
SALT (Mobai et al.), exit report: Securing Digital Identities

What are the differences between primary and secondary processing in SALT?

Many different operations take place when a remote biometric verification is carried out through an eID using the SALT solution. A live image (facial image/selfie) of the user is captured through a mobile application on the user’s device. Before a biometric template is generated, “pre-processing” is performed on the image. This “pre-processing” consists of different operations, e.g. image quality check, presentation attack detection, deepfake detection and morphing attack detection. These operations are performed to make sure that the presented facial image is genuine.

When the facial image has passed the “pre-processing”, a protected template is created and matched with the reference template, resulting in a similarity score.

In the sandbox it has been discussed whether this set of operations could be deemed to be covered by the definition of “processing” in Article 4(2) GDPR. In this respect, it should be noted that Article 4(2) defines “processing” as:

What the operations mentioned above have in common is that they all relate to the execution of a single verification request. When assessing whether these operations qualify as a single processing under Article 4(2) GDPR, it is natural to look at the main purpose of the processing. In this case, the main purpose is to perform a remote identity verification.

The operations described as “pre-processing” are necessary in order to ensure that the facial image to be matched with the reference image is genuine. This is not specific to remote verification. When a verification is carried out in person, for example in a bank, the bank employee will automatically check whether the person standing in front of him or her is genuine, i.e. not wearing a mask etc.

We consider the “pre-processing” operations a natural part of the verification process, and strictly necessary in order to achieve the purpose of identity verification. Against this background, we believe that it is natural to see the “pre-processing”, the template-creation phase and the comparison of the protected template with the reference template as “a set of operations” carried out for the main purpose of performing a remote identity verification.

Mobai considers that it qualifies as a processor when executing an identity verification request. Mobai will, however, also process personal data collected during both the onboarding and verification process to train and improve their machine learning models (prediction accuracy for capture module, face comparison and fraud detection algorithms and measures, including training of algorithms that contribute to improvements within mentioned areas of interest), in addition to security and general improvements of the service. For the execution of these processing operations Mobai considers that it qualifies as a controller.

Unlike the operations described as “pre-processing”, the training and improvement of the machine learning models and the system as such will be performed after the completion of the identity verification. At this stage the user has already had his or her identity confirmed or rejected by the system. Thus, the processing carried out for training and improvements does not have the same link to the execution of a single verification operation as the “pre-processing” operations. These processes do, however, have a close connection with the main function of the service, as the training and improvements are necessary for the AI models used in the SALT solution to function as intended over time. Nevertheless, the processing is not carried out for the purpose of completing an identity verification but for various purposes related to improvements on the algorithms and the system as such. We therefore consider this to be processing for secondary purposes.

As already mentioned, Mobai considers that it qualifies as a controller for the secondary processing purposes related to improvements on the algorithms and the system as such, while it qualifies as a processor for the primary processing (the enrolment and execution of a verification request). Mobai cannot be both controller and processor for processing activities that fall under the same purpose. This is also an argument that supports the conclusion that the processing related to improvements on the algorithms and the system as such does not fall under the primary purpose.