Suprema GDPR Compliance Statement

Suprema (hereinafter "the Company," or "We") is committed to ensuring the security and protection of personal information handled by the Company, to complying with the Data Protection Regulation, and to providing a consistent approach.

The Company has created this GDPR Compliance Statement to explain its approach to implementing the GDPR Compliance program. It explains the implementation of data protection roles, policies, procedures, controls and measures to consistently comply with GDPR.

The access control products that the Company develops and sells are not the personal information processing system referred to in this Statement.

What is GDPR?

The EU General Data Protection Regulation (Regulation 2016/679) ("GDPR") went into effect on May 25, 2018 to harmonize data protection regulations throughout the European Union and to provide greater protection and rights to individuals. GDPR applies to any organization operating within the EU, as well as any organization outside of the EU which offers goods or services to customers or businesses in the EU.

Principle of GDPR

We, at Suprema, recognize and respect the importance of protecting our customers’ personal data.

The principles stated below provide a summary of the basic rules that we follow when processing personal data:

  • We process personal data lawfully, fairly and in a transparent manner.
  • We collect personal data only for specified, explicit and legitimate purposes.
  • We collect and keep personal data only to the extent necessary in relation to the purposes for which it is processed.
  • We ensure that the personal data we store is up-to-date and accurate.
  • We merely produce the technology that enables customers to process personal data. We are neither a controller nor a processor under the GDPR. When a customer processes personal data using Suprema's access control products, the customer is a controller under GDPR and is subject to the obligations set out in the GDPR, if the customer falls within the territorial ambit of GDPR.
  • To the extent possible, we implement appropriate technical measures to our products to help our customers comply with GDPR.

Data Subject Rights under GDPR

In regard to the personal data in our custody or control, an individual may request the following information from the Company.
Note that this does not apply to individuals who are registered and managed by a customer using our products; the customer handles such requests in accordance with its own policy, independently of us.

  • Personal data that we retain regarding individuals.
  • Categories of Personal data that we collect from individuals.
  • Purpose of individual personal data collection and processing.
  • How long personal data will be retained.
  • The procedure to rectify or complete incomplete or inaccurate personal data.
  • The procedure to request deletion of personal data, to restrict processing of personal data, or to object to the Company's direct marketing under the Data Protection Regulations, where applicable.
  • Information regarding all automated decision making that we use.

GDPR Compliance Plan

The Company has performed, or will perform, the following steps in order to comply with GDPR.

  • We have performed an analysis of personal information collected through our system.
  • We have put a procedure and a policy in place to restrict personal information processing.
  • We have updated our procedure for handling data breaches and incidents.
  • We have updated our data protection policy, data retention policy, information security policy, cookie policy and personal information protection policy.
  • We have identified the legal basis for personal information processing by reviewing all processing activities, and confirmed whether each legal basis is appropriate for the related activity.

Protection Measures under GDPR

Suprema considers the privacy and security of individuals and personal information extraordinarily important, and takes all reasonable preventive measures to protect personal data handled by the Company.
The Company has the following policies and procedures for information security in place, and takes security measures on various layers in order to protect personal information from unauthorized access, modification, disclosure and destruction.

  • Risk Management. We evaluate and manage any service-related risks as part of our risk management process. The risk management process is included in the Company's rules.
  • Information Security Management. We maintain an Information Security Management System (ISMS) in line with industry best practices such as ISO 27001 and ISO 27701, which includes security policies, organization, processes and controls that satisfy the regulatory compliance and security requirements identified by us.
  • Individual Security. We implement hiring, employment and termination processes for the contracts of individual employees. We perform background investigations, continuous security awareness training, and physical and logical access management, identify and address risks, and carry out other security activities for each role, in line with the security requirements, legal requirements and restrictions applicable to that role.
  • Assets Management. We handle customer data in accordance with contracts, terms or privacy policies, including any relevant service documents. We manage IT resources involved in service provision in accordance with our internal classifications and processes.
    If any data or assets are to be deleted and disposed of, we follow an established process to erase them appropriately from devices and storage media before physical disposal.
  • Access Management. We protect our personal information processing system using network-level and logical-level security solutions. We collect and handle personal information necessary for performing tasks such as sales and technology support, A/S applications, purchase consultations, etc. through a website, and use an industry-standard cloud service or SaaS service for this. Only a separately authorized person in charge may access this personal information processing system.
  • Encryption. All network traffic over the Internet or through our products shall be transmitted encrypted, and all personal information shall be encrypted in transit. Encryption in the cloud service or SaaS service that we use shall comply with the policy of the service provider. The provider information is stated in the Privacy Policy on our website.
  • Physical Security. Our personal information processing system uses the infrastructure services and secure data center of a reliable provider in the industry.
    The infrastructure service provider defines, maintains and manages physical and environmental controls of the production environment. The provider retains assurance reports and security verifications related to such controls. The provider information is stated in the Privacy Policy on our website.
  • Operation Security. We follow industry best practices, such as automation and the provider's recommendations, that apply to building a secure cloud environment for the personal information processing system service. In addition, we keep the software in use up to date through automation and manual activities, and address any reported vulnerabilities.
  • Vulnerability Management. We identify potential vulnerabilities using various methods such as vulnerability scanning, security tests, source code analyzers and threat intelligence. We evaluate and resolve any reported vulnerabilities using defined processes and activities. We provide a responsible disclosure channel through which security researchers may report any problems they find.
  • Security Testing and Audits. We cooperate with a third-party security service company to perform penetration tests on a regular basis. We manage test results and other findings using our vulnerability management processes and activities. All security test results are treated as confidential and internal.
  • Security Event Management. We identify events and incidents which affect services and data by monitoring the personal information processing environment. Security events are managed by the security department's operational process.
  • Business Continuity and Back-up. Customer data is backed up and tested on a regular basis so that our Recovery Point Objective (RPO) and Recovery Time Objective (RTO) can be satisfied, in accordance with our internal rules.
  • Endpoint Security. We inspect and monitor for malware in order to detect malicious programs and files in the employee working environment. In addition, we have a function in place to filter and block spam and phishing emails.

