Self Service Passport Control
This privacy statement explains how the Royal Netherlands Marechaussee processes your personal data if you choose to use self service passport control (SSPC). The SSPC system allows travellers to cross the border by using facial recognition. The General Data Protection Regulation (GDPR) applies to data processing in the SSPC system.
The Royal Netherlands Marechaussee is responsible for border control in the Netherlands. The Royal Netherlands Marechaussee carries out this task under the Ministry of Defence and under the authority of the Ministry of Justice and Security. The Ministry of Defence is the controller for the personal data processed during border control activities in the Netherlands.
What personal data do we process?
The Royal Netherlands Marechaussee processes the following data during automated passport control:
- Biometric personal data (passport photo from travel document and live photo of the face).
- Personal data from the travel document (full name, date and place of birth, nationality, sex, height, signature, document reference number, citizen service number (BSN) or similar personal number, country of issue, validity date).
How and on what legal basis do we obtain your personal data?
You will only provide your personal data to the Royal Netherlands Marechaussee in the SSPC eGates if you choose to do so voluntarily. If you do not wish to provide biometric personal data, you can choose to cross the border by going through manual border control without facial recognition. You will, however, still be required to provide the other personal data there.
If you choose to cross the border via SSPC, your personal data will be processed due to necessity for the fulfilment of a task of substantial public interest, namely carrying out border control as assigned to the Royal Netherlands Marechaussee in Section 4, subsection 1 under f of the Police Act 2012, Section 46, subsection 1 under a of the Aliens Act 2000 and Article 8 of the Schengen Borders Code.
What do we use your personal data for?
In SSPC, your personal data will be used for border control by means of facial recognition. An algorithm compares a live photo of your face to the photo in your travel document to verify your identity.
Your personal data are also used for all regular border control, as required by the Schengen Borders Code. This includes verifying the authenticity and validity of your travel document, as well as checking national and European police databases.
Your personal data will not be sold, leased or used for any other commercial purpose. Your personal data will not be shared with third parties, unless required or permitted by relevant legal requirements.
How and for how long do we store your personal data?
The Royal Netherlands Marechaussee has taken appropriate and organisational measures to protect personal data. We use an integrated security system made up of physical, informational and human security measures. The full set of security measures is detailed in the Defence Security Policy.
Your personal data will be stored for a maximum of 24 hours after you have crossed the border, after which they will be destroyed.
Your personal data will be stored for longer than 24 hours only when necessary to carry out criminal investigations or any other police tasks. In that case, the Police Data Act applies instead of the GDPR.
Only very rarely, personal data from SSPC will be kept for longer than 24 hours for the purpose of research to verify the correct and ethical functioning of the system's algorithm. This only concerns the personal data strictly necessary for such research. In addition, this data will remain subject to the security measures of the Defence Security Policy and the personal data will be destroyed as soon as possible.
Personal data in SSPC may be processed by the following organisations on behalf of the Royal Netherlands Marechaussee. Processing agreements have been concluded with these organisations, which oblige them to abide by the terms of the Royal Netherlands Marechaussee in accordance with this privacy statement.
- Schiphol Netherlands B.V. (processor)
- Vision-Box Soluçoes de Visao por Computador, S.A. (sub-processor and supplier)
What are your rights?
The Royal Netherlands Marechaussee wishes to make you fully aware of your rights regarding your personal data. Each traveller has the following rights:
Right of access/disclosure — You have the right to request copies of your personal data.
Right to rectification — You have the right to request changes to personal data that you consider to be inaccurate or incomplete.
Right to erasure — You have the right to request the erasure of your personal data. This request will only be granted if the personal data have been obtained unlawfully or improperly or if the retention period has expired.
Right to restriction of processing — You have the right to request the restriction of processing of your personal data. This request will only be granted if the personal data have been obtained unlawfully or improperly.
Right to object — You have the right to object against the processing of your personal data. This request will only be granted if the personal data have been obtained unlawfully or improperly.
Right to portability — You have the right to request our organisation to provide your personal data to another organisation.
If you have any questions about this privacy statement or about the processing of your personal data, or if you want to exercise the above-mentioned rights, please contact us through the website listed below or by post. The GDPR gives us a period of one month, which can be extended conditionally by another two months, to respond to your requests.
Netherlands Ministry of Defence
Royal Netherlands Marechaussee
PO Box 20701
2500 ES, The Hague, Netherlands
Complaints to the supervisory authority
If you wish to complain about the processing of your personal data, or if you believe that the Royal Netherlands Marechaussee has not handled a request with regard to this correctly, you can contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Dutch Data Protection Authority
PO Box 93374
2509 AJ, The Hague, Netherlands