New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Comments
Can you point out to the GDPR Article 9 exception that you are using to justify your processing?
Bad example and not even true. It's not at all easy to do this without proper justification and a real objective threat that actually exists, not just a hypothetical one or just a general notion of security. Even with proper justification you need to make sure to notify the data subjects before they enter the perimeter where the camera is recording, failing to do this makes it illegal. It's much less complicated to do just suveillance without the cameras having the possibility of saving the recording at all.
Seriously, doing this as an anti bot measure? I hope this is a joke.
It's not just a gesture, this will fail the consent requirement as you provide incentive, the same is valid for other negative incentives you have to illegaly force the data subjects to consent. I know I asked you the question at the beginning of my post, but it's rather obvious consent is the only exception that is valid in this case.
There is really no such "right" on your side, you can have a legal obligation which you don't or you can have legitimate interest but this needs to be justified with both a legal basis under GDPR aricle 6 and an exception under article 9 and even if you did both properly you would fail under other GDPR provisions as this is clearly not the least intrusive means to acheive your goal, which is your responsibility to prove that it is.
How do you "not store it", you are the controller and Didit is the processor, Didit acts on your instructions and it's your responsibility, you can not delegate this responsibility to Didit as your processor. In case Didit has a data breach or in any way or form unlawfully processes this data that's your responsibility and you can be sure you'll pay for it.
https://didit.me/terms/privacy-policy/#11-anonymized-model-training-and-fraud-detection-your-opt-out
@ymginer where do you ask for consent for this? Do you use the API to delete the verification record? How do you ensure Didit is not processing this between the time the record is created and the time when you call the API? Same for the timeframe untill the "next refresh cycle"?
"the deletion removes the record from training pipelines on the next refresh cycle", so this is processed without a valid consent and there's no possiblity for you to prevent this processing untill the next refresh cycle by looking at how this is written.
So you are claiming that this is a legal obligation? Can you point me to where this is required by law for you to process and where are you listed as an "obliged entity"?
https://manager.ginernet.com/privacy -> "Protecting the platform and preventing fraud, abuse and non-payment: legitimate interest."
So no legal obligation involved here, just legitimate interest and complete ignorance of GDPR article 9 on your part.
Can you point me to those "regulations"?
The period of "10 years" if from AML and anti terrorist financing and has nothing to do with you at all. "Obliged entities" are explicitly listed under article 2(1) so you can not justify this.
The period is actually 5 years + another 5 only if there is a suspicion of serious crime and such and even then it needs a lot of documentation and work to justify.
This is the first company that complains about bots willing to pay for their service 😅
No no, it's not just about bots. @jmginer is lamenting that privacy on the internet is stopping people from being held accountable. Which is, when you think about it, really fucking disturbing coming from a hosting provider rather than a cop.
Not that I trust cops either, but at least holding people accountable is their job.
To go constructive mode:
I think @raindog308's proposition makes more sense and looks much more acceptable. I'd even be willing to give them my landline phone number.
Agreed. Taking a call isn't much of a problem for me. Might need a correction to the number that i usually have on file though. I mean, it's real and all, it's just that there's no phone attached to the SIM card
Landline is sadly not an option for me as i don't have one.
I think netcup once did a address verification by calling me, and asking me about the local hardware store down the street.
There was no hardware store. My confused reply about what store he is talking about was enough verification for them that I know the area enough that I could actually live here.
I still think having any sort of verification for a stupid VPS is total bs.
But if you really have to do it, then doing stuff like this is something I would prefer a lot.
This is much preferable.
Now you are asking me to put pants on and leave the house, this is crossing a line 😅
https://didit.me/terms/verification-privacy-notice/
This is where it is explained. GINERNET needs to determine the retention perior before it begins to process the data.
Retention: "Biometric data retention is in every case subject to, and capped by, applicable biometric-privacy laws and regulations, including the EU General Data Protection Regulation (GDPR) Article 9"
As I mentioned article 9 in my previous post.
Automated processing: "Didit may use automated systems to review document integrity, liveness, face match, fraud indicators, and other verification signals... Except where a specific service states otherwise, the Customer remains responsible for how it uses the verification result in its own business decision-making."
"if biometric verification is part of the configured workflow, the Customer may or may not offer an alternative verification method, depending on the Customer's policies and applicable law."
As I also mentioned in the previous post, no manual review will not do. And alternative method as customers are not required to consent to this. I explained this in the SeFlow therad...
https://didit.me/terms/identity-verification/
Eligibility: "You may only use the Verification Services if: you are legally permitted to do so;... your use of the Verification Services does not violate applicable law, the rights of another person, or the Customer's terms..."
It's all there in various documents and if Didit didn't fuck up somehow, this is designed to sell you the service and take your(GINERNET's that is) money, not their problem if GINERNET is not compliant. But it's not uncommon for processors to fuck up somewhere and the supervisory authority will simply say they are the controllers or joint controllers in that case and fine them both.
This is not correct. GINERNET makes all the decisions regading the data and if Didit did that they would be joint controllers or controllers. Explained here: https://didit.me/terms/privacy-policy/
"We may disclose personal data to: The customer that asked us to perform the verification, ..."
This is needed simply by the fact that GINERNET is the controller.
"GINERNET has no data" sounds as stupid as if I rent a VPS from GINERNET and put my customers data there and then I say "I have no data, GINERNET has it".
They have updated the KYC message. Yet, no additional comments from @jmginer besides the initial comment.

I think everything's already been said in this thread. They're not going back and will force KYC to everyone while trying to paint it with bs bs and more bs.
I believe all the nonsense, changes, and incoherences that @jmginer has already said and done proves how sketchy and scummy this shit is.
Actually i'm surprised they bothered to comment at all. At least in a way that would predictably be picked apart. If i were to ask my crystal ball it would probably say that they simply believe in what they stated (at least the honesty is commendable in my opinion) and there hadn't been much outside input on this up until now, so the pushback wasn't anticipated.
There might be some regrets but actually backpaddling on the whole thing would probably be too much of an ego hit and/or would render too many past decisions void. I mean, it's unlikely they'll be able to just cancel whatever contract they have with Didit without taking some kind of loss, so i figure they'll try riding it out.
I'm not enough of an asshole to wish the guy to take a ton of damage over this but i can't help but hope that the impact will be felt enough to revert the whole thing somewhere in the future.
Edit: Didit storing the picture for 2 years (up to... yeah right...) if the client explicitly opts out of password-recovery-by-face is kind of a bad joke.
The fact that the selfie you upload to Ginernet will be used to train Didit's AI models unless you take action to opt-out is really appalling.
we can all use @vpsric
Yeah, basically the whole handling beyond the actual KYC pretty much is. If you absolutely have to confirm people's identities using a picture the picture becomes useless (in any reasonable sense) once the identity is confirmed and should just be immediately and irrevocably deleted - no strings attached.
As is it's kind of like ordering stuff at IONOS. You know the second you put your guard down and don't analyze everything on a microscopic level they'll sign you into a 5 year business listing contract at $99.99/y.
Should upload dick pics instead then.