RFID and Biometric Time and Access Management technology is one of the fastest moving industries in the world today. Keep yourself up to date of the latest news and innovations.


Back to news list
GDPR Legal notice

Published at 6/12/18

Read 766 times

The principle of proactive liability, established in Article 25 of the General Data Protection Regulation (GDPR), obliges responsible parties and those in charge of processing to comply with the principles relating to the processing of personal data and to demonstrate such compliance.

These principles are the principles of availability, integrity, confidentiality, and permanent resilience of the Management systems and services, in this sense, from ZKTeco Europe, S.L. (hereinafter "ZKTeco") we are obliged to process personal data in a manner that ensures adequate security of the same, including protection against unauthorized or illegal Management and against loss, destruction, theft or accidental damage, through the application of appropriate technical or organizational measures, such as pseudonymization and data minimization, in order to meet the requirements of the GDPR and protect the rights of those concerned.
Likewise, from ZKTeco we apply appropriate technical and organizational measures in order to guarantee that, by default, only the personal data necessary for each of the specific purposes of the Management will be processed. At ZKTeco we apply these technical and organizational measures in all our products and services to maintain the high levels of security required by the GDPR and our own clients. These measures are indicated below:

  •  Procedure for control and access to information by ZKTeco employees.
  •  Perimeter firewall and logical isolation, all platforms have security, access to the ERP is restricted to users registered in the system.
  •  Principles for internal use of virtual machines with the softwares that we sell to our clients, to which the databases of said clients can reach, the accesses to these systems are protected by username and password.
  •  Computer access to personal data is done through validation in front of active directory. Likewise, the data in paper are in locked cabinets.
  •  Identification and authentication: all computers have a password to access information systems. Policies have been implemented to change the password that guarantees the security of access to the systems.
  •  Backup copies: Backup copies are made on a NAS every day, another copy is also made that is saved on a portable external hard drive that is kept outside the facilities of ZKTeco. Likewise, a daily copy is made on the Amazon servers located in Dublin (Ireland).
  •  Restricted access through the fingerprint and facial recognition of the company's Data Processing Center (CPD), in an independent and closed room.
  •  Encryption in communications and access to computer applications, under VPN support.
  •  Antivirus installed on all systems of the company.

Because the new regulations do not establish a closed catalog of technical and organizational security measures, these measures have been prepared by us taking into account the GDPR article 32.1 that states that:

Taking into account the state of the technology, the costs of application, and the nature, scope, context and purposes of the management, as well as the varying risks of probability and severity for the rights and freedoms of natural persons, the controller and the processor will apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which in its case includes, among others:
a) the pseudonymisation and encryption of personal data;
b) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of Management systems and services;
c) the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of management.

In addition, all of our employees must comply with the following security measures to ensure compliance with GDPR:

  • Functions and obligations in relation to the processing of personal data to which employees have access to be able carry out their duties in the company including the tools they have access to.
  • Confidentiality duties: all employees must understand the importance of confidentiality regarding the data to which they have access, even after termination of employment.
  • All employees are obliged to comply with the security and data protection policies and procedures established by the company, and with the current state and European regulations for the protection of personal data.

Furthermore, regarding the obligations of GDPR, to which ZKTeco is complying, we would point out the following:

  • Registration of Management Activities: ZKTeco, in charge of the management, will keep a record of the management activities carried out on behalf of its clients that contain, among others, the name and the contact data of ZKTeco, the management categories carried out in name of its customers and a description of the technical and organizational security measures implemented to protect the data of its customers. Likewise, ZKTeco also keeps a record of the activities it carries out as the person responsible for this management.
  • Data processing on behalf of third parties: ZKTeco's clients, the responsible party for the management, and ZKTeco, as responsible for providing the services to its clients with access to personal data, will sign a contract for the processing of data on behalf of third party that meets the requirements of GDPR Article 28. Likewise, ZKTeco will also sign a contract with its suppliers with access to data.
  • Privacy Impact Assessment (PIA) ZKTeco, as the person in charge of the management, will give support to its clients to carry out a PIA, if they are obliged to do it in accordance with the provisions of GDPR article 35, as well as to the consultations carried out to the AEPD, when appropriate.
  • Right to information: ZKTeco customers, as responsible for the Management, are obliged to inform the interested parties in accordance with the provisions of article 12 and following of the GDPR. Likewise, ZKTeco informs its own customers, suppliers, employees, etc., of the provisions of the aforementioned GDPR articles.
  • Exercise of rights: ZKTeco has a procedure to deal with data protection rights exercises. In the event that ZKTeco receives any request to exercise data protection rights that must be adhered to by its customers, it will notify them in a timely manner. In this sense, the procedure for receiving rights would be as follows: if a user wishes to exercise any of the rights of access, rectification, deletion, opposition, portability and limitation of the processing of their data, they must do so to ZKTeco Europe, SL, located in Carretera Fuencarral 44, Edificio 1, 28108 of Alcobendas (Madrid), or to the email providing documentation that proves your identity. In this sense, the departments in charge of receiving, managing and guaranteeing the answer of these rights will be the Functional Managers of each of the departments.

