This Data Processing Agreement together with its Schedules (the “DPA”) forms part of the Agreement between the Parties for the Customer’s use of the Services which involves the Processing of Personal Data. The Parties have agreed to enter into this DPA to govern such Processing of Personal Data.
The Parties agree that:
1.1. This DPA regulates the Processing of Personal Data subject to Applicable Data Protection Law for the Services provided under the Agreement.
1.2. Where the Agreement involves the Processing of Personal Data of individuals that is subject to specific local laws, the terms set forth in the relevant local laws Schedules of this DPA shall apply.
1.3. They shall comply with their respective obligations as set out in this DPA.
2.1 The Parties acknowledge and confirm that each Party is responsible for the Processing of Personal Data for its own purposes in the context of the Services specified in the Agreement and as described below:
This section 3 shall only apply where a Customer is a Channel Partner:
For the purposes of this DPA, “Channel Partner” means any organisation, firm, company, or public authority who operates on behalf of the End User who interacts directly with the Data Subject. The naming convention for this will vary across GBG entities and may include Intermediary, Integrated Introducer, Reseller or any organisation, firm, company or public authority who provides the Results to an End User.
3.1 The Parties acknowledge and agree that:
It is agreed that:
4.1 Both Parties shall comply with all obligations set out in Column A (Data Protection Obligations) in the table below.
4.2 Additional processor obligations will also be applicable where a Party has appointed the other Party as their authorised Processor as outlined in the Product Grid set out in Schedule 2 (Product Grid) of this DPA. In such event and in addition to the obligations set out in Column A (Data Protection Obligations), the terms set out in Column B (Additional Processor Obligations) shall apply.
Column A - Data Protection Obligations | Column B - Additional Processor Obligations These terms shall only apply where a Party has appointed the other Party as their authorised Processor. |
|
4.3 Compliance with Applicable Law | Both Parties represent and warrant that they will comply with Applicable Data Protection Laws when Processing Personal Data in the context of the Services, and that they will perform their obligations under this DPA. | A Party, appointed as a Processor shall process the Personal Data strictly in accordance with the documented instructions of the Controller, including with regard to Restricted Transfers of Personal Data to a third country or an international organisation except where otherwise required by any relevant applicable law, in which case the Controller shall inform the Processor of that legal requirement before Processing (unless prohibited by that law on important grounds of public interest). The Processor shall immediately inform the Controller if it becomes aware that the Processing instructions infringe Applicable Data Protection Law. |
4.4 Security | Each Party shall implement and maintain reasonable and appropriate technological and organisational measures to protect Personal Data from a Data Breach. Where expressly stated in the Additional Terms, the Customer shall also comply with the additional security provisions in relation to the relevant Supplier Data. Such measures shall include complying with any ‘Information Security Requirements’ that are applicable under Schedule 4 of this DPA. | |
4.5 Confidentiality | In addition to the confidentiality provision in the Agreement, the Parties warrant they have taken steps to ensure that any person or entity acting under its authority, who Processes or in any way has access to Personal Data in the context of the Services (including any entity engaged by a Party or any further sub-contractor) is only granted access to Personal Data on a need-to-know basis and is subject to a duly enforceable contractual or statutory confidentiality obligation. | |
4.6 Subprocessors | Either Party may, at its election, appoint a third-party processor, provided that such processing complies with Applicable Data Protection Law. The Party engaging a third-party processor in accordance with this Section 4 will remain liable for any act or omission of that third-party processor. |
The Customer provides general written authorisation to GBG to:
|
4.7 Automated Decision Making |
Each Party hereby represents and warrants that it shall comply with all Applicable Data Protection Law requirements if it uses the Services to make any automated decisions that produce legal effects concerning Data Subjects or otherwise produces similar significant effects on Data Subjects. Each Party shall ensure that (where required under Applicable Data Protection Law):
For the avoidance of doubt, GBG does not make any automated decisions. |
|
4.8 Mutual Assistance | Each Party shall provide reasonable assistance to the other Party, as may be required, in order to enable the other Party to perform its responsibilities under this DPA and Applicable Data Protection Laws, pursuant to any correspondence, inquiry or complaint from a Data Subject, regulator, or Third Party that may be deemed to have a material impact for the other Party. | |
4.9 Data Breach | Upon becoming aware, each Party must notify the other Party of a Data Breach that relates to Personal Data Processed in the context of the Service and for which the other Party is a Controller, without undue delay, and not later than 72 hours. The Parties will assist each other, in accordance with Applicable Data Protection Law, in complying with their obligations to provide the Data Breach notification. | |
4.10 Transfers |
