ShareID provides a solution to enable businesses to verify the user’s identity attributes in real time. It can be either through onboarding or authentication. With ShareID, businesses can be confident that the person behind the screen is who they say they are. Individuals, on the other hand, can ensure that their personal data is safe and secure while accessing their service providers without having to continually justify their identity. ShareID enables digital trust between businesses and individuals at every transaction that requires identity verification or personal data sharing. The protection of personal data is ShareID’s priority. Privacy is a fundamental right that must be preserved.
As a French company, ShareID refers to French and European legislation. In accordance with the provisions of the General Data Protection Regulation (“GDPR”) of April 27, 2016 and the law of January 6, 1978 relating to Data Processing, Data Files and Individual Liberties, ShareID therefore informs you about the processing of your personal data in this section.
Changes will be effective as of the date of posting.
According to the French National Commission for Information Technology and Civil Liberties ("CNIL"), "personal data" is "any information relating to an identified or identifiable individual". A person can be identified directly (e.g. name, first name) or indirectly (e.g. by an identifier (customer number), a (telephone) number or biometric data).
The identification of a person can be made from a single piece of data (e.g.: social security number, DNA), or from the cross-referencing of a set of data (e.g.: a woman living at such an address, born on such a day, subscribing to such a magazine and being active in such an association).
According to the CNIL, this is a "physical or biological characteristic that makes it possible to identify a person" (such as DNA, hand contour, fingerprints, etc.).
According to the CNIL, personal data processing is "an operation or set of operations concerning personal data, regardless of the process used (collection, recording, organisation, storage, adaptation, modification, retrieval, consultation, use, communication by transmission or dissemination or any other form of provision, matching).
The processing of personal data is not necessarily computerised: paper files are also concerned and must be protected under the same conditions.
Data processing must have an objective, a purpose determined prior to the collection of data and their exploitation."
According to the CNIL, the data controller is "the legal entity (company, municipality, etc.) or individual who determines the purposes and means of a processing operation, i.e. the objective and the way in which it is carried out. In practice and in general, it is the legal person embodied by its legal representative."
The terminal is represented by any computer equipment of the user that can host one of the versions of the ShareID-VID application.
ShareID may act as a subcontractor, as well as a data controller on behalf of its partners.
In the context of its mission of identity verification and personal data authentication, the data collected are processed by the Company "ShareID", SAS, registered in the RCS of Nanterre under the number 884 932 203, whose head office is located at 20 bis, rue Louis Philippe, in Neuilly-sur-Seine (92 200), France, represented by its President Mrs Sara SEBTI.
As a subcontractor for the service providers who have subscribed to one of ShareID’s services, the contractors are responsible for the personal data collected and used in the context of their services.
ShareID collects various personal information that you provide directly to ShareID and that is strictly limited and relevant to the purposes for which it is processed.
In accordance with Article 6(1)(a) of the GDPR, your express consent guides the processing of your data. However, you can stop consenting at any time. Furthermore, you are not legally obliged to provide us with your personal data. However, without it, we will not be able to verify your identity remotely and therefore provide you with our services.
The personal data that may be processed are :
And any other information that is readable on the identity document provided for your onboarding.
In order to perform the identity verification, the user must use his own terminal, through the application of the company he wants to authenticate with and which integrates the ShareID solution - or after being redirected to a ShareID page on the web version of our solution. However, no terminal information is processed or saved by ShareID.
To securely verify your identity, ShareID goes through an initial automatic verification by computer vision algorithms to issue an opinion, and then by a human operator to issue a final verdict in accordance with the french regulatory requirements for remote identity verification. These algorithms are trained on real and fake data sets. However, no use of your biometric data will occur outside of the identity verification phase. Also, no personal data that can be traced back to the user is stored in this log.
ShareID collects your personal data only to the extent necessary for the purposes for which they are processed. In accordance with Article 6 of the GDPR, this processing may be justified by the consent of its users, by law, by legitimate interest or by a contract between ShareID and service providers.
ShareID's main activity is to verify the identity of its customers' users by collecting the user's identification information through two elements, which are (1) a video showing the user's face and, (2) a video of the identity document that the user presents. These videos, sent through a secure channel, will then be checked by artificial intelligence algorithms to issue a first report, identified by "failure", "success" or "doubt". These checks prevent identity fraud. The user's consent is required to collect their information and perform an identity check. Nevertheless, the user has the right to refuse it but ShareID will be unable to provide its services.
In order to verify the identity of its users, ShareID also relies on the consent of its users to access and activate the camera of their device to capture videos.
ShareID also offers a re-authentication service. Once the identity has been verified and integrated into the platform, ShareID issues a reusable digital identity without storing user’s personal data as they are defined by GDPR in accordance with the French National Commission for Information Technology and Civil Liberties ("CNIL"). The user's identification data are encrypted in a way that they can not be exploitable even by ShareID. The only person who can claim these personal data is the owner of the identity. This service is also based on the consent of its users.
