Personal data policy

ARIADNEXT is committed to ensuring that the processing of your personal data from the Remote Identity Verification Service (« PVID Service ») complies with national and European personal data protection legislation.

The purpose of this policy is to explain to you in an understandable and accessible way the processing implemented to understand the reasons for this collection and the conditions under which your data is processed based on the Requirements Framework published by the ANSSI on March 1, 2021 and applicable to Remote Identity Verification Providers (hereinafter the « PVID Framework »).

For this part of the processing, the person responsible for processing your personal data is ARIADNEXT. For more information, please consult the legal notice.

Purpose

As part of the services provided to our clients, ARIADNEXT is required to process your personal data in order to verify your identity in two stages:

  • 1st purpose: to verify the validity of the identity document that you are presenting and that you are the legitimate bearer, based on a selfie type video compared with the photo of the identity document presented via an automatic and manual check.
  • 2nd purpose: constitution of an evidence file containing the data from the first processing operation with a view to resolving a dispute, in the event of investigations or for the purposes of providing evidence in court.

Data processed

ARIADNEXT applies the principle of data minimisation when processing your data.

The categories of data processed for the two treatments are as follows:

  • identification data: gender, surname, first name, date of birth, place of birth, facial image, nationality, municipality of residence, address of residence, identity document number, address at the time of issue of the identity document;
  • the content of DG1, DG2 and DG11 of the security component if applicable;
    biometric data: video of the user’s face;
  • connection data: IP address, logs.

Data Recipients

On the basis of the contracts established with our clients, the only recipients of your personal data are the business departments of our client for whom we provide the PVID Service.

It is possible that we may query an identity document validation service operated by the State issuing the document.

Otherwise, the data is only processed by our company ARIADNEXT.

The data is not intended for any other organisation.

Furthermore, no data is transferred outside the European Union.

Duration of data retention

Depending on the purpose, the length of time your personal data is kept varies.

For the identity verification process, as of the transmission of the result to the client’s business department, the data is kept for ninety-six (96) hours in order to be able to respond to a possible challenge or appeal.

The evidence files are subject to intermediate archiving on the basis of the PVID Repository. The period of retention of evidence files is ten (10) years in principle. This period may be adjusted according to the legal and regulatory requirements of our clients, but may not exceed 15 years.

In the event of identity theft returned by the PVID Service, ARIADNEXT reserves the right to retain the personal data associated with the case of identity theft in order to analyse it for the duration of the analysis. This period may not exceed one (1) year.

Security

In accordance with the RGPD, any organisation processing personal data is bound by a security obligation. Thus, the following security measures have been put in place:

  • Confidentiality obligation signed by the employees processing our clients’ data;
  • Data encryption protects personal data both in storage and in transit;
  • Protection (« encryption ») of evidence file data in AES256 with a file-specific key protected by asymmetric encryption with the private key offline;
  • Protection (« encryption ») of data exchanged between the terminal and the ;
  • The protection (« encryption ») of data exchanged between the terminal and the ARIADNEXT services is provided by the HTTPS protocol. The same is true between the business service and ARIADNEXT services;
  • Regular security audits carried out by specialised third-party companies.

ARIADNEXT is ISO 27 001 certified and hosts the personal data collected.

Your rights regarding your data

The regulations applicable to personal data provide that you have the right to access, rectify, delete incomplete or inaccurate personal data concerning you, limit the processing, and request portability.

However, the requirements of the VID Reference Framework limit these rights. In the context of the VID Service, you only have the right of access to your data but not the right of rectification, nor the right to portability of your data, nor the right to deletion of personal data contained in the transmitted result or in the evidence file.
You do not have the right of access to data that has been subject to processing, whether automated or manual, the knowledge of which could inform you of the nature of the checks carried out by the service for the purpose of detecting identity theft.

However, the exercise of certain rights is conditional on the existence of one or more reasons provided for in the regulations on the protection of personal data. Understand your data protection rights.

If you feel, after contacting us, that your rights regarding your data are not being respected, you can submit a complaint to the CNIL.

Exercise your rights

ARIADNEXT’s Data Protection Officer (DPO) is your contact for any request to exercise your rights regarding this processing.

Contact the DPO electronically:

Contact the DPO by post:

122 Rue Robert Keller
35510 Cesson-Sévigné
France

You can also send your requests via the website:

https://support-pvid.ariadnext.com 

logo-ariadnext-by-idnow