Sumsub How to: Guide for Navigating in GDPR

Implementing General Data Protection Regulation (GDPR), a new data privacy law from the European Union (EU), is not a one-time activity but an important process for every business that works with personal data in the EU.

For companies, GDPR means obligations for collecting, handling, or analyzing personal data with greater control over the personal data of the individuals.

Implementing organizational changes to comply with the GDPR is not an easy task. That is why our legal department made a highly detailed How-to guide for you. The guide offers a clear approach for creating and executing the GDPR compliance program — the necessary steps what to do and what to check.

Please note that our GDPR Guide has no legal force.

What is GDPR?

New, privacy and data protection law of the EU calls for more detailed privacy rules in the organizational systems, explicit data protection agreements, and consumer-oriented disclosures about privacy and data protection practices in the organisation.

GDPR applies to all companies and organisations, including freelancers, even those who store personal information in an address book. All material or digital devices and software should be checked and audited to be sure that all personal data on it is protected according to the new regulation.

What if you are located outside the EU?

GDPR is applied not just towards the organisations located in the EU, but to any globally operating company that processes data of the EU individuals, offers goods and services to them or monitors their behavior.

What is “Personal Data” and what does “processing” mean?

Under GDPR Personal data is any information related to an identified or identifiable individual. But it is not just the name or email address of a person. Financial information, an IP address, biometric data also fall within the GDPR protection.

Moreover, some categories of personal data are under a higher level of protection due to their sensitive origin. That includes information about political opinion, religious and philosophical beliefs, race and ethnic origin, trade union membership, genetic data, biometric and health data, information about a person’s sex life and orientation, criminal record information.

Processing of personal data means any operation that is conducted on personal data or on sets of personal data. Regardless if it is performed automatically, any process that stores or consults personal data is determined as processing. Most common activities are collection, recording, systemisation, structuring, storage, adaptation or alteration, retrieval, consultation, usage, disclosure by transmission, dissemination or opening information by any means, alignment or combination, restriction, erasure or destruction.

Determining participants: data controllers and data processors

The data controller and the data processor — are two entitled bodies that can process personal data.

The data controller determines the purposes and means of the processing of personal data — alone or jointly with others. The data processor processes the information on behalf of the controller.

A decision on whether a controller or a processor will proceed the personal data should be made when designing an interaction model with the GDPR. It will help to understand what rights and obligations are entitled to each operator.

However, these roles could be dual. Sumsub is a good example. Sumsub processes personal data, such as the ICO contributor’s name, ID number, expiry date, and others, as soon as the data is sent by a user to Sumsub via Sumsub API. After that Sumsub uses the data to conduct the KYC process using the database systems and software. That is a function that Sumsub performs as a data processor.

GDPR applies to all companies and organisations, including freelancers, even who store personal information in a address book

Understanding whether you have legal basis for processing

Not all processing activities are GDPR-compliant. Under the GDPR you need to rely on a legal basis to stay compliant. There are six legal bases for processing the EU individuals’ personal data:

• The individual has given consent to the processing of his or her personal data for one or more specific purposes;
• The processing is necessary for conducting your processes where the user is partly involved or in order to answer the user’s request;
• The processing is necessary to stay compliant with your legal obligation;
• The processing is necessary to protect a vital interest of the individual;
• The processing is necessary to perform a task of the public interest;
• The processing is necessary to comply with the requirements of the official authority. The processing is necessary to legitimate the interest pursued by the entity, except when such interest is overridden by the interest or fundamental rights and freedoms of the individual and requires personal data protection.

GDPR strict consent: 

• It must be verifiable;
• The request for consent must be clearly distinguishable from other agreements;
• Individuals must be informed of their right to withdraw their consent.

The important thing to do is to prove your legal basis by running a test based on this legal framework. A test means that you will document your compliance, your approach and the arguments that you have reviewed before.

Individual rights under the GDPR

Certain basic rights are now guaranteed to the individuals regarding their personal data:

• Data access request

Users have the right to know if their personal data are being processed, what and how it is being processed, and what are the data processing operations.

• Right to object

Users can prohibit particular data processing operations. Individuals may also object to the processing of their personal data for direct marketing purposes.

• Right to amend

Individuals may request to complete or correct the incompleted or incorrect data to ensure that the processing of personal data is in compliance with applicable data protection rules.

• Right to restriction

Some circumstances allow users to restrict the processing of their personal data, for example when the user questions the accuracy of the data.

• Right to be forgotten

Users can request to erase the data when it is no longer necessary for the purposes of its collection, or if a user withdraws consent to the processing and no other legal basis allows to continue the processing.

• Right to data portability

Users can request that personal data held by one data controller can be provided to another controller.

International data transfers and non-compliance

International data transfers

Not so many data transfer mechanisms are available under the GDPR. Personal data flows from the EU to the United States. Privacy Shield framework is the main mechanism for this procedure. The EU-US and Swiss-US Privacy Shield is a method of ensuring that an organization provides a necessary level of data protection, by requiring that the organization should be certified and registered according to the requirements of the Privacy Shield framework.

Non-compliance

A fine is imposed in case of non-compliance with the GDPR, and its sum might come up to 4% of global revenue or 20 million EUR.

The data protection authorities’ (“DPAs’ “) are rarely used in practice. They can impose additional measures, for example, a ban on data processing—temporarily or constantly.