Measuring the rate of mask wearing in Transport

The purpose of this personal data protection policy (the "Policy") is to describe, in a clear and concise manner, the way in which Datakalab ("Datakalab", "we", "us") is likely to process, on behalf of a Data Controller, your image in the context of the implementation of the device for measuring the rate of wearing of respiratory protection masks in transport (the "Device").
The Device is subject, in particular, to the French Data Protection Act of 6 January 1978 in its latest version, to the General Data Protection Regulation ("GDPR") and to the notices and recommendations of the CNIL relating thereto (together, the "Applicable Regulations").
Capitalized terms in the Policy have the meanings expressly defined therein or ascribed to them by the Applicable Regulations.

1. Datakalab - Who are we?

Datakalab is a simplified joint stock company, with its head office at 7 Passage du PuitsBertin - 92110 CLICHY, registered with the Nanterre RCS registered under number 818 830 275. (more information https://www.datakalab.com and legal notice).
Datakalab is a French Artificial Intelligence start-up that has, among other things, developed a technology capable of detecting the wearing of respiratory protection masks, based on a video stream, in order to support the decontamination and collective health security effort, with the aim of helping to contain the spread of the Covid-19 virus.
Datakalab has appointed a Data Protection Officer (DPO), Mr. Lucas Fischer, who may be contacted for any questions relating to the Device and the Policy, as well as for the exercise of your rights as set forth in Article 9.
Mr Lucas Fischer, DPO Datakalab - email: moc.balakatad%40olleh

2. On what occasions is your image processed?

If you pass by a Device, your image may be processed by the Device in order to compile statistics on the number of people wearing or not wearing a respiratory protection mask.
The Device is implemented in accordance with Decree No. 2021-269 of 10 March 2021, which regulates the installation of the Device in vehicles or spaces accessible to the public and used for public passenger transport.
An information board is displayed at any location where the Device is deployed to inform you, in a visible and clear manner, of its existence and of the limitation of your rights.

3. The personal data we process

Datakalab takes into account the principles of minimisation and data protection from the design of projects and by default (privacy by design and privacy by default). Consequently, only relevant, adequate and limited information is collected in relation to the purposes for which it is processed.
For this reason, only your image is processed within the framework of the Device, to the exclusion of any other personal data.
Your image is anonymised at very short notice: that is, it is transformed in real time into a completely anonymous (non-identifying) data line. This data is stored and aggregated as it happens on the local computer's RAM before being sent to Datakalab's secure servers.
This strict process of image anonymisation and data aggregation makes it impossible to identify you directly or indirectly.

4. Purpose of the processing

The sole purpose of the Device is to determine the number of people passing in front of the camera and, among them, the percentage of people wearing masks, in public transport and in spaces dedicated to these services.
These statistics are intended to be used by the Data Controller in order to:
● improve transparency on the percentage of mask use in transport by reporting on aggregate mask use rates;
● allow the broadcasting of announcements in places where an insufficient average rate of mask wearing is observed;
● redeploying information officers to raise awareness of users' obligations in places where the average rate of mask wearing is insufficient.
The legal basis for the Processing is the public interest, defined in Article 6.1.e) of the GDPR as "(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;".
The interest is manifestly valid in regard of the law, it is determined in a sufficiently clear and precise manner and, finally, it is real and present for the organisation concerned, and not fictitious.
Datakalab has taken care to develop a Device that is the least intrusive possible, so that the Processing does not infringe the rights and interests of the persons whose data is processed and that sufficiently strong guarantees are implemented to ensure this.
For more information, please refer to the privacy policy of the Data Controller.

5. Data retention period

Your image is not kept by Datakalab or by the Data Controller, it is only processed "on the fly" and anonymised in less than a second (a few milliseconds), then aggregated at the level of the local computer.
Aggregated anonymised data is stored on servers for as long as it is needed and then deleted. This data is not personal data (i.e. data that can be used to identify individuals directly or indirectly).

