Global Biometrics Privacy Notice
1. INTRODUCTION TO THIS GLOBAL BIOMETRICS PRIVACY NOTICE
The protection of Biometrics Personal Data is important to Token and its affiliated entities worldwide. Token respects individual privacy and the protection of Personal Data and values the confidence of our customers, job applicants, employees, suppliers, contractors, business partners, and the public. That is why we strive to process Biometrics Personal Data in a manner consistent with the laws of the countries in which we do business, and to protect it against loss, leaks, errors, unauthorized access or unlawful processing.
2. KEY TERMS USED IN THIS NOTICE
“Applicable Data Protection Laws” means Data Protection Laws that apply in a particular jurisdiction and/or to a particular type of data or use of data.
“Biometric Personal Data” means Personal Data of End Users that is processed by Token on behalf of a Customer and contains biometric identifiers and/or biometric information, including: identity documents, including passports and identity cards with the information printed thereon; physical and behavioral attributes, such as facial features, voice patterns, fingerprints, palm prints, finger and palm vein patterns, structures of the eye (iris or retina) or gait; and images, recordings of the sound of the voice or recordings of facial features. Biometric Personal Data also includes biometric templates, which are mathematical representations of features or characteristics from a fingerprint image or recording, to the extent such templates are within the scope of Applicable Data Protection Laws. Unlike most other types of Personal Data, Biometric Personal Data is distinctive, stable over time, difficult to change and largely unique to the individual.
"Biometrics Services" means Token’s platform offering passwordless multi-factor authentication with a biometric component (through various hardware form factors and utilizing multiple software elements) for the identity verification of End Users on behalf of Token Customers based on Biometric Personal Data, among other factors. This platform is designed according to FIDO alliance standards.
“Customer” means any person or entity who enters into a contract with Token to access or use Biometrics Services.
“Data Protection Laws” means 1) the U.S. Data Protection Laws, 2) the GDPR and the laws of non-EU EEA countries that have formally adopted the GDPR, 3) Brazil’s Lei Geral de Proteção de Dados Pessoais or 4) any other data protection laws applicable to Token’s processing of Personal Data.
“EEA” means the European Economic Area.
“EU” means the European Union.
“End User” means any person who accesses Biometrics Services as an end user via a Customer.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
“Notice” means this Global Biometrics Privacy Notice.
“Token”, “we”, “us”, or “our” means Token Inc. and its affiliated entities worldwide.
“Personal Data” means personal information and personally identifiable information, as such information may be defined under Applicable Data Protection Laws.
“Privacy Center” means the Token website containing privacy related material at www.tokenring.com or an equivalent successor Token website.
"U.S. Data Protection Laws" means all laws and regulations of the United States of America, including the California Consumer Privacy Act (CCPA), applicable to the processing of Personal Data.
3. WHAT’S IN SCOPE FOR THIS STATEMENT
This Notice applies where Token acts as a “processor”, processing Personal Data of End Users on behalf of our Customers who determine the purposes and means of the processing of Personal Data.
More specifically, this Notice describes the data privacy and protection practices of Token as a processor in the collection, processing, use, storage, transfer, and disclosure of Biometric Personal Data. It explains how we collect, use, disclose, and protect Biometric Personal Data in our Biometrics Services. Please read this Notice carefully to understand our practices regarding Biometric Personal Data with respect to our Biometrics Services solution and your rights in relation to it.
This Notice applies to the extent applicable and not prohibited in your jurisdiction. Token conducts business globally and may reference regulations in this Notice that may not be applicable to your particular use or jurisdiction.
Please read this Notice and the documentation regarding Biometrics Services available at the Privacy Center, in particular the Token Corporate Privacy Statement, the Token Product Privacy Statement and the list of sub-processors for Biometrics Services published therein, which form an integral part of this Notice.
If you disagree with Token’s privacy practices, please do not access or use Biometrics Services and do not transfer Biometric Personal Data to Token. By accessing or otherwise using Biometrics Services, you indicate that you have read this Notice and consent to its terms, unless such form of consent is prohibited in your jurisdiction. You are not obliged to disclose your Biometric Personal Data; however, you may not be able to use Biometrics Services as designed in that case. We remind you that you are responsible for all Biometric Personal Data you provide to us and that we rely on its accuracy.