International Data Transfer

We may collect personal data necessary for performing tasks such as sales and technology support, A/S applications, purchase consultations, etc., either through a website or offline. Any personal information collected is stored and used in an industry-standard cloud service or SaaS service. We disclose the service provider in our Privacy Policy, and notify data subjects and obtain their consent when collecting personal data.
When using our products, the customer collects and/or uses personal data independently of us, and we do not have access to any Suprema products operated by a customer or to the data stored in them.

Items prepared in Suprema products to ensure the customer's compliance with GDPR

Our services and products are developed using an R&D process. The development process includes security requirements for each stage, such as analysis, design, implementation, testing, distribution, etc.
The access control products that we develop and sell are built so that the following measures are supported.

  • Encrypted Data Communication (TLS) - Communication between access control products uses AES-256 encrypted communication, and if stronger encryption is required, it uses TLS encrypted communication.
  • Storage of Encrypted Data - Our products encrypt personal and sensitive information before storing it. In addition, we delete all related information when such records are deleted.
  • Secure Tamper - Our products are designed to be installed in a dedicated bracket; if a product is forcibly detached without authorization, it detects this and provides a function to erase all information within the product.
  • Password Policy - Our products prompt you to set a password that meets a certain level of complexity, and you may set a policy requiring the password to be changed after a certain period of time.
  • Role-based Access Control - Our products provide authority management by subdividing privileges, so that managers may access only the minimum amount of information required.
  • Enhanced Verification - Our products can use multiple verification methods in combination, which prevents unauthorized credentials from being obtained and used.

If you have any questions regarding GDPR, please contact us.

If you have any questions regarding this GDPR Compliance Statement or our personal information protection, please contact:

Release Date: May 23, 2022

GDPR Compliance - Questions & Answers

  • What is GDPR?

    The EU General Data Protection Regulation (Regulation 2016/679) ("GDPR") went into effect on May 25, 2018 to harmonize data protection regulations throughout the European Union and to provide greater protection and rights to individuals. GDPR applies to any organization operating within the EU, as well as any organization outside of the EU which offers goods or services to customers or businesses in the EU.

  • Does Suprema comply with GDPR?

    Suprema complies with the General Data Protection Regulation (Regulation 2016/679) ("GDPR").

  • What is the role of Suprema under GDPR?

    Suprema may collect and handle personal information through a website to perform tasks such as sales and technical support, A/S applications, purchase consultations, etc. In this case, Suprema is a controller under GDPR and manages the personal information safely, with legitimate consent and appropriate protection measures.
    Suprema produces and sells products and solutions for access control. In its relationship with a customer who uses an access control product, Suprema is not a processor under GDPR. Suprema provides various functions and technologies so that the customer can carry out physical access control that complies with GDPR.
    Suprema cannot access any products or data that the customer uses; a customer's data is stored in the customer's local system. This also means that it is not stored in a Suprema system.

    However, when BioStar 2 Cloud is activated, it collects one manager's email address to verify the validity of the BioStar 2 Cloud subdomain information. For the privacy policy covering this, please refer to the BioStar 2 Cloud privacy policy: https://api.biostar2.com/v2/docs/#!/privacy_policy

    For the Airfob Portal linked for use with Mobile Access, please refer to the policies of Suprema's affiliates: https://www.airfob.com/legal-documents/privacy-policy-en

  • What is the role of a user who uses a Suprema product?

