PassagePoint Compliance with GDPR

Does PassagePoint Comply with GDPR Data Protection & Privacy Regulations?

All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR (General Data Protection Regulation) data retention policy.

What is GDPR?
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

The GDPR gives every EU citizen the right to know and decide how their personal data is being used, stored, protected, transferred and deleted.

GDPR Data Retention Rules
Article 5 explains that when personal data is collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection.

Under GDPR, organizations are required to adhere to the minimization principle, which applies to the amount of personal data stored and the length of time the information is retained.

When data needs to be retained, appropriate security controls should be applied to prevent unauthorized access, use, or processing of the data, and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all retained data remain accurate and up to date, and that inaccurate data is removed.

GDPR data retention is covered in Article 5(e), which explains that data should only be retained for as long as is required to achieve the purpose for which data were collected and are being processed. The exceptions to this are when data need to be retained “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Recital 39 of GDPR explains that when data is retained, strict time limits should be established by the data controller to ensure data is not retained for longer than is strictly necessary. The data controller is required to conduct periodic reviews and ensure that data is securely erased when no longer required. GDPR applies to personal data that could be used to identify an individual. If data is required to be kept for longer, the information should be de-identified to prevent individuals from being identified from the data.

PassagePoint Features Related to GDPR
PassagePoint is an on-premise platform; therefore, policies and compliance with GDPR are the responsibility of the organization that purchases PassagePoint and collects and stores visitor data. However, PassagePoint has built in the following features to allow an organization to configure the system to comply with GDPR privacy regulations.

Security Controls
PassagePoint can be configured to extract only the desired information from an ID scan. The data extracted from an ID (driver's license, passport, military ID, etc.) is determined by your organization based on your policies; Personally Identifiable Information (PII) does not have to be extracted. Visitor information can be captured, masked, or ignored based on your configuration in the software. ALL visitor information is encrypted in transit and retained in the database on your secure network.

Data Retention
PassagePoint has data retention policies that allow the organization to determine how long it keeps visitor information and to automatically delete that information after a specified amount of time. This feature deletes all information on visitors and employees, including reports, after the configured period has elapsed.