1. Controller information
The European Border and Coast Guard Agency (Frontex), as an EU agency, is the data controller who collects and further processes personal data in accordance with the provisions of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (the “Data Protection Regulation”).
This Privacy Notice relates to the data processing activity that takes place during the pilot testing phase of the Quick Border Application from 15 to 18 April 2024 at the Schiphol Airport (the Netherlands).
Controller’s contact information:
● Address: European Square 6, 00-844 Warsaw, Poland
● E-mail: frontex@frontex.europa.eu
2. Data Protection Officer
If you have any query relating to processing of your data you may at any time consult Frontex Data Protection Officer (dataprotectionoffice@frontex.europa.eu).
3. Data collection and processing purposes
We collect your personal data directly from you, when you are the person using the Quick Border Application and filling out the border check-in questionnaire.
We may also collect your personal data indirectly, when you are a “co-traveller” and another person, authorized by you, fills out the border check-in questionnaire in the Quick Border Application on your behalf.
We process your personal data to test a mobile application - Quick Border Application - whose aim will ultimately be to facilitate cross-border flow of passengers arriving to the Schengen Area.
During the pilot testing phase of the Quick Border Application, we will process personal data of passengers arriving at the Schengen Area at the Schiphol Airport for the below listed specific purposes:
● to
confirm your identity using a biometric assessment (liveness check)
(legal basis: Article 10 par. 2 let. a of the Data Protection
Regulation - your explicit consent)
● to
provide you with an electronic service in the form of the Quick Border
Application
(legal basis: Article 5 par. 1 let. c of the Data Protection
Regulation - the processing is necessary for the performance of a contract to
which you are a party)
● to perform automatic monitoring of user activity (such as performance of different modules in the Quick Border Application; for example, success rates for passport reading and liveness detection) and to prepare anonymised statistics for research purposes. The monitoring will be carried out with the use of a tool approved by the European Commission - Dynatrace (legal basis: Article 5 par. 1 let. d – your consent).
4. Third parties
Your personal data will be shared with the following recipients:
● Provider of hosting services which enables the functioning of the Quick Border Application - NetCompany Intrasoft.
● Providers of the biometric assessment services (liveness check) – InverID, Veriff and iProov.
5. Data transfers
With the exception in the following paragraph, your data will not be transferred outside the European Economic Area.
Authorised sub-processors (InverID and IProov) will process personal data in the UK. The UK is considered as providing adequate protection of personal data (Commission Implementing Decision (EU) 2021/1772).
6. Data subject rights
You, as a data subject, have the right to:
a) Access: You can request confirmation from us whether or not we are processing your personal data and information on purposes of processing, categories of personal data, the recipients of your personal data, the envisaged retention period, whether you can request rectification, erasure, restriction of processing or object to the processing of your personal data, the right to lodge a complaint with the European Data Protection Supervisor, the source of collection of data as well as whether there occurs automated decision-making, including profiling;
b) Rectify: You can request rectification of inaccurate personal data so that we possess the correct information about you;
c) Erase: In some circumstances, you can request that we erase your personal data that we collect and process, for example if your personal data is no longer necessary for achieving the purposes for which it is processed. You can delete your data from the Quick Border Application any time by deleting journey(s) from the Quick Border Application or removing the entire Quick Border Application from your mobile device. The data stored in Quick Border Application’s Backend are deleted after one (1) day since they are created;
d) Restrict: In some circumstances, you can request us to restrict the processing of your personal data, for example if you contest the accuracy of your personal data;
e) Data portability: In some circumstances, you can receive from us a copy of your personal data, that you have shared with us, in a structured, commonly used and machine-readable format so that you can use this information set for other purposes and, where technically feasible, to transmit those data to another controller. You may exercise this right by using “Export local data” function of the Quick Border Application under the “Settings” option and “Local data” submenu.;
f) Withdraw consent: When we process your data based on your consent, you can withdraw your consent at any time by deleting journey(s) from the Quick Border Application or removing the entire Quick Border Application from your mobile device. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal will result in immediate deletion of the data from your Quick Border Application, but the data stored in Quick Border Application’s Backend will be deleted in 24 hours.
g) Lodge a complaint: You can lodge a complaint with a supervisory authority - the European Data Protection Supervisor.
Automated decision-making or profiling will not take place during the pilot testing phase of the Quick Border Application.
7. Data retention
Your data is stored in your device until you delete them from the device or remove the Quick Border Application. Frontex will retain some data, e.g. travel itinerary information, Information whether you have: a reception certificate or an accommodation reservation, sufficient means of subsistence for the planned stay and medical insurance valid for the entire duration of the trip, a scanned picture of your passport, NFC chip reading of your passport and live facial image in the Quick Border Application’s Backend for no longer that one (1) day, and will delete them after this period.
8. Processed data categories
We will process the following data categories:
●
Mobile device ID,
● PIN code (user defined),
●
Travel itinerary information, such
as:
○
whether you are arriving in or
departing from the EU/Schengen Zone,
○
airport of arrival at the Schengen
Zone,
○
date of arrival or departure from the Schengen Zone,
●
Traveler information:
○
Information whether you possess a
visa / residence permit / you are
an EU national,
○
Information whether you have:
■
a reception certificate or an
accommodation reservation,
■
sufficient means of subsistence
for the planned stay,
■
medical insurance valid for the
entire duration of the trip,
○
A scanned picture of passport,
○
NFC chip reading of passport,
○
Passport information, including:
■
First name,
■
Middle name,
■ Last name,
■ Country issuing the passport,
■ Birthdate,
■ Country of birth,
■ Expiration date of the passport,
■ Nationality,
■ Passport number,
■ Sex,
■ Document type,
■ Document subtype,
■ Image of biographical page (VIS
Image),
○
Live facial image.
9. Final Provisions
The participation in the pilot project of the Quick Border Application and provision of personal data in it is voluntary. However, for the proper functioning of the Quick Border Application in a device provided by Frontex, you must set at least one pin code. If the app will be installed in your device you will need to set a pin code, use the password code that will be provided to you and use a direct link to download the app.