Our Systems & Privacy



EasySecure International B.V. supplies various services, including:

  • IdentySoft Cloud Software for access control, time recording, and attendance registration
  • BioStar software for access control and time recording


Security and privacy are very high on our agenda. We therefore choose the best security and work with the top hosting parties and latest techniques.

EasySecure has specially trained staff for services relating to privacy, the General Data Protection Regulation (GDPR), and security. We are also a member of the Netherlands ICT and the International Association of Privacy Professionals. EasySecure’s membership entitles it to the assistance of lawyers who advise and provide support on privacy and other issues.

As a provider of cloud and other services for access control, time recording, and attendance registration, personal data can be recorded in our software. Your privacy is very important to us and every feature of our software is developed with this in mind.

As a supplier, we are not responsible for our customers’ compliance with GDPR rules. But you can obviously count on us to deliver your systems with the highest privacy default settings and to equip our products with all the tools required to facilitate compliance. We are also happy to advise you on all possible questions and offer standard agreements providing a full-service solution.

We gladly inform you personally when it is relevant for you. Your interests are our priority!

We pledge:

  • To handle your data carefully. You can rest assured that your data are safe with us and that our organization complies with the applicable legislation.
  • To inform and provide you with the right information and tools to comply with legislation. We advise our customers to limit themselves to recording only the necessary data.
  • To adopt appropriate security measures to protect your personal data.
  • Not to retain your data for longer than necessary. Your privacy is very important to us and every feature is developed with this in mind. A retention period can be entered in our software after which your data are automatically removed from our system.
  • To never transfer your data to third parties, unless this is necessary to provide the requested service. When we share your data due to software integration, we enter into agreements to ensure they are not used for other purposes.
  • That you as the customer will always determine what happens to your data. We respect all the choices you make regarding your privacy. You may always access, rectify, block, and delete your data and you also have the right to data portability. The users of your software environment also have these rights. And we will always assist you in exercising them.


This document contains more information about the GDPR and our biometric systems. In the chapters below, we discuss the use of biometrics for access control and time recording, and all privacy and security measures within our system.

If you would like to know more or if we can help you further with your privacy and security issues, we’ll be more than happy to assist!

By telephone

+31 (0)85 015 000
Contact people: D. Kalkman & E. Hazelhoff

By e-mail

privacy@easysecure.nl

By post

EasySecure International B.V.
Corkstraat 46
3047 AC Rotterdam
The Netherlands


GDPR, Biometrics & Our Systems


The General Data Protection Regulation (GDPR) is a regulation that applies throughout the European Union (EU). Because of the GDPR, personal data protection is regulated in the same way in all EU countries and the same rules apply in each Member State.

The effective date of the General Data Protection Regulation is 25 May 2018. From that date, the same rules apply throughout the EU.

Under the GDPR, ‘biometric data for the purpose of uniquely identifying a natural person’ are considered ‘special personal data’. Processing special personal data is prohibited, unless an exception applies.

In practice, this means the number of available ‘bases’ (exceptions) is more limited, with the most important being explicit consent. ‘Legitimate interest’ can no longer be used as a basis. But explicit consent can.

The European supervisors have written an opinion on consent under the GDPR, also looking at consent in the employer/employee relationship.

The article can be viewed on this page.
In this opinion, the data protection authorities write, among other things:

However this does not mean that employers can never rely on consent as a lawful basis for processing. There may be situations when it is possible for the employer to demonstrate that consent actually is freely given. Given the imbalance of power between an employer and its staff members, employees can only give free consent in exceptional circumstances, when it will have no adverse consequences at all whether or not they give consent. 20 [Example 5] A film crew is going to be filming in a certain part of an office. The employer asks all the employees who sit in that area for their consent to be filmed, as they may appear in the background of the video. Those who do not want to be filmed are not penalised in any way but instead are given equivalent desks elsewhere in the building for the duration of the filming.


The example used here is filming in an office where employees are offered the opportunity to temporarily move to another location. This is very similar to offering the possibility of a fingerprint scan, alongside a card or code.

In short, employers can simply request consent to process biometrics, as long as they also offer a reasonable alternative.

You can always offer your employees an alternative. Our biometric systems can be used with explicit consent. All our scanners are also equipped with a card reader and, if necessary, a keypad.

With our systems, your employees can register their finger or face or work with a card or code. Employees who do not want to carry an extra card or remember a code, can use our convenient encrypted biometric templates instead. The employee has a free choice of authentication method.

