Data Processing Agreement

This Data Processing Agreement together with its Schedules (the “DPA”) forms part of the Agreement between the Parties for the Customer’s use of the Services which involves the Processing of Personal Data. The Parties have agreed to enter into this DPA to govern such Processing of Personal Data.

AGREED TERMS

1. Scope and Applicability

The Parties agree that:

1.1. This DPA regulates the Processing of Personal Data subject to Applicable Data Protection Law for the Services provided under the Agreement.

1.2. Where the Agreement involves the Processing of Personal Data of individuals that is subject to specific local laws, the terms set forth in the relevant local law Schedules of this DPA shall apply.

1.3. They shall comply with their respective obligations as set out in this DPA.

2. Roles of the Parties

2.1 The Parties acknowledge and confirm that each Party is responsible for the Processing of Personal Data for its own purposes in the context of the Services specified in the Agreement and as described below:

  1. GBG processes Personal Data for the following purposes: operating, providing, supporting or enabling the performance of the Services to the Customer. This involves the collection and sharing of Supplier Data and Customer Data, technical and customer support, user management, load balancing, debugging, assessing and improving match rates, maintaining and improving service levels, Customer management (which includes enabling payments, finance and account management), Data Subject rights and, where agreed between the Parties, creating Insights. Whilst GBG’s processing activity remains the same, the role of GBG under Applicable Data Protection Law will vary depending upon the jurisdiction. Schedule 2 (Product Grid) of this DPA describes the role of GBG in relation to the Service specified on the Order.
  2. Customer processes Personal Data for the following purposes: collecting and sharing Customer Data with GBG, and receiving and using Results in the context of the Services and, where relevant, in accordance with its Customer Use Case. GBG utilises Supplier Data to deliver the Results. Details about the role of each Supplier and international transfers are described in the Additional Terms.

3. Channel Partners

This section 3 shall only apply where a Customer is a Channel Partner:

For the purposes of this DPA, “Channel Partner” means any organisation, firm, company or public authority which operates on behalf of an End User that interacts directly with the Data Subject. The naming convention for this will vary across GBG entities and may include Intermediary, Integrated Introducer or Reseller, or any organisation, firm, company or public authority which provides the Results to an End User.

3.1 The Parties acknowledge and agree that:

  1. For the purposes of this DPA, Customer Data shall also include, where applicable, data provided to GBG via a Channel Partner by their End User for processing in accordance with the Agreement and this DPA.
  2. The Channel Partner is appointed by their End User to process Customer Data it provides to GBG in relation to the Service specified on the Order Form. The role between the Channel Partner and their End User is defined independently and contractually between them. GBG’s role remains as specified in Schedule 2 (Product Grid) of this DPA.
  3. For the purposes of this DPA, the Channel Partner takes on the role of Customer and shall comply with the terms set out in this DPA and shall procure that its End Users shall, where applicable, comply with the terms of this DPA.
  4. If the Channel Partner is operating as a Processor, it shall not utilise or further process any Results provided by GBG for any purpose not permitted under its role as a Processor. The Channel Partner acknowledges and agrees that GBG is not selling any Personal Data to the Channel Partner and/or End User under the Agreement.
  5. Where a Channel Partner has a single integration point to connect a GBG product and/or service for multiple End Users, GBG (where it is acting as an independent Controller as specified in Schedule 2) appoints the Channel Partner as its authorised Processor. The Channel Partner shall retain a copy of the Meta Data for the relevant Services in accordance with Schedule 8 of this DPA to ensure both Parties can meet their transparency obligations under Applicable Data Protection Laws.
  6. Where relevant, and where Customer Data is being contributed to the Data Network, the Channel Partner will comply with the provisions of sections 5 and 6 of this DPA and the Channel Partner further confirms that:
    1. technical measures have been implemented to allow each of its End Users to opt-in or opt-out of the Data Network.
    2. where Customer Data has been collected for the purposes of contributing to the Data Network, the necessary authorisation has been obtained from their End User which shall be evidenced in its contractual arrangements with their End User.

4. Obligations of the Parties

It is agreed that:

4.1 Both Parties shall comply with all obligations set out in Column A (Data Protection Obligations) in the table below.

4.2 Additional processor obligations will also be applicable where a Party has appointed the other Party as their authorised Processor as outlined in the Product Grid set out in Schedule 2 (Product Grid) of this DPA. In such event and in addition to the obligations set out in Column A (Data Protection Obligations), the terms set out in Column B (Additional Processor Obligations) shall apply.

  Column A - Data Protection Obligations | Column B - Additional Processor Obligations
The Column B terms shall only apply where a Party has appointed the other Party as its authorised Processor.

4.3 Compliance with Applicable Law
  Column A: Both Parties represent and warrant that they will comply with Applicable Data Protection Laws when Processing Personal Data in the context of the Services, and that they will perform their obligations under this DPA.
  Column B: A Party appointed as a Processor shall process the Personal Data strictly in accordance with the documented instructions of the Controller, including with regard to Restricted Transfers of Personal Data to a third country or an international organisation, except where otherwise required by any relevant applicable law, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited by that law on important grounds of public interest). The Processor shall immediately inform the Controller if it becomes aware that the Processing instructions infringe Applicable Data Protection Law.

4.4 Security
  Column A: Each Party shall implement and maintain reasonable and appropriate technical and organisational measures to protect Personal Data from a Data Breach. Where expressly stated in the Additional Terms, the Customer shall also comply with the additional security provisions in relation to the relevant Supplier Data. Such measures shall include complying with any ‘Information Security Requirements’ that are applicable under Schedule 4 of this DPA.

4.5 Confidentiality
  Column A: In addition to the confidentiality provision in the Agreement, each Party warrants that it has taken steps to ensure that any person or entity acting under its authority who Processes or in any way has access to Personal Data in the context of the Services (including any entity engaged by a Party or any further sub-contractor) is only granted access to Personal Data on a need-to-know basis and is subject to a duly enforceable contractual or statutory confidentiality obligation.

4.6 Subprocessors
  Column A: Either Party may, at its election, appoint a third-party processor, provided that such processing complies with Applicable Data Protection Law. The Party engaging a third-party processor in accordance with this section 4 will remain liable for any act or omission of that third-party processor.
  Column B: The Customer provides general written authorisation to GBG to engage any of the third-party Subprocessors set out in Schedule 3 of this DPA where GBG is the Processor and, where the Customer is the Processor, GBG provides general written authorisation to the Customer to engage Subprocessors to process Personal Data, in each case provided that:
    1. the Processor informs the Controller of any intended changes concerning the addition or replacement of a Subprocessor with access to the Personal Data and gives the Controller the opportunity to object to such changes, in writing and on reasonable grounds relating to data protection, within thirty (30) days after receipt of such notice. If the Parties do not reach a resolution, the Controller, acting reasonably, may terminate the affected element of the Service by providing written notice to the Processor;
    2. the Processor imposes data protection terms on any Subprocessor it appoints that protect the Personal Data to the same standard provided for by this section 4; and
    3. the Processor remains fully liable for any breach in relation to the Processing of Personal Data that is caused by an act, error or omission of its Subprocessor.
4.7 Automated Decision Making
  Column A: Each Party hereby represents and warrants that it shall comply with all Applicable Data Protection Law requirements if it uses the Services to make any automated decisions that produce legal effects concerning Data Subjects or otherwise produce similarly significant effects on Data Subjects.

Each Party shall ensure that (where required under Applicable Data Protection Law):

  1. there is a valid legal ground for the decision-making;
  2. consent is obtained from Data Subjects; and/or
  3. appropriate safeguards are implemented, such as providing Data Subjects with the right to obtain human intervention in the decision-making process.

For the avoidance of doubt, GBG does not make any automated decisions.

4.8 Mutual Assistance
  Column A: Each Party shall provide reasonable assistance to the other Party, as may be required, to enable the other Party to perform its responsibilities under this DPA and Applicable Data Protection Laws in relation to any correspondence, inquiry or complaint from a Data Subject, regulator or Third Party that may be deemed to have a material impact on the other Party.

4.9 Data Breach
  Column A: Each Party must notify the other Party of a Data Breach that relates to Personal Data Processed in the context of the Service and for which the other Party is a Controller without undue delay after becoming aware of it, and in any event not later than 72 hours after becoming aware. The Parties will assist each other, in accordance with Applicable Data Protection Law, in complying with their obligations to provide Data Breach notifications.
4.10 Transfers
  Column A: To the extent the Customer’s use of the Service involves a Restricted Transfer, the Exporter of the Personal Data shall notify the other Party of any such Restricted Transfer prior to the Processing and both Parties shall agree a lawful means for the Restricted Transfer. In the event the Parties are unable to establish or agree upon a lawful means, the Exporter acknowledges and agrees that it is prohibited from making the Restricted Transfer. Schedule 5 of this DPA shall apply where Standard Contractual Clauses have been established as the lawful means for the transfer.

To the extent the Customer’s use of the Service requires an onward transfer mechanism to lawfully conduct a Restricted Transfer of Personal Data from a restricted jurisdiction to a third party within the same jurisdiction or in another jurisdiction, the Exporter shall ensure that a lawful means for processing under Applicable Data Protection Laws is put in place with the third party.

In the event a jurisdiction’s Applicable Data Protection Law requires and accepts the Standard Contractual Clauses as appropriate safeguards under its data protection laws, the Standard Contractual Clauses (Schedule 5) shall be deemed applicable and any amendments required by such jurisdiction’s regulator shall be deemed to be made to the Standard Contractual Clauses as necessary to comply with the Applicable Data Protection Law.

4.11 Data Disclosures
  Column A: The Parties represent and warrant that they will only disclose Personal Data to a Third Party in accordance with Applicable Data Protection Law, this DPA and the Agreement.
  Column B: The Processor shall provide reasonable and timely assistance to the Controller to enable it to respond to:

  1. any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and
  2. any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data.

Where the Processor is contacted directly and expressly in relation to Processing it performed for the Controller, the Processor shall promptly notify the Controller upon becoming aware of such request and shall provide full details if and to the extent required by Applicable Data Protection Laws.

4.12 Deletion or return of data
  Column B: Upon termination or expiry of this DPA, the Processor shall (at the Controller’s election) destroy or return to the Controller all Personal Data within 30 days. This requirement shall not apply to the extent that the Processor is required by any applicable law to retain some or all of the Personal Data, in which event the Processor shall isolate and protect the Personal Data from any further processing, except to the extent required by such law, until deletion is possible. Until the Personal Data is deleted or returned, the Processor shall continue to ensure compliance with this DPA.

4.13 Limitations
  Column B: The Processor acknowledges and agrees that it is not permitted to:
  1. retain, use, disclose or otherwise process Personal Data for any commercial purposes or for any purpose other than:
    1. the purposes outlined in the Agreement and this DPA;
    2. Processing Personal Data at the Controller’s instruction within the direct business relationship between GBG and the Customer; or
    3. as otherwise permitted by Applicable Data Protection Law;
  2. sell, share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data (unless it is to an authorised Subprocessor) for (i) monetary or other valuable consideration, or (ii) cross-context behavioural advertising, whether or not for monetary or other valuable consideration; or
  3. combine Customer Data or Meta Data (as may be applicable in the context) with any other Personal Data the Processor receives from, or on behalf of, another person or persons, or collects from its own interaction with a Data Subject, unless and to the extent permitted by Applicable Data Protection Law, the Agreement, or this DPA.

5. Customer Obligations

5.1 Customer Representations and Warranties. Customer hereby represents and warrants the following:

  1. The Customer Data has been and will continue to be collected, processed, transferred, and/or exported to GBG in accordance with Applicable Data Protection Law and that the Customer’s collection, processing, transferring, or exporting of Customer Data shall not be in violation of any such law.
  2. The Customer will provide Data Subjects with all notices and obtain from them all rights and, where applicable, Consents, necessary for the provision and transfer of such data to GBG, the Processing of such data by or on behalf of GBG, and the Customer’s use of Results pursuant to the Agreement.
  3. As between the Customer and GBG, Customer is solely responsible for providing such notice and obtaining such Consent, where necessary. This shall include, where appropriate:
    1. gathering the affirmative, unambiguous and explicit Consent of the Data Subject (or of an authorised representative in the case of minors) for the collection, export and Processing of his/her Personal Data by the Customer, GBG, and any Authorised Subprocessors or Processors; and
    2. providing a link to GBG’s privacy notice prior to the collection of the Personal Data.

5.2 Customer’s Retention of Evidence. Where applicable, the Customer shall retain evidence of having acquired the necessary Consents and/or provided the transparency required under this DPA and Applicable Data Protection Law and shall, on reasonable request from GBG, provide evidence in a machine portable manner. The Customer shall retain such evidence for the duration required under Applicable Data Protection Law.

5.3 Where relevant, the Customer is responsible for identifying and communicating its Customer Use Case to GBG. The Customer represents, warrants and undertakes that it shall only use the Software, Service and Results in accordance with the Customer Use Case it has selected on the Order Form and shall not change its Customer Use Case without first agreeing, in writing, such change with GBG. The Customer shall regularly review its Customer Use Case and notify GBG without undue delay if it determines a change in its Customer Use Case is likely to be required.

6. Data Network

The Parties agree that:

6.1 Where applicable and included on the Order Form, GBG will, subject to section 6.3 below, collect Customer Data into a Data Network where it will combine and match data to generate Insights about specific data attributes, individuals or a location. The Customer acknowledges and agrees that GBG may transfer Personal Data from one GBG Entity to another for the purposes of utilising it in the Data Network. Such Insights may be made available to Customers as an address, risk score, fraud or identity alert via GBG’s products and services.

6.2 The Data Network may utilise profiling as defined under Applicable Data Protection Law.

6.3 GBG confirms that information held in the Data Network:

  1. will not be used for marketing purposes by GBG or GBG Customers.
  2. will not be shared, in bulk or otherwise, with Third Parties. For the avoidance of doubt, GBG does not grant its Customers or any Third Parties direct access to the data held in its Data Network.
  3. will always utilise data from multiple sources to ensure that no data variables from an individual customer record within the Customer Data is used in isolation.
  4. may be used by organisations, only for tracing of individuals, verification and/or validation of the identity of individuals or an address.
  5. may be used for testing and evaluation purposes by GBG only to improve and maintain GBG solutions.
  6. may be used for product improvement and commercial use, as permitted under Applicable Data Protection Law.
  7. will be created and processed in accordance with GBG’s Products and Services Privacy Policy available at: https://www.gbgplc.com/en/legal-and-regulatory/products-services-privacy-policy/ and all Applicable Data Protection Laws.

 

Last updated: 25/04/24

Schedule 1: Definitions and Interpretation

DEFINITIONS AND INTERPRETATION.

1.1 Capitalised terms not otherwise defined herein have the meaning given to them elsewhere in the Agreement.  Except as modified below, the terms of the Agreement remain in full force and effect.

1.2 The following terms have the meanings set out below for this DPA:

“Agreement” means a written services agreement, an Order or any other relevant agreement between the Parties which involves the Processing of Personal Data of individuals subject to Applicable Data Protection Laws.

“Applicable Data Protection Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Customer Data (as defined below) including, as applicable, (i) Regulation 2016/679 (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national law made under or pursuant to (i) or (ii); (iv) the EU GDPR as it is saved and incorporated into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (v) the California Consumer Privacy Act of 2018 and its corresponding regulations, as amended by the California Privacy Rights Act (collectively the “CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and any other comprehensive US state privacy laws; (vi) the Biometric Information Privacy Act of Illinois (“BIPA”); and (vii) any amendment, consolidation or re-enactment thereof, any legislation of equivalent purpose or effect enacted, and any orders, guidelines, guidance and instructions issued under any of the above or by any other relevant national authorities.

“Authorised Subprocessor” means a Subprocessor who is either (i) set out in Schedule 3 which are hereby deemed to be approved by the Customer or (ii) otherwise authorised to Process Customer Data on behalf of GBG pursuant to section 4 of this DPA.

"Biometric Data” shall have the meaning set out in the relevant Applicable Data Protection Law. For the avoidance of doubt, it shall include ‘biometric identifiers’ and ‘biometric information’ as defined under US biometric privacy laws, including BIPA.

“Consent” shall have the meaning set out in the relevant Applicable Data Protection Law. For the avoidance of doubt, under GDPR it shall mean any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. The term “Consent” shall be interpreted to include any additional requirements, including obligations relating to collecting consent via written or electronic form, under Applicable Data Protection Laws.

“Controller” means the person or entity, which alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The term “Controller” shall be interpreted to include the meaning of the term “controller” as such term is defined by the GDPR, and similar designations under and regulated by Applicable Data Protection Law(s).  Additionally, the term “Controller” shall also be interpreted to mean “Business” as defined under the CCPA, where applicable.

“Customer Audit Trail” means an electronic record of the Transactions carried out using the Service, including any Results generated.

“Customer Data” means any and all data (which may include Personal Data) provided by the Customer to GBG, or by the Channel Partner to GBG on behalf of an End User, for processing in accordance with the terms of the Agreement and this DPA;

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data or Meta Data (as may be applicable in the context) transmitted, stored or otherwise processed.

“Data Network” means separate and individual data pools that consist of information (including Personal Data) that GBG receives from its customers and/or End Users.  The information held by GBG in the Data Network may be used to create Insights in accordance with section 6 of this DPA. 

“Data Subject” means an identified or identifiable natural person to whom Personal Data, which is being processed by GBG to perform its services under the Agreement, relates.

“De-Identified Data” means Customer Data from which GBG has removed identifying characteristics as necessary for compliance with Applicable Data Protection Laws.

"EEA" means the Member States of the European Economic Area.

“End User” means a party licensed by the Channel Partner for the use of GBG’s products and services.

“Exporter” means any Controller or Processor located in a regulated jurisdiction which transfers Personal Data outside the regulated jurisdiction in which it is located.

“GBG Audit Trail” means a copy of the Customer Data and Results of a Service which is retained by GBG for 12 months for the sole purpose of responding to Data Subject rights.

“Importer” means any Controller or Processor which receives Personal Data from the Exporter under a Restricted Transfer.

“Insights” means data that is created by GBG as part of the provision of the Service, from the collection, storage and analysis of any data relating to the Customer's (or End User's as the case may be) use of the Service.

“Meta Data” means the Channel Partner’s End User’s name, the search date and time stamp, and the Data Subject’s name; this may include Personal Data.

“Personal Data” shall have the meaning set out in the Applicable Data Protection Law and shall apply to all Data Subjects whose data is processed under the Agreement; provided, however, that where this term is not defined, it shall mean any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, adaptation, or alteration, retrieval, consultation, use, modification, storage, disclosure, restriction, erasure or destruction. 

“Processor” shall have the meaning set out under the Applicable Data Protection Law. The term “Processor” shall be interpreted to include the meaning of the term “processor” as such term is defined by the GDPR and similar designations under and regulated by Applicable Data Protection Law. Additionally, the term “Processor” shall also be interpreted to mean “Service Provider” as defined under the CCPA, where applicable. 

“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss Federal Act on Data Protection (“FADP”) applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

“Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).

“Subprocessor” means other Processor(s) engaged by a Processor to Process data on its behalf.

“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.

"Third Party” for the purpose of this DPA means any organisation who is not GBG or a GBG Group Company; and

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK’s Information Commissioner’s Office in accordance with s119A of the Data Protection Act 2018.

1.3 References to sections refer to terms of the Data Processing Agreement of this DPA.

1.4 References to paragraphs are to terms of the Schedules to this DPA. 

 

Last updated: 25/04/24

Schedule 2: Product Grid

See spreadsheet here.

 

Last updated: 30/10/24

Schedule 3: Authorised Processors/Sub-Processors

GBG's role is dependent upon the jurisdiction which is detailed in Schedule 2 (Product Grid).

View here.

 

Last updated: 30/10/24

Schedule 4: Security: Technical & Organisational Measures

Where applicable, both Parties shall comply with the following Information Security Requirements in addition to any security requirements that are also required under Applicable Data Protection Laws:

1. Physical Access Control
Both parties shall implement and maintain physical controls to prevent unauthorised access, damage and interference to data processing systems.

Measures shall include, but are not limited to:

  • Establishing secure areas, restriction of access paths.
  • Establishing access authorisations for employees and third parties.
  • Access control system (ID reader, magnetic card, chip card).
  • Key management, card-keys procedures;
  • Door locking (electric door openers etc.).
  • Site security or security guards.
  • Surveillance facilities, video/CCTV monitor, alarm system.
  • Securing decentralized data processing equipment and personal computers.

2. System Access Control
Both parties shall review and maintain a formally documented access control policy to prevent data processing systems from being used by unauthorised persons.

Measures shall include, but are not limited to:

  • User identification and authentication procedures (two-factor or multi-factor authentication).
  • Password security procedures (minimum length, complexity and password rotation).
  • Automatic locking of devices (e.g. on failed password attempts or after an inactivity timeout).
  • Monitoring and alerting of break-in attempts and automatic lock-out of the user ID after 10 erroneous password attempts.
  • Encryption of data storage media using industry-standard encryption methods.

3. Data Access Control
Both parties shall ensure that persons entitled to use a data processing system gain access only to such Personal Data as their access rights permit, and that Personal Data cannot be read, copied, modified or deleted without authorisation.

Measures shall include, but are not limited to:

  • Internal policies and procedures.
  • Control authorisation schemes, including segregation.
  • Differentiated access rights (profiles, roles, transactions and objects). Access to the personal data must be restricted to a need-to-know basis, and access must be revoked when appropriate.
  • Monitoring and logging of access.
  • Reports of access.
  • Access reviews.
  • Disciplinary action against employees who access Personal Data without authorisation.
  • Access procedure.
  • Change procedure.
  • Revocation procedure.

4. Pseudonymisation
Where appropriate to do so both Parties shall adopt pseudonymisation measures. This means the Processing of Personal Data in such a manner that the data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to corresponding technical and organisational measures.
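As an added illustration of the pseudonymisation measure described above (this is example code written for this page, not GBG’s code, and the Schedule prescribes no particular technique): the secret key and the token-to-value mapping are the “additional information” and are held by a separate custodian role, the pseudonymised records stay linkable for matching, and a holder of the records alone can neither re-identify a token nor confirm a guessed name by hashing it. The record fields, the custodian role and the sample records are assumptions made for the example.

```python
"""Keyed pseudonymisation with the additional information kept separately.

Added illustration for this page; not GBG code. Assumptions (not from the
DPA): records are dicts with 'name', 'email' and 'dob'; 'name' and 'email'
are the direct identifiers; the key and the reverse mapping live with a
separate custodian, which is the "additional information kept separately".
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

DIRECT_IDENTIFIERS = ("name", "email")  # assumed identifying fields


def normalise(value: str) -> str:
    """Canonicalise spacing and case so 'Jane  Doe' and 'jane doe' match.
    Tokens must be deterministic over trivial spelling variants, otherwise
    the pseudonymised set is no longer usable for matching."""
    return " ".join(value.split()).casefold()


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one field value.

    HMAC-SHA256 rather than a bare hash: with a plain hash, anyone holding
    the pseudonymised records can confirm a guess ('is this Jane Doe?') by
    hashing the guess themselves. With HMAC that check needs the key, which
    stays with the custodian. The field name is mixed in so a name and an
    e-mail that happen to share text never produce the same token."""
    msg = f"{field}\x00{normalise(value)}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class Custodian:
    """Holds the key and the reverse mapping; the only party able to
    re-attribute a token to a Data Subject."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._mapping: Dict[str, str] = {}

    def pseudonymise(self, record: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of the record with direct identifiers replaced by tokens."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                token = pseudonym(self.key, field, out[field])
                self._mapping[token] = out[field]
                out[field] = token
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse lookup; None for tokens this custodian did not issue."""
        return self._mapping.get(token)


def count_distinct_subjects(records: List[Dict[str, str]]) -> int:
    """What a data user can still do with only the pseudonymised set:
    count and link subjects by token without learning who they are."""
    return len({r["name"] for r in records})


# Constructed sample input for the example (not real data).
SAMPLE = [
    {"name": "Jane  Doe", "email": "jane@example.com", "dob": "1990-01-01"},
    {"name": "jane doe", "email": "JANE@example.com", "dob": "1990-01-01"},
    {"name": "John Smith", "email": "john@example.com", "dob": "1985-06-30"},
]

if __name__ == "__main__":
    custodian = Custodian()
    pseudo = [custodian.pseudonymise(r) for r in SAMPLE]
    for r in pseudo:
        print(r)
    print("distinct subjects:", count_distinct_subjects(pseudo))
    print("custodian re-identifies:", custodian.reidentify(pseudo[0]["name"]))
    print("other key re-identifies:", Custodian().reidentify(pseudo[0]["name"]))
```

The deterministic token keeps the first two sample records linkable as one subject while the third stays distinct; only the custodian that issued a token can reverse it, and a second custodian with its own key computes unrelated tokens, which is what makes the separately kept key the control rather than the hashing itself.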

5. Transfer Control
Both parties shall ensure that there is no unauthorised reading, copying, modifying or removal of data during electronic transmission or transport.

Measures shall include, but are not limited to:

  • Encryption, using industry standard encryption methods.
  • Virtual Private Networks (VPN).
  • Electronic Signature.

6. Availability Control
Both Parties shall put in place protection against accidental or deliberate destruction or loss.

Measures shall include, but are not limited to:

  • Back-up strategy (online/offline; on-site/off-site).
  • Uninterruptible power supply (UPS).
  • Anti-Virus/Firewall Systems.
  • Alerting and Reporting channels.
  • Operational Resilience and Redundancy Plans, including Disaster Recovery.

7. Disclosure Control
Both parties shall ensure that Personal Data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed.

Measures may include, but are not limited to:

  • Transport Layer security using industry standards.
  • Encryption using industry standards.

8. Entry Control
Both Parties shall implement measures to monitor whether data have been entered, changed or removed (deleted) in data processing systems, and by whom.

Measures shall include, but are not limited to:

  • Logging, alert and reporting systems.
  • Audit trails and documentation.

9. Separation Control
Both Parties shall ensure that Personal Data collected for different purposes can be processed separately.

Measures may include, but are not limited to:

  • Separation of databases.
  • “Internal client” concept / limitation of use.
  • Segregation of functions (production/testing).
  • Procedures for storage, amendment, deletion, transmission of data for different purposes.

10. Control of Instructions
Both Parties shall ensure that Personal Data are processed solely in accordance with the instructions of the Controller.

Measures may include, but are not limited to:

  • Unambiguous wording of the contract.
  • Formal commissioning (request form).
  • Criteria for selecting the Processor.

11. Regular Testing and Evaluation of Security Measures
Both Parties shall implement processes for regularly testing, assessing and evaluating their security measures.

Measures shall include, but are not limited to:

  • Security assessments.
  • Where applicable Penetration Testing (Security Testing).
  • Vulnerability Scanning.

12. Information Security Management and Policy
Each Party shall ensure that:

  • The roles and responsibilities for information security management are formally identified and documented.
  • There is a formal documented approach to risk management.
  • It carries out regular risk assessments.
  • There is a formal documented information security training and awareness programme in place.
  • It maintains and reviews an information security policy and communicates it to its employees, agents and/or contractors; and
  • It maintains and reviews an effective privacy and security incident plan.

Last updated: 25/04/24

Schedule 5: Standard Contractual Clauses (cross border transfers)

The following terms as set forth in Schedule 5 of this DPA shall apply, in addition to the applicable terms set out in the DPA, when GBG Processes Personal Data originating in Europe or the United Kingdom.

1. EEA Restricted Transfer

To the extent that Exporter transfers Personal Data originating from the EEA to Importer located outside the EEA, unless the Parties may rely on an alternative transfer mechanism or basis under the Applicable Data Protection Laws, the EU SCCs will be deemed entered into by the Parties, and incorporated into this DPA by reference, and completed as follows:

1.1 Module One (controller to controller) of the EU SCCs annexed to Commission Implementing Decision (EU) 2021/914 shall apply where Exporter acts as the Controller of Personal Data and Importer acts as a separate Controller.

1.2 Module Two (controller to processor) of the EU SCCs annexed to Commission Implementing Decision (EU) 2021/914 shall apply where Exporter acts as the Controller of Personal Data and Importer acts as a Processor.

1.3 Module Three (processor to processor) of the EU SCCs annexed to Commission Implementing Decision (EU) 2021/914 shall apply where Exporter acts as a Processor of Personal Data and Importer acts as a Subprocessor.

Population of the EU SCCs:

1.4 For Module One, where applicable:

  1. The optional docking clause in clause 7 will not apply.
  2. Clause 9 shall be deemed inapplicable.
  3. In clause 11, the optional language will not apply.
  4. In clause 13, all square brackets are removed, and all text therein is retained.
  5. In clause 17, the Parties agree that the EU SCCs shall be governed by the law of Ireland or country specified by Customer in Agreement in relation to any EEA Restricted Transfer.
  6. For the purposes of clause 18, the Parties agree that any dispute arising from the EU SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland or any other Member State specified by the Customer in the Agreement, and clause 18(b) is completed accordingly.

1.5 For Module Two and Module Three, where applicable:

  1. In clause 7, the optional docking clause will not apply.
  2. In clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be 30 days.
  3. In clause 11, the optional language will not apply.
  4. In clause 17, the parties agree that the EU SCCs shall be governed by the law of Ireland or any other Member State specified by the Customer in the Agreement in relation to any EEA and Swiss restricted transfer.
  5. For the purposes of clause 18, the parties agree that any dispute arising from the EU SCCs in relation to any EEA and Swiss restricted transfer shall be resolved by the courts of Ireland or any other Member State specified by the Customer in the Agreement and clause 18(b) is completed accordingly.

1.6 Population of the Annexes to the EU SCCs:

  1. Annex I.A (List of Parties) shall be deemed to incorporate the information set out in the Agreement.
  2. Annex I.B (Description of Transfer) shall be deemed to incorporate the information set out in Annex A of this Schedule.
  3. For the purposes of Annex I.C (Competent Supervisory Authority), the competent Supervisory Authority shall be in accordance with the criteria set out in clause 13(a) of the EU SCCs;
  4. Annex II (Technical and Organisational Measures) shall be deemed to incorporate Schedule 4 (Security: Technical & Organisational Measures) of this DPA.

2. UK Restricted Transfers

The EU SCCs also apply in the context of UK Restricted Transfers as varied by the UK Addendum. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into by the Parties and incorporated into this DPA by reference as follows:

2.1

  1. Part 1 of the UK Addendum. As permitted by Section 17 of the UK Addendum, the Parties agree that:
    1. Tables 1, 2, and 3 of Part 1 of the UK Addendum are completed respectively with the information set out in the Agreement (as applicable); and
    2. Table 4 of Part 1 of the UK Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
  2. Part 2 of the UK Addendum. The Parties agree to be bound by the mandatory clauses of the UK Addendum.
  3. In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in this DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in this paragraph 2 of Schedule 5.

2.2 For the purposes of the UK Addendum:

  1. Annex I.A (List of Parties) shall be deemed to incorporate the information as set out in the Agreement.
  2. Annex I.B (Description of Transfer) shall be deemed to incorporate the information as set out in Annex A of this Schedule.
  3. Annex II (Technical and Organisational Measures) shall be deemed to incorporate Schedule 4 (Security: Technical & Organisational Measures) of this DPA.

3. Swiss Restricted Transfers

The EU SCCs apply to Swiss Restricted Transfers, subject to the following amendments and additional provisions:

  1. References to the GDPR are to be understood as references to the revised FADP.
  2. The competent Supervisory Authority (to be named in Annex I.C) is the Swiss Federal Data Protection and Information Commissioner; and
  3. The term 'Member State' must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of bringing legal proceedings against the Exporter and/or Importer before the courts of Switzerland.

4. Conflict. To the extent there is any conflict or inconsistency between this Schedule 5, and any other terms in this DPA or the Agreement, this Schedule 5 will prevail.

ANNEX A – DESCRIPTION OF THE TRANSFER

Description of the Restricted Transfer in relation to Customer Data and Results.

| | Customer Data | Results |
|---|---|---|
| Categories of Data Subjects whose Personal Data is transferred | The Personal Data transferred concern the following categories of Data Subjects: the Customer’s customers or End Users including employees and contractors, and the Data Subjects. | The Personal Data transferred concern the following categories of Data Subjects: the Customer’s customers or End Users including employees and contractors, and the Data Subjects. |
| Purpose(s) of the data transfer and further Processing | The transfer is made for the following purpose: in accordance with the Customer Use Case and the Agreement. | The transfer is made for the following purpose: to permit the Customer to use the Supplier Data and/or Results in accordance with their Customer Use Case and the Agreement. |
| Categories of Personal Data transferred | Contact information, employment information, demographics, financial, location, personal identification, user account information. | Contact information, employment information, demographics, financial, location, personal identification, user account information. |
| Sensitive data transferred (if applicable) | In accordance with the Agreement. | In accordance with the Agreement. |
| Frequency of transfer | In accordance with the Agreement. | In accordance with the Agreement. |
| The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period | In accordance with the Agreement. | In accordance with the Agreement. |


Last updated: 25/04/24

Schedule 6: Local Laws – United States of America

The following terms as set forth in this Schedule 6 shall apply, in addition to the applicable terms set out in the DPA, when GBG Processes Personal Data pertaining to US residents that is subject to applicable US privacy law.

1. GBG Processor Obligations.

1.1 GBG shall comply with all applicable Processor terms set out in section 4 of this DPA, in accordance with the obligations, rights, and restrictions imposed on it as a Processor under the relevant Applicable Data Protection Law.

1.2 GBG agrees that, to the extent that relevant Applicable Data Protection Law requires:

  1. it is processing the Customer Data pursuant to the Agreement and this DPA, and the Customer is disclosing the Customer Data to GBG only for the following limited and specified Business Purpose(s) listed in subparagraph (b) below.
  2. the specific Business Purpose for which GBG is processing Customer Data pursuant to the written Agreement with the Customer is to perform services on behalf of the Customer by verifying Customer’s Data Subjects’ information, provide Customer support, as further detailed in the Agreement and in accordance with the Applicable Data Protection Law (the “Business Purposes”). GBG shall not retain, use, or disclose any Customer Data that it collected pursuant to the Agreement for any purpose other than the Business Purpose, or as otherwise permitted by the Applicable Data Protection Law.
  3. it shall not sell or share any Customer Data it collects pursuant to the Agreement; it shall not retain, use, or disclose the Customer Data that it collected pursuant to the Agreement for any commercial purpose other than the Business Purpose, outside the direct business relationship between GBG and the Customer, unless expressly permitted under Applicable Data Protection Law.
  4. it shall comply with all applicable sections of the Applicable Data Protection Law, including – with respect to the Customer Data it collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the Applicable Data Protection Law. This includes using reasonable commercial efforts to cooperate with the Customer in responding to and complying with Data Subjects’ requests made to the Customer in relation to GBGs Processing under the Agreement pursuant to the Applicable Data Protection Law, and implementing reasonable security procedures and practices appropriate to the nature of Customer Data to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with the Applicable Data Protection Law. If GBG, while acting in its capacity of a Processor, receives a request directly from a Customer’s Data Subject, GBG shall process the request in accordance with its obligations as a Processor under Applicable Data Protection Law.
  5. it shall notify the Customer after it makes a determination that it can no longer meet its obligations under Applicable Data Protection Law.
  6. it grants the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate GBG’s unauthorized use of Customer Data.
  7. If GBG subcontracts with another person in providing services to Customer, GBG shall have a contract with the subcontractor that complies with the Applicable Data Protection Law.

2. Scope of Processing by GBG as a Processor.

2.1. The Parties agree that the following applies where GBG is acting as a Processor:

  1. the nature and purpose of the processing are as set out in the Agreement.
  2. the duration of the processing shall last throughout the duration in which the Agreement is in effect, or as otherwise agreed by the parties.
  3. the rights and obligations of both parties are set out in the Agreement.
  4. the types of Personal Data which are subject to GBG’s Processing depends on the product(s) the Customer is contracting to take from GBG under the Agreement and/or Customer’s instructions on what types of Personal Data it wants GBG to Process on its behalf, and may be as follows, respectively:

| Product | Data Subjects' Data Processed under the relevant Product |
|---|---|
| ID3global | Personal Identification: Driving license number, Date of Birth, National Identification Number, National identity card details, Passport Number, Full Name, Photo. User Account Information: Account Number. Browsing Information: IP Address. Contact Information: Home Address, Previous Residence Address, Phone Numbers, Email, Contact details. Financial Information: Bank account information. Geolocation: Country. |
| IDScan Enterprise (web) | Personal Identification: National Identification Number, Date of Birth, National identity card details, Signature, Gender, Photo, Age, Marital Status, Citizens Status, Full Name, Nationality, Physical Characteristics, Government Identification Document (e.g. driver’s license or passport, and all personal information contained therein). Contact Information: Home Address. Family Information: Relationships, Parents’ Names. Information that could be deemed Sensitive Personal Information, depending on the jurisdiction: Biometric data, Racial or Ethnic Origin, Driving license number, Social Security Number, Passport Number. |
| Loqate Verify | IP address, Postal Address, Geocode (only at your affirmative selection) |
| Loqate Capture | IP address, Postal address, and Geolocation (only at your affirmative selection) |
| Loqate Storefinder | IP address, Postal address, and Geolocation (only at your affirmative selection) |
| Loqate Data Maintenance | May include the following (as set out in your Order Form): name, address, email, phone number |
| Loqate Phone/Email Validation Services | May include the following (as set out in your Order Form): phone number, email |
| ExpectID/ExpectID Age/ExpectID with International Data/ExpectID IQ/ExpectID Customer Based Authentication | Name, postal address, country. May also include the following (as set out in your Order Form): social security number (4/9), date of birth, IP address, email address, shipping or alternative address |
| ExpectID GeoTrace | IP address |
| GBG Trust USA / Velocity / Professional Services | Name, postal address, email address, social security number (9), IP address, phone number |
| ExpectID Scan Onboard/ExpectID Barcode Scan | Document image front/back. May also include the following (as set out in your Order Form): selfie |
| ExpectID Scan Verify | Document image front/back, name, postal address, date of birth, social security number (9). May also include the following (as set out in your Order Form): selfie |
| ExpectID Name to Phone | Name, postal address, phone number |
| ExpectID Death Scrub | Social security number (9) |
| ExpectID Number Verification/ExpectID Mobile Attributes/ExpectID Secure One Time Verify | Phone number |
| ExpectID Email | Email address |
| ExpectID PA | Name. May also include the following (as set out in your Order Form): country, date of birth |

3. Customer Reviews and Audits.

GBG shall make available to the Customer all information necessary to demonstrate compliance with its obligations under Applicable Data Protection Laws in accordance with the audit rights set out in the Agreement.

4. GBG Data Networks

4.1 Sale of Data to GBG (CCPA Third Party Contract Requirements): The terms set out in paragraphs 4.1 through 4.9 shall apply when GBG contributes Customer Data into its Data Network under section 6 of the DPA. The term “third party” in this Schedule 6 shall have the meaning set out in the CCPA. The Customer acknowledges and understands that GBG will pool Customer Data into its Data Network unless the Customer opts out of such Processing under its corresponding Order Form(s). GBG’s Data Network Processing will be denoted as follows in the Order Form(s):

  1. "GBG DATA NETWORK | ID NUMBER 201493" or "GBG Data Network License".

4.2 The Customer acknowledges and agrees that:

  1. GBG may Process Customer Data provided to GBG under the Agreement in any or all of GBG’s proprietary Data Networks that fall under the terms set out in paragraphs 4.1 through 4.9. The information held by GBG in the Data Networks may be used to create Insights, as defined in section 6 of the DPA. For the avoidance of doubt, GBG may provide such Insights to any of its business customers who are also contributing information into the Data Networks. All of GBG’s business customers (or their End Users) to whom Insights may be provided by GBG, including the Customer, are in direct privity with the relevant Data Subject, who is intentionally interacting with them to obtain goods or services.
  2. The Data Networks do not disclose, transfer, or sell information provided by Customers to any third parties; the information is only accessed by GBG to create Insights, which are the only information disclosed to other business customers to assist a current transaction in which the Data Subject is intentionally interacting with them. The data held in the Data Networks and any Insights derived therefrom will never be disclosed, transferred, or sold to third parties.
  3. For the avoidance of doubt, all terms set out in section 6 (Data Networks) of the DPA shall apply.

4.3 The Customer understands and acknowledges that the processing under this paragraph 4 may be construed as a sale of Personal Data from the Customer to GBG, provided that no exception to the sale of Personal Data applies in accordance with the CCPA and Applicable Data Protection Law. GBG will not sell the Personal Data provided by Customer under the Agreement onward to any Third Parties.

4.4 The limited and specified purpose(s) for which the Customer Data is made available to GBG under the Agreement is to provide services to the Customer to verify Customer’s Data Subjects’ data, provide fraud detection and prevention, and conduct data analytics, which includes combining the Personal Data that it receives from, or on behalf of, the Customer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, as detailed in this paragraph 4, in accordance with the CCPA and Applicable Data Protection Law. GBG may retain and utilize the Customer Data held in its Data Networks for its own commercial purposes outside of the direct business relationship with the Customer, to improve and develop GBG’s existing and future products it provides and offer those improved services to other business customers, and to provide GBG’s professional services offerings in connection to fraud.

4.5 The Customer is making the Customer Data available to GBG only for the limited and specified purposes set forth above and within the Agreement and requires GBG to use it only for those limited and specified purposes.

4.6 GBG must comply with all applicable sections of the CCPA, including with respect to the Customer Data that the Customer makes available to GBG providing the same level of privacy protection as required of businesses by the CCPA.

4.7 GBG grants the Customer the right with respect to the Customer Data that the Customer makes available to GBG to take reasonable and appropriate steps to ensure that GBG uses it in a manner consistent with the Customer’s obligations under the CCPA.

4.8 GBG grants the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Data made available to GBG.

4.9 GBG shall notify the Customer after it makes a determination that it can no longer meet its obligations under the CCPA.

4.10 GBG Trust USA and Velocity: For the avoidance of doubt, the “GBG Trust USA” and “Velocity” data solutions and their networks, which may be utilized in conjunction with our ExpectID Solutions, fall outside the scope of paragraphs 4.1 through 4.9 and, therefore, shall not constitute a sale of data. The Parties agree that GBG’s processing under the “GBG Trust USA” and “Velocity” data solutions and their networks shall be performed by GBG as Customer’s Processor and will be subject to paragraphs 1-3 of this Schedule 6. The Customer Data is made available to GBG under the Agreement for the permitted Business Purpose(s) of verifying Customer’s Data Subjects’ information for fraud and risk purposes in accordance with Customer’s risk appetite as configured by Customer within the GBG Product, as further detailed in the Agreement. The performance of such services includes retaining and utilizing Customer Data in GBG Trust USA and/or Velocity, and combining Customer Data that GBG receives from, or on behalf of, its customers with Personal Data that it receives from, or on behalf of, other persons to perform fraud prevention and risk services for GBG’s customers when providing matches for velocity or anomaly in relation to any data attribute(s) queried by Customers for a specific transaction, as permitted by the CCPA. All data pooled into GBG Trust USA and/or Velocity is pseudonymized, encrypted in transit and at rest, and masked upon receipt, and will not itself be appended or provided outright to any other business customer. Instead, it is used to derive fraud alerts in accordance with Customer’s rules engine configuration to enable our customers’ assessment of risk, transactions, and fraud.

4.10.1 The Parties agree as follows in regards to the Processing performed under paragraph 4.10 above:

4.10.1.1 GBG may process Customer Data as reasonably necessary and proportionate to achieve the Business Purpose(s) for which the Personal Data was collected or processed;

4.10.2 Customer is responsible for customizing and maintaining all rules, which will determine GBG’s Processing;

4.10.3 Customer understands the network’s Processing and instructs GBG to contribute the Personal Data into the relevant GBG Trust USA and/or Velocity data network;

4.10.4 Customer is making the Personal Data available to GBG for the limited purpose of enabling GBG to perform the services it is instructed to perform by the Customer; and

4.10.5 Any and all exchange of Personal Data under the Agreement is necessary to enable GBG to provide its services to Customer.

5. GBG Trust Core

5.1 When GBG provides Customer with Insights via the GBG Trust Core, GBG is making Insights available to Customer only for the limited and specified purposes of Customer’s compliance with regulatory requirements, for fraud prevention and detection, or both, and includes verifying the identity of an individual. As such, Customer acknowledges and agrees with the following: (i) Customer shall comply with Applicable Data Protection Laws, including—with respect to any Insights that GBG makes available to the Customer—providing the same level of privacy protection as required under Applicable Data Protection Laws, (ii) Customer shall grant GBG the right with respect to any Insights that GBG makes available to Customer to take reasonable and appropriate steps to ensure that Customer uses it in a manner consistent with Customer’s Use Case; and (iii) Customer shall notify GBG after it makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws.

5.1.1 Customer may use GBG’s Trust Core product only to confirm a Data Subject’s identity—that is, to determine whether the Data Subject is in fact who they claim to be and not an identity thief or fraudster—and may use GBG’s Insights only for the limited and specified purposes set forth in paragraph 5.1 above. For the avoidance of doubt, Customer may not use GBG’s Trust Core to assess an individual’s eligibility to receive its services, including any permissible purposes covered under the FCRA.

5.2 For the avoidance of doubt, GBG may provide such Insights to any of its business customers who are also contributing information into the Data Networks. All of GBG’s business customers (or their End Users) to whom Insights may be provided by GBG, including the Customer, are in direct privity with the relevant Data Subject, who is intentionally interacting with them to obtain goods or services. As such, Customer understands and acknowledges that the Processing under paragraphs 5.1 and 5.2 of this Section 5 shall not be construed as a sale of Personal Data from GBG to the Customer, as Customer is not a Third Party. Moreover, GBG will not sell Insights to any Third Parties.

6. Customer/End User’s Disclosure of Data to Approved Third Party Supplier

6.1 The terms set out in this paragraph 6 shall apply where Customer purchases either: (1) "GBG's ExpectID Email" solution, or (2) "0408 Email Intelligence (ID Number 201622) via ID3global" solution as set out in Customer’s Order Form.

6.2 The ExpectID email verification service GBG provides involves transferring Customer Data consisting of email addresses to the Customer-authorized supplier LexisNexis Risk Solutions (“LexisNexis”). As part of the Processing, LexisNexis may retain Customer Data in its own proprietary network consortium to derive insights and provide its email verification services to other customers, subject to the contractual limitations imposed on third parties in accordance with the CCPA. GBG is acting solely as an intermediary between LexisNexis and Customer and therefore does not retain Customer Data nor process it for any other purposes beyond those permitted under paragraph 1 of this Schedule 6.

6.3 The Customer acknowledges and agrees that where GBG transfers Customer Data to LexisNexis it does so solely at the request of and on behalf of Customer as its Processor. GBG does not receive any consideration, monetary or otherwise, and there is no sale of data by GBG to LexisNexis. GBG shall follow Customer’s instructions as its Processor.

6.4 Customer shall ensure that it notifies and obtains any required express or implied consents (including consent to LexisNexis’ applicable privacy notice and/or policy) from Customer’s Data Subjects whose personal data LexisNexis receives as a Third Party / Controller, arising out of any use of the LexisNexis services including, without limitation, any transmission of such information to LexisNexis in accordance with the applicable LexisNexis processing notice, available at https://risk.lexisnexis.com/group/processing-notices (as updated from time to time, the “LN Processing Notice”) and/or the privacy notice made available by LexisNexis by any other means and/or format. The terms of the LexisNexis Risk Solutions Group Data Protection Addendum at https://risk.lexisnexis.com/group/dpa will apply.

7. Biometric Processing

7.1 If the Customer uses GBG’s Services to Process Biometric Data, the Customer shall, prior to collecting, using and disclosing the Biometric Data:

  1. provide notice to Data Subjects, including applicable retention periods and destruction, and any disclosure of Biometric Data by GBG to its third-party vendors or service providers, and linking back to our privacy notice.
  2. obtain and retain written Consent from Data Subjects for the specific purposes of Processing Biometric Data; and
  3. delete the Biometric Data, all in compliance with Applicable Data Protection Law.

7.2 GBG will process Biometric Data following the Customer’s documented instructions (as described in the Agreement), which shall include the ability to disclose the Biometric Data to GBG’s relevant Subprocessors and protect the Biometric Data in accordance with Schedule 4 of the DPA, as appropriate.

7.3 The Customer warrants that the Data Subjects’ Consent complies with relevant Applicable Data Protection Law and, at a minimum, records the Data Subject’s acknowledgement that they have read and agreed to the Customer’s biometric privacy policy in addition to the more specific notice regarding the collection and use of Biometric Data, including the Customer’s ability to disclose their Biometric Data to any service provider or third-party vendors.

8. De-Identified Data

8.1 The terms set out in this paragraph 8 shall apply when GBG Processes De-Identified Data under the Agreement:

  1. GBG shall take reasonable measures to ensure that such De-Identified Data cannot be associated with a Data Subject or household.
  2. GBG will maintain and use the information in De-Identified form and will not attempt to reidentify the information, except that GBG may attempt to reidentify the information solely for the purpose of determining whether its De-Identification processes satisfy the requirements of US privacy law; and
  3. GBG will not disclose De-Identified Data to any recipients.

9. Conflict

To the extent there is any conflict or inconsistency between this Schedule 6, and any other terms in this DPA or the Agreement, this Schedule 6 will prevail.


Last updated: 05/08/24

Schedule 7: Local Laws – Canada and Latin America

The following terms as set forth in this Schedule 7 shall apply, in addition to the applicable terms set out in the DPA, when GBG Processes Personal Data originating in Canada or Latin America.

1. Customer’s Obligations.

1.1 The Customer represents and warrants that in accordance with Applicable Data Protection Laws it shall:

  1. prior to the collection, use or disclosure of Personal Data, have in place a transparent and compliant privacy notice available to Data Subjects.
  2. prior to the collection, use or disclosure of Personal Data, obtain any legally required authorization or Consent from Data Subjects.
  3. retain evidence of any legally required authorization or Consent from Data Subject and shall, on request from GBG, provide evidence in a machine portable manner; and
  4. comply with any jurisdiction-specific requirement under the Applicable Data Protection Law, such as but not limited to database registration with the competent data protection authority and provision of information for any transfers and communication of Personal Data to any service providers or third parties.

1.2 Where GBG’s Processing of Customer Data requires Data Subject’s consent for GBG to lawfully Process Personal Data under the Agreement, the Customer shall:

  1. disclose GBG’s role and where appropriate, obtain consent on GBG’s behalf.
  2. provide transparent disclosures of the Processing, which includes outlining GBG’s role in the Processing of Personal Data and, where appropriate, the roles of any of GBG’s Sub-processors; and
  3. where appropriate, provide a link back to GBG’s privacy notice while the Customer was obtaining Consent from the Data Subject prior to the collection of Personal Data.

2. GBG’s Obligations.

2.1 When acting as a Processor, GBG shall, in accordance with Applicable Data Protection Laws:

  1. Process Personal Data in accordance with Customer’s documented instructions, as set out in the Agreement, including the Customer’s instructions via configuration tools (i.e., engine rules) and APIs made available by GBG as part of the Services.
  2. Process Personal Data only to the extent necessary to provide the Services.
  3. implement security measures in accordance with Applicable Data Protection Laws and Schedule 4 of this DPA.
  4. keep confidentiality regarding the Personal Data Processed in accordance with the Agreement.
  5. delete all Personal Data upon termination of the Agreement in accordance with section 4 of this DPA; and
  6. only transfer Personal Data to Sub-processors in accordance with section 4 of this DPA.

3. GBG’s Data Network.

3.1 The terms set out in this Paragraph 3 shall apply when GBG contributes Customer Data into its Data Network under section 6 of the DPA, where Processing of Customer Data is compatible with the context in which the Personal Data was initially collected by Customer, including combining and matching Personal Data. The Customer acknowledges and understands that GBG will contribute Customer Data into its Data Network provided Customer affirmatively authorizes such Processing under its corresponding Order Form(s). GBG’s Data Network Processing will be denoted as follows in the Order Form(s):

  1. GBG DATA NETWORK | ID NUMBER 201493 or “GBG Data Network License”.

3.2 Customer acknowledges and agrees that:

  1. GBG may Process Customer Data provided to GBG under the Principal Agreement in any or all of GBG’s proprietary Data Networks, subject to paragraph 3.1 above. The information held by GBG in the Data Networks may be used to create the Insights, as defined in section 6 (Data Network) of the DPA. For the avoidance of doubt, GBG may utilize the Data Network to provide risk scores, alerts, etc. to any of its business customers when those customers decide to take certain products and services from GBG. All of GBG’s business customers (or their End Users) to whom Insights may be provided by GBG, including the Customer, are in direct privity with the relevant Data Subject, who is intentionally interacting with them to obtain goods or services and to whom the Customer has provided the necessary information as required under paragraph 1.1. of this Schedule 7.
  2. All information in our Data Networks is only accessed by GBG to create the Insights, which is the only information disclosed.
  3. For the avoidance of doubt, all terms set out in section 6 (Data Network) of the DPA shall apply.
  4. Customer understands and acknowledges that the processing under this paragraph 3 may be construed as a transfer of Personal Data from the Customer to GBG where GBG further processes Customer Data for limited, specific and compatible purposes necessary for the provision of GBG’s Services for identity verification, regulatory compliance, and fraud management, which includes conducting data analytics on Personal Data to derive Insights (as defined in section 6 of the DPA), product improvement and development, commercial use, and to provide GBG’s professional services offerings in connection to fraud, and not for any other purpose.
  5. When GBG contributes Customer Data into its Data Network as described herein, the Customer shall comply with paragraph 1.1. of this Schedule and any additional requirements for the lawful Processing of Customer Data under Applicable Data Protection Laws.

3.3 GBG Trust USA and Velocity: For the avoidance of doubt, the “GBG Trust USA” and/or “Velocity” data solutions and their networks, which may be utilized in conjunction with our ExpectID Solutions, fall outside the scope of paragraphs 3.1 through 3.2 and, therefore, shall not constitute a data transfer for further processing, as GBG continues to act on Customer’s instructions. The Customer Data is made available to GBG under the Agreement for the limited purposes of verifying Customer’s data subjects’ information for fraud and risk purposes in accordance with Customer’s risk appetite as configured by Customer within the GBG Product, as further detailed in the Agreement. The performance of such services includes retaining and utilizing Customer Data in GBG Trust USA and/or Velocity, and combining Customer Data that GBG receives from, or on behalf of, its customers with Personal Data that it receives from, or on behalf of, other persons, to perform fraud prevention and risk services for GBG’s customers when providing matches for velocity or anomaly in relation to any data attribute(s) queried by Customers for a specific transaction, as permitted by Applicable Data Protection Laws for the prevention of fraud. All data pooled into GBG Trust USA and/or Velocity is pseudonymized, encrypted in transit and at rest, and masked upon receipt, and will not itself be appended or provided outright to any other customer. Instead, it is used to derive fraud alerts in accordance with Customer’s rules engine configuration to enable our customers’ assessment of risk, transactions, and fraud.

3.3.1 The Parties agree as follows in regard to the Processing performed under paragraph 3.3 above:
3.3.1.1 GBG may process Customer Data as reasonably necessary and proportionate to achieve the purposes for which Personal Data was collected or processed;
3.3.1.2 Customer is responsible for customizing and maintaining all rules, which will determine GBG’s Processing;
3.3.1.3 Customer understands the network’s Processing and instructs GBG to contribute the Personal Data into the relevant GBG Trust USA and/or Velocity data network;
3.3.1.4 Customer is making the Personal Data available to GBG for the limited purpose of enabling GBG to perform the services it is instructed to perform by Customer; and
3.3.1.5 Any and all exchange of Personal Data under the Agreement is necessary to enable GBG to provide its service to Customer.

4. Restricted Transfers of Personal Data by Adopting Countries.

4.1 Except as otherwise set forth in this paragraph and Schedule 5, the EU SCCs will apply to (i) any Transfer of Personal Data that is subject to the laws of a country outside the EEA/UK in which the competent data protection authority has approved the use of the EU SCCs (each, an “Adopting Country”), or otherwise requires certain privacy safeguards, model contractual clauses, or any other contractual privacy provisions for the Transfer of Personal Data not provided through this DPA or Schedule 5, subject to amendments for adequacy with certain obligations specifically set forth in the Applicable Data Protection Laws, and only to the extent the competent data protection authority has not set forth its own specific standard contractual clauses for Restricted Transfers. For the avoidance of doubt, by applying the EU SCCs in accordance with this paragraph 4, the Parties do not intend to grant third party beneficiary rights to Data Subjects under the EU SCCs where the Data Subjects concerned would not otherwise benefit from such rights under the Applicable Data Protection Laws or this DPA.

4.2 Where a Restricted Transfer concerns Customer Data originating from Argentina, the standard contractual clauses made under Regulation No. 60-E/2016, currently located at Argentina's SCCs, will be incorporated into this DPA by reference and shall apply to the extent required under Applicable Data Protection Laws and where this DPA or the local laws terms set out in this Schedule do not provide adequate safeguards.

4.3 Where a Restricted Transfer concerns Customer Data originating from Uruguay, the standard contractual clauses made under Regulation No. 41/2021, currently located at Uruguay's SCCs, will be incorporated into this DPA by reference and shall apply to the extent required under Applicable Data Protection Laws and where this DPA or the local laws terms set out in this Schedule do not provide adequate safeguards.

5. Biometric Processing

5.1 If the Customer uses GBG’s Services to Process Biometric Data, the Customer shall, prior to collecting, using or disclosing the Biometric Data:

  1. provide notice to Data Subjects, including applicable retention periods and destruction of Biometric Data, and any disclosure of Biometric Data including by GBG to its third-party vendors or service providers.
  2. obtain and retain written Consent from Data Subjects for the specified purposes of Processing Biometric Data; and
  3. delete the Biometric Data, all in compliance with Applicable Data Protection Law.

5.2 GBG will Process Biometric Data following Customer’s documented instruction (as described in the Agreement), which shall include the ability to disclose the Biometric Data to GBG’s relevant Subprocessors and protect the Biometric Data in accordance with Schedule 4 of the DPA, as appropriate.

5.3 The Customer warrants that the Data Subject’s Consent must comply with relevant Applicable Data Protection Laws and, at a minimum, must record the Data Subject’s acknowledgement that they have read and agreed to Customer’s biometric privacy policy (with a link back to GBG’s biometric privacy policy), in addition to the more specific notice regarding the collection, use and disclosure of their Biometric Data.

6. Conflict

To the extent there is any conflict or inconsistency between this Schedule 7, and any other terms in this DPA or the Agreement, this Schedule 7 will prevail.


Last updated: 05/08/24

Schedule 8: Meta Data (for Channel Partners only)

This is only relevant to Channel Partners, where the Channel Partner has one single integration point with GBG for multiple End Users.


Name and contact details of the controller

GB Group plc ('GBG'), a company registered in England and Wales, 2415211. Registered Office Address: GB Group plc, The Foundation, Herons Way, Chester Business Park, Chester CH4 9GB

DPO: Kate Lewis.

DPO@gbgplc.com

Alternatively, this may be the name of the legal entity listed on your Order Form. The DPO name and email address will be the same.

Name and contact details of the processor

As documented in the Agreement.

Categories of processing carried out on behalf of the controller

Purpose – Meta Data for Data Subject rights.

  • Hold on behalf of GBG a record for every search for which the Channel Partner has placed a check through the GBG service. This must include the End User’s name, search date, time stamp and Data Subject’s name.
  • Upon specific request, provide to GBG the End User’s Business Details relating to a particular search.
  • Retain these details for a period of 12 months.


Transfers of personal data to a third country or an international organisation.

i) Name the third country or international organisation

ii) Document the appropriate safeguards involved in the transfer

Not applicable.

General description of the technical and organisational security measures

The Channel Partner will take all security measures required in accordance with Applicable Data Protection Laws to ensure the protection of Personal Data. See Schedule 4 for description of the technical and organisational measures.


Last updated: 25/04/24

FAQs

To support you with this understanding, we have provided some FAQs which explain a number of clauses in more detail. For clarity, the FAQs do not form part of the DPA.


Last updated: 01/08/24