To support you with this understanding, we have provided some FAQs which explain a number of clauses in more detail.
For clarity, the FAQs do not form part of the DPA.
Some customers will be aware that GBG moved to controllership under GDPR, which meant GBG shared updated version 4 (V4) terms. There is nothing new in the DPA which does not exist in the V4 terms. You may therefore be asking why GBG has created a global DPA. The answer is that GBG has listened to customer feedback and has tried to make it easier for you by having it all in one place, by using simpler language and by creating FAQs to explain why GBG has taken the position it has.
Whilst GBG’s processing activity remains consistent, the label which is applied to it under data protection law will vary by country. For example, for ID3global in the UK, GBG would be a Controller. For the same service in the US, GBG would be a Processor. As this is a global DPA, this is addressed in the Product Grid.
GBG had previously operated as a processor under GDPR for some of its products and services but following consultation with the Information Commissioner (the UK regulator), it has been agreed GBG will operate as a separate and independent controller. As GBG has consulted and agreed this position with the regulator, GBG’s role in this processing activity is non-negotiable.
For certain products, the ICO decided that
No, because this is one processing activity and therefore it cannot be segregated. In addition, it is captured as one record in GBG’s Audit Trail for the sole purpose of responding to Data Subject Rights. GBG must clearly be able to advise an individual what data we hold on them, who we received it from, what we did with it and who we then shared it with.
No, GBG must operate within the terms of the agreement in place with the Customer, which will clearly outline GBG’s activity.
Yes, for certain products. If you are a Channel Partner and you have one access point for a GBG product and service for multiple customers, then you could be a processor for GBG. GBG is unable to differentiate who our data has been served to; therefore, it is important to enable transparency to an individual as to who has processed their personal data and why. On GBG’s Audit Trail the search will be recorded in the Channel Partner’s name. It is for this reason we request that a Channel Partner retain metadata which would enable you to advise an individual who you have shared their personal data with. As GBG retains its GBG Audit Trail for 12 months, we request Channel Partners retain this for 12 months also.
In this scenario, we decided to appoint you as our processor to ensure this does not conflict with any other processes. This may mean you need to hold 2 copies of the data or have additional processes in place to fulfil this. For example, if you are a processor for your customer and they ask you to retain data for only 3 months, it would be unfair on an individual not to know who their data has been shared with.
No, GBG’s role is consistent across all customers; it is not possible to tailor this based on customer request. GBG has determined its role under applicable law through research, assessment and consultation with specialists, such as external counsel and regulators.
GBG’s products and services are ‘one size fits all’, and therefore it is not possible to configure them to specific customer requests. GBG notifies customers of intended changes to processors, but it is not possible to accommodate specific objections. If a customer objects to the notification, then there is the option to cease using this part of the service or to terminate the agreement in accordance with the process outlined in the DPA. For example, if we change our cloud hosting services provider and you object, you will have the right to terminate the Agreement. However, if we change a provider who only provides a specific element of the service that can be switched off in isolation, then you will be able to terminate use of this specific part of the services you are purchasing from us.
The majority of GBG’s services do not involve automated decision making as defined under applicable data protection law. GBG does have a service in the UK that does this, but the relevant notice is provided directly to the individual at the point of collection.
GBG may engage in a form of profiling to generate risk scores or create fraud and/or identity alerts, insights and reports. However, this score is shared with its Customers (for example banks) so they can make their own decision about an individual. Whilst GBG may provide similar information about an individual to its Customers, those services may lead to different decisions about an individual because (i) each organisation may place differing importance on some of the information compared to others, and (ii) each organisation’s own data, knowledge, processes and practices will play a role in its decision making.
GBG cannot agree to notification of suspected or alleged breaches for any of its Customers, as this would be commercially burdensome on GBG and its customers due to: (i) unnecessary notification (e.g. it may not even involve Customer Data), (ii) the overwhelming majority of suspected breaches resulting in confirmation that no actual breach occurred, (iii) resource being diverted to notification instead of investigation and management, and (iv) premature or inaccurate information being provided to the Customer.
GBG has over 20,000 customers globally and therefore maintains a standard incident response plan, which involves notification of an actual breach upon becoming aware of it, without undue delay and no later than 72 hours, which is compliant with the breach notification requirements in the countries in which GBG operates. To run a separate incident plan per customer is not viable.
Each organisation will need to assess the situation, but as a high-level steer, GBG would expect the following
For transfers out of the EU, GBG has completed a Transfer Impact Assessment. For transfers out of the UK, GBG has completed a Transfer Risk Assessment.
