Pursuant to Article 13 of Regulation (EU) 2016/679

With this notice, provided pursuant to Article 13 of Regulation (EU) 2016/679 (the “Regulation” or “GDPR”), Keyless Technologies S.r.l. wishes to explain the purposes for which it collects and processes your data, the categories of data that are processed, the rights you are granted under the data‑protection legislation, and how they may be exercised.

Who is the Data Controller

Keyless Technologies S.r.l., with registered office in Viale Luca Gaurico 9-11, 00144 - Rome, P.IVA 14880901005 - owned by Keyless Technologies Limited, a company incorporated under English law with registered office at 85 Great Portland Street, London, United Kingdom, W1W 7LT, P.IVA GB324663602 - is the controller of your personal data (“Keyless”, the “Controller” or the “Company”).

The Controller can be contacted by email at gdpr@keyless.it or by ordinary mail at Keyless Technologies S.r.l., Viale Luca Gaurico 9-11, 00144 - Rome.

Keyless’ DPO

Keyless has appointed a Data Protection Officer (“DPO”), who can be contacted by email at dpo@e-lex.it.

Categories of personal data processed by Keyless as part of the Data Collection Campaign

Keyless is a cybersecurity company that has developed an innovative technological solution which allows the recognition of an individual (for example, in order to access certain premises) on the basis of anonymised biometric data and, therefore, not attributable to the individual.

The above solution is based on a privacy‑preserving system and, specifically, on so‑called “untraceable biometrics” technology which-starting from a fingerprint or the shape of the face-prevents any given data from being traceable back to the person to whom it belongs and, consequently, to that person’s identity.

In this context, Keyless has launched a data collection campaign to train the privacy‑preserving biometric algorithms (so‑called machine learning) on which the system developed for biometric authentication on smartphone devices is based (the “Data Collection Campaign”).

In this context, Keyless processes the following categories of personal data relating to you:

1. ordinary personal data (such as email address, age and gender);
2. special categories of data pursuant to Article 9 of the Regulation (formerly sensitive data) and, in particular, your face captured from different angles and/or under different lighting conditions, and the dynamics relating to the movement of the phone (so‑called behavioural biometrics).

The personal data indicated above will be processed by Keyless exclusively for the purpose indicated in the following paragraph.

Purposes and legal basis of the processing

As part of the Data Collection Campaign, Keyless has developed a smartphone application (“APP”) through which you-as a user who decides to join the Data Collection Campaign-can carry out test sessions aimed at collecting the information needed to develop the biometric models referred to in paragraph 3 above, which are necessary for training the algorithms developed by the Company.

The legal basis for processing your personal data is your prior, specific and explicit consent to the processing.

Categories of recipients to whom the personal data may be disclosed and purposes of the disclosure

Your data will be processed, within the Controller’s organisation, by collaborators and/or employees of Keyless as persons authorised to process the data, as well as by the members of the Company’s Board of Directors, for the performance of their duties and institutional functions.

In addition, Keyless may disclose some of your personal data to third parties it uses for activities connected with the purpose referred to in the preceding paragraph, including external companies that provide the Company with administrative and logistics services and/or external consultants. These parties will process your personal data as processors pursuant to Article 28 of the Regulation.

The list of processors is available from the Controller and may be requested by writing to the contacts indicated in paragraph 1 above.

Your data will not be disseminated to unspecified recipients.

Retention period

Your personal data indicated above will be processed by Keyless for the time necessary to carry out the activities connected with the purpose referred to in paragraph 4 above and, in any case, for no longer than one year from their collection.

Subsequently, the data will be anonymised through an irreversible process.

Transfer of data outside the European Union

Keyless will not transfer your personal data outside the European Union.

If applicable, the Company will carry out the aforesaid transfer by using the standard contractual clauses adopted by the European Commission by Decision 2010/87/EU and any subsequent amendments or, alternatively, on the basis of an adequacy decision of the Commission or another suitable instrument under the GDPR.

You may obtain information on the place to which your data have been transferred and a copy of such data by writing to the contacts indicated in paragraph 1 above.

Rights of data subjects

We inform you that, as a data subject, you have the rights provided for by Articles 15 et seq. of the GDPR and, in particular:

• the right of access to personal data and, in particular, to access and to request and obtain information on the existence of personal data relating to you in the Controller’s possession;
• the right to rectification and, in particular, to request and obtain the amendment and/or correction of your personal data if you consider them to be inaccurate or incomplete;
• the right to request, where the circumstances under the Regulation apply, the erasure of personal data or the restriction of processing of the same;
• the right to request, where applicable, the portability of personal data.

To exercise your rights, please contact the Controller or the DPO at the addresses indicated in paragraphs 1 and 2 above, respectively.

Finally, we inform you that, under the applicable rules, you may lodge any complaints regarding the processing of your personal data with the Italian Data Protection Authority.