To the extent the Customer’s use of the Service involves a Restricted Transfer, the Exporter of the Personal Data shall notify the other Party of any such Restricted Transfer prior to the Processing and both Parties shall agree a lawful means for the Processing of the Restricted Transfer. In the event the Parties are unable to establish or agree upon a lawful means, the Exporter acknowledges and agrees it is prohibited from transferring Personal Data in a manner that would violate a Restricted Transfer. Schedule 5 of this DPA shall apply where Standard Contractual Clauses have been established as the lawful means for processing. To the extent the Customer’s use of the Service requires an onward transfer mechanism to lawfully conduct a Restricted Transfer of Personal Data from a restricted jurisdiction to a third party within the same jurisdiction or to another jurisdiction, then the Exporter shall ensure a lawful means for processing under Applicable Data Protection Laws is put in place with the third party. In the event a jurisdiction’s Applicable Data Protection Law requires and accepts the Standard Contractual Clauses as appropriate safeguards under their data protection laws, the Standard Contractual Clauses (Schedule 5) shall be deemed applicable and any amendments required by such a jurisdiction’s regulator shall be deemed to be made to the Standard Contractual Clauses as necessary to comply with the Applicable Data Protection Law. |
|
4.11 Data Disclosures | The Parties represent and warrant that they will only disclose Personal Data to a Third Party in accordance with Applicable Data Protection Law, this DPA and the Agreement. |
Processor shall provide reasonable and timely assistance to the Controller to enable it to respond to:
Where the Processor is contacted directly and expressly in relation to Processing it performed for the Controller, the Processor shall promptly notify the Controller upon becoming aware of such request and shall provide full details if and to the extent required by Applicable Data Protection Laws. |
4.12 Deletion or return of data | Upon termination or expiry of this DPA, the Processor shall (at the Controller’s election) destroy or return to the Controller within 30 days, all Personal Data. This requirement shall not apply to the extent that the Processor is required by any applicable law to retain some or all of the Personal Data, in which event the Processor shall isolate and protect the Personal Data from any further processing except to the extent required by such law until deletion is possible. Until the Personal Data is deleted or returned, the Processor shall continue to ensure compliance with this DPA. | |
4.13 Limitations | Processor acknowledges and agrees that it is not permitted to:
|
5.1 Customer Representations and Warranties. Customer hereby represents and warrants the following:
5.2 Customer’s Retention of Evidence. Where applicable, the Customer shall retain evidence of having acquired the necessary Consents and/or provided the transparency required under this DPA and Applicable Data Protection Law and shall, on reasonable request from GBG, provide evidence in a machine portable manner. The Customer shall retain such evidence for the duration required under Applicable Data Protection Law.
5.3 Where relevant, the Customer is responsible for identifying and communicating its Customer Use Case to GBG. The Customer represents, warrants and undertakes that it shall only use the Software, Service and Results in accordance with the Customer Use Case it has selected on the Order Form and shall not change its Customer Use Case without first agreeing, in writing, such change with GBG. The Customer shall regularly review its Customer Use Case and notify GBG without undue delay if it determines a change in its Customer Use Case is likely to be required.
The Parties agree that:
6.1 Where applicable and included on the Order Form, GBG will, subject to section 6.3 below, collect Customer Data into a Data Network where it will combine and match data to generate Insights about specific data attributes, individuals or a location. The Customer acknowledges and agrees that GBG may transfer Personal Data from one GBG Entity to another for the purposes of utilising it in the Data Network. Such Insights may be available to Customers as an address, risk score, fraud or identity alert via GBG’s products and services.
6.2 The Data Network may utilise profiling as defined under Applicable Data Protection Law.
6.3 GBG confirms that information held in the Data Network:
Last updated: 25/04/24
1.1 Capitalised terms not otherwise defined herein have the meaning given to them elsewhere in the Agreement. Except as modified below, the terms of the Agreement remain in full force and effect.
1.2 The following terms have the meanings set out below for this DPA:
“Agreement” means a written services agreement, an Order or any other relevant agreement between the Parties which involves the Processing of Personal Data of individuals subject to Applicable Data Protection Laws.
“Applicable Data Protection Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Customer Data (as defined below) including, as applicable, (i) Regulation 2016/679 (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national law made under or pursuant to (i) or (ii); (iv) the EU GDPR as it is saved and incorporated into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (v) the California Consumer Privacy Act of 2018 and its corresponding regulations, as amended by the California Privacy Rights Act (collectively the “CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and any other comprehensive US state privacy laws; (vi) Biometric Information Privacy Act of Illinois (“BIPA”); and (vii) any amendment, consolidation or re-enactment thereof, any legislation of equivalent purpose or effect enacted, and any orders, guidelines, guidance and instructions issued under any of the above or by any other relevant national authorities.
“Authorised Subprocessor” means a Subprocessor who is either (i) set out in Schedule 3 which are hereby deemed to be approved by the Customer or (ii) otherwise authorised to Process Customer Data on behalf of GBG pursuant to section 4 of this DPA.
