Version number: 2.0
This DPA took effect on: 1 April 2023. Here’s a quick summary of the key points:
Verify 365 digital onboarding technology provides a range of KYC, AML, Source of Funds verification, eSignatures, ePayments, and KYB services designed to help you understand the risks associated with verifying your individual and corporate clients. We’ll carry out your preferred checks on your clients and then provide you with a report of the results.
1. Definitions in this DPA
1.1 “Adequate Country” means a country or territory outside the European Economic Area (“EEA”) that has received an adequacy decision under Article 45 of the European Union Regulation (EU) 2016/679 (“GDPR”)
1.2 “Controller”, “Data Subject”, “Personal data”, “Process” “Processing”, “Processor”, and “Supervisory Authority” will have the same meanings as in the Data Protection Laws.
1.3 “Data Protection Laws” means all applicable laws and regulations, including the GDPR and the UK Data Protection Act 2018, both as may be amended from time to time.
1.4 “EU Transfer Clauses” means module 2 of the Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021, as may be amended from time to time, for the transfer of Personal Data from the EEA to a third party country.
1.5 “UK Transfer Clauses” the International Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 and in force from 21 March 2022 for transfers of Personal Data from the United Kingdom (“UK”) to a third country, and any subsequent version issued by the United Kingdom.
1.6 “Transfer Clauses” means the EU Transfer Clauses and the UK Transfer Clauses.
2. What do we do and what do you do?
2.1 Status. You’re the Controller and we’re the Processor of any Personal Data you provide us. If you are purchasing Services via our Platform, this will also cover any Personal Data provided to us by your clients for the purpose of completing any checks initiated by you.
2.2 Details of the processing. All the information you might need about the Personal Data we process for you is described in Schedule 1.
2.4 Processor obligations. We’ll:
(a) only process Personal Data to provide the Services and with your instructions;
(b) inform you immediately if (in our opinion) your instructions infringe Data Protection Laws;
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved with the processing;
(d) only allow our personnel access to Personal Data who need it to perform the Services;
(e) notify you in writing without undue delay if we become aware of a Personal Data breach, take steps to mitigate the breach and provide you with reasonable assistance and details of what happened;
(f) provide reasonable assistance to allow you to: (i) conduct data protection impact assessments;
(ii) respond to Data Subjects’ requests to exercise their rights under Data Protection Laws; and
(iii) consult with data protection supervisory authorities;
(g) if requested, provide information necessary to show that we comply with Data Protection Laws;
3. How can we use sub-processors?
3.1 Use of sub-processors. You allow us to use sub-processors to process Personal Data.
3.2 Sub-processor obligations. We’ll:
(a) require our sub-processors to comply with obligations equivalent to those in this DPA;
(b) ensure appropriate safeguards are in place before internationally transferring Personal Data to our sub-processors; and
(c) be liable for our sub-processors’ actions.
3.3 Approvals. We may appoint new sub-processors provided we notify you in writing within 30 days, but we shall be entitled to appoint third parties as general suppliers of technology and services without notice, provided that such third parties do not carry out processing activities of your or your clients’ Personal Data.
4. Will Personal Data be transferred internationally?
4.1 Transfer Mechanism. Where we transfer or process Personal Data outside the UK, the EEA or an Adequate Country, we agree to comply with the EU Transfer Clauses or the UK Transfer Clauses as applicable, which are incorporated into this DPA by reference and are completed with the additional information contained in Schedule 2. Under the Transfer Clauses, we act as the data importer, and you are the data exporter.
4.2 Additional measures. If the Transfer Clauses are not sufficient to safeguard the transfer due to applicable surveillance laws, we’ll implement any additional technical, contractual or policy measures as needed to ensure Personal Data is protected to a standard equivalent to that under the Data Protection Laws.
4.3 Disclosures. If a public authority requests access to Personal Data, where legally possible, we’ll:
(a) challenge the request and promptly notify you;
(b) not disclose any Personal Data without your consent;
(c) notify you and provide you with information of such requests; and
(d) if we are required to disclose Personal Data, we’ll only disclose the minimum amount required and keep a record of the disclosure.
5. What else do you need to know?
5.1 Changes. We reserve the right to make any updates and changes to this DPA. We will provide at least 30 days prior written notice to you when an update is required as a result of:
(a) changes in Applicable Data Protection Laws;
(b) a merger, acquisition, or other similar transaction; or
(c) the release of new products or services or material changes to any of the existing Services.
5.2 Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
Schedule 1: Details of processing
Our security measures are set out at https://verify365.app/security-measures/
Purpose, scope and nature of the processing
Types of Personal Data
Name, address, date of birth, banking details, email address, financial information and other similar information as required by Verify 365’s clients in order for them to identify individuals instructing them and meet their regulatory obligations.
Duration of the processing
As long as Verify 365 is processing Personal Data on behalf of Verify 365’s clients.
o Users of the Verify 365 App
Details of special category data
We process the following biometric data for identification purposes:
o selfies and live videos of the App user’s face; and
o photos of the individual contained in their ID documents.
Schedule 2: Transfer Clauses
Purpose. This Schedule supplements the DPA entered into between the parties to govern the international transfer of Personal Data.
1. EU Transfer Clauses Variables
Use of sub-processors
Clause 13(a) is deleted in its entirety and replaced with the following:
The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority
Clause 17 is deleted in its entirety and replaced with the following:
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 7 of the Clauses do not apply.
No changes are made to Clause 9 of the Clauses. The optional Clause 11 is deleted
Appendix to the clauses
List of Parties
The data exporter is the Controller, and the data importer is the Processor. The data exporters contact details are those provided to the importer upon sign- up, and the data importers contact details firstname.lastname@example.org.
Description of transfer
The information required for this section is as described in Schedule 1 of this DPA.
Competent supervisory authority
The Irish supervisory authority at the Office of the Data Protection Commissioner.
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B. 1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.