Suprema (hereinafter "the Company," or "We") is committed to ensuring the security and protection of personal information handled by the Company, to complying with the Data Protection Regulation, and to providing a consistent approach.
The Company has created this GDPR Compliance Statement to explain its approach to implementing the GDPR Compliance program. It explains the implementation of data protection roles, policies, procedures, controls and measures to consistently comply with GDPR.
The access control products that the Company develops and sells are not the personal information processing systems referred to in this Statement.
What is GDPR?
The EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) went into effect on May 25, 2018 to harmonize data protection regulations throughout the European Union and to provide greater protection and rights to individuals. GDPR applies to any organization operating within the EU, as well as to any organization outside the EU that offers goods or services to customers or businesses in the EU.
Principle of GDPR
We, at Suprema, recognize and respect the importance of protecting our customers’ personal data.
The principles stated below provide a summary of the basic rules that we follow when processing personal data:
Data Subject Rights under GDPR
In regard to the personal data in our custody or control, an individual may request the following information from the Company.
You should bear in mind that this does not apply to an individual who is registered and managed by the customer using our products. The customer shall handle it in accordance with its own policy independently of us.
GDPR Compliance Plan
The Company has performed, or will perform, the following steps in order to comply with GDPR.
Protection Measures under GDPR
Suprema considers the privacy and security of individuals and personal information extraordinarily important, and takes all reasonable preventive measures to protect personal data handled by the Company.
The Company has the following policies and procedures for information security in place, and takes security measures on various layers in order to protect personal information from unauthorized access, modification, disclosure and destruction.
International Data Transfer
We may collect personal data necessary for performing tasks such as sales and technology support, A/S applications, purchase consultations, etc., either through a website or offline. Any personal information collected is stored and used in an industry-standard cloud or SaaS service. We identify the service provider in the Privacy Policy, and we notify data subjects and obtain their consent when collecting personal data.
When using our products, the customer collects and/or uses personal data independently of us, and we do not have access to any Suprema products used by a customer or to the data the customer stores on them.
Items prepared in Suprema products to ensure the customer's compliance with GDPR
Our services and products are developed using an R&D process. The development process includes security requirements for each level, such as analysis, development, implementation, test, distribution, etc.
The access control products that we develop and sell are developed in such a way that the following measures are supported.
If you have any questions regarding GDPR, please contact us.
If you have any questions regarding this GDPR Compliance Statement or our personal information protection, please contact:
Release Date: May 31, 2022
Suprema complies with the General Data Protection Regulation (Regulation 2016/679) (“GDPR”).
Suprema may collect and handle personal information through a website to perform tasks such as sales and technical support, A/S applications, purchase consultations, etc. In this case, Suprema is a controller under GDPR and manages personal information safely with legitimate consent and appropriate protection measures.
Suprema produces and sells products and solutions for access control. In its relationship with a customer who uses an access control product, Suprema is not a processor under GDPR. Suprema provides various functions and technologies so that the customer can smartly carry out physical access control that complies with GDPR.
Suprema may not access any products or data that the customer uses, and a customer's data is stored in its local system. This also means that it is not stored in a Suprema system.
However, when BioStar 2 Cloud is activated, it collects one manager's email address to check the effectiveness of BioStar 2 Cloud Subdomain information. Regarding the privacy policy for this, please check the privacy policy of BioStar 2 Cloud. https://api.biostar2.com/v2/docs/#!/privacy_policy
For Airfob Portal linked to use Mobile Access, please check the policies of Suprema's affiliates. Link: https://www.airfob.com/legal-documents/privacy-policy-en
Customers who use a Suprema product have all authority and responsibility for product installation and operation, data processing and the like, and are controllers under GDPR.
Customers are in charge of any measures necessary for handling data, such as registering and using user information, when using a Suprema product.
When GDPR applies to customers, they shall evaluate carefully and satisfy themselves that they have a lawful basis for processing their end-users’ personal data in light of the purposes they are seeking to achieve, and shall implement appropriate data security measures, in order to ensure and prove that data processing is performed in compliance with GDPR requirements. These requirements relate to principles such as lawfulness, fairness and transparency, accuracy, purpose limitation, data minimization, storage limitation, and integrity and confidentiality. They also relate to the exercise of an individual's rights regarding personal data.
Customers shall determine whether our product is one which can handle personal information safely (including assessing the impact of personal information, etc.), and operate the system safely using the protection functions that we provide.
We encourage the use of two or more authentication methods for safe access management of the product.
Suprema and customers who use a Suprema product have the relationship of a seller and a buyer. They do not have the relationship of a controller and a processor under GDPR.
Suprema may not access any data stored in a product or the product after the product is installed by the customer and shall not be involved in data management. Suprema may not have any effect on the personal information that you retain.
Suprema may not access any of the products used by a customer, and shall neither collect nor handle the customer data.
A Suprema product may store IDs, names, passwords, PIN numbers, card IDs, phone numbers, emails, profile pictures, fingerprint/face templates, access logs, image logs, etc., to function as an access control device. Personal information may differ depending on the product type or the information registered by customers.
The face recognition products store face templates, warped images (FaceStation F2) and last posture images (FaceStation 2, FaceLite), and the fingerprint recognition products store fingerprint templates. This is essential information for using the functions of the product.
In addition, Suprema models with a built-in camera can capture image logs on specific log events using the visual camera. The system manager uses these afterward, together with the logs, to identify what actually occurred on the scene.
Suprema BioStar 2 software has an option that lets the user choose a secure storage location for the enckey file, which stores the data encryption keys. Suprema products encrypt all personal and sensitive information in storage and provide encrypted communication (HTTPS) during transmission. Encryption uses verified algorithms (one-way encryption: SHA-256; two-way encryption: AES-256; TCP communication: TLS 1.2).
In addition, the Secure Tamper function is applied to protect information from physical breaches. The products also provide various functions such as access authority classifications, audit logs, etc.
With Suprema BioStar 2 software, you may set the level of a log-in password and its change period. You may also set the allowable number of failed password attempts and password changes. The customer or a system manager who uses the product shall set and manage access to the device menu.
Suprema BioStar 2 software supports a setting that can restrict access by software menu.
Event logs record the time, event type, user ID, etc., of events that occurred on the device. This information can be viewed in BioStar 2 after log-in, under the monitoring menu.
Suprema BioStar 2 software supports setting a storage period for event logs stored in the system database. (Setting>Server>User/Device Management>AC event log storage duration)
However, the system manager shall delete logs stored in the device themselves. The log used for creating BioStar 2 TA Reports does not support the storage period function.