastname@example.org.
If the Data Subject’s request is rejected, the Data Subject has the right to lodge a complaint.
When the Data Subject has not been satisfied with the response, the Data Subject can submit a complaint or a claim to the Data Protection Authority or to the courts where he/she is located.
IDEMIA will cooperate with the relevant Regulatory Authority for any questions relating to the interpretation of this policy and will undertake to respond to any queries regarding this policy and its implementation within a reasonable period of time.
IDEMIA undertakes the processing of Personal data in accordance with this policy and any applicable Privacy laws. This policy should be interpreted in the light of any Privacy laws of the country in which IDEMIA is established.
This policy is binding on all IDEMIA entities, its employees, contractors and partners. Each IDEMIA entity shall ensure that the implementation of this policy is properly enforced and that it is binding on all its employees and partners.
This policy is available in English and may be translated into the local language as required.