“Biometric Data” shall have the meaning set out in the relevant Applicable Data Protection Law. For the avoidance of doubt, it shall include ‘biometric identifiers’ and ‘biometric information’ as defined under US biometric privacy laws, including BIPA.
“Consent” shall have the meaning set out in the relevant Applicable Data Protection Law. For the avoidance of doubt, under GDPR it shall mean any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. The term “Consent” shall be interpreted to include any additional requirements, including obligations relating to collecting consent via written or electronic form, under Applicable Data Protection Laws.
“Controller” means the person or entity, which alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The term “Controller” shall be interpreted to include the meaning of the term “controller” as such term is defined by the GDPR, and similar designations under and regulated by Applicable Data Protection Law(s). Additionally, the term “Controller” shall also be interpreted to mean “Business” as defined under the CCPA, where applicable.
“Customer Audit Trail” means an electronic record of the Transactions carried out using the Service, including any Results generated.
“Customer Data” means any and all data (which may include Personal Data) provided by the Customer to GBG, or by the Channel Partner to GBG on behalf of an End User, for processing in accordance with the terms of the Agreement and this DPA;
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data or Meta Data (as may be applicable in the context) transmitted, stored or otherwise processed.
“Data Network” means separate and individual data pools that consist of information (including Personal Data) that GBG receives from its customers and/or End Users. The information held by GBG in the Data Network may be used to create Insights in accordance with section 6 of this DPA.
“Data Subject” means an identified or identifiable natural person to whom Personal Data, which is being processed by GBG to perform its services under the Agreement, relates.
“De-Identified Data” means an action by GBG to remove identifying characteristics from Customer Data necessary for compliance with Applicable Data Protection Laws.
"EEA" means the Member States of the European Economic Area.
“End User” means an End User who is licensed by the Channel Partner for the use of GBG’s products and services.
“Exporter” means any Controller or Processor located in a regulated jurisdiction processing Personal Data which transfers Personal Data outside the regulated jurisdiction in which it is located.
“GBG Audit Trail” means a copy of the Customer Data and Results of a Service which is retained by GBG for 12 months for the sole purpose of responding to Data Subject rights.
“Importer” means any Controller or Processor processing Personal Data who receives Personal Data from the Data Exporter under a Restricted Transfer.
“Insights” means data that is created by GBG as part of the provision of the Service, from the collection, storage and analysis of any data relating to the Customer's (or End User's as the case may be) use of the Service.
“Meta Data” means the Channel Partner’s End User’s name, search date, time stamp, and Data Subject’s name; this may include Personal Data.
“Personal Data” shall have the meaning set out in the Applicable Data Protection Law and shall be applied to all Data Subjects being processed under the Agreement; provided however, where this term is not defined, it shall mean any information relating to a Data Subject who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, adaptation, or alteration, retrieval, consultation, use, modification, storage, disclosure, restriction, erasure or destruction.
“Processor” shall have the meaning set out under the Applicable Data Protection Law. The term “Processor” shall be interpreted to include the meaning of the term “processor” as such term is defined by the GDPR and similar designations under and regulated by Applicable Data Protection Law. Additionally, the term “Processor” shall also be interpreted to mean “Service Provider” as defined under the CCPA, where applicable.
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss Federal Act on Data Protection (“FADP”) applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
“Standard Contractual Clauses” means (i) where EU GDPR applies, the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
“Subprocessor” means other Processor(s) engaged by a Processor to Process data on its behalf.
“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.
“Third Party” for the purpose of this DPA means any organisation who is not GBG or a GBG Group Company; and
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK’s Information Commissioner’s Office in accordance with s119A of the Data Protection Act 2018.
1.3 References to sections refer to terms of the Data Processing Agreement of this DPA.
1.4 References to paragraphs are to terms of the Schedules to this DPA.
Last updated: 25/04/24
See spreadsheet here.
Last updated: 30/10/24
GBG's role is dependent upon the jurisdiction which is detailed in Schedule 2 (Product Grid).
View here.
Last updated: 30/10/24
Where applicable, both Parties shall comply with the following Information Security Requirements in addition to any security requirements that are also required under Applicable Data Protection Laws:
1. Physical Access Control
Both parties shall implement and maintain physical controls to prevent unauthorised access, damage and interference to data processing systems.
Measures shall include, but are not limited to:
2. System Access Control
Both parties shall ensure that they review and maintain a formally documented access control policy to prevent data processing systems from being used by unauthorised persons.
Measures shall include, but are not limited to:
3. Data Access Control
Both parties shall ensure that only persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorisation.
Measures shall include, but are not limited to:
4. Pseudonymisation
Where appropriate to do so, both Parties shall adopt pseudonymisation measures. This means the Processing of Personal Data in such a manner that the data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to corresponding technical and organisational measures.