In addition, our systems are highly secured and we save encrypted templates instead of fingerprints. These templates can never be reverse-engineered to an image of your fingerprint. For more information, see Chapter 4 of this document.

In our experience, employees often consent to using their biometric template. The template cannot be reverse-engineered to a print of their finger or face and it is very convenient. After all, you can easily lose or forget a card or code and do not always have it handy. But this must be a free choice. The advantages of biometrics are discussed in detail in Chapter 2.

Advantages of biometrics


Convenience:

You always have the key with you. And you need not carry an extra card or remember the code.

Convenience:
The template is encrypted. You can quickly and easily open the doors or register your presence without it being possible to trace these data back to your actual fingerprint. Easy and secure!

Security:         
With biometrics, you always know who is present in the building if there is a theft, fire, evacuation, or other emergency.

Security:         
With biometrics, you always know who has access to which area. Once someone no longer has access to your systems or building, you can block their access at the push of a button. You can also be sure that only people with the right certificates will enter sensitive areas.

Security:         
Cards or tags that have been lost or passed on to others are a major security risk. After all, you never know who has access and where and when an access card may have been lost. With biometrics, the safety of your employees increases and theft decreases.

Security:         
Because access codes are often known to more people than you think, there is no accurate overview of who is in the building and who has access to which area. With biometrics, the safety of your employees increases and theft decreases.

Time savings:             
No paperwork. Large organizations spend many hours managing access control, time recording, and attendance registration. With biometrics, there is no need to spend any more time on issuing new cards and codes and the information is always correct and up to date.

Cost savings
Using biometrics saves you time in managing your access control, time, and attendance systems. As no or fewer access cards need to be purchased and fewer cards are in circulation, this is also better for the environment.

Information:    
You have real-time information available about all your systems. You can immediately check the status of a project, look at attendance, or see if there is a company emergency response team member in your building.

Combining:
The ideal situation for access control, time recording, and attendance registration consists of various components. Use our biometric scanners for sensitive warehouses and server rooms, for example, and our card readers on other doors. All our scanners can be combined with each other.

DPIA & Biometrics


In November 2019, the data protection authority published the definitive DPIA list. This list contains all processing of personal data that requires a data protection impact assessment (DPIA). The use of biometrics has also been added to this list.

This means that if you use or are going to use our biometric systems, you must have a DPIA ready.

The data protection impact assessment (DPIA) is a tool to identify the privacy risks of data processing in advance and to subsequently be able to take measures to reduce the risks.

We have had an example DPIA prepared by our lawyers to assist you with the correct format and the required information. Feel free to contact us to receive the document.

 Telephone

+31(0)85 015 0000 
Contactpersons   D. Kalkman & E. Hazelhoff

 E-mail

privacy@easysecure.nl

 

Securing & Storing


As a provider of cloud and other services for access control, time recording, and attendance registration, personal data can be recorded in our software. Your privacy is very important to us and every feature of our software is developed with this in mind.

As a supplier, we are not responsible for our customers’ compliance with GDPR rules. But you can obviously count on us to deliver your systems with the highest privacy default settings and to equip our products with all the tools required to facilitate compliance. We are also happy to advise you on all possible questions and offer standard agreements providing a full-service solution.

Privacy by Design:      When developing our software, we ensure all the features needed to guarantee your privacy.

Privacy by Default:      Our software is delivered with high privacy settings by default. These include strict password management, automatic deletion of log data, and automatic deletion of inactive users, and can of course be adapted to your wishes.

More information on security and privacy measures can be found in the next chapters.

Security & Hosting


Security and privacy are very high on our agenda. We therefore choose the best security and work with the top hosting parties and latest techniques within our software for access control, time recording, and attendance registration.

Each release of our software goes through a fixed process of development, quality control, and internal testing procedures. We also have an external agency test our software security each year to guarantee quality. The IdentySoft software is hosted in Cyso’s data centres.

  • Dutch company founded in 1997
  • ISO 20000, ISO 27001, NEN 7510, ISO 9001, OHSAS 18001; PCI-DSS, and ISO 14001-certified
  • All data are stored in the Netherlands
  • Only certified and screened employees are employed
  • Continuous security checks
  • Continuous infrastructure checks
  • No single point of failure
  • Various fallback scenarios available


Misuse of your data by malicious parties is a serious threat that must be prevented. We ensure the right measures are adopted to ensure that our software is properly protected.

Want to know more about the security measures we take for security and hosting? Then take a look at the following article: 

 

Communication & Encryption


The communication from our scanners is highly secure. All scanners use 256-bit Advanced Encryption Standard (AES), SHA-256, and MD2 Hash algorithms.

