Purpose of the processing
YRIS is an identity provider that allows you to create and use a digital identity.
The resulting treatment consists of 2 complementary operations:
- Verification of the user’s identity by means of partially automated controls, reviewed, completed and validated by a human operator;
- Management of the user’s identity life cycle (in particular management of user requests: support, revocation, etc.).
According to the CNIL, the categories of data collected in the context of the use of YRIS are the following:
- Marital status, Identity, Identification data, Images ► image of the identity document, videos of the identity document, information extracted from it and video challenge
- Login data ► email address and phone number
- Internet ►cookie consent and browsing data on this site only.
Mandatory nature of data collection: the collection of the first two categories of data is mandatory to create a YRIS identity. However, the collection of navigation data is not compulsory: the user can refuse the deposit of a cookie in his browser on his first visit to the site, used exclusively for audience measurement purposes.
Automated decision-making: provides the possibility of automated decision making, if the user so chooses.
The data processing concerns any user who wishes to create an YRIS digital identity.
Recipients of the data
The data is collected by the company ARIADNEXT, which acts here as a Data Controller in the sense of the General Data Protection Regulation (GDPR). In order to improve its machine learning and deep learning technologies, the first category of data mentioned above is exploited exclusively by the ARIADNEXT R&D team.
The storage of (fully anonymized) audience measurement data is provided by the company Google. Google acts as a subcontractor on behalf of ARIADNEXT and processes the data in accordance with ARIADNEXT guidelines. In this sense, we retain full rights to collect, access, store and delete your data at any time.
Duration of data retention
ARIADNEXT applies the RGPD’s retention period limitation principle to data processed in connection with the provision of the service:
- Information extracted from the identity document: 5 years, in accordance with the requirements of the European eIDAS regulation
- Email address and phone number: 5 years
- Title images and video challenge: 96 hours
- Consent cookie: 13 months, in accordance with French law
In accordance with the RGPD, ARIADNEXT and all subcontractors under its responsibility are bound by a security obligation. The following measures – non-exhaustive list – are therefore implemented:
- The protection (“encryption”) of your data exchanged between your browser and our services is provided by HTTPS
- Duplication of data so that it remains available in the event of a disaster
- ISO 27001:2017 security certification for the data center used by ARIADNEXT hosting users’ digital identity, as well as for the systems, applications, personnel, technology, processes and data centers on which Google Analytics relies.
Your rights concerning you
What the law says: You can access and obtain a copy of the data concerning you, object to the processing of this data, have it rectified or deleted. You also have the right to limit the processing of your data.
Exercising your rights: ARIADNEXT’s Data Protection Officer (DPO) is your contact for any request to exercise your rights regarding this processing.
- Contact the DPO electronically: firstname.lastname@example.org
- Contact the DPO by mail: ARIADNEXT DPO, 122 rue Robert Keller, 35510 Cesson-Sévigné, France
If you feel, after contacting us, that your rights regarding your data are not being respected, you may submit a complaint to the Commission Nationale de l’Informatique et des Libertés.