Letter of Informed Consent
concerning the participation as a volunteer in the iBorderCtrl project
I. Information Sheet
You have been approached to participate as a volunteer in the European research project called iBorderCtrl. iBorderCtrl is an innovative project that aims to enable faster and thorough border control for travellers crossing the land borders of EU Member States with technologies that adopt the future development of the Schengen Border Management, including software and hardware technologies. iBorderCtrl is made of thirteen partners working in H2020 EU-funded project whose profiles can be accessed from the project website: www.iborderctrl.eu. The project is coordinated by European Dynamics Luxembourg SA.The data obtained from you, the participant, will be processed and further analysed for research within the iBorderCtrl project. The details as to how your data will be processed will be outlined below. Please read the following information carefully. After you have carefully read this information sheet, please feel free to ask additional questions in case you have not entirely understood this information sheet as well as if you have further questions regarding the iBorderCtrl project. By clicking the button before registering on the following pages, you provide your valid informed consent as required by Art. 6 (1) lit. a GDPR for the data collection and processing of your data for the purposes outlined below. Please note that your participation is entirely voluntary. If you do not want to participate, you may decline or withdraw your consent at any time without any negative consequences for you. Below you will find more information about the iBorderCtrl project and how the data obtained from you will be protected, including all measures that are being taken to protect your privacy that will enable your informed opinion before deciding.Again, if any points remain unclear, please do not hesitate to ask an iBorderCtrl representative before giving your consent. Should you have any further questions at a later stage, you may also contact firstname.lastname@example.org.
1. Data Controller
The iBorderCtrl system is being developed by various partners of the iBorderCtrl consortium, which will act as joint controllers in accordance with Art. 26 GDPR. These institutions are:
- European Dynamics Luxembourg SA, 12, Jean Engling str. L-1466, Luxembourg. responsible for maintaining and developing the Traveller User Application and Interface, the iBorderCtrl backend system that includes the iBorderCtrl central database, the Document Authenticity Analytics Tool (DAAT), the Risk Based Assessment Tool (RBAT).
- Manchester Metropolitan University, All Saints Building, All Saints, Manchester, M15 6BH, United Kingdom. This party is responsible for maintaining and developing the ADDS system.
- Stremble Ventures Ltd, Christaki Kranou 59, Limassol 4042, Cyprus. This party is responsible for maintaining and developing the Analytics Tool (BCAT), and the ELSI component that realises the connection of the iBorderCtrl system to external databases and the social media (Twitter).
- Everis Aeroespacial y Defensa SL, Avenida de Manoteras, 52, 28050 Madrid, Spain. This party is responsible for maintaining and developing the FMT and BIO (fingerprints) component.
- BioSec Group Ltd., Petzvál József street 37, 1119 Budapest, Hungary. This party is responsible for maintaining and developing the BIO/palm vein component, that makes the matching between a scanned palm vein and a library created and kept by the company
- JAS technologie sp z o.o. (Ltd), Modularna 3A, 02-238 Warsaw, Poland. This party is responsible for the maintaining and developing the Border Guard User Application and Interface, supported by a Portable Unit that integrates all H/W components (scanners, biometric sensors), and the Border Guard backend system that includes the local instances of the iBorderCtrl database.
- Institute of Communication and Computer Systems (ICCS), Patission Str. 42, 10682 Athens, Greece. This party is responsible for maintaining and developing the Hidden Human Detection Tool (HHD).
For exercising your rights as data subject (as further explained in 9.), please contact European Dynamics via email@example.com .
2. Data Protection Officer
If you have any complaints regarding data protection, you can contact the project’s data protection officer:
Pol. Major Zoltán Székely,
3. Aims and scope of the iBorderCtrl project
- Significantly increase the efficiency and security in terms of traveller throughput and fewer illegal crossings respectively.
- Reduced time at the border by utilising the portable traveller devices and portable units.
- Utilise a pre-registration step to better inform travellers of their rights, the travel procedures, data collected and analysed as per EU and national legal requirements.
- Reduce the subjective control and workload of human agents.
- Increase the objective control with automated means that are non-invasive and do not add to the time the traveller has to spend at the border.