This Notice was last updated on the date set forth below. We may update this Notice from time to time to reflect changes to Token’s processing of Biometric Personal Data. We encourage you to review the Notice on a regular basis and whenever you elect to provide personal information to Token by visiting the Privacy Center. You will be notified of material revisions to this Notice electronically or by other means that Token deems reasonably sufficient to reach your attention, such as a prominent post on our website.
4. FROM WHOM DOES TOKEN PROCESS PERSONAL DATA AS A CONTROLLER?
This Notice applies to Biometric Personal Data of End Users of our Biometrics Services. These End Users are individuals who agree to have their identity authenticated by a Token Customer (such as a corporate employer or other organization) in the context of a Customer’s identity and access management process. The Token Customer uses the Biometrics Services to authenticate the End User. The End User is asked by the Token Customer to agree to and perform uploading of certain Personal Data for authentication purposes, including certain Biometric Personal Data.
Token may collect and process the following types of regular Personal Data relating to the End User in connection with a Customer’s use of our Biometrics Services:
- Identification data such as full name.
- Information from identity documentation, such as an identity card, passport, driver’s license or Customer provided identification information, if required by Customer.
- E-mail address.
- Mobile telephone number.
Token may also collect and process Biometric Personal Data relating to End Users in connection with a Customer’s use of our Biometrics Services, including the following:
- Biometric identifiers contained in fingerprint scans.
- Biometric data related to whether a wearable device is in fact being worn by the End User.
- Biometric templates: Mathematical representations of features or characteristics from a fingerprint scan, image or recording.
- Certain metadata as explained in section 5 below.
Biometric Personal Data is compared by algorithms. To perform this comparison (matching), it is stored in the form of templates or mathematical representations on the secure element portion of our devices. In the enrollment process, the source data is collected, the template is created, and then stored in a database as reference data on the secure element. The secure element utilizes encryption technology and is tamper resistant both in its digital design and physical manufacture.
The fingerprint itself is not stored on our devices nor transferred to any other system. The reference template remains on the secure element and is not transferred to your mobile device, our mobile application, our web services, nor your computer. The End User may delete the template by performing a factory reset of the device. Because of these factors, under certain data protection laws such as the Illinois BIPA, our system is considered outside the scope of the law, meaning that we do not collect, store, or process biometric personal data.
Biometric Personal Data or other Personal Data that prospective customers or Customers elect to submit to use for a product demonstration, testing, proof of concept or other agreed purposes may be processed for demonstrations or trials. Biometric Personal Data and other Personal Data submitted for these purposes will only be used for demonstration, testing, proof of concept or other purposes agreed up front with you. The Biometric Personal Data and other Personal Data provided will be erased after the conclusion of the product demonstration, testing, proof of concept or other agreed purposes.
5. HOW DOES TOKEN USE THE PERSONAL DATA?
Upon instruction and on behalf of the Customer, Token will access, process, and store the End User’s Biometric Personal Data for the purpose of providing the Biometrics Services. These Biometrics Services are used to authenticate the End User.
Metadata related to the above types of Biometric Personal Data are used as follows:
- Timestamps are used to log the time and date when the Biometric Personal Data was collected and used.
- Device Information provides information about the device used for the data collection, like the brand or model of a device or an identifying numerical code for the device.
Token will not sell, lease, or trade the Biometric Personal Data processed on behalf of the Customer.
6. WHAT IS THE LEGAL BASIS FOR PROCESSING?
Our processing of Biometric Personal Data of End Users is based on the instruction given by the Customer, which is responsible for obtaining the consent of the End User.
Biometric Personal Data are processed on behalf of the Customer, who acts upon the request of the End User only and is responsible for obtaining the End User’s explicit informed consent prior to the collection and processing of Biometric Personal Data. To the extent that the Customer and End User are the same, this policy also serves as informed consent upon use of our devices and platform which refers to this policy.
The Customer is responsible for ensuring that the consent given by the End User to the Customer extends to the transfer of the Biometric Personal Data to Token as well as to further processing of the Biometric Personal Data for identity authentication purposes only.