5. Transfer Control
Both parties shall ensure that there is no unauthorised reading, copying, modifying or removal of data during electronic transmission or transport.
Measures shall include, but are not limited to:
6. Availability Control
Both Parties shall put in place protection against accidental or deliberate destruction or loss.
Measures shall include, but are not limited to:
7. Disclosure Control
Both parties shall ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed.
Measures may include, but are not limited to:
8. Entry Control
Both parties shall invoke measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems.
Measures shall include, but are not limited to:
9. Separation Control
Both parties shall ensure that Personal Data collected for different purposes can be processed separately.
Measures may include, but are not limited to:
10. Control of Instructions
Both parties shall ensure that Personal Data are processed solely in accordance with the instructions of the Controller.
Measures may include, but are not limited to:
11. Both Parties shall implement processes for regularly testing, assessing, and evaluating security measures
Measures shall include, but are not limited to:
12. Information Security Management and Policy
Both parties shall ensure that:
Last updated: 25/04/24
The following terms as set forth in Schedule 5 of this DPA shall apply, in addition to the applicable terms set out in the DPA, when GBG Processes Personal Data originating in Europe or the United Kingdom.
1. EEA Restricted Transfer
To the extent that Exporter transfers Personal Data originating from the EEA to Importer located outside the EEA, unless the Parties may rely on an alternative transfer mechanism or basis under the Applicable Data Protection Laws, the EU SCCs will be deemed entered into by the Parties, and incorporated into this DPA by reference, and completed as follows:
1.1 Module One (controller to controller) of the EU SCCs annexed to Commission Implementing Decision (EU) 2021/914 shall apply where Exporter acts as the Controller of Personal Data and Importer acts as a separate Controller.
1.2 Module Two (controller to processor) of the EU SCCs annexed to Commission Implementing Decision (EU) 2021/914 shall apply where Exporter acts as the Controller of Personal Data and Importer acts as a Processor.
1.3 Module Three (processor to processor) of the EU SCCs annexed to Commission Implementing Decision (EU) 2021/914 shall apply where Exporter acts as a Processor of Personal Data and Importer acts as a Subprocessor.
Population of the EU SCCs:
1.4 For Module One, where applicable:
1.5 For Module Two and Module Three, where applicable:
1.6 Population of the Annexes to the EU SCCs:
2. UK Restricted Transfers
The EU SCCs also apply in the context of UK Restricted Transfers as varied by the UK Addendum. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into by the Parties and incorporated into this DPA by reference as follows:
2.1
2.2 For the purposes of the UK Addendum:
3. Swiss Restricted Transfers
The EU SCCs apply to Swiss Restricted Transfers, subject to the following amendments and additional provisions:
4. Conflict. To the extent there is any conflict or inconsistency between this Schedule 5, and any other terms in this DPA or the Agreement, this Schedule 5 will prevail.
ANNEX A – DESCRIPTION OF THE TRANSFER
Description of the Restricted Transfer in relation to Customer Data and Results.
| | Customer Data | Results |
| --- | --- | --- |
| Categories of Data Subjects whose Personal Data is transferred | The Personal Data transferred concern the following categories of Data Subjects: The Customer’s customers or End Users including employees and contractors, and the Data Subjects. | The Personal Data transferred concern the following categories of Data Subjects: The Customer’s customers or End Users including employees and contractors, and the Data Subjects. |
| Purpose(s) of the data transfer and further Processing | The transfer is made for the following purpose: In accordance with the Customer Use Case and the Agreement. | The transfer is made for the following purpose: To permit the Customer to use the Supplier Data and/or Results in accordance with their Customer Use Case and the Agreement. |
| Categories of Personal Data transferred | contact information, employment information, demographics, financial, location, personal identification, user account information. | contact information, employment information, demographics, financial, location, personal identification, user account information. |
| Sensitive data transferred (if applicable) | In accordance with the Agreement. | In accordance with the Agreement. |
| Frequency of transfer | In accordance with the Agreement. | In accordance with the Agreement. |
| The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period | In accordance with the Agreement. | In accordance with the Agreement. |
Last updated: 25/04/24
The following terms as set forth in this Schedule 6 shall apply, in addition to the applicable terms set out in the DPA, when GBG Processes Personal Data pertaining to US residents that is subject to applicable US privacy law.
1. GBG Processor Obligations.
1.1 GBG shall comply with all applicable Processor terms set out in section 4 of this DPA, in accordance with the obligations, rights, and restrictions imposed on it as a Processor under the relevant Applicable Data Protection Law.