Data Protection Officer (DPO): ZKTeco has appointed a DPO in the company, thus complying with to what is established in GDPR article 37, for this, the contact details of the DPO are as follows:

Address: Carretera Fuencarral 44, Edificio 1, 28108 of Alcobendas (Madrid)
Telephone: +34 916 532 891

• International Data Transfers: ZKTeco, in order to resolve incidents to our customers, can share data with its parent ZKTeco Co. Ltd. located in China or with any of its subsidiaries worldwide, within and outside the European Economic Area. However, with those companies that are not within the European Economic Area or do not have a level of protection comparable to the European, ZKTeco has signed a contract that includes the standard contractual clauses established by the European Commission and that guarantee compliance with the data protection regulations. The list of all these companies that would form the ZKTeco group can be found here.

Special reference should be made to the Management of specially protected data, in this sense, ZKTeco is a company specialized in the production and development of multibiometric and proximity systems, both for time and attendance and for access control. That is why, among the data collected by ZKTeco, you could have access to specially protected data, such as biometrics for time and attendance and access control. In this sense, GDPR Article 9 establishes that this is specially protected data: "(...) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation."

However, all the devices (fingerprint, facial, palm, etc.) that ZKTeco manufactures only collects certain characteristic points and never complete images of the characteristic and, therefore, it is not possible to restore or obtain the original biometric data.

 We indicate below a statement of the Management of the biometric templates:
ZKTECO Europe SL, company organized under the laws of Spain is an established and reputable manufacturer and solution provider of workforce management and integrated security systems based on RFID and multi-biometric technology, we are proud to pay strict attention to the compliance with the laws related to Human Rights and Data Protection Privacy in every country. Therefore, we hereby state the following declaration:

  1. All of our multi-bio (fingerprint and facial) recognition devices for civil use only collect the characteristic points of multi-bio instead of the multi-bio images, and, therefore, no privacy issues are involved.
  2. The characteristic points of multi-bio collected by our products cannot be used to restore the original multi-bio images, and, therefore, no privacy issues are involved.

How do our Biometric scanners work?

The match is determined using points of interest (minutia) on the fingerprint, such as ridge bifurcations and ridge endings, and only these specific characteristics, which are unique to every fingerprint, are filtered and saved as an encrypted biometric key or mathematical representation. No image of a fingerprint is ever saved, only a series of numbers (binary code), which is used for verification. The algorithm cannot be reconverted to an image, so no one can duplicate the fingerprint.

The proportion of the orbit against its external side, the proportion of the length of the bridge of nose against the width of the wing of nose and so on—these proportional relations determined by the facial bones constitute numerous nodes. Statistical calculation is then conducted in accordance with these nodes to set up a data model and parse the face of a person into a matrix composed of numbers, which, in turn, are transformed into the language readable by the computer. In this way, the person’s face is transformed into numbers with aid of the computer, which are calculated bit by bit and a group of characteristic data is finally extracted to express the entire face of the person. This group of data can also be called face lines. The face lines that are acquired are stored, compared, searched and handled to constitute the major application fields for current facial technology. The face identification system measures these nodes in accordance with the rules to acquire images and produce a numeric code. A common face identification system needs the data of about 22 nodes to complete the identification process.

At last we stress once again that biometrics, as an advanced recognition technology, will be applied in a lot of sectors including e-commerce, banking, insurance and legal affairs. Every year people around the globe suffer from great loss due to the insecurity of passwords. The biometric products actually provide adequate protection for your identity under a high security environment.

REF.: Patent for the devices which have the facial and fingerprint identification function
➢ Patent for human face recognition online software development system
➢ Patent for master and slave face recognition device
➢ Software copyright registration
➢ Patent for face and fingerprint multimodal identification algorithm
➢ Patent for face and fingerprint T&A and access control device
➢ Patent for facial door lock
➢ Patent for face and fingerprint network encrypted device

All our distributors sign a contract for the processing of data on behalf of third parties, under GDPR Article 28, in which we commit ourselves to make a correct use of the data we manage and, as security is everyone's responsibility, all distributors commit to apply our recommendations as a supplier of the systems with which the distributor commercializes to guarantee the principles of confidentiality, integrity, availability and resilience established in the GDPR regarding the Management of data contained in said systems. In this sense, the requirements established to our distributors and final customers when installing their systems are the following:

  • Generation of corresponding users to control access to the software that manages the data of our solutions (applicable to the ZKTeco software).
  • Enable permissions to administrative users by password in order to limit and protect the information contained in the terminal, guaranteeing the confidentiality and integrity of the data (applicable to the ZKTeco hardware).
  • Encryption and pseudonymisation as a necessary technical measure established by GDPR Article 38 for the transfer of data by telematic means between different physical locations (telecommunications protocol ZKTeco).
  • Set communication password to protect the communication between devices and software (telecommunications protocol ZKTeco).
  • Back up of all the information, thus guaranteeing the availability and resilience of the data (applicable to ZKTeco software and hardware).

For all the above from ZKTeco we are absolutely committed to GDPR compliance, given that our systems already comply with the technical and organizational measures needed to handle and manage the risks arising from the data processing we perform, being in continuous development and improvement in order to optimize the security of our data Managements. Furthermore, ZKTeco is in the process of implementing ISO 27001.