GDPR / DSGVO and TalkingID
Why is TalkingID doing everything right regarding the GDPR (General Data Protection Regulation) requirements?
First, some background
Data protection and the question of how to deal with personal data is a current and explosive issue, which has also led to a revision of the relevant legislation. Therefore, the previous regulation at EU level in the form of the "Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data" and also the Federal Data Protection Act (BDSG) in Germany will be replaced by the DSGVO & GDPR from May 25, 2018. And, by the way, GDPR is the German acronym for DSGVO.
Responsibility under data protection law in accordance with the DSGVO
The main responsibility for compliance with the requirements of data protection law lies with the person who "determines the purposes and means of the processing of personal data" (i.e. the so-called "controller" within the meaning of Art. 4 No. 7 DSGVO). The authority to decide on the "whether" and "how" of the specific use of our products lies with our B2B customers. For the data processing by our products, the customer (bank, financial institution, merchant) is therefore the responsible party in the sense of data protection law.
We expect our B2B customers to set up and use our products in a data protection-compliant manner. Whether the individual configuration carried out by the respective B2B customer and the specific use of our products satisfy the requirements of data protection law must be examined in light of the circumstances of the specific individual case. Our B2B customer is responsible for carrying out and documenting this check, as well as for all other data processing it carries out, and will seek legal advice if necessary.
This is how our solution works
Generally, SmartBiometrics' solution does not provide for voice recording of individuals. SmartBiometrics only stores the voice imprint of a voice recording with a key that is defined by the respective company and linked to the individual at the company.
Each voice imprint is an individual string of voice characteristics that cannot be traced back. This imprint is used exclusively for matching with voice imprints to be verified. In doing so, TalkingID always has total control over the security aspects on the server and in the TalkingID app, since it generates and manages all "keys" itself at all relevant key hierarchy levels (key hierarchy: master terminal, session and block keys). Without knowledge of the exact correlation algorithm of the voice, these "keys" are thus absolutely secure. Which of the information extracted from the spoken words is relevant for voice verification, and which is disregarded as irrelevant, is decided only after the features separated out by the TalkingID app have also been encrypted and transferred to the server on which the reference features are stored.
Here, using different methods of artificial intelligence, such as predication and imprinting, the decision about the speaker verification is made, and on this server the unification of "voice identification" and "voice verification" then also takes place. This verifies that the person speaking has given the correct voice signature, i.e. randomly used words (no password memorization required!), in a way that is typical of that person. To protect the voiceprints, they must never refer to the individual's name, but must have a token defined by the respective company (identification company, bank, merchant). Any personal data is stored by our B2B clients, who are subject to the GDPR just like SmartBiometrics. The B2B customer will also provide written consent for the storage and management of personal data.
Processing of personal data when using our products
Insofar as data collected and generated when using our products can be assigned to individual persons, this information is personal data. This may include, for example, the following categories of personal data:
- Biometric voice imprints
- Conversation IDs to voice imprints (SessionID)
- Logged voice activities (authentication attempts and results)
- Optional meta-data on voice imprints
The amount and type of data collected varies depending on the different requirements of different customers and the resulting individual customer configuration. As a result of the wide range of individual configuration and application options, it is not possible to make general statements about which specific personal data is affected and for which specific purposes our customers process this data using our products.