GBG has focussed on roles under GDPR and US legislation as it would be impossible to define for every single market. Where a jurisdiction not captured below, GBG would be happy to clarify on the Order Form.
Key: C = Controller P = Processor Y = Yes N= No N/A = Not applicable
| Product Name/Activity | GBG role under | Comments | Data Network Option | Data Retention | International Transfers | GDPR Record of Processing Available | ||
|---|---|---|---|---|---|---|---|---|
| GDPR | US Law | Duration | Why | Product Processing Location | ||||
| GBG GO | ||||||||
| Journey Designer | P | P | The Customer has the ultimate choice regarding configuration of a Journey and must accept the design they have chosen, before it is put into production. A Journey is a the end to end flow that users build within the Go platform. A Module is a step within a Customer's Journey powered by different Sources. |
N | N/A | No data is processed as part of the configuration, but it is treated as the customer's instructions for processing as to what activities GBG is required to complete on their behalf. | UK | Y |
| For the Identity Data Modules | C/P | P | This is where Identity Data as opposed to an Identity Document is used. GBG's role depends on the Sources (Datasets) chosen. For example, under GDPR GBG is typically a Controller, however there are some exceptions. This is defined in the Additional Terms. | Y | 12 months | Only when operating as a Controller, does GBG retain the GBG Data Audit Trail for 12 months. This is to respond to Data Subject Rights. | It will be the UK, US or Australia and dependent upon the Source, there may be an onward transfer. This is defined in the Additional Terms. | N |
| For the Identity Document Modules | C | P | This is where an Identity Document is used. | Y | 12 months | GBG Audit Trail | UK, US or Australia (customer chooses) | Y |
| For the Evaluation Stage | P | P | An evaluation node within the Journey Designer enables customers to decide whether additional processing is necessary, or if the customer can make a decision based on the outcomes of modules. This is determined by the Customer. | N | N/A | UK | Y | |
| For the Customer Audit Trail | P | P | Known as 'Investigation'. This is the audit trail that we maintain on your behalf, which retains all of the information in relation to the processing within Go. The Customer can opt-in to utilise user insights which contain personal data. | N/A | Variable | You set the retention period within the Go Platform, prior to transacting, which can be from zero retention to 5 years. | UK, US or Australia (customer chooses) | Y |
| Loqate Capture & Verify | ||||||||
| Address (Address Look-Up Only) | P | P | This solely pertains to the actual address verification and pre-population processing. |
Y | 30 days | GBG holds data to deliver the service, which includes an IP address. |
Load Balancer determines which Data Centre is used based on proximity to the data subject. It then aims to send it to UK, Belgium or US, however for system performance, it could go to any.
|
Y |
| Address (Post-Processing) | C | P | Infrastructure Logs, Usage Data & Account Data. | N | 30 days | To maintain Infrastructure Logs, Usage Data, and Account Data for our internal business purposes only. | N | |
| Electricity Enquiry Service | C | N/A |
UK Only Service. Defined by RECCo as personal data as it is meter information, although GBG cannot identify an individual.
|
N | 12 months | GBG Audit Trail | N | |
| Gas Enquiry Service | C | N/A | N | 12 months | GBG Audit Trail | N | ||
| Business Data | C | N/A | UK Only Service | N | 30 days | Infrastructure Logs, Usage Data | N | |
| Phone | C | P | Y | 12 months | GBG Audit Trail | N | ||
| C | P | Y | 12 months | GBG Audit Trail | N | |||
| Bank | C | N/A | UK Only Service | N | 12 months | GBG Audit Trail | N | |
| Store Finder | P | P | N | 30 days | Infrastructure Logs, Usage Data | Y | ||
| Loqate Data Maintenance | ||||||||
| UK | C | N/A | GBG holds data and completes the matching. GBG places on SFTP to be downloaded by Customer. | Y | 12 months | GBG Audit Trail | UK | N |
| EU | P | N/A | GBG utilises a sub-processor for this. | N | Variable | The data is only held whilst processed, which includes transferring it to a third party. | EU | Y |
| US/Canada (North America) | N/A | P | GBG may hold the data and complete the matching, or utilise a sub-processor for this. | N | 21 days | This is held for the duration of processing. | US | N |
| Address Cleansing & De-Duplication | P | P | GBG cleanse and de-dupe addresses. | N | 30 days | US | N | |
| Email/Phone Validation | C | P | GBG utilise a third party supplier to complete the email/phone validation. | N | 12 months | US | N | |
| Data Healthcheck | C | P | This service processes customer data to create a report based on data quality. Only statistics are shared back with the Customer, but depending upon the data sent, this may or may not contain personal data. | N | 12 months | GBG Audit Trail | UK, US | N |
| ID3global | ||||||||
| For the Identity Verification Check | C | P | GBG acts as a processor for checks in relation to data subjects residing in the US and the rest of the Americas. GBG also acts as a processor for a small number of checks - where this is the case, it is defined in the Additional Terms. | Y | 12 months | GBG Audit Trail |
UK and item checks accessed via API to various countries, as defined in the Additional Terms.