1.2 GBG agrees that, to the extent that relevant Applicable Data Protection Law requires:
2. Scope of Processing by GBG as a Processor.
2.1. The Parties agree that the following applies where GBG is acting as a Processor:
| Product | Data Subjects' Data Processed under the relevant Product |
| --- | --- |
| ID3global | Personal Identification: Driving license number, Date of Birth, National Identification Number, National identity card details, Passport Number, Full Name, Photo; User Account Information: Account Number; Browsing Information: IP Address; Contact Information: Home Address, Previous Residence Address, Phone Numbers, Email, Contact details; Financial Information: Bank account information; Geolocation: Country |
| IDScan Enterprise (web) | Personal Identification: National Identification Number, Date of Birth, National identity card details, Signature, Gender, Photo, Age, Marital Status, Citizens Status, Full Name, Nationality, Physical Characteristics, Government Identification Document (e.g. driver’s license or passport, and all personal information contained therein); Contact Information: Home Address; Family Information: Relationships, Parents’ Names; Information that could be deemed Sensitive Personal Information, depending on the jurisdiction: Biometric data, Racial or Ethnic Origin, Driving license number, Social Security Number, Passport Number |
| Loqate Verify | IP address, Postal Address, Geocode (only at your affirmative selection) |
| Loqate Capture | IP address, Postal address, and Geolocation (only at your affirmative selection) |
| Loqate Storefinder | IP address, Postal address, and Geolocation (only at your affirmative selection) |
| Loqate Data Maintenance | May include the following (as set out in your Order Form): name, address, email, phone number |
| Loqate Phone/Email Validation Services | May include the following (as set out in your Order Form): phone number, email |
| ExpectID/ExpectID Age/ExpectID with International Data/ExpectID IQ/ExpectID Customer Based Authentication | Name, postal address, country. May also include the following (as set out in your Order Form): social security number (4/9), date of birth, IP address, email address, shipping or alternative address |
| ExpectID GeoTrace | IP address |
| GBG Trust USA | Name, postal address, email address, social security number (9), IP address, phone number |
| ExpectID Scan Onboard/ExpectID Barcode Scan | Document Image front/back. May also include the following (as set out in your Order Form): selfie |
| ExpectID Scan Verify | Document image front/back, name, postal address, date of birth, social security number (9). May also include the following (as set out in your Order Form): selfie |
| ExpectID Name to Phone | Name, postal address, phone number |
| ExpectID Death Scrub | Social security number (9) |
| ExpectID Number Verification/ExpectID Mobile Attributes/ExpectID Secure One Time Verify | Phone Number |
| ExpectID Email | Email address |
| ExpectID PA | Name. May also include the following (as set out in your Order Form): Country, date of birth |
3. Customer Reviews and Audits.
GBG shall make available to the Customer all information necessary to demonstrate compliance with its obligations under Applicable Data Protection Laws in accordance with the audit rights set out in the Agreement.
4. GBG Data Networks
4.1 Sale of Data to GBG (CCPA Third Party Contract Requirements): The terms set out in paragraphs 4.1 through 4.9 shall apply when GBG contributes Customer Data into its Data Network under section 6 of the DPA. The term “third party” in this Schedule 6 shall have the meaning set out in the CCPA. The Customer acknowledges and understands that GBG will only pool Customer Data into its Data Network unless the Customer opts out from such Processing under its corresponding Order Form(s). GBG’s Data Network Processing will be denoted as follows in the Order Form(s):
4.2 The Customer acknowledges and agrees that:
4.3 The Customer understands and acknowledges that the processing under this paragraph 4 may be construed as a sale of Personal Data from the Customer to GBG, provided that no exception to the sale of Personal Data applies in accordance with the CCPA and Applicable Data Protection Law. GBG will not sell the Personal Data provided by Customer under the Agreement onward to any Third Parties.
4.4 The limited and specified purpose(s) for which the Customer Data is made available to GBG under the Agreement is to provide services to the Customer to verify Customer’s Data Subjects’ data, provide fraud detection and prevention, and conduct data analytics, which includes combining the Personal Data that it receives from, or on behalf of, the Customer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, as detailed in this paragraph 4, in accordance with the CCPA and Applicable Data Protection Law. GBG may retain and utilize the Customer Data held in its Data Networks for its own commercial purposes outside of the direct business relationship with the Customer, to improve and develop GBG’s existing and future products it provides and offer those improved services to other business customers, and to provide GBG’s professional services offerings in connection to fraud.
4.5 The Customer is making the Customer Data available to GBG only for the limited and specified purposes set forth above and within the Agreement and requires GBG to use it only for those limited and specified purposes.
4.6 GBG must comply with all applicable sections of the CCPA, including with respect to the Customer Data that the Customer makes available to GBG providing the same level of privacy protection as required of businesses by the CCPA.
4.7 GBG grants the Customer the right with respect to the Customer Data that the Customer makes available to GBG to take reasonable and appropriate steps to ensure that GBG uses it in a manner consistent with the Customer’s obligations under the CCPA.