    Customers who use a Suprema product hold all authority and responsibility for product installation and operation, data processing and the like, and are a controller under GDPR.
    Customers are in charge of any measures necessary for handling data, such as registering user information and using it, when using a Suprema product.
    Where GDPR applies to customers, they shall evaluate carefully and satisfy themselves that they have a lawful basis for processing their end-users' personal data in light of the purposes they seek to achieve, and shall implement appropriate data security measures, in order to ensure and demonstrate that data processing is performed in compliance with GDPR requirements. Such requirements relate to principles such as lawfulness, fairness and transparency, accuracy, purpose limitation, data minimization, storage limitation, and integrity and confidentiality. They also relate to the exercise of individuals' rights regarding their personal data.
    Customers shall determine whether our product is suitable for handling personal information safely (including assessing the impact on personal information, etc.), and shall operate the system safely using the protection functions that we provide.
    We encourage the use of two or more authentication methods for safe access management of the product.

  • What is the relationship between Suprema and product users?

    Suprema and customers who use a Suprema product have the relationship of a seller and a buyer. Suprema and its customers do not have the relationship of a controller and a processor under GDPR.
    Once a product is installed by the customer, Suprema cannot access the product or any data stored in it and is not involved in data management. Suprema has no influence over the personal information that you retain.
    However, when BioStar 2 Cloud is activated, it collects one manager's email address to verify the validity of the BioStar 2 Cloud subdomain information. For the privacy policy covering this, please refer to the BioStar 2 Cloud privacy policy: https://api.biostar2.com/v2/docs/#!/privacy_policy
    For the Airfob Portal linked for use with Mobile Access, please refer to the policies of Suprema's affiliates: https://www.airfob.com/legal-documents/privacy-policy-en

  • Does Suprema access the systems of Suprema product users? Or does it manage data?

    Suprema cannot access any of the products used by a customer, and neither collects nor handles customer data.

  • What personal information does a Suprema product handle?

    A Suprema product may store IDs, names, passwords, PINs, card IDs, phone numbers, email addresses, profile pictures, fingerprint/face templates, access logs, image logs, etc., in order to function as an access control device. The personal information stored may differ depending on the product type or the information registered by the customer.
    However, when BioStar 2 Cloud is activated, it collects one manager's email address to verify the validity of the BioStar 2 Cloud subdomain information. For the privacy policy covering this, please refer to the BioStar 2 Cloud privacy policy: https://api.biostar2.com/v2/docs/#!/privacy_policy
    For the Airfob Portal linked for use with Mobile Access, please refer to the policies of Suprema's affiliates: https://www.airfob.com/legal-documents/privacy-policy-en

  • What sensitive information is handled by Suprema products?

    The facial authentication products store face templates, warped images (FaceStation F2) and last posture images (FaceStation 2, FaceLite), and the fingerprint recognition products store fingerprint templates. This information is essential for the functions of the product.

    In addition, Suprema models with a built-in camera can capture image logs on specific log events using the visible-light camera. The system manager uses these images afterward to identify what actually occurred on the scene based on the logs.

  • Which protection measures do Suprema products use to protect personal information?

    Suprema BioStar 2 software provides an option to keep the enckey file (the data encryption keys) in a secure storage location of the user's choice. Suprema products encrypt all personal and sensitive information before storing it and provide encrypted communication (HTTPS) during transmission. Encryption relies on verified algorithms (one-way encryption: SHA-256; two-way encryption: AES-256; TCP communication: TLS 1.2).
    In addition, the Secure Tamper function protects information against physical breaches. The products also provide functions such as access authority classification, audit logs, etc.

  • What is the password policy when accessing a Suprema product?

    With Suprema BioStar 2 software, you may set the complexity level of the log-in password and its change period. You may also set the allowable number of failed password attempts and password changes. The customer or system manager who uses the product shall set and manage access to the device menu.

  • Can a Suprema product provide role-based access control (RBAC)?

    Suprema BioStar 2 software supports settings that restrict access per software menu.

  • Can Suprema BioStar 2 set a storage period for event logs?

    Event logs record the time, event type, user ID, etc. of events that occurred on the device. This information can be viewed in BioStar 2 under the Monitoring menu after logging in.
    Suprema BioStar 2 software supports setting a storage period for event logs stored in the system database through the settings (Setting > Server > User/Device Management > AC event log storage duration).

    However, the system manager must delete logs stored on the device manually. The logs used to create BioStar 2 TA Reports do not support the storage period function.