Privacy Statement Visitor Administration Tool

Welcome to iO! Through this way, iO informs you about the personal data iO processes in the context of Visitor Administration.

Why does iO process your personal data for an appointment?

iO processes your personal data to schedule your appointment and ensure a smooth visit to our campus.

When you arrive in the building, you must sign in and register at iO's reception desk. When you leave, you must sign out. This is necessary so that iO knows who you are and with whom you have an appointment. Also, iO and any emergency services need to know who is in the building at any time in case of unexpected emergencies. Finally, iO processes your personal data for the purpose of watching over your safety and our property.

To make this registration as easy as possible, iO has developed a software tool that automates this process, this is the Visitor Administration Tool.

How and which personal data does the Visitor Administration Tool process?

When visiting the campus, a tablet on the reception desk gives you a choice between a web form for registration with facial recognition or for manual registration:

- If you choose the facial recognition option, you voluntarily provide us with a picture of your face by standing in front of the tablet's camera. You expressly consent to this option by accepting via an on-screen pop-up. The facial recognition software links the image's metadata to your name and a time, after which the photo is immediately deleted. Optionally, you can also enter your e-mail address or company. Your personal data is then linked to a time of day and stored in our database. Upon leaving the premises or a later visit, you can register with the same action.

- If you choose the manual registration option, it is only required to enter your name in a web form. Other details such as your e-mail address or company name are optional to enter. Your personal data will be linked to a time and then stored in our database.

How long does iO keep your personal data?

A visitor is considered inactive if they have not revisited one of our sites for more than two years. After this two-year period, inactive visitor records are deleted from our database.

How are your personal data protected?

iO has taken the necessary technical and organisational measures to protect the processing of (biometric) personal data. These measures are in line with ISO27001 certification that iO holds.

As for the facial recognition app, additional security measures have been implemented. The Microsoft FaceAPI only stores derived data from the photos that are uploaded. Actual images cannot be reconstructed from this data; these are deleted immediately.

With whom do we share data?

The facial recognition app uses Microsoft FaceAPI. The personal data thus collected is not stored on the tablet but is transmitted directly to Microsoft's FaceAPI, where the photo is processed by their AI solution. Only the facial data required for later recognition is retained. Microsoft does not retain the original photo, nor can it be constructed from the facial recognition data. The facial recognition data is stored securely by Microsoft and cannot be viewed or retrieved from them.

On what basis does iO process these personal data?

iO processes personal data on various legal grounds:

- When you register manually, iO has a legitimate interest to process your name, e-mail address, details of the company you work for or any other contact details.

- Registration using facial recognition involves processing biometric personal data. This processing is done only with your explicit consent.

What are your rights in relation to this processing?

You have the right to:

- to request access to all the personal data that we process about you. However, requests for access that are clearly submitted with a view to causing us inconvenience or damage will not be dealt with.

- to request that any personal data about you that is incorrect or inaccurate be corrected free of charge.

- to withdraw previously granted permission for the processing of your personal data. You can always withdraw your permission by sending an email to

- to request that personal data relating to you be removed if this is no longer needed in the light of the objectives that are outlined in this Privacy Policy or if you withdraw your processing permission. However, you must consider that a removal request to us will be assessed in the light of statutory or regulatory obligations or administrative or judicial orders, which may prevent us from removing the respective personal data.

Instead of requesting removal, you can also request that we restrict the processing or your personal data if (a) you dispute the correctness of such data, (b) the processing is unlawful or (c) the data is no longer necessary for the objectives stated but you need it to defend yourself in judicial proceedings.

- to object to the processing of personal data if you can show that there are serious and justified reasons regarding special circumstances warranting such an objection. However, if the envisaged processing is noted as direct marketing, you have the right to object to such processing free of charge and without giving any reason for this.

- If your personal data is processed on the basis of permission or on the basis of a contract where the data is processed automatically, you have the right to receive the personal data provided to us in a structured manner and in a generally used format that can be read by a machine and, if technically possible, you have the right to directly transmit such data to another service provider. We will be the only persons to assess the technical viability of this.

File a complaint

If you have a complaint (or would like more information) about our processing of your personal data, you can always contact us at

If you remain dissatisfied with our response, you are free to lodge a complaint with the competent data protection authority. You can file a complaint by clicking on the following link:

- For The Netherlands: Autoriteit Persoonsgegevens;

- For Belgium: Gegevensbeschermingsautoriteit.

Contact our Data Protection Officer

Maxim Gernay, legal counsel and DPO,