4.8 GBG grants the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Data made available to GBG.
4.9 GBG shall notify the Customer after it makes a determination that it can no longer meet its obligations under the CCPA.
4.10 GBG Trust USA and Velocity: For the avoidance of doubt, the “GBG Trust USA” and “Velocity” data solutions and their networks, which may be utilized in conjunction with our ExpectID Solutions, fall outside the scope of paragraphs 4.1 through 4.9 and, therefore, shall not constitute a sale of data. The Parties agree that GBG’s processing under the “GBG Trust USA” and “Velocity” data solutions and their networks shall be performed by GBG as Customer’s Processor and will be subject to paragraphs 1-3 of this Schedule 6. The Customer Data is made available to GBG under the Agreement for the permitted Business Purpose(s) of verifying Customer’s Data Subject’s information for fraud and risk purposes in accordance with Customer’s risk appetite as configured by Customer within the GBG Product, as further detailed in the Agreement. The performance of such services includes retaining and utilizing Customer Data in the GBG Trust USA and/or Velocity, and combining Customer Data that GBG receives from, or on behalf of, its customers with Personal Data that it receives from, or on behalf of, its other persons to perform fraud prevention and risk services for GBG’s customers when providing matches for velocity or anomaly in relation to any data attribute(s) queried by Customers for a specific transaction, as permitted by the CCPA. All data pooled into the GBG Trust USA and/or Velocity is pseudonymized, encrypted in transit and at rest, and masked upon receipt and will not itself be appended or provided outright to any other business customer. Instead, it is used to derive fraud alerts in accordance with Customer’s rules engine configuration to enable our customers’ risk assessment regarding risk, transactions, and fraud.
4.10.1 The Parties agree as follows in regard to the Processing performed under paragraph 4.10 above:
4.10.1.1 GBG may process Customer Data as reasonably necessary and proportionate to achieve the Business Purpose(s) for which the Personal Data was collected or processed;
4.10.2 Customer is responsible for customizing and maintaining all rules, which will determine GBG’s Processing;
4.10.3 Customer understands the network’s Processing and instructs GBG to contribute the Personal Data into the relevant GBG Trust USA and/or Velocity data network;
4.10.4 Customer is making the Personal Data available to GBG for the limited purpose of enabling GBG to perform the services it is instructed to perform by the Customer; and
4.10.5 Any and all exchange of Personal Data under the Agreement is necessary to enable GBG to provide its services to Customer.
5. GBG Trust Core
5.1 When GBG provides Customer with Insights via the GBG Trust Core, GBG is making Insights available to Customer only for the limited and specified purposes of Customer’s compliance with regulatory requirements, for fraud prevention and detection, or both, and includes verifying the identity of an individual. As such, Customer acknowledges and agrees with the following: (i) Customer shall comply with Applicable Data Protection Laws, including—with respect to any Insights that GBG makes available to the Customer—providing the same level of privacy protection as required under Applicable Data Protection Laws, (ii) Customer shall grant GBG the right with respect to any Insights that GBG makes available to Customer to take reasonable and appropriate steps to ensure that Customer uses it in a manner consistent with Customer’s Use Case; and (iii) Customer shall notify GBG after it makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws.
5.1.1 Customer may use GBG’s Trust Core product only to confirm a Data Subject’s identity, that is, to determine whether the Data Subject is in fact who they claim to be and not an identity thief or fraudster. Customer may use GBG’s Insights only for the limited and specified purposes as set forth in paragraph 5.1 above. For the avoidance of doubt, Customer may not use GBG’s Trust Core to assess an individual’s eligibility to receive its services, including any permissible purposes covered under the FCRA.
5.2 For the avoidance of doubt, GBG may provide such Insights to any of its business customers who are also contributing information into the Data Networks. All of GBG’s business customers (or their End Users) to whom Insights may be provided by GBG, including the Customer, are in direct privity with the relevant Data Subject, who is intentionally interacting with them to obtain goods or services. As such, Customer understands and acknowledges that the Processing under paragraphs 5.1-5.2 of this Section 5 shall not be construed as a sale of Personal Data from GBG to the Customer, as Customer is not a Third Party. Moreover, GBG will not sell Insights to any Third Parties.
6. Customer/End User’s Disclosure of Data to Approved Third Party Supplier
6.1 The terms set out in this paragraph 6 shall apply where Customer purchases either: (1) "GBG's ExpectID Email" solution, or (2) "0408 Email Intelligence (ID Number 201622) via ID3global" solution as set out in Customer’s Order Form.