GBG typically utilises EU Standard Contractual Clauses and for the UK, the ICO's International Data Transfer Agreement (IDTA), which is the Addendum to the EU SCCs. GBG’s suppliers may have a different legal mechanism for international transfers.
Across all GBG entities we have an Intra-Group Agreement which covers all processing activity within GBG.
Not in the short term, for a number of reasons. The US is a very volatile privacy landscape, with new regulation frequently passing state by state, therefore GBG will continue to focus its efforts here and on supporting its customers. With Safe Harbor and Privacy Shield having been overturned, and the EU-US Privacy Framework having already received a legal challenge, GBG will wait and see how it is tested as it comes under pressure.
Given GBG’s role as a Controller/Business, individuals often target GBG in this capacity, and therefore we will look across GBG’s entire estate. As part of fulfilling a request, GBG must inform individuals who it has shared their personal data with, which is typically GBG’s Customers and Data Suppliers. GBG may have processed data on tens of organisations as a controller, and unless an individual approaches GBG specifically naming an organisation, rights requests are treated in GBG’s capacity as a controller under GDPR. It is only where it is mandatory under applicable legislation that GBG will inform its customer, as it would not be viable to notify so many when not required. To do so would be commercially burdensome for GBG and its customers.
GBG takes appropriate measures to ensure that data has been collected lawfully and is accurate and up to date; however, it is not possible to warrant the accuracy of every record. This is standard across the data industry. It depends on the motivation of the individual and how important it is to them that the data they have shared with GBG’s data supplier is accurate. For example, Government/CRA data tends to be accurate at the point of capture. How effective are individuals at maintaining this as soon as their data changes, for example by notifying the local authority if they have got married? For some sources, individuals may deliberately provide inaccurate data. For example, GBG had a case where a son registered his father’s mobile number when he took out a loan.
GBG’s products and services privacy notice can be found here.
GBG does not predominantly interact with data subjects, and when only processing a single data element, such as an address, GBG has no idea who the data subject is. It is for these reasons that it is impossible to serve notice at the point of collection. GBG believes it is good practice to advise an individual of who their data is being shared with and why. GBG’s privacy notice was initially developed with the UK Information Commissioner’s Office with this sole objective in mind and has been globalised to cover all GBG processing.
Depending on the processing activity and jurisdiction (for example, in the US under BIPA), the individual must be notified of GBG’s part in the processing. Case law to support gathering this correctly, including being named, for the US is here. As GBG cannot prevent what documents are uploaded, this term is included for all, with the language ‘where appropriate’.
Where a Customer has agreed to GBG to contribute to GBG’s Data Network, the individual should be notified.
GBG is unable to offer legal advice; however, GBG’s view is that language substantially similar to the following would be acceptable under GDPR:
We use GBG for (insert service, e.g. identity verification service). As part of this service GBG and its wholly owned subsidiaries will collect and combine personal data about you to help organisations you are interacting with, to onboard you safely and quickly. GBG will collect the data you provide to (Customer Name) and combine this with your data that you have provided to other organisations you have interacted with. This form of profiling may be used to generate risk scores or create fraud and/or identity alerts, insights and reports. More information on GBG’s processing can be found here: https://www.gbgplc.com/en/legal-and-regulatory/products-services-privacy-policy
GBG is unable to offer legal advice; however, GBG’s view is that language substantially similar to the following would be acceptable to gather explicit consent. The example below, which is acceptable under GDPR, is for a Customer who is using a Partner (as a processor) to then pass data to GBG.
(Customer Name) utilises a processor (insert name) for identity document authentication purposes, who in turn uses third parties to support this. One of these third parties is GBG, who, depending on applicable law, may operate as a separate and independent controller for some of this activity. In the journey your biometric data may be processed, which is where face match and liveness tests take place. This may be special category data or sensitive personal information depending on your jurisdiction, which means (Customer Name) and GBG will rely on your explicit consent to process such data. More information on GBG’s biometric processing can be found here: https://www.gbgplc.com/en/legal-and-regulatory/products-services-privacy-policy.
GBG is unable to provide a definitive answer as it depends on your jurisdiction. As a steer, we would suggest the length of the statute of limitations period in relation to that data subject.
Customer Use Case is important for products where processing is in the UK or under GDPR, to support GBG’s Legitimate Interest Assessment as a controller. If this approach is used, the Customer Use Case is detailed on the Product Page. For some products, such as Investigate, the use case can vary significantly and determines the functionality within the product.
