GDPR
Legal Opinion Regarding Usage of VisionLabs Products According to the Rules and Principles of the GDPR
There are 7 principles regarding data protection under Chapter 2 Article 5.1-5.2 of the GDPR:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject;
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it;
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified;
- Accuracy — You must keep personal data accurate and up to date;
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose;
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. through the use of encryption);
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
According to Chapter 1 Article 4 (Definitions) of the GDPR, computer software, which VisionLabs’ products are, does not need to comply with the GDPR, and there are no procedures for certifying computer software as compliant with the GDPR. It is the organization/company using the software, which is considered the Processor of the personal data, including biometric data, that must comply with the GDPR.
VisionLabs’ products are the tools allowing the data processor to collect the data. The European Regulation is very broad and there are not many court decisions or arbitrations relevant to this topic. Chapter 1 Article 4 (Definitions) of the GDPR specifies personal data as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic (‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question), biometric (‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data), mental, economic, cultural or social identity of that natural person”.
VisionLabs may sell you a license to utilize our software under a Partner non-exclusive agreement, under which you can become a Licensee. In becoming the Licensee, you and your company will be solely responsible for complying with the GDPR, and you and your company will be liable in the event that you obtain any personal data of a European Union citizen using our software without the consent of the data subject. For example, if our software is used by your team in a non-EU country and you then happen to obtain the personal data of a European Union citizen, you have an obligation to comply with the GDPR.