Privacy Notice for Remote Identification Service

 

1) Identity and contact information of the Data Controller

CSC - Finnish IT Сentre for Science Ltd
P.O. Box 405 (Keilaranta 14)
FI-02101 Espoo
tel. 09 457 2821 (operator)
servicedesk@csc.fi

www.csc.fi

2) Contact person for register-related matters

CSC Service Desk
tel. 09 457 2821 (operator)
servicedesk@csc.fi

CSC's data protection officer

privacy@csc.fi

3) Name of the register

CSC user remote identification service. This register complements the general CSC customer register privacy notice (https://www.csc.fi/customer-register-privacy-policy)

4) Purpose and legal basis for the processing of personal data

The processing of personal data is based on the activities in the purpose of using CSC services or fulfilling of a commercial contract, depending on which role the account use is associated to.

CSC user remote identification service is used to raise the level of assurance of the identity of the person using CSC services. The results of the remote identification can also be used as input when enforcing export restriction policy.

It is based on the consent of the data subject (GDPR 6(1)(a)), our legitimate interests (GDPR 6(1)(f)) and the controllers legal obligation (GDPR 6(1)(c)).

We may use the personal data you provide to uniquely identify the user within CSC's systems. e.g. include it / or combine it with data you have provided via CSC's customer portal [ https://my.csc.fi/ ].

If you decide not to supply personal data that we have requested, then you will be unable to use the remote identification and thus, our services that require medium or high level of assurance of the identity. In this case you have a possibility for alternative ways of proving your identity, please contact the service desk for further information servicedesk@csc.fi

5) Personal data groups in this privacy notice

Based on the on the consent of the data subject

Basic information

  • First name
  • Last name
  • Email
  • Social security number or other national identification code or date of birth
  • Nationality
  • Biometric data used in the identification process (person image or video, passport information), which all will be removed after the identification process has been completed
  • Any personal information the user may input while using the service

Based on controller's legitimate interests

  • Log files related to the remote identification process, which will be automatically removed after one year

Based on processor's legitimate interests

  • Unique device identification code

  • IP addresses

Based on controller's legal obligation

  • Nationality information for enforcing export restriction policy. CSC needs to know the nationality of its customers due to export restrictions set by national and/or international authorities.

6) Information on the source of personal data

Source of personal data:

  • The data subject provides his / her full name when signing up for a CSC account in https://my.csc.fi/
  • The data subject provides his / her information that is stored on the passports NFC chip by using the Candour ID mobile application. The Candour ID mobile application reads the passports data. The Candour ID mobile application also requests the data subject to take a photo of their face. The official passport photo contained on the passports NFC chip and the photo taken by the data subject are compared by an AI algorithm.

7) Recipients and recipient groups of personal data

Candour Ltd, which has no subcontractors for this service.

8) Information on transferring data to third countries

The data will not be transferred or disclosed to parties outside the EU or the European economic region.

9) Retention period of personal data

The data used for remote identification process will be removed two weeks after the identification event. Personal data will be archived when end-user finishes the use of CSC services. The archived data will be deleted after 2 years.

10) How do we protect your data 

The systems that store your personal data are protected using for example firewalls and role based access control. The data is transferred using encrypted channels. 

CSC assures that its contractor (Candour Ltd) provides the service using generally acceptable and effective data security solutions. The User is responsible for the data security of the User’s own systems and devices.

11) Information on the existence of automatic decision making, including profiling


An AI algorithm compares the official passport photo and the photo taken by the data subject and determines if the passport data and photo data match. After successful identification user personal information will be automatically validated by the CSC identity management system and the persons identity assurance level will be raised unless the system indicates that the person is subject to export restrictions. In the latter case the validation process will be continued manually.

12) Principles for the protection of data

The registered data is stored according to the best practices, good information security and legislative regulations so that it is protected from external parties. The register is protected with user identification and passwords as well as structural and group-specific authorization. Registers containing personal data can be accessed only by the members of personnel who require the use of personal data for performing their work tasks. The system can be accessed only through a protected network connection.

An agreement on the terms regarding the processing of personal data, which is in accordance with the EU General Data Protection Regulation, has been made with the system supplier (Candour Ltd).

The use of the service creates log entries which are used for ensuring the information security of the service, developing the technology of the service, and for detecting, preventing, or investigating technical faults or errors (Sections 138,141,144, and 272 of the Information Society Code (917/2014)). The logs are retained for these purposes for the required time period and they will not be used for any other purposes.

13) Rights of the data subject

With respect to the processing of your personal data, you have the following rights:

  • to request confirmation as to whether we are processing personal data concerning you and to access to your personal data
  • to demand the rectification or completion of inaccurate or incomplete data
  • to request the erasure of data, if those are no longer required for the purposes for which they were collected or processed or the data processing is unlawful
  • to request the restriction of processing, under certain conditions

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you.

We will then no longer process the personal data, unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

We will always use best efforts to address and settle any requests or complaints you bring to our attention. Besides contacting us you always have the right to approach the competent data protection authority with your request or complaint:

  • at your habitual residence in the EEA
  • at the place of your work in the EEA or
  • at the place of the alleged infringement in the EEA.

The data protection authority competent for CSC – IT Center for Science Ltd is:

Office of the Data Protection Ombudsman
Postal address: PL 800
00531 Helsinki, Finland
https://tietosuoja.fi/en/contact-information

14) Who should you contact?

If you have any questions about this privacy notice please use the following contact point: servicedesk@csc.fi or contact the person specified in section two (2).

In order to exercise any of your data subject rights, you can send us a request, indicating the right you wish to exercise by e-mailing us at servicedesk@csc.fi

15) Changes to this notice

This privacy notice is valid from as of 24th August 2023. If there are essential changes to this privacy notice, or in how we will process your personal data, we will use reasonable efforts to notify you.

This privacy notice has last been edited on 10th September 2023.