GBG’s customer support is global and cannot be restricted to a specific region only, as it is a global ticketing system. The Customer would need to request, when raising each ticket or phoning in, that the request is handled by a specific team, which could delay resolution of issues. For clarity, the team only accesses Customer Data upon request, but all team members with access privileges could view the ticketing system.
GBG may process Customer Data provided to GBG under your Agreement in any or all of GBG’s proprietary networks. These networks are separate and individual data pools that consist of the information (including Personal Data) that GBG receives from its other customers (Data Networks). The information held by GBG in the Data Networks may be used to create Insights. GBG may utilise Insights to provide risk scores, alerts, etc. to any of its business customers who are also contributing information into the Data Network.
Please note the information is only accessed by GBG to create the Insights, without actual disclosure of any Personal Information to any other customers or third parties.
Thus, it depends on the network that you are contributing to, as to how it works, but the principle remains the same.
Today GBG holds each piece of individual data securely in isolation and runs queries over the top of it to provide customers with insights. You could use this service to:
In the future, we plan to create persisted identities as we feel there is more value for our customers and individuals, but this will involve profiling (see specific FAQ on this).
GBG has a number of Data Networks:
The Customer could feed into one or more data networks, as set out on the order, or choose not to feed into any at all if the Customer opts out.
Our goal is to expand GBG Trust across all GBG entities, with the data held in region (EU/US/Australia). If GBG was to receive a US individual via an organisation contracting with GBG EMEA, this individual would be held in the US data instance.
Our GBG Trust Data Network may hold a named individual’s single record, in order to help us gain inferences and insights to try to better help organisations detect and prevent fraud when using our Services to run their transactions. For example, if someone is fraudulently using John Smith’s information to procure goods or services from our customer (who is using our GBG Trust Data Network), we could use the information we hold in John Smith’s profile to provide insights to our customer of the potential of the transaction being fraudulent. This could in turn protect the real John Smith from having had his information used so adversely.
GBG, The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, UK
In the EU, we have an EU representative:
GBG, WeWork Passeig de Gracia, Pg. de Gràcia, 17, 08007 Barcelona, Spain
The email address DPO@gbgplc.com should be used.
DPO@gbgplc.com is monitored by a team of people, as opposed to an individual, to ensure you receive a speedy response. Matters will be escalated accordingly.
See Schedule 6. If you are contributing to our GBG Data Network, GBG uses the personal data that your data subjects provide to you in order to help us gain Insights to detect fraud outside of the scope of a Processor. We control the means and purpose of processing, we select the data categories to be processed, and all of the rules that will be applied in determining fraud risk. Thus, when you provide us with your data subjects’ personal data, you are likely “selling” data to us. You can request to opt out of this processing, but you would then not be able to benefit from our fraud detection functionality that is provided by our Data Network.
It is worth noting that we will not sell the personal data you provide to us to any third parties. The only information that we would provide our other customers with is Insights (fraud risk scores/flags).
If you take our Expect ID Email solution or utilise 0408 Email Intelligence (ID Number 201622) via ID3global, where relevant (it depends on where your data subject is based) you are agreeing to sell your personal data to our Supplier, LexisNexis Risk Solutions. They may utilise the email address your data subjects provide in order to detect fraud activity associated with that email address. GBG itself does not receive any monetary or non-monetary consideration nor do we use the results that ensue for any purposes outside of our direct business relationship. If you ever would like us to forward a Do Not Sell My Personal Information Request on your behalf, we are happy to do so as your processor/service provider, in accordance with your instructions.
For some products, GBG retains a copy of all transactions which have been processed for a specific period of time. There is a standard retention period built into the product, and what you can do can vary by product. To recap, “Customer Audit Trail” means an electronic record of the Transactions carried out using the Service, including any Results generated.
The approach to the Customer Audit Trail varies by product and is defined further in the Product Grid. The reason for this inconsistency is because products have been available for many years and were created by different legal entities. The decision was made not to align this so not to impact existing customers.
For GreenID, ExpectID and IDV products this is set at a specific period as defined in the Product Grid and cannot be amended.
For ID3global and IDScan this can be configured as defined in the Product Grid.
As defined, "GBG Audit Trail" means a copy of the Customer Data and Results of a Service which is retained by GBG for 12 months for the sole purpose of responding to data subject rights. This data is held in a separate database, with access restricted to GBG’s Privacy Team only. The data is not accessed unless a data subject makes a rights request to GBG, which we action in our capacity as a controller. This data automatically deletes after 12 months and is not further processed in any way.
