How are ZKTeco Biometrics verification technologies GDPR compliant?
Biometry literally means “measurement of life.” In a broader sense, it designates the quantitative study of living beings. It covers a wide range of applications, including anthropology and medicine. The term biometrics also refers to all processes used to recognize, authenticate and identify persons based on certain physical or behavioral characteristics which are unique to each individual. Such characteristics are measurable, which enables comparisons to detect fake access attempts, and recordable, which means they can be stored if necessary.
ZKTeco Biometrics & GDPR
The General Data Protection Regulation, commonly referred to as GDPR, came into effect in the European Union in May 2018. Although many organisations have conducted reviews and audits of the data they store across the many systems that they use, when it comes to implementing a biometric system, compliance with GDPR requires additional considerations and answering common concerns for millions of users.
GDPR essentially regulates how organisations manage two types of data: personal data and sensitive data. Personal data is any information relating to an identified or identifiable person. Sensitive data is a ‘special category’ of data, capable of identifying an individual. Understandably, biometric data is categorised as ‘sensitive data’ and thus a ‘special category.’
Biometric Authentication Benefits
There are many reasons why businesses choose to implement biometric authentication for Time Attendance or Access Control Systems. The primary advantage is enhanced security, as only one individual, with his or her unique biometric characteristics, can be the key to our systems, as opposed to traditional verification methods via key cards and PIN codes, which pose the risk of security breaches.
However, in biometric verification, some of our customers' most frequent concerns relate to how the biometric personal data of visitors or employees using our systems is stored or used, and whether our biometric technology conforms with the GDPR in force.
ZKTeco Biometric authentication devices for Access Control and Time Attendance systems are GDPR compliant, meaning users own their biometric data because it is properly secured and stored using encryption methods within the devices.
It is important to understand how biometric data is created, stored and processed. This will help organisations to gain the trust of employees using a biometric system. A common misconception is that images from fingerprints, faces or palms, are stored in a biometric system. Within ZKTeco Time Attendance or Access Control systems, images are never stored. Images are taken and identifiable features (known as data points) are collected from the image. A sophisticated algorithm is used to convert the data points into a biometric template in the form of a digital code.
ZKTeco Biometrics Algorithms & Templates
As an additional security measure, the biometric template is then further encrypted. In ZKTeco palm and facial recognition terminals, the matching process is carried out within the devices, with no processing outside of them. The acquired data is compared with the database of the terminal device, and the comparison result is output. The comparison result is saved locally and sent to the client through the SSL/TLS encryption algorithm. The encryption algorithm of the sent data is random.
The result is a system which gives the highest level of protection to biometric data, thus ensuring GDPR compliance.
Our templates, thanks to our biometric algorithms, are kept anonymous. Let’s explain in depth how we perform the matching process while ensuring template security and irreversibility.
- Pattern recognition method: the image data follows a set of encoding rules (i.e. a set of matrix-based formulas that constitute a non-linear mapping). After sampling and dimensionality-reduction processing, a fixed-dimension template is generated. The feature points are highly concentrated, and there is no space or distance relationship between them.
- Deep learning method: the image is processed as matrix data through convolution, downsampling, pooling, normalization, non-linear activation mapping, etc. to generate spatial or non-related features, and their number is very small. Therefore, the generated template cannot be converted into a picture again.
Furthermore, the estimated percentage of false positives or false negatives depends on the algorithm and the test populations. Fingerprints may be misjudged by one in a million, and rejected by about 1%. Human face recognition may be misjudged by one in 100,000 and rejected by about 1%, and lastly palm recognition may be misjudged by one in 100,000 and rejected by about 1%. These are estimates, as algorithm versions and test populations differ.
When biometric templates and patterns are removed from ZKTeco terminals and devices, the system ensures complete deletion by erasing the corresponding template in the database and memory and recording the operation log.
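To size the risk behind these figures, the following added example (not ZKTeco code) shows how a per-comparison false-accept rate grows when a terminal searches its whole template database (1:N identification), and how many enrolled users keep that chance under a chosen target. It assumes the article's figures are per-comparison rates and that comparisons are statistically independent; the function names, database sizes and attempt counts are hypothetical.

```python
import math

# Error rates as stated in the article. Treating them as per-comparison (1:1)
# rates is an assumption of this example.
RATES = {
    "fingerprint": {"far": 1 / 1_000_000, "frr": 0.01},
    "face": {"far": 1 / 100_000, "frr": 0.01},
    "palm": {"far": 1 / 100_000, "frr": 0.01},
}


def identification_far(far: float, enrolled: int) -> float:
    """Chance that one 1:N search falsely matches at least one enrolled template."""
    if not 0.0 <= far < 1.0 or enrolled < 0:
        raise ValueError("far must be in [0, 1) and enrolled must be >= 0")
    # 1 - (1 - far)^N, computed with log1p/expm1 to stay accurate for tiny far
    return -math.expm1(enrolled * math.log1p(-far))


def max_enrolled(far: float, target: float) -> int:
    """Largest template database that keeps the 1:N false-match chance <= target."""
    if not (0.0 < far < 1.0 and 0.0 <= target < 1.0):
        raise ValueError("far must be in (0, 1) and target in [0, 1)")
    return math.floor(math.log1p(-target) / math.log1p(-far))


def daily_expectations(modality: str, enrolled: int,
                       impostor_attempts: int, genuine_attempts: int) -> dict:
    """Expected false accepts and false rejects per day for one terminal."""
    r = RATES[modality]
    return {
        "false_accepts": impostor_attempts * identification_far(r["far"], enrolled),
        "false_rejects": genuine_attempts * r["frr"],
    }


if __name__ == "__main__":
    # Constructed scenarios: database sizes and attempt counts are illustrative.
    for name, r in RATES.items():
        for n in (100, 5_000, 50_000):
            chance = identification_far(r["far"], n)
            print(f"{name:11s} N={n:6d} 1:N false-match chance = {chance:.4%}")
    print("face, 0.1% target ->", max_enrolled(RATES["face"]["far"], 0.001), "users")
    print(daily_expectations("face", 5_000, 20, 10_000))
```

Where the database is larger than `max_enrolled` allows for the site's risk target, pairing the biometric with a second factor (card or PIN) turns the search into a 1:1 verification, to which the per-comparison rate applies directly.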
This is how the templates or biometric patterns are stored and encrypted, thanks to our algorithms. In our GDPR Compliance Statement, our organization declares our commitment to meeting and upholding the principles of the GDPR.
Why choose Biometrics verification technologies that are GDPR compliant?
Not all companies that manufacture and market biometric recognition equipment and technology provide algorithms like ZKTeco. Our algorithms are owned by ZKTeco, and guarantee that the biometric data collected is anonymous and therefore does not represent any risk or impact on the fundamental rights of the data subject.
ZKTeco is committed to providing biometric technology to comply with the standards and regulations considering all the variety of possibilities it offers us (Facial, fingerprint, vein, palm...). Biometrics is and will continue to be a technology that will coexist with our everyday life in a natural way, making processes more secure and easier.
Treatment of temperature data in ZKTeco Access Control systems
Regarding the treatment of biometric temperature data within ZKTeco systems, we want to clear up a series of topics to help our customers comply with their treatment activity record.
The first thing that we must be clear about is that ZKTeco systems are not medical devices, but terminals that allow the measurement of human skin temperature, as a technical measure and within the framework of occupational risk prevention, as an aid to companies for data subjects: workers, outside workers, visitors, users or customers.
There are two main views on this issue:
- If temperature data is not stored, then this data is not processed and is not regulated by GDPR.
- If the temperature data is stored, then a health authority should process this data, and only the minimum information necessary should be processed.
In ZKTeco systems incorporating body temperature measurement control, the terminals do not store the data. They are contactless systems that can detect the temperature of the skin and whether or not a mask is being worn, without storing the data, merely sending an alert if abnormal temperature levels are detected so that the temperature can be taken by healthcare personnel for further checking.
ZKTeco recommends performing a Privacy Impact Analysis (PIA) to evaluate the life cycle of the data, the risks of the processing and the technical and organizational measures to ensure that the processing does not pose a risk that would result in an impact on the data subject.
To learn about the different technologies and methods for measuring temperature in the human body, the meteorology institute has published a guide for non-contact temperature measurement in the human body that can help us to know the different margins of error among the different methods currently available.