Published: 02 November 2023

Terms and Conditions

Welcome to Talesso.tech

These terms and conditions outline the rules and regulations for the use of Talesso LTD's Website, located at Talesso.tech.

By accessing this website we assume you accept these terms and conditions. Do not continue to use Talesso.tech if you do not agree to take all of the terms and conditions stated on this page.

The following terminology applies to these Terms and Conditions, Privacy Statement and Disclaimer Notice and all Agreements: "Client", "You" and "Your" refers to you, the person log on this website and compliant to the Company's terms and conditions. "The Company", "Ourselves", "We", "Our" and "Us", refers to our Company. "Party", "Parties", or "Us", refers to both the Client and ourselves. All terms refer to the offer, acceptance and consideration of payment necessary to undertake the process of our assistance to the Client in the most appropriate manner for the express purpose of meeting the Client's needs in respect of provision of the Company's stated services, in accordance with and subject to, prevailing law of cy. Any use of the above terminology or other words in the singular, plural, capitalization and/or he/she or they, are taken as interchangeable and therefore as referring to same.

Cookies

We employ the use of cookies. By accessing Talesso.tech, you agreed to use cookies in agreement with the Talesso LTD's Privacy Policy.

Most interactive websites use cookies to let us retrieve the user's details for each visit. Cookies are used by our website to enable the functionality of certain areas to make it easier for people visiting our website. Some of our affiliate/advertising partners may also use cookies.

License

Unless otherwise stated, Talesso LTD and/or its licensors own the intellectual property rights for all material on Talesso.tech. All intellectual property rights are reserved. You may access this from Talesso.tech for your own personal use subjected to restrictions set in these terms and conditions.

You must not:

• Republish material from Talesso.tech
• Sell, rent or sub-license material from Talesso.tech
• Reproduce, duplicate or copy material from Talesso.tech
• Redistribute content from Talesso.tech

This Agreement shall begin on the date hereof. Our Terms and Conditions were created with the help of the Free Terms and Conditions Generator.

Parts of this website offer an opportunity for users to post and exchange opinions and information in certain areas of the website. Talesso LTD does not filter, edit, publish or review Comments prior to their presence on the website. Comments do not reflect the views and opinions of Talesso LTD,its agents and/or affiliates. Comments reflect the views and opinions of the person who post their views and opinions. To the extent permitted by applicable laws, Talesso LTD shall not be liable for the Comments or for any liability, damages or expenses caused and/or suffered as a result of any use of and/or posting of and/or appearance of the Comments on this website.

Talesso LTD reserves the right to monitor all Comments and to remove any Comments which can be considered inappropriate, offensive or causes breach of these Terms and Conditions.

You warrant and represent that:

• You are entitled to post the Comments on our website and have all necessary licenses and consents to do so;
• The Comments do not invade any intellectual property right, including without limitation copyright, patent or trademark of any third party;
• The Comments do not contain any defamatory, libelous, offensive, indecent or otherwise unlawful material which is an invasion of privacy
• The Comments will not be used to solicit or promote business or custom or present commercial activities or unlawful activity.

You hereby grant Talesso LTD a non-exclusive license to use, reproduce, edit and authorize others to use, reproduce and edit any of your Comments in any and all forms, formats or media.

Hyperlinking to our Content

The following organizations may link to our Website without prior written approval:

• Government agencies;
• Search engines;
• News organizations;
• Online directory distributors may link to our Website in the same manner as they hyperlink to the Websites of other listed businesses; and
• System wide Accredited Businesses except soliciting non-profit organizations, charity shopping malls, and charity fundraising groups which may not hyperlink to our Web site.

These organizations may link to our home page, to publications or to other Website information so long as the link: (a) is not in any way deceptive; (b) does not falsely imply sponsorship, endorsement or approval of the linking party and its products and/or services; and (c) fits within the context of the linking party's site.