- Create a fifth tier for the four-tier access control model of the Integrated Border Management System involving bona fide travellers and regular travellers into a Schengen-wide frequent traveller programme.iBorderCtrl consists of two stages. The first stage covers registration before travelling. The second stage covers the actual control procedure at the border crossing. Please find an overview of the workflow of the iBorderCtrl system below. Note that not all information mentioned in the following must be provided by volunteers. Some of the information will be anonymised data or randomly generated data, in order to train the iBorderCtrl system and its software modules. Personal data of the participants will be only used where required to properly test the functionalities of the iBorderCtrl system.
iBorderCtrl consists of two stages. The first stage covers registration before travelling. The second stage covers the actual control procedure at the border crossing. Please find an overview of the workflow of the iBorderCtrl system below. Note that not all information mentioned in the following must be provided by volunteers. Some of the information will be anonymised data or randomly generated data, in order to train the iBorderCtrl system and its software modules. Personal data of the participants will be only used where required to properly test the functionalities of the iBorderCtrl system.
a) Pre-Travel (First Stage)
The Pre-Travel Stage is designed to gather information regarding the participant (hereafter referred to as traveller) through the Traveller User Application (TUA). This application will enable the travellers to enter and update their personal information, upload travel-related documents (such as VISA, passport), travel information (hotel reservation, vehicles data, etc.) and undertake an avatar interview. The traveller may initiate the registration phase by accessing the iBorderCtrl web-application through his/her desktop computer and laptop or through his/her smartphone by downloading the iBorderCtrl mobile application. First-time visitors to the application (web or mobile) must create a new user account by providing some initial required information such as name, surname, gender, username, password, etc. The TUA will verify that all mandatory information has been provided, and if successful, will send an email to the traveller with a link for activation/verification of the requested account and a link for the cancelation of account on request. TUA will store the provided information in the iBorderCtrl database. If the traveller decides not to activate the account, TUA will revoke the whole procedure and will delete all information stored in the database after 24 hours. If the traveller decides to activate the account, TUA will activate the relevant user account and will display the login screen for the subsequent login after providing the required credentials. Subsequent logins could be used to register a new trip. Following this procedure, the traveller is requested:
- to fill in travel-related information for every country he/she will visit (i.e. the length of stay, the purpose of the trip, expected date of arrival at the borders etc.).
- to declare the travel document/s (passport or ID, visa, residence permit) he/she is going to use in each country and to enter respective information about these travel documents.
- to follow the instructions to upload scanned copies or take a photo snapshot of the above-registered travel documents using the camera of his/her mobile phone/ tablet/laptop / PC.
- to declare, if he/she is going to use a private vehicle during the trip and enter related information (i.e. license plate, ownership, driver license number etc.).
- to follow the instructions to upload scanned copies or take a snapshot photo of the driver’s licence using the camera of his/her mobile phone/ tablet/laptop / PC.
TUA will verify that the traveller has entered all the mandatory information, check the authenticity of the uploaded travel documents and will store all information in the iBorderCtrl database. As a next step, the traveller will go through an interview with a virtual border agent (avatar) conducted by the Automatic Deception Detection System (ADDS). The avatar is an artificial figure which represents a border guard. During the avatar interview, a set of traveller and travel related questions will be asked. Such questions are the same questions an actual border guard may ask travellers in a real-life border crossing scenario. The avatar interview is designed to detect false answers as it observes non-verbal behaviour. This means that the traveller will be filmed using his/her video camera while computer software observes facial (micro) gestures of the participant to detect deceptive behaviour. In the following step, a face matching will be conducted in which the traveller’s passport photo will be compared to a short video sequence of the traveller that was gathered during the avatar interview. Please note that the pre-travel registration intends to involve checks against some law enforcement databases such as the VIS, SIS II etc., as well as publicly available information of the traveller from socia media (twitter) to verify the information he/she provided as well as whether the traveller poses any public security risks. Note that for the purpose of the test pilots, the system will not be connected to any law enforcement databases. Instead, randomly generated data which follows the same structure will be used. This ensures that the participation in the test pilots cannot lead to any negative consequences, such as entries in real law enforcement databases. However, data of participants might be used in these dummy-databases to allow testing the proper functioning of the system. Based on such database entries, the documents, the traveller has provided, the answers he/she has given in the avatar interview, the outcome of the face matching procedure and his/her gestures that occurred during the interview a risk classification for the particular travel will be calculated by the Risk Assessment Software Tool (RBAT). This risk assessment result will not be released to the traveller. The risk assessment includes profiling and supports the decision-making of the border guard. Once the avatar interview is completed, TUA will generate a QR code which includes the traveller user and travel ID. The generated QR code will also be sent via email to the traveller and as well, displayed on the screen of the traveller’s mobile phone/ tablet/laptop / PC. The traveller will need to download the QR code to be presented at the border when crossing and it will serve as a personal identification to facilitate the actual border check (Second Stage). Please note that throughout the pre-registration procedure, the traveller can revoke the whole procedure and withdraw his/her consent. In this case, TUA will immediately delete all information stored in the iBorderCtrl database.
