Last updated: 05/05/2021
Please review this Privacy Policy before using the ID-Art Application (or “the Application”). This Privacy Policy must be read in conjunction with the ID-Art Application Terms of Use.
What is the scope of this Privacy Policy?
This Privacy Policy describes how the INTERPOL General Secretariat (“the General Secretariat” or “we”) collects and processes the personal data of individuals who use the ID-Art Application (collectively, “users” or “you”). The Policy also explains how users can exercise their rights regarding personal data collected through the Application.
What are personal data?
Personal data are any data about an identified individual or an individual who may be identified by means that may reasonably be used.
Why do we process personal data?
The General Secretariat processes some personal data when you download and use the Application to ensure the implementation and effective functioning of the ID-Art Application.
The General Secretariat may process personal data that you provide when using the reporting functionality to ensure international police cooperation in combating crimes relating to cultural property, such as illicit excavation, theft, and international trafficking in cultural property.
What legal bases do we use to process your personal data?
Your personal data are processed on the following legal bases:
- the consent of the data subject (when (i) downloading the Application; (ii) voluntarily submitting personal data through the Application; or (iii) sending an e-mail to the General Secretariat through the reporting functionality and/or transferring personal data to other INTERPOL bodies or national law enforcement authorities);
- the legitimate interests of the Organization (if (i) personal data are processed to protect the integrity of the Application and the services provided through the Application; or (ii) the Application gathers statistics on the use of the Application).
What types of personal data do we process?
The General Secretariat processes the following categories of personal data:
1) Personal data processed when you download and use the Application:
- Searches: the search criteria (manual search) and images (visual search) that you submit for comparison against stolen works of art in the database;
- Log information, including the IP address and date and time of the user’s access, when accessing data from the Stolen Works of Art Database to protect the integrity of the Application and the services provided through the Application;
- Metadata, that are collected for statistical purposes when an image is submitted for comparison (visual search), such as device information, language, operating system, and image size and weight;
- Cookie information for performance and analytical purposes. For more information on the use of cookies, please see the Cookie Policy in the Appendix.
2) Personal data that are processed when you send an e-mail to the General Secretariat using the reporting functionality:
- Personal data concerning the user, including the name and e-mail address;
- Personal data concerning other individuals, when relevant, for the purposes of international police cooperation.
Please note that data processed for purposes of international police cooperation are processed in accordance with INTERPOL’s Rules on the Processing of Data. Personal data processed for other purposes are processed in accordance with the Decision on the Processing of Personal Data for Administrative Purposes.
The Application processes the following types of personal data, locally, on your device, which means that the data cannot be accessed by the General Secretariat:
1) Personal data processed to enhance user experience:
- Location data, based on GPS location (if authorized by the user) or the country associated with the device, to tailor content on the homepage to the user’s location.
2) Personal data that you may store within the Application, as part of your:
- Search history;
- Object ID forms;
- Site Cards.
How do we process your data?
Your personal data are processed in accordance with the following principles:
- Lawful processing
Your personal data are processed based on your consent or in the legitimate interests of the Organization, in compliance with the Organization’s applicable rules and policies on personal data protection.
- Purpose limitation
Your personal data are collected for the purposes listed in this Privacy Policy and are processed in a way that is compatible with these purposes. The further processing of personal data for archiving, statistical or research purposes is considered compatible with the initial purpose.
- Data quality
The General Secretariat aims to ensure that the personal data that it processes are accurate, relevant, not excessive in relation to the purpose for which they were collected and, when necessary, kept up to date.
Users must ensure, to the best of their knowledge, that the data which they submit to the General Secretariat are accurate, relevant, not excessive in relation to the purpose for which they were submitted and, when necessary, kept up to date.
- Transparency
Your personal data are processed in a transparent manner by keeping you informed about why and how the General Secretariat processes your data, as well as the means by which you can exercise your rights.
- Confidentiality
Individuals at the General Secretariat who process personal data during the performance of their duties in relation to the Application, can only access these data on a need-to-know basis. They are also bound by confidentiality obligations.
Users’ personal data are not disclosed to third parties without their prior consent, unless specific circumstances arise under which the General Secretariat is required to do so (see below).
- Security
Your data are kept secure and are protected against risks that would violate their confidentiality, integrity and availability. The General Secretariat implements organizational and technical measures to mitigate the risks of accidental or unlawful data alteration or destruction, accidental loss, unauthorized disclosure or access, and against all other unlawful forms of processing.
- Data Subject Rights
You have the right to access, correct and delete your personal data. These rights are further clarified in this Privacy Policy.
- Accountability
Individuals within the General Secretariat who process users’ personal data in the performance of their duties are accountable for such processing, and must be able to demonstrate that personal data are processed in compliance with the applicable rules and policies of the Organization.