We may consider and approve other link requests from the following types of organizations:

• commonly-known consumer and/or business information sources;
• dot.com community sites;
• associations or other groups representing charities;
• online directory distributors;
• internet portals;
• accounting, law and consulting firms; and
• educational institutions and trade associations.

We will approve link requests from these organizations if we decide that: (a) the link would not make us look unfavorably to ourselves or to our accredited businesses; (b) the organization does not have any negative records with us; (c) the benefit to us from the visibility of the hyperlink compensates the absence of Talesso LTD; and (d) the link is in the context of general resource information.

These organizations may link to our home page so long as the link: (a) is not in any way deceptive; (b) does not falsely imply sponsorship, endorsement or approval of the linking party and its products or services; and (c) fits within the context of the linking party's site.

If you are one of the organizations listed in paragraph 2 above and are interested in linking to our website, you must inform us by sending an e-mail to Talesso LTD. Please include your name, your organization name, contact information as well as the URL of your site, a list of any URLs from which you intend to link to our Website, and a list of the URLs on our site to which you would like to link. Wait 2-3 weeks for a response.

Approved organizations may hyperlink to our Website as follows:

• By use of our corporate name; or
• By use of the uniform resource locator being linked to; or
• By use of any other description of our Website being linked to that makes sense within the context and format of content on the linking party's site.

No use of Talesso LTD's logo or other artwork will be allowed for linking absent a trademark license agreement.

iFrames

Without prior approval and written permission, you may not create frames around our Webpages that alter in any way the visual presentation or appearance of our Website.

Content Liability

We shall not be hold responsible for any content that appears on your Website. You agree to protect and defend us against all claims that is rising on your Website. No link(s) should appear on any Website that may be interpreted as libelous, obscene or criminal, or which infringes, otherwise violates, or advocates the infringement or other violation of, any third party rights.

Reservation of Rights

We reserve the right to request that you remove all links or any particular link to our Website. You approve to immediately remove all links to our Website upon request. We also reserve the right to amen these terms and conditions and it's linking policy at any time. By continuously linking to our Website, you agree to be bound to and follow these linking terms and conditions.

Removal of links from our website

If you find any link on our Website that is offensive for any reason, you are free to contact and inform us any moment. We will consider requests to remove links but we are not obligated to or so or to respond to you directly.

We do not ensure that the information on this website is correct, we do not warrant its completeness or accuracy; nor do we promise to ensure that the website remains available or that the material on the website is kept up to date.

Disclaimer

To the maximum extent permitted by applicable law, we exclude all representations, warranties and conditions relating to our website and the use of this website. Nothing in this disclaimer will:

• limit or exclude our or your liability for death or personal injury;
• limit or exclude our or your liability for fraud or fraudulent misrepresentation;
• limit any of our or your liabilities in any way that is not permitted under applicable law; or
• exclude any of our or your liabilities that may not be excluded under applicable law.

The limitations and prohibitions of liability set in this Section and elsewhere in this disclaimer: (a) are subject to the preceding paragraph; and (b) govern all liabilities arising under the disclaimer, including liabilities arising in contract, in tort and for breach of statutory duty.

As long as the website and the information and services on the website are provided free of charge, we will not be liable for any loss or damage of any nature.

Published: 02 November 2023

Legal Opinion answering the following questions: What are the general provisions/references of GDPR and equivalent legislation regarding:

• Voice Identification
• Face Identification
• Eye Identification
• Fingerprint Identification

Whether there are any differences of the treatment of the law on any of the ones mentioned above.
What are the limitations to use the above technologies in?

• Houses
• Apartments buildings
• Hotels
• Public Street
• Government offices
• Offices of Commercial buildings
• Any other specific provisions in the law regarding other places of usage

Can financial service providers (eg Banks) or other service providers use voice biometrics? What are the legal requirements of a database storage system/place? In which case is it required? Any additional information applicable to the tasks above.

