GDPR & PII Information

Undestanding GDPR
Understanding PII
MachineSense Privacy, PII and GDPR position

Understanding GDPR

GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

GDPR replaced the 1995 Data Protection Directive. The regulation was adopted on 27 April 2016. It became enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it did not require national governments to pass any enabling legislation, and is thus directly binding and applicable.

GDPR was created with several fundamental principles in mind, including:

  • Data Protection by Design and by Default: GDPR requires organizations to integrate data protection measures into their products, services, and processes from the very beginning. It emphasizes the importance of privacy in the development and operation of systems and services.
  • Lawful Processing: Personal data can only be processed if there is a lawful basis for doing so. GDPR provides several legal bases for processing data, including consent, contract performance, legal obligations, vital interests, legitimate interests, and public tasks.
  • Consent: Obtaining clear and informed consent is a critical aspect of GDPR. Individuals must be informed about how their data will be used, and they have the right to withdraw their consent at any time.
  • Data Subject Rights: GDPR grants individuals a range of rights over their personal data, including the right to access, rectify, erase, and object to the processing of their data. Data subjects also have the right to data portability, which allows them to receive their data in a structured, machine-readable format.
  • Data Protection Impact Assessments (DPIAs): Organizations are required to conduct DPIAs for data processing activities that are likely to result in a high risk to individuals' rights and freedoms. DPIAs help organizations identify and mitigate potential data protection risks.
  • Security Measures: GDPR mandates that organizations implement appropriate security measures to protect personal data. This includes encryption, access controls, and regular security assessments.
  • Data Breach Notification: Organizations are obligated to report data breaches to the appropriate supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU. The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal or household activities.

The regulation applies regardless of where the data processing takes place, and the location of the data subject, i.e. EU citizens and residents outside the EU. Organizations in breach of GDPR can be fined up to 4% of their annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

One of the key aspects of GDPR is the protection of Personally Identifiable Information (PII).

Understanding Personally Identifiable Information (PII)

Personally Identifiable Information, commonly referred to as PII, is a critical concept in the realm of data protection and privacy. PII refers to any information that can be used to identify an individual directly or indirectly. This information is sensitive in nature and requires special care and protection under data privacy laws such as GDPR. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

PII encompasses a wide range of data elements, including but not limited to:

  • Name: Full name, maiden name, or any variations of the name that could lead to identification.
  • Contact Information: Addresses, phone numbers, email addresses, and even social media usernames that can link back to an individual.
  • Government-issued Identifiers: Social Security numbers, passport numbers, driver's license numbers, and other official identification numbers.
  • Financial Information: Credit card numbers, bank account details, and financial transaction history that can identify an individual's financial status.
  • Biometric Data: Unique physical or behavioral characteristics, such as fingerprints, facial recognition data, retinal scans, and DNA profiles, that can be used for identification or authentication.
  • Medical and Health Records: Information related to an individual's health, medical history, or treatment that can identify them or reveal sensitive health conditions.
  • Employment Information: Employee ID numbers, job titles, and other details related to an individual's employment that can lead to their identification.
  • Online Identifiers: Usernames, IP addresses, and device identifiers that can be linked to a specific individual's online activities.

MachineSense Privacy, PII and GDPR position

MachineSense is a company that is very much aware of the importance of privacy and protection of personal data. We are also aware of the importance of compliance with the GDPR and other privacy regulations.
As such, we have implemented a number of measures to ensure that our customers and partners are able to use our services in a way that is compliant with the GDPR and other privacy regulations.
We have also implemented a number of measures to ensure that our own internal processes are compliant with the GDPR and other privacy regulations.

In all biometric and KYC areas, we are by default not storing any face-prints, voice-prints or KYC-related data on our side, we only process the input-data (imagery, voice utterances, document images or encrypted digital data) and send all the relevant information to you, the customer, while retaining non of it on our persistent storage. On our side, all the processing is done in RAM, in real-time and then forever discarded. This is a rather unique feature of MachineSense, and unique approach to biometric processing, which is different from most of the other biometric providers.

Hence, it's your data and your responsibility on how you store it. We provide only the methods of processing, but we do not store any data on our side.

Concerning PII - face-prints and voice-prints are vectors (arrays of numbers) which on itself do not contain any personal data. They are non-PII (non-personally-identifiable information), although they are still sensitive in may aspects. Please see above for the definition of PII and please consult more literature on what you are allowed to do with voice-prints and face-prints, also relating to your local legislative rules.

MachineSense will only provide you the biometric- and other face- document- or voice-processing methods, which are operating simply as remote real-time functions, and we will not inject ourselves between you and your users. This means also that all the privacy- and GDPR- related measures you might be implementing will not be disturbed anyhow by our services.

If you opt for externally hosted storage of the data mentioned (processed by us), we can assist you in finding the best (licensed) partner to perform that duty. Please contact us for more information.