ID Dataweb, Inc. Privacy Policy
Summary
- ID Dataweb, Inc. (“ID Dataweb”) collects personal data, which may include biometric data, of individuals with their explicit consent only on behalf of its clients. The data collected is the minimum deemed necessary to verify the individual’s identity for the purpose of mitigating fraud.
- ID Dataweb may process data about visitors to its website and services (“usage data”). The usage data may include IP addresses, location data, and details about the user’s computer, as well as data about the timing and pattern of their visit.
- If a person contacts us, whether through the contact form on this website or through other means, we may process personal data that was provided, which may include their name and email address, as well as metadata created by the website associated with the contact web forms.
Definitions
“Data Protection Legislation” means, for the purposes of this Privacy Policy, all applicable data protection laws as now or as may become effective and/or amended, including without limitation the Swiss Data Protection Act, the GDPR, the California Consumer Privacy Act (“CCPA”), the U.S. Health Insurance Portability & Accountability Act of 1996, as amended and implemented (“HIPAA”), and the Canada Personal Information Protection and Electronic Documents Act.
“Biometric data” means personal information collected by ID Dataweb and/or its Processors about an individual’s physical characteristics that can be used to identify that person. As used in this Policy, biometric data includes “biometric identifiers” and “biometric information” as defined in the Illinois BIPA, 740 ILCS § 14/10.
“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on the individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
“Client” means a company that has contracted with ID Dataweb for the purpose of processing personal data, which may include the collection and processing of biometric data, for the purpose of verifying identity in order to mitigate fraud.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Personal data” means information that can be used to uniquely identify an individual. Personal data includes biometric data. Personal data includes “Personal information” as defined in the Canadian Personal Information Privacy and Electronic Documents Act (PIPEDA).
“Processor” means a vendor selected or approved by the Client for the purpose of collecting and/or evaluating personal data and providing a response regarding the accuracy and consistency of the biometric data. This Policy does not include the privacy policy of our Processors, also known as Sub-Processors, but the processing and retention of personal data is subject to the terms and conditions contained in contracts between ID Dataweb and its Sub-Processors.
“Transaction” means a series of events in which personal data is collected, transmitted to a processor, a response is returned from the processor, the response is evaluated in combination with other data, and a decision is transmitted to the client. The decision returned to the Client may include the personal information, including biometric data, collected from the individual.
Retaining and Deleting Personal Data
ID Dataweb retains enough metadata about a transaction to be able to identify the transaction and the decision returned. ID Dataweb does not retain personal data about an individual any longer than necessary to complete a transaction. Upon completion of each transaction, all personal data is permanently deleted.
Individual Rights
Individuals who believe that ID Dataweb has processed or possesses their personal data may make requests with respect to their personal data by contacting the company through the general-purpose contact form, located at the bottom of the Home Page at iddataweb.com, or by email to compliance@iddataweb.com. The company’s Data Protection Office (“DPO”) will promptly evaluate the request. The company’s validation criteria provide that requests may be rejected in certain circumstances, including where (i) the identity of the requester cannot be authenticated, (ii) the requester fails to provide sufficient information to allow the company to reasonably respond to the request, (iii) the request is overly broad or excessive when balanced with the resource and cost implications of responding to the request, (iv) the request is repetitive of a previous request submitted by, or on behalf of, the same requester or (v) the request is clearly intended to circumvent reasonable document production restrictions under legal, administrative or similar proceedings. If the request is rejected during the validation process, the requester will be given reasons and have the opportunity to request reconsideration by the DPO. If the DPO confirms a rejection decision, you will also have an opportunity to appeal to a Privacy Review Panel. The Privacy Review Panel consists of senior company individuals who are independent of the DPO team and who have not been involved in validating, assessing or responding to a request. The Privacy Review Panel will conduct an independent review of any matter brought before it for appeal. Upon completion of its appeal review, the Privacy Review Panel will require the DPO to make available (i) any additional information it determines is appropriate and consistent with the Privacy Policy or (ii) its decision on what actions, if any, should be taken by the company. Decisions of the Privacy Review Panel are final.
Consent and Disclosure
Collection of personal data is performed only with the individual’s consent to collect and process such data. ID Dataweb does not disclose or transfer any personal information, including biometric data, to any third party except to the extent authorized by the Client.
Data Storage and Transmission
ID Dataweb uses a reasonable standard of care to store, transmit, and protect from disclosure any personal data collected. Such storage, transmission, and protection from disclosure is performed in a manner that is the same as or more protective than the way ID Dataweb stores, transmits and protects from disclosure other confidential and sensitive information, including personal data that can be used to uniquely identify an individual.
Geographic Scope of Processing
ID Dataweb processes Personal Data within the geographic boundaries of the data protection legislation applicable to the individual whose Personal Data is being processed whenever possible, in compliance with the GDPR.
When the processing of Personal Data of an EU resident can only be done outside of the EU, ID Dataweb ensures an adequate level of protection through (i) a transfer of personal data only to a country that has an adequate level of protection (Article 45 Paragraph 3 GDPR), (ii) binding corporate rules (Article 46 Paragraph 2 Point b in conjunction with Article 47 GDPR), (iii) Standard Contractual Clauses (Article 46 Paragraph 2 Points c and d GDPR), (iv) Codes of Conduct approved by European Union competent authorities (Article 46 Paragraph 2 Point e in conjunction with Article 40 GDPR) or (v) an approved Certification Mechanism (Article 46 Paragraph 2 Point f in conjunction with Article 42 GDPR).
Data Protection Officer
If you need to reach our Data Protection Officer, his contact information is:
Timothy Snyder
ID Dataweb, Inc.
8330 Boone Blvd,
Suite 400
Vienna, VA 22182
Compliance@iddataweb.com
571-442-6117