How long do we store your data?
The General Secretariat stores the following types of personal data:
1) Personal data processed when you download and use the Application:
- Searches: the images (visual search) which you submit for comparison against stolen works of art in the database are stored for 15 days with a service provider in France;
- Log information, including the IP address and date and time of the user’s access, when accessing data from the Stolen Works of Art Database to protect the integrity of the Application and the services provided through the Application, are stored on our servers for a period of 24 months.
- Metadata, that are collected for statistical purposes when an image is submitted for comparison (visual search), such as device information, and the language and operating system, are stored as statistics with a service provider in France;
- Cookie information, collected for performance and analytical purposes, are retained on Google servers for a maximum period of 20 months. For more information on the use of cookies, please see the Cookie Policy in the Appendix.
2) Personal data that are processed when you send an e-mail to the General Secretariat, using the reporting functionality:
- Personal data concerning the user, including the name and e-mail address, are stored for a period of 5 years, or until the purpose has been met;
- Personal data concerning other individuals, when relevant for the purposes of international police cooperation, are stored in accordance with the retention period set out in INTERPOL’s Rules on the Processing of Data.
3) Personal data stored in the Application, such as your saved search history, Object ID forms or Site Cards, will be stored locally on your device until you delete the data from the Application or until you delete the Application.
Who may access your personal data?
For the purposes of managing the Application, handling incoming reports and ensuring compliance, the following individuals and entities may have access to the data that are processed:
- officials in the relevant departments at the General Secretariat responsible for ensuring the effective functioning of the ID-Art Application and handling of reports;
- INTERPOL’s service providers, whose task is to implement, secure and improve the Application;
- INTERPOL’s Data Protection Officer;
- INTERPOL’s Chief Information Security Officer;
- officials in charge of information security, internal audit and oversight services at the General Secretariat; and
- the Commission for the Control of INTERPOL’s Files: the independent body responsible for ensuring that the processing of personal data by INTERPOL is in compliance with its regulations.
Do we disclose your personal data?
As a general rule, your personal data will not be forwarded to third parties without your prior consent. Nevertheless, there may be circumstances under which the General Secretariat is required to disclose your personal data (see below):
- to fulfil a legal obligation to which the Organization is subject;
- for the protection and integrity of the Application and the services provided through the Application, and other legitimate interests of the Organization;
- to protect users’ vital interests and those of other individuals;
- for public health and safety reasons;
- for the establishment, exercise or defence of the Organization against any legal claims; or
- the performance of a contract.
Please note that when you send an e-mail to the General Secretariat using the reporting functionality, you consent to your personal data potentially being shared with INTERPOL’s National Central Bureaus and relevant national law enforcement agencies.
What are your rights as a data subject?
- Right to access your personal data
You have the right to request access to your personal data processed by the General Secretariat and to obtain a copy of those personal data, unless access to your personal data infringes:
(a) the rights and freedoms of other individuals;
(b) INTERPOL’s Confidentiality Regime; or
(c) the legitimate interests of the Organization.
- Right to rectify and update your personal data
You may request the rectification of your inaccurate, incomplete or obsolete personal data.
- Right to request the deletion of your personal data
You may request the deletion of your personal data. The General Secretariat shall delete your personal data, unless they are necessary for:
(a) the entering into or performance of a contract;
(b) the performance of a legal obligation to which INTERPOL is subject;
(c) the legitimate interests of the Organization; or
(d) the protection of users’ vital interests and those of other individuals.
Please note that you can edit or delete data that you have stored in the Application yourself and that by deleting the Application, you will also delete the data that you have stored in the Application.
How can you exercise these rights?
Requests for the exercise of the above-mentioned rights can be sent by e-mail to the INTERPOL Data Protection Officer at: ID.Art.privacy@interpol.int.
How does INTERPOL process police data?
In the event that you were to use the reporting functionality, please note that data processed for purposes of international police cooperation are processed in accordance with INTERPOL’s Rules on the Processing of Data.
What happens when you click on a link to a third-party website or application?
When you click on a link or a button that redirects you to a third-party website or application, the General Secretariat is not responsible for the collection of your personal data on that website or application. Consequently, this Privacy Policy no longer applies and you should familiarize yourself with the privacy policy of the website or application that you are accessing.
How will you be informed of updates to this Policy?
In the event that this Privacy Policy is modified or updated, the date of modification or update will be clearly indicated. Changes to this Privacy Policy will be effective immediately.
If an update to the Privacy Policy pertains to a significant change to the way in which your personal data are processed, you will be given a reasonable amount of time to assess the updated Privacy Policy and its impact, before the Policy takes effect.