Legal Notices

Xperix GDPR Compliance Statement

Xperix ("we") is committed to ensuring the security and protection of the personal information we process, complying with regulations on data protection, and providing a compliant and consistent approach to data protection.

We have written this GDPR Compliance Statement to explain our approach to implementing a GDPR compliance program. We explain the implementation of our roles, policies, procedures, controls, and measures for protecting data to ensure continued GDPR compliance.

The scanner products developed and sold by us do not fall under the personal information processing system mentioned in this Statement.


What is the GDPR?

The EU General Data Protection Regulation (Regulation 2016/679) (EU GDPR) went into effect on May 25, 2018 to harmonize data protection regulations throughout the European Union and to provide greater protection and rights to individuals. The GDPR applies to any organization operating within the EU, as well as to any organization outside the EU that offers goods or services to customers or businesses in the EU.


Data Protection Principles

We, at Xperix, consider the privacy and security of individuals and personal data to be very important.
The principles stated below provide a summary of the basic rules that we follow when processing personal data:

  • We process personal data lawfully, fairly and in a transparent manner.
  • We collect personal data only for specified, explicit and legitimate purposes.
  • We collect and keep personal data only to the extent it is necessary in relation to the purposes for which they are processed.
  • We ensure that the personal data we store is up-to-date and accurate.
  • We merely produce the technology that enables customers to process personal data. We are neither a controller nor a processor under the GDPR. When a customer processes personal data using Xperix’s access control products, the customer is a controller under the GDPR and is subject to the obligations set out in the GDPR, if the customer falls within the territorial ambit of the GDPR.
  • To the extent possible, we implement appropriate technical measures in our products to help our customers comply with the GDPR.

Rights of Data Subjects under the GDPR

This section does not apply to an individual who is registered and managed by a customer using our products. The customer shall handle such requests in accordance with its own policy, independently of us.
In regard to the personal data in our custody or control, an individual may request the following information from the Company:

  • Personal data that we retain regarding individuals
  • Categories of personal data that we collect from individuals
  • Purpose of individual personal data collection and processing
  • How long personal data will be retained
  • The procedure to rectify or complete incomplete or inaccurate personal data
  • The procedure to request deletion of personal data, or to restrict processing of personal data and reject the Company's direct marketing under the Data Protection Regulations, where applicable
  • Information regarding all automated decision making that we use

GDPR Compliance Plan

To comply with the GDPR, we have taken, and will take, the following steps:

  • We have performed an analysis of the personal information collected by our solutions;
  • We have established procedures and policies to restrict the processing of personal information;
  • We have updated our data infringement and incident response procedures;
  • We have updated our data protection policy, data retention policy, information security policy, cookies policy, and privacy policy; and
  • We have reviewed all processing activities to identify the legal bases for the processing of personal data, and have ensured that each basis is appropriate for the activity involved.

Protective Measures under the GDPR

Xperix considers the privacy and security of individuals and personal information to be very important, and takes all reasonable and precautionary measures to protect the personal data we process.
In order to protect personal information from unauthorized access, alteration, disclosure or destruction, we have the following information security policies and procedures as well as several layers of security measures:

  • Risk Management: We evaluate and manage the risks associated with services as part of our risk management process. The risk management process is included in our regulations.
  • Information Security Management: We maintain an Information Security Management System (ISMS) consistent with good industry practices. It includes security policies, organizations, processes and controls that meet the compliance and security requirements we have identified.
  • Personal Security: We have implemented a process for hiring, retaining and terminating contracts with individual employees. We have implemented background checks, ongoing security awareness, and physical and logical access management, and we identify and address risks, perform other security activities for each role, and comply with all legal requirements and restrictions.
  • Asset Management: We process customer data in accordance with contracts, terms and conditions, privacy policies, and related service documents. We manage the IT resources involved in the provision of our services according to our internal classifications and processes. When data or assets are set to be deleted and disposed of, we follow the established processes to ensure that equipment and storage media are properly removed prior to physical disposal.
  • Access Management: Our personal data processing system is protected using network and logical-level security solutions. We provide the processed personal information necessary for sales and technical support, inquiries, etc., through our website, and use an industry-standard cloud service or SaaS. The personal data processing system can be accessed only by the staff in charge to whom the authority has been separately granted.
  • Encryption: All network traffic of our personal data processing system is encrypted in transit, and all personal data is stored encrypted. In addition, encryption in the cloud service or SaaS used by us is subject to the policy of the service provider. Supplier information can be found in our privacy policy, which is available on our website.
  • Development Security: Our products and services are developed according to our R&D development process. The development process includes step-by-step security requirements and procedures, including analysis, development, implementation, testing, and deployment.
  • Physical Security: Our personal data processing system uses an industry-standard cloud service or SaaS. The cloud service or SaaS provider defines and maintains physical and environmental controls over the production environment. The provider has warranty reports and security certifications that cover such controls. Supplier information can be found in our privacy policy, which is available on our website.
  • Operational Security: We follow good industry practices, such as applicable automation, as well as the provider’s recommendations to configure cloud environments that can be used securely by our personal data processing system. We also use automated and manual activities to keep our software up-to-date and address reported vulnerabilities.
  • Vulnerability Management: We use several methods to identify potential vulnerabilities, such as vulnerability scanning, security testing, diagnostics of source codes, and threat intelligence. The reported vulnerabilities are assessed and addressed using defined processes and activities. We provide a responsible public channel for security administrators to report issues they discover.
  • Security Testing and Auditing: We carry out security checks in accordance with our internal procedures for products and services, conduct a security audit regularly, and manage the results with internal confidentiality.
  • Security Event Management: We monitor the environment of the personal data processing system to identify events and incidents affecting our services and data. Security events that become issues are managed in accordance with the operating processes of the management division and the security division.
  • Business Continuity and Backup: We back up and regularly test customer data to ensure that our recovery point objective (RPO) and recovery time objective (RTO) are met in accordance with our internal regulations.
  • Endpoint Security: We scan and monitor for malware activities in our employees' work environment to detect malicious programs and files. We also have the ability to filter and block spam emails and fraudulent emails.