6. Persons having access to the data

Your image captured by the Device is processed in real time by algorithms on a local computer and is not stored. Consequently, neither Datakalab nor any other person has access to your image.
Only anonymised (non-identifying) and aggregated (every twenty minutes) data are accessible to Datakalab and the Data Controller, in accordance with the provisions of Article 8 of the Policy.
The Data Controller may decide to communicate publicly on the statistical data resulting from the Device, as part of its transparency and public information efforts. Reference is made to the Data Controller's confidentiality policy.

7. Data security

Datakalab applies strict confidentiality measures to prevent data from being distorted, damaged, destroyed or disclosed to unauthorised third parties.
As mentioned above, your image is anonymised via 'on-the-fly' processing on the local computer RAM in real time. The anonymised data is aggregated as it goes along, to avoid any risk of individualisation.
In accordance with the Applicable Regulation, Datakalab has conducted a Privacy Impact Assessment (PIA) to ensure that the measures it puts in place are sufficient and appropriate.

8. Responsibility for data processing

In the context of the Scheme, Datakalab shall act as a Subcontractor.
In accordance with Article 28 of the RGPD, Datakalab acts on the specific instructions and under the control of the Data Controller.
The Data Controller will directly provide all the information required by the Applicable Regulations.

9. The rights you have

9.1. LIST OF YOUR RIGHTS
Subject to the conditions set out in the Applicable Regulations and the information provided by the Controller, you have the following rights with respect to your Personal Data:
● Right to information about the processing of your Personal Data
The Device is systematically displayed by the Data Controller, informing you in clear and simple terms:- The identity of the Controller(s);- From the Treatment in place ;- Limitation of your rights.
● Right of access, rectification and erasure ("right to be forgotten") and right tolimit processing
The exercise of these rights requires the possibility to identify the Data Subject in order to communicate the Personal Data to you, to erase them, to limit their use or to rectify them.
However, in the case of the Device, the Data is anonymised at very short notice (less than one second), the exploitation of the Data does not, by nature, allow the identification of the Data Subjects. These rights are therefore not applicable to the Processing.
● Right to object
Pursuant to Decree No. 2021-269 of 10 March 2021 on the use of intelligent video to measure the rate of mask wearing in transport, which can be accessed here, the right to object is not applicable in the context of the Device.
The possibility of limiting the right to object by regulatory measure is expressly provided for in Article 23 of the RGPD and Article 56 of the "Informatique et Libertés" law.
● Right to lodge a complaint with a supervisory authority
If, despite the efforts of the Data Controller and Datakalab to preserve the confidentiality of your data and protect your privacy, you feel that your rights have not been respected, you have the right to lodge a complaint with a Supervisory Authority.
A list of Supervisory Authorities is available on the European Commission's website. The French supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).

9.2. EXERCISING YOUR RIGHTS
To exercise your rights or to ask any questions about the Device, you should first contact the Data Controller. 
If you have any questions about Datakalab's activities, you can contact Datakalab's DPO, either electronically or by post, by sending a letter specifying your identity and the purpose of your request to Mr Lucas Fischer, DPO Datakalab:- By email: moc.balakatad%40olleh- By post: 114 boulevard Malesherbes, 75017 Paris
Datakalab undertakes to reply as soon as possible, and at the latest within one month of receiving your request.
If necessary, this period may be extended by two months, taking into account the complexity and number of requests sent to Datakalab. In this case, you will be informed of the extension and the reasons for the postponement.
If your application is submitted electronically, the information will also be provided to you electronically where possible, unless you expressly request otherwise.
If Datakalab does not comply with your request, it will inform you of the reasons for its inaction and you will be given the opportunity to lodge a complaint with a Supervisory Authority and/or to seek legal redress.

10. Transfer outside the European-Union

No data is transferred outside the European Union. Personal Data is anonymised within a short period of time and stored on servers located in the European Union.

11. Changes to the privacy policy

The Controller and Datakalab may change the Processing, within the limits of compliance with the Applicable Regulations, and Datakalab undertakes to update this Privacy Policy accordingly.

12. Applicable law and dispute resolution

This Policy is subject to French law. In the event of a dispute and in the event that an amicable agreement cannot be reached, the competent court will be the one determined according to the applicable rules of procedure.