Privacy Policy Data Capture


Pursuant to Article 13 of Regulation (EU) 2016/679

With this policy notice, provided pursuant to Article 13 of Regulation (EU) 2016/679 ("Regulation" or "GDPR"), Keyless Technologies S.r.l. aims to inform you of the purposes for which your data is collected and processed, which categories of data are processed, what rights the data protection legislation grants you and how they can be exercised.

You can find the original Italian version of this document here.


Who is the Data Controller

Keyless Technologies S.r.l., with registered office in Viale Luca Gaurico 9-11, 00144 - Rome, VAT no. 14880901005 - owned by Keyless Technologies Limited, a company incorporated under UK law with registered office in Milton Gate 60 Chiswell Street EC1Y 4AG, London, UK, VAT no. GB324663602 - is the controller of your personal data ("Keyless", the "Data Controller" or the "Company").

The Data Controller can be contacted by e-mail at gdpr@keyless.it or by regular mail at Keyless Technologies S.r.l., with registered office in Viale Luca Gaurico 9-11, 00144 - Rome.


Keyless’ DPO

Keyless has appointed a Data Protection Officer ("DPO") who can be contacted by email at dpo@e-lex.it.


Categories of personal data processed by Keyless within the Data Collection Campaign

Keyless is a cybersecurity company that has developed an innovative technological solution that allows individuals to be recognised (e.g. for the purpose of accessing certain premises) starting from biometric data that is anonymised and, therefore, not linkable to the individual.

The aforementioned solution is based on a "privacy preserving" system and, specifically, on a so-called "untraceable biometrics" technology which, starting from the fingerprint or the shape of the face, prevents a given piece of data from being traced to the subject to whom it belongs and, consequently, to his/her identity.

Against this background, Keyless has launched a data collection campaign for the training of biometric privacy-preserving algorithms (so-called "machine learning") on which the system developed for biometric authentication on smartphone devices is based (the "Data Collection Campaign").

In this context, Keyless processes the following categories of personal data relating to you:

  • common personal data (such as, for example, age and gender);
  • special categories of data pursuant to Article 9 of the Regulation (formerly, the so-called "sensitive data") and, in particular, your face recorded from different angles and/or at different levels of light exposure and the dynamics relating to the movement of the phone (so-called behavioural biometrics).

The aforementioned personal data will be processed by Keyless exclusively for the purpose indicated in the following paragraph.


Purpose and legal basis of processing activities

As part of the Data Collection Campaign, Keyless has developed an application for smartphones through which you - as a user who decides to participate in the Data Collection Campaign - can carry out test sessions aimed at collecting the information necessary to elaborate the biometric models referred to in paragraph 3 above, which are necessary for training the algorithms developed by the Company.

The legal basis for the processing of your personal data is to be identified in your prior, specific and express consent.


Categories of entities to whom personal data may be communicated and purposes of communication

Your personal data will be processed within the Data Controller's structure by collaborators and/or employees of Keyless in their capacity as persons authorised to process data, as well as by members of the Company’s Board of Directors, for the purpose of carrying out their institutional tasks and functions.

Furthermore, Keyless may disclose some of your personal data to third parties that the Company uses to carry out activities related to the purposes set out in the previous paragraph, including external companies that provide Keyless with administrative and logistical services and/or external consultants. These entities shall process your personal data as data processors pursuant to Article 28 of the Regulation.

The list of data processors is available from the Data Controller and can be requested by writing to the addresses indicated in paragraph 1 above.

Your personal data shall not be disseminated.


Data retention period

Your personal data will be processed by Keyless as long as necessary to carry out the activities related to the purpose set out in paragraph 4 above.

At the end of the machine learning activities, your data will be stored for a period of 1 year and then permanently deleted from Keyless’ systems.


Transfer of data outside the European Union

Keyless shall not transfer your personal data outside the European Union.

Where appropriate, the Company shall carry out the aforementioned transfer through the use of standard contractual clauses adopted by the European Commission or, alternatively, on the basis of a Commission adequacy decision or other appropriate instrument under the GDPR.

You may obtain information on the place where your data has been transferred and copies of such data by writing to the contact details set out in paragraph 1 above.


Data subjects’ rights

Please note that you - as a data subject - have the rights provided for in Articles 15 et seq. of the GDPR and, in particular:

  • the right of access to personal data and, in particular, to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data;
  • the right to rectification and, in particular, to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you;
  • the right to be forgotten, i.e. the right to obtain, where applicable, from the Data Controller the erasure of personal data concerning you without undue delay;
  • the right to request, where applicable, the portability of your personal data.

To exercise your rights, please contact the Data Controller or the DPO at the addresses indicated in paragraphs 1 and 2 above, respectively.

Finally, please note that, pursuant to the applicable regulations, you may lodge any complaints regarding the processing of your personal data with the Italian Data Protection Authority.