International Data Transfer

We may collect the personal data necessary to conduct business activities such as sales, technical support, and inquiries. The collected personal information is stored and used in an industry-standard cloud service or SaaS. We inform our service providers through our Privacy Policy, and when we collect the personal data of users, we notify and obtain consent from the data subject. We do not have access to any products, or to the data stored in them, of customers who use Xperix products.


If you have any questions about the GDPR, please contact us.

If you have any questions about this GDPR Compliance Statement or our privacy policy, please contact us at:

  • Email: marketing@xperix.com

Release Date: 2023.6.15


GDPR Compliance - Questions & Answers

Q. What is the GDPR?
A. The EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) went into effect on May 25, 2018 to harmonize data protection regulations throughout the European Union and to provide greater protection and rights to individuals. The GDPR applies to any organization operating within the EU, as well as to any organization outside the EU that offers goods or services to customers or businesses in the EU.
Q. Is Xperix GDPR-compliant?
A. Xperix complies with the General Data Protection Regulation (Regulation 2016/679) (“GDPR”).
Q. What is the role of Xperix under the GDPR?
A. Xperix may collect the personal data necessary to conduct activities such as sales, technical support, and inquiries. In cases such as this, Xperix is a controller under the GDPR, and manages personal data safely by applying legitimate consent and appropriate protective measures. You can find our policy for processing personal data in the Privacy Policy on our website.
  • Xperix manufactures and sells scanner products.
  • Xperix is not the processor under the GDPR in its relationship with customers who use Xperix scanner products.
  • Xperix provides the functions and technology to enable customers to use its scanner products smartly, in compliance with the GDPR.
  • Xperix cannot access the products and data used by its customers, and the data of its customers is stored in their local systems. This means that data is not stored on Xperix's system.
Q. What is the role of the users who use Xperix products?
A. Customers who use Xperix products have all the rights and responsibilities for product installation and operation, data processing and such, and are controllers under the GDPR.
Customers are in charge of any measures necessary for data processing, such as registering and using user information, when using Xperix products. Where the GDPR applies to customers, they shall carefully evaluate and satisfy themselves that they have a lawful basis for processing their end-users’ personal data in light of the purposes they are seeking to achieve, and shall implement appropriate measures for data security, in order to ensure and prove that data processing is performed in compliance with GDPR requirements. Such requirements relate to principles such as legitimacy, fairness and transparency, accuracy, purpose restriction, data minimization, storage restriction, integrity and confidentiality. They also relate to the exercise of an individual's rights regarding personal data.
Customers shall determine whether our product is one which can handle personal information safely (including assessing the impact of personal information, etc.), and operate the system safely using the protection functions that we provide.
Q. What is the relationship between Xperix and the product users?
A. The relationship between Xperix and the customers who use Xperix products is that between a product seller and buyer.
  • Xperix and its customers are not in a controller-processor relationship under the GDPR.
  • Xperix does not have access to the product or the data stored in the product after the customer installs the product and does not participate in data management.
  • Xperix cannot influence the personal information or data held by the customer.
Q. Does Xperix access the Xperix product user's system or manage the user’s data?
A. Xperix does not have any access to the product the customer is using, and does not collect or process any customer data.
Q. What personal data is processed by Xperix products?
A. As scanner devices, Xperix products can process the following personal information, depending on the function:
  • Fingerprint scanner: Fingerprint, fingerprint template
  • ID scanner: Passport information, resident registration card, name on the driver's license, resident registration number, driver's license number, address, etc.
Xperix scanner devices without a storage function transmit the scanned information to the system the customer connects to, where it is stored. It is not stored on the device.
However, fingerprint templates are stored on the devices with a storage function, such as the Biomini Slim 2S and Biomini Slim 3.
Q. What sensitive information is processed by Xperix products?
A. Fingerprints are sensitive information when used to identify individuals using Xperix's fingerprint scanner product.
After the fingerprint scanner recognizes the fingerprint, the fingerprint template is transmitted to the system connected by the customer for storage or, for a device with a storage function, is safely encrypted and stored on the device.
Q. What protection measures are applied to Xperix products to protect personal data?
A. When data is stored on Xperix scanner products with a storage function, an encryption algorithm (AES-256) whose safety has been verified is used.
If data is stored on a system connected by the customer, the customer must secure the system according to the customer's own policies. It is recommended that safety measures be implemented for these systems, such as access restrictions, access rights, password complexity, and MFA.