PassagePoint Compliance with GDPR

Does PassagePoint Comply with GDPR Data Protection & Privacy Regulations?

All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR (General Data Protection Regulation) data retention policy.

What is GDPR?
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

The GDPR gives every EU citizen the right to know and decide how their personal data is being used, stored, protected, transferred and deleted.

GDPR Data Retention Rules
Article 5 explains that when personal data is collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection.

Under GDPR, organizations are required to adhere to the minimization principle, which applies to the amount of personal data stored and the length of time the information is retained.

When data needs to be retained, appropriate security controls should be applied to prevent unauthorized access, use, or processing of data, and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all retained data remains accurate and is kept up to date, and that inaccurate data is removed.

GDPR data retention is covered in Article 5(e), which explains that data should only be retained for as long as is required to achieve the purpose for which data were collected and are being processed. The exceptions to this are when data need to be retained “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Recital 39 of GDPR explains that when data is retained, strict time limits should be established by the data controller to ensure data is not retained for longer than is strictly necessary. The data controller is required to conduct periodic reviews and ensure that data is securely erased when no longer required. GDPR applies to personal data that could be used to identify an individual. If data is required to be kept for longer, the information should be de-identified to prevent individuals from being identified from the data.

PassagePoint Features Related to GDPR
PassagePoint is an on-premise platform; policies and compliance with GDPR are therefore up to the organization that purchases PassagePoint and collects and stores visitor data. However, PassagePoint has built in the following features to allow an organization to configure the system to comply with GDPR privacy regulations.

Security Controls
PassagePoint can be configured to extract only the desired information from an ID scan. The data extracted from an ID (driver's license, passport, military ID, etc.) is determined by your organization based on your policies; Personally Identifiable Information (PII) does not have to be extracted. Visitor information can be captured, masked, or ignored based on your configuration in the software. ALL visitor information is encrypted in transit and retained in the database on your secure network.

Data Retention
PassagePoint has data retention policies that allow the organization to determine how long it keeps visitor information and to delete it automatically after a specified amount of time. This feature will delete all information of visitors and employees after a certain period of time, including reports.