Glossary:

GDPR: General Data Protection Regulation 679/2016
Data Subject: a natural person
Personal data: any information relating to an identified or identifiable natural person. This includes any data that directly or indirectly identifies that person. Types of personal data: is a name, an identification number, location data, and an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alternation retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Biometric data: means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images (includes facial recognition, eye identification) or dactyloscopic (meaning fingerprints, footprints) data. Voice recognition is considered a part of biometric data as well.

Cross-border processing: means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Question No 1:
What are the general provisions/ references of GDPR and of related legislation regarding:

• Voice Identification
• Face Identification
• Eye Identification
• Fingerprint Identification

Whether there are any differences of the treatment of the law on any of the ones mentioned above.

Answer:

Lawfulness of processing:
Voice, face, eye, fingerprint identification are considered to be part of biometric personal data. Biometric personal data is part of the special categories of personal data for which processing shall be prohibited unless one or more of the following conditions are met.
a) Data subject has given explicit consent to the processing of those personal data for the one or more specified purposes. This means that in order to process that type of data. Data Processor/or Controller must have obtained explicit consent which fits the purposes provided for. Those purposes must be distinct and binding. Which means that they cannot be alternated ad hoc, nor can they be changed without prior knowledge and consent on behalf of the data subject. Any action taken without that consent is liable to legal claims on behalf of data subject against the Data Controller/or Processor.
b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data Controller in respect of the field of employment and social security, social protection law. Which means that this type of data is necessary for the Controller or Processor to fulfil its legal obligations over the domestic law demands for employment, social security etc.
c) Process is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. This applies mostly to individuals with special needs. This article reflects to the only way where personal consent can be put aside for individual that are legally incapable or physically incapable of giving consent (children(0–14), elders etc)
d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and the personal data are not disclosed outside that body without the consent of the data subjects. This mainly refers to several types of legal entities and in which they might have process of special data of several individuals within the scope of their field.
e) Processing relates to personal data which are manifestly made public by the data subject. This refers to special category of personal data that the individual has made public. It was to be proven that it was public knowledge before the process takes place.
f) Process is necessary for the establishment, exercise or defense of legal claim or whenever courts are acting in their judicial capacity. This means that the existing data can be processed for reasons of legal claims or for courts to act their judicial capacity.

Type of Processing:
Biometric data can be processed as any other type of data that is included in the special category of personal data. This means that any operation automated or not, can perform any type of collection, recording, organization, structuring, storage, adaptation or alternation retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Principles relating to process of personal data:
The process must be lawful, fair and transparent. It has to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. That personal data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Furthermore there has to be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
The duration of personal data process should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
Last but not least personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

Conclusion:
The current legislation permits the processing of biometric data, as long as the criteria mentioned above, concerning the lawfulness of processing are met. As far as the type of processing is concerned, there are no restrictions as to how to process biometric personal data. However it is strongly recommended to uphold and maintain a high level of security to avoid any type of personal data breach. Furthermore it is recommended that measures should be taken for data stored in data centers after a certain period of time, in which provided consents’ timeline period has expired (e.g. after 5–7 years from the initial reception of consent). In any case data controller is responsible and has to be able to demonstrate compliance with process of personal data.

Question No 2:
What are the limitations to use the above technologies in?

• Houses
• Apartments buildings
• Hotels
• Public Street
• Government offices
• Offices of Commercial buildings
• Any other specific provisions in the law regarding other places of usage

Can financial service providers (eg Banks) or other service providers use voice biometrics?