6.2 The ExpectID email verification service GBG provides involves transferring Customer Data consisting of email addresses to Customer’s authorized supplier: LexisNexis Risk Solutions (“LexisNexis”). As part of the Processing, LexisNexis may retain Customer Data in its own proprietary network consortium to derive insights and provide its email verification services to other customers, subject to the contractual limitations imposed on third parties in accordance with the CCPA. GBG is acting solely as an intermediary between LexisNexis and Customer and therefore does not retain Customer Data nor process it for any other purposes beyond those permitted under paragraph 1 of this Schedule 6.
6.3 The Customer acknowledges and agrees that where GBG transfers Customer Data to LexisNexis it does so solely at the request of and on behalf of Customer as its Processor. GBG does not receive any consideration, monetary or otherwise, and there is no sale of data by GBG to LexisNexis. GBG shall follow Customer’s instructions as its Processor.
6.4 Customer shall ensure that it notifies and obtains any required express or implied consents (including consent to LexisNexis’ applicable privacy notice and/or policy) from Customer’s Data Subjects whose personal data LexisNexis receives as a Third Party / Controller, arising out of any use of the LexisNexis services including, without limitation, any transmission of such information to LexisNexis in accordance with the applicable LexisNexis processing notice, available at https://risk.lexisnexis.com/group/processing-notices (as updated from time to time, the “LN Processing Notice”) and/or the privacy notice made available by LexisNexis by any other means and/or format. The terms of the LexisNexis Risk Solutions Group Data Protection Addendum at https://risk.lexisnexis.com/group/dpa will apply.
7. Biometric Processing
7.1 If the Customer uses GBG’s Services to Process Biometric Data, the Customer shall, prior to collecting, using and disclosing the Biometric Data:
7.2 GBG will process Biometric Data following the Customer’s documented instructions (as described in the Agreement), which shall include the ability to disclose the Biometric Data to GBG’s relevant Subprocessors and protect the Biometric Data in accordance with Schedule 4 of the DPA, as appropriate.
7.3 The Customer warrants that the Data Subjects’ Consent must comply with relevant Applicable Data Protection Law and, at a minimum, must record Data Subject’s acknowledgement that they have read and agreed to the Customer’s biometric privacy policy in addition to the more specific notice regarding the collection and use of Biometric Data, including the Customer’s ability to disclose their Biometric Data with any service provider or third party vendors.
8. De-Identified Data
8.1 The terms set out in this paragraph 8 shall apply when GBG Processes De-Identified Data under the Agreement:
9. Conflict
To the extent there is any conflict or inconsistency between this Schedule 6, and any other terms in this DPA or the Agreement, this Schedule 6 will prevail.
Last updated: 05/08/24
The following terms as set forth in this Schedule 7 shall apply, in addition to the applicable terms set out in the DPA, when GBG Processes Personal Data originating in Canada or Latin America.
1. Customer’s Obligations.
1.1 The Customer represents and warrants that in accordance with Applicable Data Protection Laws it shall:
1.2 Where GBG’s Processing of Customer Data requires Data Subject’s consent for GBG to lawfully Process Personal Data under the Agreement, the Customer shall:
2. GBG’s Obligations.
2.1 When acting as a Processor, GBG shall, in accordance with Applicable Data Protection Laws:
3. GBG’s Data Network.
3.1 The terms set out in this Paragraph 3 shall apply when GBG contributes Customer Data into its Data Network under section 6 of the DPA, where Processing of Customer Data is compatible with the context in which the Personal Data was initially collected by Customer, including combining and matching Personal Data. The Customer acknowledges and understands that GBG will contribute Customer Data into its Data Network provided Customer affirmatively authorizes such Processing under its corresponding Order Form(s). GBG’s Data Network Processing will be denoted as follows in the Order Form(s):
3.2 Customer acknowledges and agrees that:
3.3 GBG Trust USA and Velocity: For the avoidance of doubt, the “GBG Trust USA” and/or “Velocity” data solutions and their networks, which may be utilized in conjunction with our ExpectID Solutions, fall outside the scope of paragraphs 3.1 through 3.2 and, therefore, shall not constitute a data transfer for further processing as GBG continues to act on Customer’s instructions. The Customer Data is made available to GBG under the Agreement for the limited purposes of verifying Customer’s data subject’s information for fraud and risk purposes in accordance with Customer’s risk appetite as configured by Customer within the GBG Product, as further detailed in the Agreement. The performance of such services includes retaining and utilizing Customer Data in the GBG Trust USA and/or Velocity, and combining Customer Data that GBG receives from, or on behalf of, its customers with Personal Data that it receives from, or on behalf of, its other persons, to perform fraud prevention and risk services for GBG’s customers when providing matches for velocity or anomaly in relation to any data attribute(s) queried by Customers for a specific transaction, as permitted by Applicable Data Protection Laws for the prevention of fraud. All data pooled into the GBG Trust USA and/or Velocity is pseudonymized, encrypted in transit and at rest, and masked upon receipt and will not itself be appended or provided outright to any other customer. Instead, it is used to derive fraud alerts in accordance with Customer’s rules engine configuration to enable our customers’ risk assessment regarding risk, transactions, and fraud.