For Loqate, GBG reduces Customer Data to only the postal address within 30 days, ensuring all other data elements of the Customer Data are removed (for example any IP information or any metadata originating from the Customer or Customer's End Users). Under U.S. privacy laws, de-identification is accomplished by GBG when data "cannot reasonably” be “associated with” a particular data subject. There is then an additional step where the de-identified data is further processed to derive location insights to generate a new valid location address. In most jurisdictions, an address on its own is not classed as Personal Data.
For GBG Alert (via GreenID), transactions are de-identified using pseudonymisation, which is sufficient to meet de-identification requirements under the Australian Privacy Act, with sufficient controls in place to ensure that the process cannot be reverse engineered or cross-referenced with a non-de-identified data set.
The DPA as drafted covers all of the elements GBG would include for Asia Local Laws. Below are the terms GBG has used historically to include and where this is now covered today:
Asia Local Laws Historic Terms | Relevant section in DPA
--- | ---
The Asia Terms apply when: DEFINITIONS. Capitalized terms not defined will have the meanings ascribed to them in the Agreement. "Asia Countries" means Malaysia, Singapore, Philippines, Thailand, Indonesia, Vietnam and Hong Kong. "Asia Data Protection Laws" means data protection and privacy laws and regulations applicable to the personal data in question, including and its regulations thereto including any other sectorial regulations that may be applicable to the personal data. "Controller" and Co-controller here will have the meaning as Data Processor here will have the same meaning as | N/A
2 ASIA DATA PROTECTION LAWS OBLIGATIONS. 2.1 Each Party represents and warrants that it shall comply with all requirements under Asia Data Protection Laws. | 4.1
2.2 To ensure compliance with clause 2.1 above, the Customer represents and warrants that: 2.2.1 Legal Basis of Processing: In a jurisdiction that does not recognise ‘legitimate interest’ as a valid legal basis of processing Personal Data under its Asia Data Protection Law:- | 5.1, 5.2
2.2.2 Transfer of Personal Data: In a jurisdiction that requires data localisation or specific requirements for transfer of data under its Asia Data Protection Law:- | 4.10
2.2.3 Registration: In a jurisdiction that requires registration of data processing systems, data protection officer and/or service providers:- | 4.1
The DPA as drafted covers all of the elements GBG would include for Australia and New Zealand. Below are the terms GBG has used historically to include and where this is now covered today:
Australia/New Zealand Historic Terms | Relevant section in DPA
--- | ---
For the avoidance of doubt, the Parties agree that: a. GBG is subject to the Privacy Act 1988 (Cth) including the Australian Privacy Principles (“APPs”) in Australia; and the Privacy Act 2020 and Information Privacy Principles (IPPs) in New Zealand (together the “relevant privacy laws”); | 4.1
b. the relevant privacy laws require that GBG shall ensure that any recipient of Personal Data (as defined in the Reseller Agreement) handles such Personal Data in accordance with those laws. To assist GBG and its customers in meeting those laws the Supplier agrees that they: |
i. must only collect, use and disclose Personal Information strictly for the purpose for which that Personal Data was disclosed to it; | 1.1, 3
ii. unless otherwise instructed by GBG, only store Personal Data for the period necessary to fulfil that purpose and must destroy that Personal Data when it is no longer required and upon request from GBG; | See Product Grid, Schedule 2
iii. comply with any of GBG’s reasonable requests or directions in respect to the Personal Data; | 4.8
iv. protect Personal Data it holds from misuse, interference and loss, as well as maintain/implement systems and processes to ensure the security of personal information; | 4.4, Schedule 4
v. reasonably assist GBG to resolve any request for access, correction or a complaint in relation to Personal Data; | 4.11
vi. provide individuals with the right to access and seek correction of Personal Data; | 4.11
vii. promptly notify GBG if it is aware of any misuse, interference and loss, unauthorised access, modification or disclosure by itself or its personnel; | 4.9
viii. only disclose Personal Data to others in compliance with these requirements after obtaining GBG consent and in accordance with any conditions GBG reasonably deems fit to impose; | 4.8, 4.11
ix. allow GBG or any applicable regulatory body to audit the Supplier’s compliance with these requirements and any records the Supplier holds containing the Personal Data, subject to the Supplier’s obligations of confidentiality to other parties and any other law or authority with jurisdiction over the Supplier; and | 4.8
x. comply with any additional reasonable requirements notified to it by GBG from time to time in respect of Personal Data. | 4.8, 4.11
Last updated: 01/08/24