Answer:

There are no limitations concerning the processing of biometric personal data in any of the given examples. However there is legislation that has to be applied in certain circumstances. In particular as far as houses, apartments, buildings, hotels and any other private equity holdings are concerned, the current GDPR and LAW 125(I) of 2018 legislation that applies provides a no limit environment for installation and use of that kind of equipment and/or services. Given the fact that the data subjects are aware, have granted their consent in the process of their personal data, and the processing is being performed in a lawful manner (as per the provisions of the GDPR legislation), no grounds for valid legal claims exist. As far as the installation of video cameras and recording devices that monitor several areas on the perimeter of premises, which may include visual record, voice record of publicly accessible places (e.g. public streets), then a Data Protection Impact Assessment should be carried out. A Data Protection Impact Assessment should be carried out, where a type of processing which uses new technologies, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. The controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. Data Protection Impact Assessment is required in the case of a systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing (including profiling), which produces legal effects concerning the natural persons or similarly significantly affect the natural persons. It is also required when processing on a large scale of special categories of personal data. Finally when there is a systematic monitoring of a publicly accessible area on a large scale. By introducing the «large scale» criteria we need to point out that there are ways to measure the extent of data processing scale, such as number of data subjects, volume of data, duration, and geographical extent. As far as Public Streets are concerned, Data Protection Impact Assessment is mandatory and potential assignment of Data Protection Officer might be examined.
For Government offices and Offices of Commercial buildings apply the same restrictions and obligations mentioned above, meaning that there is no limit of possible provided services and equipment installation in regards to the processing of personal data. However a high level of security and maintenance should be upheld, while performing the said processing. Data Protection Impact Assessment is mandatory.
As far as the financial services providers are concerned, there is no limit on what equipment or services may be installed / provided. However a Data Protection Impact Assessment is mandatory.

Question No 3:
What are the legal requirements of a database storage system/place? In which case is it required?

Answer:

Depending on the nature, scope, context and purposes of processing combined with the varying risks for the rights and freedoms of data subjects (natural persons), the data controller and the data processor shall implement appropriate technical and organizational measures to ensure a high standard of security appropriate to the risk.
Measures must be implemented to achieve that level of security. Several types of measures can be applied, such as pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and/or a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing (procedures).
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
The level of security is asserted by the risks that are presented by processing in particular from accidental or unlawful destruction, loss, alteration of personal data. Processing that may include unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
The aforementioned clauses impose upon the data controller and data processor the responsibility to receive all necessary and proportionate measures to mitigate/alleviate possible risks in respect a miss process or an unlawful process. The proportionality criterion refers to the scale of processing, the type of personal data and the potential risks that arise from such processing.
The controller and processor shall take steps to ensure that any natural person, acting under the authority of the controller or the processor, who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by the Cypriot legislation.

Geographical Scope of the GDPR Legislation:
GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Furthermore it applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are connected with the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or monitoring of their behavior as far as their behavior takes place within the Union. Storage of personal data is a matter of high importance. This can be divided into accessing personal data and store personal data.

Transfer and store personal data to for a cross- border processing, usually applies when processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State. In this case contracts are a safeguard to ensure the existence of legal safe net. Contract between Data Controller and Data Processor combined with Non-Disclosure Agreements.
For a transfer of personal data to a third country meaning a country outside EU or EEA, the European Commission has to have decided that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection. Such a transfer shall not require any specific authorization. This means that a transfer of data into a third country is lawful only if this country is approved by the European Commission. Additionally, Standard Contractual Closes (SCC) must to be in place between the contracting parties, depending on the nature of the contract. For example, if the contracting parties are an EU controller and a non EU or EEA controller, then Decisions 2001 497/EC and Decision 2004/915/EC should be applied. If the contracting parties are an EU controller and a non-EU or EEA processor then Decision 2010/87/EU should be applied. Additional safeguard protection can be provided by contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization.

Data stored inside a member state shall follow the Standard Contractual Closes which refer to Non-Disclosure Agreements, legally binding parties on the manner of processing of data with further contractual obligations between the controller or processor and the controller, processor or recipient of the personal data.
For a process between Data controller and data processor, the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. Meaning that courts and local authorities, in their respective jurisdiction, can access and process the data, if such processing falls within the scope of their powers. Furthermore Data Protection Impact Assessment is considered as a mandatory assessment to outline the risks of processing of personal data for data subjects.

Published: 19 October 2023