|
N |
| For the Customer Audit Trail | P | P | This is the audit trail that we maintain on your behalf, which retains all of the information in relation to the processing of your Identity Verification Check. | N/A | Variable | This is defined by the Customer and can be configured in the Admin Portal. | Y | |
| IDScan Enterprise | ||||||||
| For the Identity Verification Check | C | P | GBG acts as a processor for checks in relation to data subjects residing in the US and the rest of the Americas. Customer can determine which location the processing will take place in. | Y | 12 months | GBG Audit Trail | UK, US, Australia. It is not in all of these locations, but one of them. Typically it's the local instance closest to the legal entity you are engaging with, but it can be defined by the customer. | N |
| Manual Document Review | P | P | This review is complete by GBG employed team members. | N/A | N/A | Viewed on screen only | UK | Y |
| For the Customer Audit Trail | P | P | Known as 'Investigation Studio'. This is the audit trail that we maintain on your behalf, which retains all of the information in relation to the processing of your Identity Verification Check. | N/A | Variable | 31 days as standard, but the customer can define less. If this customer wants this for longer, this is chargeable. The price will need to be determined based on volumes. | UK, US, Australia. It is not in all of these locations, but one of them. Typically it's the local instance closest to the legal entity you are engaging with, but it can be defined by the customer. | Y |
| Detected | ||||||||
| Business Screening | P | P | This is complete within the Detected platform (which is owned and hosted by Detected Ltd). Both GBG and Detected Ltd operate as processors. The journey and scoring is configurable by the Customer. | N | Variable |
In the Detected platform, data retention is set for the life of the contract, but the Customer can delete records at any time.
Audit logs of each transaction are retained by Detected Ltd for 12 months. |
UK
|
|
| PEPs & Sanctions | P | P | This is complete within the Detected platform (which is owned and hosted by Detected Ltd), which then calls out to a third party supplier. Both GBG and Detected Ltd operate as processors. | N | Variable | |||
| ID Verification - Data Journey | C | N/A | This uses ID3global, see for detail. Currently only UK ID verification checks only. Detected Ltd operate as a Processor displaying the results from the Identity Verification check that use ID3global. |
Y | Variable | |||
| ID Verification - Document Journey | C | P | This uses IDScan Enterprise, see for detail. Detected Ltd operate as a processor, only seeing the high level result. You will need to access IDScan Enterprise via the weblink if you wish to see more detail. |
Y | See IDScan Enterprise for detail, however the 31 days for the Customer Audit Trail is not configurable due to the integration by Detected. | |||
| Identity & Fraud | ||||||||
| IDScan Core | P | P | No data is retained. This is a direct access API. | N/A | N/A | UK | Y | |
| Professional Services and Support Services | P | P | This utilises human beings acting under the customer's instructions in relation to a specific service. This is not a one size/fits all therefore instructions/retention vary. | N | Variable | Your professional service/support representative will be able to advise you. | Variable | N |
| Identify | ||||||||
| For the Identity Verification Check | C | N/A | UK Only Service | Y | 12 months | GBG Audit Trail | UK | N |
| For the Customer Audit Trail | P | P | This is the audit trail that we maintain on your behalf, which retains all of the information in relation to the processing of your Identity Verification Check. | N/A | Variable | For the data journey, this data retention period is defined by the Customer and can be configured in the ID3global Admin Portal. For the document journey, this data retention period is set to 31 days as standard, but the customer can define less within the Investigation Studio, which is held in IDScan. |
UK | Y |
| ProID | ||||||||
| For the Identity Verification Check | C | N/A | UK Only Service | Y | 12 months | GBG Audit Trail | UK | N |
| For the Customer Audit Trail | P | P | This is the audit trail that we maintain on your behalf, which retains all of the information in relation to the processing of your Identity Verification Check. | N/A | 12 months | UK | Y | |
| Investigate | ||||||||
| Investigate UI | C | N/A | UK Only Service | Y | 12 months | GBG Audit Trail |
UK for the processing, however one supplier (CCJs/CLAs) may transfer data if a support request is initiated by you. This supplier is highlighted in the relevant Additional Terms.