This means that all communication is encrypted and can never be traced back to your personal data from the scanner.

Want to know more about our security measures and the communication and encryption of our scanners? Then take a look at the following article:

 

Biometrics, Templates, and Privacy


When we refer to privacy and biometrics, we immediately need to consider which system is being referred to. Government systems (such as the police or for your passport) are based on a system in which images are stored. And if these systems fall into the wrong hands or are misused, people’s privacy can be violated.

EasySecure’s commercial systems, such as IdentySoft and BioStar, use an algorithm and cannot be traced back to a real print.

Our systems scan a fingerprint or face and this image is already transformed into a template in the scanner. This template results from an algorithm and consists of a number of 364 positions. Besides being patented, the algorithm is also protected by encryption (AES256).


Even if the code were cracked, the algorithm would still have to be cracked. And even if the algorithm were cracked, it is still impossible to make an original print from the saved result.

It is therefore impossible to use a template stored in our systems to create an image of a fingerprint that can then be compared with another database or an encountered image.

Want to know more about your privacy and our biometric templates? Then take a look at the following article:

 

Provision to third parties


EasySecure will never transfer your data to third parties, unless this is necessary to provide the requested service. This could be the case, for example, if you wish to set up software integration between two packages.

Our software can be integrated with various packages for planning, locker management, or reservation systems. If desired, we can establish a link for our customers based on an agreement.

If we provide your data to a third party, we ensure (by agreement) that your data will not be used for other purposes. We also ensure that your data are always processed with the highest level of security. For more information, see the chapter ‘Security & Storing’.

Cookies


Our software uses cookies. These are small text files stored on your device. Cookies allow us to save your preferences and settings and allow you to log in.

This includes the automatic completion of certain forms in your software environment so you do not have to enter the same data over and over again. By default, your internet browser has a range of options to manage and block cookies.

Access to and rectifying your data


You always decide what happens to your own personal data. We respect all the choices you make regarding privacy. You may always access, rectify, block, and delete your data and you also have the right to data portability. You can submit a request to us using the contact details below.

As a software supplier, we have incorporated features that enable our customers to retrieve stored data directly from a user. It is also possible to remove all stored personal data directly from the system.

As a user of our software, if you have received a request for access, rectification, blocking, portability, or removal, and have questions about this, we would be happy to assist you!

You can get in touch with us using the contact details below.

 By telephone

+31 (0)85 015 000
Contact people: D. Kalkman & E. Hazelhoff

 By e-mail

privacy@easysecure.nl

 By post

EasySecure International B.V.
Corkstraat 46
3047 AC Rotterdam
The Netherlands


To prevent misuse, we will contact you after a request to verify your identity.

 

Dutch Data Protection Authority (Autoriteit Persoonsgegevens)


We will naturally be happy to assist you if you have complaints about the processing of your personal data. But should we not be able to reach consensus, you are also entitled under privacy legislation to submit a complaint to the privacy supervisor, the Dutch Data Protection Authority.

You can contact the Dutch Data Protection Authority for this purpose.

Processing agreement


A processing agreement regulates the responsibilities for processing personal data when one company engages another company for processing. A processing agreement is a concept from the General Data Protection Regulation (GDPR).

The GDPR is a privacy regulation that applies throughout the European Union (EU). Because of the GDPR, personal data protection is regulated in the same way in all EU countries and the same rules apply in each Member State.

Under GDPR legislation, the personal data controller must make arrangements with the processors of these data. As a supplier, we offer support on our software and can log into/view your software environment, if necessary. We are therefore a processor of your data.

A processing agreement is the agreement between you as the controller and the processor. Among other things, this agreement documents how the processor must deal with the personal data and what kind of security measures are to be applied.

And we wish to come up with a full-service solution for you in this regard too, which is why we have drawn up standard agreements you can use.

If you would like to receive our standard agreement or have further questions, we’ll be happy to assist!

 By telephone

+31 (0)85 015 000
Contact people: D. Kalkman & E. Hazelhoff

 By e-mail

privacy@easysecure.nl

 By post

EasySecure International B.V.
Corkstraat 46
3047 AC Rotterdam
The Netherlands

 

Amendments to this statement


We may amend this statement on security and privacy occasionally. Amendments will be published on our website and included in our software. It is therefore advisable to consult this privacy statement regularly so that you are aware of any amendments.

Effective date


This renewed statement entered into effect on 25 June 2019.

 

Contact us



T: +31(0)85 01500 00
E: info@easysecure.com
E: support@easysecure.nl