b) Border Crossing (Second Stage)
Travellers arriving at the border crossing point shall be asked to provide their QR code, which has been generated during pre-travel registration, as well as all travel documents that are relevant for the border crossing. Travellers must present their QR codes and the border guard will, by scanning the QR code via a portable unit, access traveller’s personal information gathered during pre-travel registration, as well as the risk assessment score. The border guard will then validate the authenticity of the travel documents using a portable scanning device. After that, he will validate vehicle information (e.g. registration, plate number etc.) and proceed to match the fingerprint reference with the traveller. Provided that the fingerprints match, travellers can move on to have their vehicle searched for hidden humans. Further biometric validation will be performed if the fingerprints don’t match or if travellers’ behaviour and/or information provided has led the border guard to suspect that they have given false information about their identity. This includes the use of facial recognition and palm vein technologies. Through the facial recognition technology, the facial image of the traveller will be captured using a camera on the portable unit. The video sequence of the face image will then be compared with the photo stored on the traveller’s passport or visa and with the short video sequence of the traveller that was gathered during the avatar interview at the pre-registration phase. Furthermore, the border guard could use a portable palm vein reader, offer travellers to capture and store an image of their palm vein for future reference. Once the reference is stored, it may be used to validate the identity of the traveller in future trips. Border check would then move on to the hidden human detection (applicable only in the case where the traveller crosses the borders using his/her private car). All the information gathered will be analysed to provide an overall risk level to assist the border guard in deciding about the individual traveller. Whereupon the final decision regarding the traveller will be made and entered into the system by the border guard.
4. What type of data is collected?
During these two stages described above, personal information shall be collected. Such data can be categorised as follows: (1) Personal data such as name, surname, address, nationality, sex, vehicle registration, answers to the avatar interview questions, etc. and, (2) special categories of data such as biometric data - fingerprints, palm vein images, facial images and (facial) gestures. The data collected includes in particular:
- information on the travel (origin, destination, length of stay, contact information, hotel reservation, purpose of the trip, expected date of arrival, expected time of arrival, expected date of departure, means of travel to destination, information on who pays for the travel/stay, availability of a health insurance, prior refusals to enter the Schengen area as well as removals from the Schengen area),
- the countries to be crossed to reach the final destination,
- information on the travel documents (such as document number, country issuing the document, expiration date, issuing date, document issuing office),
- information on the visa (such as visa number, country issuing the visa, visa expiration date and visa issuing office),
- information on a resident permit (such as the residence permit number, country issuing the residence permit, residence permit expiration date),
- vehicle data (such as license plate, insurance policy, ownership, driver license number and issuing country) and
- a scanned copy or snapshot of travel-related documents.
Please note that wherever feasible, data will be anonymised or replaced with mock-up data for the testing of the systems. However, while data of the first category may be completely anonymised, the nature of biometric information makes it difficult to replace or anonymise them. Biometric information such as palm vein patterns, fingerprints, face photos will be only processed and no personal or event related information will be stored. More specifically, the palm vein sensor generates only an encrypted hash code (which is a sequence of numbers instead of, e.g. a scanner image) and as a result, no images or any other user related information will be stored in any part of the system. The fingerprints check module will compare the captured image from the traveller fingerprints and the sample (retrieved from external databases such as VIS or SIS II or the biometric information stored in travel documents) to provide a result and subsequently will delete all fingerprint-related information. The same also applies to the face matching module.