For the purpose of identity fraud prevention, the processing of your data is also motivated by the legitimate interest of ShareID in the management of the company and its services, to ensure the security and trust of its users and to comply with legal requirements. In addition, an evidence file containing all the data used to validate the digital identity is kept for legal reasons, in case of litigation.
The contact form allows you to make a complaint, ask a question or answer a message. Through this form, data can be processed to establish a commercial relationship with users or to receive feedback on our services. Its use is based on the consent of its users, and the legitimate interest of ShareID in managing its services. ShareID may also process data related to the use of its platform, such as connection data or IP address, in order to respond to requests for assistance made by users.
Finally, ShareID may act as a subcontractor for service providers. In this case, the transmission of users' personal data is motivated by the performance of its contracts, in accordance with Article 6, paragraph 1, point b of the GDPR.
When a user intends to authenticate himself with a service provider, the data available on the identity document provided by the user can be transmitted to the business after the user’s consent. In General, the informations below are required by the business :
Still, some businesses may require other information available on the identity document provided by the user when verifying his identity. The transmission of this information is done only when the user consents to the sharing.
No personal data collected will be transmitted to commercial actors without your consent.
Only persons authorised to access personal data and who have received the necessary training in the protection of personal data, have access to the processing of such data for remote identity verification.
In the case of assistance sent via the contact form, only persons authorised to access personal data have access to the processing of such data.
All our servers on which your data is stored and those of the service providers used to exchange and store this data are located in Europe. However, in the event that a transfer of data would take place in a third country, ShareID undertakes and ensures that the necessary data protection measures are put in place and comply with the provisions of the GDPR and Data Processing, Data Files and Individual Liberties Act.
In accordance with Article 32 of the GDPR, ShareID commits to "implement all appropriate technical and organisational measures to ensure a level of security appropriate to the risk".
In doing so, ShareID does not make any copy of documents and media that may contain personal data entrusted to it other than in the strict context of the execution of its customer contracts. Unless otherwise stipulated in the customer contract, ShareID will not use or exploit documents and media that may contain personal data for purposes other than those specified in the contract.
ShareID takes all measures to prevent any breach of personal data, including unauthorised access, destruction, loss, alteration, unauthorised disclosure, or misuse of personal data. Your personal data is stored on our servers and is subject to strict protection.
ShareID implements all measures to ensure that the system it deploys at its customers' premises and the data processed are protected against external intrusions.
In case of subcontracting, ShareID undertakes to ensure that its subcontractor, whatever its nature, presents the same sufficient guarantees as to the appropriate technical and organisational implementation so as to meet the requirements of the European Data Protection Regulation. If the subcontractor does not fulfil its data protection obligations, ShareID shall remain fully liable to the Controller for the performance by the other subcontractor of its obligations.
An account is suspended after three years of inactivity and its data is completely deleted.
Business traces, such as account registration or user authentication with a service provider, are deleted after three years of generation.
In the case of static and dynamic automated facial recognition, the photograph of the user and the video taken by the user with its electronic communications terminal equipment are deleted as soon as the facial recognition is completed.
The videos that allowed the human operator to validate the artificial intelligence report are deleted as soon as the validation is completed.
The validity status of the secure identity document and the status of qualification at the enhanced level of the electronic component of this document for high guarantee level electronic identifications, processed for the sole purpose of verifying the validity of the document and the status of qualification at the enhanced level of its electronic component, are deleted as soon as these verifications are completed.
Data that may be transmitted to a service provider when a user intends to authenticate with that service provider, processed for the sole purpose of transmitting the information necessary for his electronic identification, shall be erased as soon as such transmission is completed.
The evidence file is an audit trail allowing the competent authorities in case of legal dispute to verify the data used to validate a remote identity. It contains all the data used to validate the digital identity (such as videos, the order of the challenges, the user's device identifier or the email address...). The evidence file is protected in confidentiality and authenticity. It is kept on a security server designed for this purpose and respecting the security standards for archiving servers for this type of information. Accessible only in case of litigation, it is destroyed five years after its creation.
In accordance with the provisions of the GDPR, you can exercise your rights on your personal data and decide on their fate :
However, this right is not absolute. When using our services, an evidence file is created containing all the data used to validate the digital identity. This file cannot be modified, completed or updated for auditing purposes and for preservation in case of legal disputes.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
If, after having contacted us, you feel that your rights regarding your personal data are still not respected, you can send a complaint to the CNIL at the following address : https://www.cnil.fr/fr/plaintes
Or, you can send them a letter at :
Commission Nationale de l’Informatique et des Libertés (CNIL)
3 Place de Fontenoy,
75334 PARIS CEDEX 07