Know Your Customer Limited (“KYC”) is subject to the EU General Data Protection Regulation (“GDPR”) and the Hong Kong Data (Privacy) Ordinance, and amendments thereto (“PDPO”).
This Privacy Statement explains how, applying the applicable data protection principles under the GDPR and PDPO, we collect and process personal data for third parties (“KYC Client” or “KYC Clients”) and for our business. For the purposes of the GDPR KYC Clients are deemed data controllers and for the purposes of PDPO they are deemed data users.
The KYC Clients have engaged the services of KYC to provide identity verification services and assist in the collation of due diligence documentation on the KYC Clients prospective and existing customers (the “Customer” or “Customers”), when the KYC Clients Customers provide their personal data to us through the submission of information, forms or documents (in whatever format) through an upload to our website, use of our mobile application or otherwise.
Personal Data we process enables us to identify the Customers either directly or indirectly by reference to an identifier. Examples of identifiers we process are name, identification number, location data, an online identifier or one or more factors relating specifically to the economic, cultural or social identity of the natural person (“Personal Data”).
KYC is a data processor which means that we process Personal Data on behalf of the KYC Clients. Dependent upon the checks that KYC has been engaged by the KYC Client to undertake, KYC may use sub-processors. Prior to working with any sub-processor, KYC ensures that they comply with the GDPR, the PDPO or any other relevant data protection legislation that may be applicable.
The result of the Customer’s verification process, as well as all details and documents provided by Customers to the KYC Clients via the KYC website, mobile application or otherwise are available solely to the KYC Client with whom the Customer is engaging and the Personal Data is provided as part of the KYC Client’s collation and evaluation of due diligence documentation on potential new and existing Customers to comply with applicable International Anti Money Laundering legislation. KYC does not have access to any Customer Personal Data.
For the purposes of GDPR, it should be noted that dependent upon the location of the KYC Client, and the Anti Money Laundering legislation with which they must comply, Personal Data may be transferred or accessed outside the European Economic Area (“EEA”) at the request of the KYC Client.
For Customers who are not resident within the EEA, you should note that if the KYC Client you are engaged with is resident in a country other than your country of residence, there is a possibility your Personal Data will be transferred outside your country of residence. You should consult with the relevant contact at the KYC Client for further details in relation to jurisdictions used for the transfer of your Personal Data.
Individuals (individually a “Subscriber” and collectively the “Subscribers”) may also sign up for news and marketing updates about our business via our website and other marketing tools such as marketing automation platforms. In these instances, KYC is acting as a data controller and data processor. The Personal Data collected enables us to identify Subscribers through a combination of the information provided during the sign-up process. The Personal Data is stored and retained by us for use as part of our marketing activities.
Dependent upon the marketing tools that we use to facilitate the sign-up process, we may on occasion use a third party data processor to process the Personal Data of Subscribers. In such circumstances, Subscribers will be made aware of this during the sign-up process and asked to provide consent accordingly. Third parties we use for data processing adhere to data protection legislation as applicable.
For the purposes of GDPR, it should be noted that dependent upon the location of the Subscriber, Personal Data may be transferred or accessed outside the EEA as part of marketing activities within the group operating companies of KYC. For Subscribers who are not resident within the EEA or Hong Kong, you should note that there is a probability that your Personal Data will be transferred outside your country of residence. If you have any questions in relation to this, please contact the Data Protection Officer at firstname.lastname@example.org.
Purpose of Collection, Processing and Disclosure
The Personal Data provided by Customers will be used by KYC for the purposes of processing for any one or more of the following purposes:
- To enable the KYC Clients to identify and/or verify the identity of the Customers in accordance with applicable International Anti Money Laundering regulations;
- To disclose to the KYC Clients by way of restricted access to the solution, to enable them to verify the identity of their Customers in accordance with applicable International Anti Money Laundering regulations;
- For any other specific purposes requested by the KYC Clients; or
- To comply with legal and regulatory obligations applicable to the KYC Clients.
Personal Data provided by Subscribers will be used by KYC to provide marketing information and news updates to the Subscribers about our business and industry news.
KYC undertakes to adhere to best practice in terms of security of the Personal Data collected. All systems use a Role Based Access Control with enforced multi-factor authentication. All data at rest is secured using 256 bit AES encryption as well as SSL/TLS is used for data in transit.
A cookie is a piece of information in the form of a very small text file that is placed on an internet user’s hard drive. It is generated by a web page server, which is basically the computer that operates a web site. The information the cookie contains is set by the server and it can be used by that server whenever the user visits the site. A cookie can be thought of as an internet user’s identification card, which tells a web site when the user has returned.
Rights of the Data Subject
GDPR provides data subjects with the following rights:
- The right to access their own Personal Data;
- The right to have their Personal Data rectified if it is inaccurate or incomplete;
- The right to request deletion or removal of their Personal Data where there is no good reason for processing to continue;
- The right to restrict processing of their Personal Data;
- The right to data portability to enable the moving, copying or transferring of Personal Data from one platform to another;
- The right to object to the processing of their Personal Data in certain circumstances; and
- Rights relating to profiling and automated decision making resulting from the processing of their Personal Data.
For Customers, these rights are exercisable against the KYC Client and any queries should be directed to the relevant contact as per the privacy statement of the KYC Client.
Subscribers may exercise these rights by sending a request to the Data Protection Officer at KYC at DataProtection@knowyourcustomer.com.
Alternatively requests may be made in writing and sent to:
The Data Protection Officer
Know Your Customer Limited
21/F, The Phoenix
23 Luard Road
Subscribers may also unsubscribe from any future communications from KYC by selecting the unsubscribe option in our email correspondence.
Acceptance of Terms
Please note that by downloading, installing or using our mobile application for the upload of Personal Data, or by uploading Personal Data via a KYC webpage, or a marketing automation platform, you are accepting the practices described in this Privacy Statement and agree to the processing of your Personal Data by KYC as described in this document.
For Subscribers who are a resident of the EEA, in acceptance of these terms you are providing explicit consent to KYC for the processing of the Personal Data to comply with GDPR and that in giving your consent, and uploading the Personal Data, you are agreeing to the processing of the Personal Data by KYC for the purposes as set out in the sign-up form submitted to KYC, and that in giving such consent, your Personal Data may be transferred outside of the EEA to other companies within the KYC group for marketing purposes.
Amendments or Updates to this Privacy Statement
KYC reserves full rights to amend or update this Privacy Statement unilaterally from time to time as it sees fit or necessary to meet any change in any of the relevant laws or the regulatory environment, or business needs, or to satisfy the needs of stakeholders in the business. Updated versions will be posted to the KYC website and date stamped so that you are always aware of when the Privacy Statement was last updated. The whole content of this Privacy Statement will then be construed accordingly in conjunction with such amended or updated versions.