5. How will the data be used?
The purpose of obtaining and processing personal data from participants of the test pilots is to test and further improve the iBorderCtrl system including the various software subsystems and their algorithms. This aims at improving the accuracy and reliability of the software modules. Data gathered for this project will be stored to verify later whether software modules and the underlying algorithms have processed the data correctly. Personal data obtained on this consent form will only be stored to ensure legal compliance. But note that personal data provided for this research project will not be used for any other purpose such as to facilitate real border crossings or other law enforcement purposes.
6. What are the risks associated with data obtained?
Any processing of data entails a risk of breach of confidentiality (and in particular the possibility of identifying the data subject).
7. How will the risks associated with data obtained be mitigated and data protected?
The iBorderCtrl project is aware that data protection and the right to privacy are of high importance. The project, therefore, follows strict legal and ethical guidelines which are fully compliant with European data protection legislation. For the test pilots, the rules imposed by the General Data Protection Regulation (GDPR) will be applied. To avoid that any negative consequences arise for further travels, the iBorderCtrl test system is completely separated from any other systems used for border checks. In particular, it is not connected to any law enforcement database or system. To minimise the risk of breach of confidentiality, iBorderCtrl will take all appropriate technical and organisational measures according to the current state of technology to protect privacy and personal data. This applies in particular to biometric data you have provided in the course of the project. This also means that personal details will be obtained anonymously (identification of the data subject is not possible) or anonymised at a later stage, if possible. Access to the data you have provided in the course of the research project will be restricted only to partners of the iBorderCtrl project. For a partner list, please see: https://www.iborderctrl.eu/#Project-Participants. The project is coordinated by European Dynamics SA (12, Jean Engling str. L-1466 Luxembourg). To ensure that the data is processed and stored safely, the following IT-security measures are being implemented: Encryption is applied to all components whenever feasible, such as using “https” for the ADDS component, securing the radio network using 802.11 transmissions and authentication using WPA2-PSK AES, or physically securing transmission devices in lockable rooms or facilities. Further measures implemented are in line with European Dynamics’ (ED) corporate certified security services (ISO 27001), which apply to the main server which is hosted by ED, but also all other partners being involved in the development of the iBorderCtrl system. More specifically, data isolation techniques are being used, according to which information remains private within a system unless to be shared. Sub-systems will not share internal information with each other. Anonymity is achieved, as a QR-code is exchanged between sub-systems, thus concealing any personal user information from being exchanged, unless it is required to do so. Database encryption is assured through MySQL (embedded) Transparent Data Encryption.
8. How long will my personal data be stored?
All data obtained in the iBorderCtrl test pilots will be either anonymised or deleted with the end of the project on 31 August 2019.
9. Will data be transferred to third parties?
Data obtained in the test pilots might be shared among the partners of the iBorderCtrl consortium, which you can find here: https://www.iborderctrl.eu/#Project-Participants .
10. What rights do you as a participant in the test pilots have and what does your right of withdrawal include?
Concerning the personal data processed by the iBorderCtrl consortium, you have the following rights:
- Right to access according to Art. 15 GDPR
- Right to rectification according to Art. 16 GDPR
- Right to erasure (‘right to be forgotten’) according to Art. 17 para. 1 GDPR
- Right to restriction of processing according to Art. 18 GDPR
- Right to data portability according to Art. 20 GDPR and
- Right to object according to Art. 21 GDPR
You are also free to withdraw your consent to the processing of your data at any time without providing a reason for your decision. Your decision to withdraw your consent will not have any negative impact. In the case of withdrawal, personal data will be immediately deleted and no longer be processed by iBorderCtrl. Any data that could be reconnected to you will be deleted. Please note that personal information that was anonymised in the course of the project cannot identify you and therefore will not be deleted.
For withdrawal, please contact:
According to art. 77 GDPR, you also have the right to lodge a complaint with a supervisory authority in particular in the Member State of your habitual residence. These are, for instance:
- National Authority for Data Protection and Freedom of Information, H-1125 Budapest, Szilágyi Erzsébet fasor 22/C, www.naih.hu
- Data State Inspectorate of the Republic of Latvia, Blaumana Street 11/13-11, Riga, LV-1011, http://www.dvi.gov.lv
- Hellenic Data Protection authority, Kifissias 1-3, 115 23 Athens, http://www.dpa.gr/