|
N |
| Saved Graphs | P | N/A | Available with Investigate UI. UK Only Service | N/A | 12 months | The Customer can download to retain at any time. | Y | |
| Self Service Reporting | P | N/A | Available with Investigate UI. UK Only Service | N/A | 12 months | Default time period for all users | Y | |
| Investigate API | C | N/A | UK Only Service | Y | 12 months | GBG Audit Trail | N | |
| Investigate Managed Services | C | N/A | UK Only Service | Y | 12 months | GBG Audit Trail | N | |
| Cloudcheck | ||||||||
| For New Zealand Identity Verification | N/A | N/A | New Zealand service only, therefore roles not defined. | Y | 7 days | New Zealand | N | |
| For International Idenitity Verification | C | P | Service targeted at New Zealand Customers Only | Y | 7 days | UK | N | |
| GreenID | ||||||||
| For the Identity Verification Check | N/A | N/A | Australia/New Zealand service only, therefore roles not defined. | Y | Variable |
Australia
|
N | |
| For Customer Audit Trail | N/A | N/A | This is the audit trail that we maintain on your behalf, which retains all of the information in relation to the processing of your Identity Verification Check. | Y | Variable | Unless defined by the Customer, the data is deidentified after 12 months. Once the record has been de-identified, no personal information is retained, however it will retain sufficient information for billing purposes including the unique reference number. All records will be automatically deleted after a period of seven (7) years from the date of verification or verification attempt, unless otherwise agreed between the parties. |
N | |
| GBG Trust: Alerts | N/A | N/A | This is the Data Network in which we retain all of the input data you provide to us, for the purposes of creating De-Identified Data. It is only available with GreenID. | Y | 3 years | N | ||
| ExpectID | ||||||||
| ExpectID | N/A | P | Y | Variable | 15 days as standard, but the customer can define. |
US
|
N | |
| ExpectID Age | N/A | P | Y | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID International Data | C | N/A | For Latin America, GBG is deemed to operate as a Processor. | Y | Variable | 15 days as standard, but the customer can define. | N | |
| ExpectID IQ | N/A | P | Y | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Customer Based Authentication | N/A | P | Y | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID GeoTrace | N/A | P | Y | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Score | N/A | P | Y | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Scan Verify | N/A | P | Y | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Name to Phone Match | N/A | P | N | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Death Scrub | N/A | P | N | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Number Verification | N/A | P | N | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Mobile Attributes | N/A | P | N | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Email | N/A | P | See US Local Laws for specific terms in relation to this processing. | N | Variable | 15 days as standard, but the customer can define. | N | |
| ExpectID Secure One-Time Verify | N/A | P | N | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Scan Onboard | N/A | P | N | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID Barcode Scan | N/A | P | N | Variable | 15 days as standard, but the customer can define. | N | ||
| ExpectID PA | N/A | P | N | Variable | 15 days as standard, but the customer can define. | N | ||
| IDV | ||||||||
| Acufill | P | P | Y | 60 seconds |
US and Germany. Customer can define the hosting location.
|
Y | ||
| AssureID | P | P | Y | 60 seconds | Y | |||
| MedicScan | P | P | N | 60 seconds | Y | |||
| Acuant Face | P | P | N | Within Acuant, data is only retained for 60 seconds. For Facematch, there is a transfer to Microsoft Azure, who retain data for 24 hours. | Y | |||
| Ozone | P | P | This service does not process any personal data | N | 60 seconds | Y | ||
| VideoKYC | P | P | N/A | 60 seconds | Y | |||
| Compliance Application Fraud Solution (CAFS) | ||||||||
| Instinct - on prem | N/A | N/A | Available globally | N | N/A | N | ||
| Predator - on prem | N/A | N/A | Available globally | N | N/A | N | ||
| Instinct - hosted by Customer | N/A | N/A | Available in Australia | N | N/A | N | ||
| Predator - hosted by Customer | N/A | N/A | Available in Australia | N | N/A | N | ||
| Intelligence Centre (Ochestration) | N/A | N/A | Available in Asia | N/A | N/A | N | ||
| Data Networks | ||||||||
| GBG Data Network | C | C | This is the Data Network of the input data you provide to GBG. | N/A | 3 years | For creating Insights | UK, US. The individual's data will be held in region. | N |
| GBG Trust USA | P | P | This is a Data Network which takes the data input into ExpectID and has rules configured and controlled by the Customer to protect against fraudulent or illegal activity. | N/A | 90 days | To help you detect fraud by customising rules that access this data network consortium. | US | N |
| Velocity | P | P | This is a Data Network which takes the data input into ExpectID and has rules configured and controlled by the Customer to protect against fraudulent or illegal activity. | N/A | 90 days | To help you detect fraud by customising rules that access this data network consortium. | US | N |
| GBG Trust Core | C | N/A | This is a rules engine which acceses the GBG Data Network to create Trust Scores. This does not process US resident data. | N/A | 3 years | To help detect fraud across our network of customers who contribute data into our data network consortium. | UK | N |
| GBG Trust: Outcomes | C | N/A | This data feeds into GBG Trust Core | N/A | 6 years | To help detect fraud and provide insights across our network of customers who contribute data into our data network consortium. | UK | N |
| Loqate Data Network | N/A | N/A | This only contains postal addresses, which are not linkable to any individuals and therefore we do not deem them to be personal data. | Y | Unlimited | To improve the quality of addresses in our services. | UK | N |
Last updated: 23/04/25