7. HOW WE SHARE BIOMETRIC PERSONAL DATA FOR BUSINESS PURPOSES
We may share or disclose Biometric Personal Data with sub-processors agreed to by our Customers in their contracts with us. These sub-processors are third-party service providers that assist us in the provision of our services, and they may process Biometric Personal Data on our behalf.
The list of sub-processors for our Biometrics Services solution, which forms an integral part of this Notice, is available on our website.
We may disclose Biometric Personal Data if required by law, regulation, legal process, or governmental request. In the event of a merger, acquisition, sale of substantially all our assets, or other corporate transaction, Biometric Personal Data may be transferred as part of the assets involved.
8. HOW LONG DO WE KEEP BIOMETRIC PERSONAL DATA?
Token retains Biometric Personal Data only for as long as necessary to fulfill the purposes outlined in this Notice or as required by applicable laws and regulations (for instance, minimum or maximum retention periods required by law). If there is an indication of fraud, we will keep related Biometric Personal Data for as long as necessary to resolve the situation. After that, we will permanently delete the Biometric Personal Data. To that end, we have implemented the following data retention practices to ensure that Biometric Personal Data is securely deleted or anonymized when no longer needed. The End User has control over the template representation of their fingerprint data on the device and can delete it by performing a factory reset. If an End User returns a device to us with a loaded template, we delete it during our return processing.
Token’s Customer, the controller of the Biometrics Data, who received the biometric information of the End User will delete the Biometric Personal Data as per the Customer’s own deletion policies, for which the Customer is solely and entirely responsible.
9. INTERNATIONAL TRANSFER OF BIOMETRIC PERSONAL DATA
We may transfer Biometric Personal Data to countries outside of the jurisdiction of the End User for the purposes outlined in this Notice. The list of sub-processors for our Biometrics Services solution, which forms an integral part of this Notice, contains the jurisdictions in which Biometric Personal Data may be processed and/or stored. This list can be found in the privacy section of our website.
We will ensure that any such international transfers comply with applicable data protection laws, including implementing appropriate safeguards.
10. HOW IS BIOMETRIC PERSONAL DATA SECURED?
We maintain appropriate technical and organizational measures to protect Biometric Personal Data against unauthorized access, loss, or alteration. These measures include encryption, tamper resistant chips, access controls, regular audits, and employee training on data protection and security.
Information about technical and organizational measures may be further requested by sending an email message to firstname.lastname@example.org
11. YOUR RIGHTS
Individuals whose Biometric Personal Data is processed may have certain rights under Applicable Data Protection Laws, which may include:
- Right to Access: You can request access to the Biometric Personal Data we hold about you.
- Right to Rectification: You have the right to request the correction of inaccurate or incomplete Biometric Personal Data.
- Right to Erasure: You can request the deletion of your Biometric Personal Data under certain circumstances.
- Right to Restrict Processing: You have the right to request the limitation of processing your Biometric Personal Data.
- Right to Data Portability: You can request the transfer of your Biometric Personal Data to another controller.
- Right to Object: You have the right to object to the processing of your Biometric Personal Data on grounds relating to your particular situation.
- Right to Withdraw Consent: If processing is based on your consent, you have the right to withdraw your consent at any time.
To exercise your rights or seek further information about our data processing activities, please contact us using the contact details in Section 12, “Contacting Token”.
12. CONTACTING TOKEN
We make every effort to handle your Personal Data in a careful and legitimate manner in accordance with the applicable regulations. Nevertheless, if you believe that your rights have been violated and if you do not find an answer to your concerns with Token, you are free to contact an appropriate supervisory authority that may be competent to handle a complaint regarding a purported violation of Applicable Data Protection Laws.
If you believe that Personal Data has been used in a way inconsistent with this Notice, or if you have further questions, comments or suggestions related to Token’s handling of Personal Data, please contact Token by emailing email@example.com. For data subjects located in the EU/EEA or another jurisdiction requiring a data protection officer, written inquiries to the Token EU Data Protection Officer may be emailed to firstname.lastname@example.org or addressed to:
Token Data Protection Officer
4545 East River Rd, Suite 310
West Henrietta, NY 14586
For data subjects located outside of the EU/EEA, written inquiries may be sent to the same address above.