November 14, 2018

Privacy Policy


PassTrace privacy policy and description of the register

1. Register maintained by

Prime Authentication Solutions Finland Oy
Hallikkalanmutka 6
40520 Jyväskylä
Finland
p. +358 45 600 5991
support@passtrace.net
VAT number: FI28453052

2. Contact person for the register

Lauri Lehtovaara
lauri@passtrace.net
p. +358 45 600 5991

3. Name of the register

PassTrace Customer Register

4. Purpose of maintaining the register

The information collected in the register is used to

  1. verify the authenticity of documents (verification database),
  2. prevent and investigate document counterfeits (log database),
  3. prevent and investigate cyberattacks (log database), and
  4. investigate and correct technical and human errors (log database).

In addition, the information is used to attend to the customer relationship between the service provider and the customer organisations, to follow user activities, and for anonymised statistics.

5. Information content of the register

The PassTrace service includes two databases: a verification database and a log database.

Verification database. A unique identification code for each verifiable document, anonymized and encrypted data of the document, and a timestamp of the entry are stored in the verification database. The anonymized and encrypted data stored in the database cannot be read without its encryption key. The encryption key is not located in the database; it is located in the protected document as a QR code. The holder of the protected document must deliver the encryption key each time a verification process is performed. The encryption key is used only during the verification process, and it is deleted from the verification service when the verification procedure has been completed.

Log database. The IP addresses of all devices connecting to the PassTrace service are recorded in the log database. This information will be used to prevent and investigate cyberattacks and, in addition, for anonymous statistics.

If the verification of a document fails, the complete URL of the corresponding internet request is stored in the log database. If the verification failed because of counterfeited information, the URL contains the name and date of birth as presented in the counterfeited information. The name and date of birth appearing in the counterfeited information are stored for internal investigation of the counterfeiting and for a possible criminal investigation.

In the unlikely case that the verification of a document fails because of a technical or human error, the data stored in the log database contains the full name and date of birth of the person related to the failed verification attempt. The data is stored to investigate and correct the error, to inform the issuing institution, and to inform the person related to the document if possible. The data is stored until the error is investigated and corrected. The data will be removed when the situation is resolved.

The PassTrace service follows the principles of information minimisation and pseudonymisation: no additional personal information is gathered unless it is required for completing the tasks mentioned above in “the purpose of maintaining the register”.

6. Regular sources of information

The verifiable document information stored in the register is provided by the client organizations of the PassTrace service (institutions and companies) or their representatives. The IP addresses are logged each time a user accesses the PassTrace service.

7. Regular disclosure of information and provision of information to areas outside the EU or the European Economic Area

Information is not regularly rendered to third parties. Data is not transmitted outside the EU or EEA. Individual document entries are accessible globally only if the correct encryption key for the document is provided.

8. Protection of the register

All data provided by the Finnish customer organizations of the PassTrace service are stored inside Finland. Internet traffic is encrypted. No outside parties have access to the information in this register, and only the technical administrators of the PassTrace service have access to the databases.

9. Right to inspect information and realisation of this right

An individual has the right to check their own information once a year free-of-charge. An inspection request must be issued in writing to the register’s contact person.

10. Correction of information

Personal data will be corrected and altered according to notifications provided by the individual in question. A correction request must be issued in writing to the register’s contact person.