3.3.1 The Parties agree as follows in regard to the Processing performed under paragraph 3.3 above:
3.3.1.1 GBG may process Customer Data as reasonably necessary and proportionate to achieve the purposes for which Personal Data was collected or processed;
3.3.1.2 Customer is responsible for customizing and maintaining all rules, which will determine GBG’s Processing;
3.3.1.3 Customer understands the network’s Processing and instructs GBG to contribute the Personal Data into the relevant GBG Trust USA and/or Velocity data network;
3.3.1.4 Customer is making the Personal Data available to GBG for the limited purpose of enabling GBG to perform the services it is instructed to perform by Customer; and
3.3.1.5 Any and all exchange of Personal Data under the Agreement is necessary to enable GBG to provide its service to Customer.
4. Restricted Transfers of Personal Data by Adopting Countries.
4.1 Except as otherwise set forth in this paragraph, Schedule 5, the EU SCCs will apply to (i) any Transfer of Personal Data that is subject to the laws of a country outside the EEA/UK in which the competent data protection authority has approved the use of the EU SCCs (each, an “Adopting Country”), or otherwise requires certain privacy safeguards, model contractual clauses, or any other contractual privacy provisions for the Transfer of Personal Data not provided through this DPA or this Schedule 5, subject to amendments for adequacy with certain obligations specifically set forth in the Applicable Data Protection Laws, and only to the extent the competent data protection authority has not set forth its specific standard contractual clauses for Restricted Transfers. For the avoidance of doubt, by applying the EU SCCs in accordance with this paragraph 4, the Parties do not intend to grant third party beneficiary rights to Data Subjects under the EU SCCs when Data Subjects concerned would not otherwise benefit from such rights under the Applicable Data Protection Laws or this DPA.
4.2 Where a Restricted Transfer concerns Customer Data originating from Argentina, the standard contractual clauses made under Regulation No. 60-E/2016, and currently located at Argentina's SCCs will be incorporated into the DPA by reference and shall apply to the extent required under Applicable Data Protection Laws and where this DPA or these local laws set out in this Schedule does not provide adequate safeguards.
4.3 Where a Restricted Transfer concerns Customer Data originating from Uruguay, the standard contractual clauses made under Regulation No. 41/2021, and currently located at Uruguay's SCCs will be incorporated into this DPA by reference and shall apply to the extent required under Applicable Data Protection Laws and where this DPA or these local laws set out in this Schedule does not provide adequate safeguards.
5. Biometric Processing
5.1 If the Customer uses GBG’s Services to Process Biometric Data, the Customer shall, prior to collecting, using or disclosing the Biometric Data:
5.2 GBG will Process Biometric Data following Customer’s documented instruction (as described in the Agreement), which shall include the ability to disclose the Biometric Data to GBG’s relevant Subprocessors and protect the Biometric Data in accordance with Schedule 4 of the DPA, as appropriate.
5.3 The Customer warrants that the Data Subject’s Consent must comply with relevant Applicable Data Protection Laws and, at a minimum, must record Data Subject’s acknowledgement that they have read and agreed to Customer’s biometric privacy policy (and linking back to GBG’s biometric privacy policy), in addition to the more specific notice regarding the collection, use and disclosure of their Biometric Data.
6. Conflict
To the extent there is any conflict or inconsistency between this Schedule 7, and any other terms in this DPA or the Agreement, this Schedule 7 will prevail.
Last updated: 05/08/24
This is only relevant to Channel Partners, where the Channel Partner has one single integration point with GBG for multiple End Users.
| | GB Group plc ('GBG') A Company registered in England and Wales, 2415211. Registered Office Address: GB Group plc, The Foundation Herons Way Chester Business Park Chester CH4 9GB DPO: Kate Lewis. DPO@gbgplc.com Alternatively, this may be the name of the legal entity listed on your Order Form. The DPO name and email address will be the same. |
| Name and contact details of the processor | As documented in the Agreement. |
| Categories of processing carried out on behalf of the controller | Purpose – Meta Data for Data Subject rights. |
| Transfers of personal data to a third country or an international organisation. i) Name the third country or international organisation ii) Document the appropriate safeguards involved in the transfer | Not applicable. |
| General description of the technical and organisational security measures | The Channel Partner will take all security measures required in accordance with Applicable Data Protection Laws to ensure the protection of Personal Data. See Schedule 4 for description of the technical and organisational measures. |
Last updated: 25/04/24
To support you with this understanding, we have provided some FAQs which explain a number of clauses in more detail. For clarity, the FAQs do not form part of the DPA.
Last updated: 01/08/24