GDPR Compliance

How VeriPlus helps you comply with the General Data Protection Regulation (GDPR) for identity verification and AML screening.

VeriPlus is designed to help you comply with the EU General Data Protection Regulation (GDPR) while performing identity verification and AML screening.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to:

Geographic Scope:

  • EU citizens (regardless of location)
  • Businesses operating in the EU
  • Businesses offering goods/services to EU residents
  • Businesses monitoring behaviour of EU residents

Personal Data Covered:

  • Name, email, phone number
  • ID documents, biometric images
  • IP addresses, device identifiers
  • Any data relating to an identified or identifiable person

Penalties:

  • Up to €20 million OR
  • Up to 4% of annual global turnover
  • Whichever is higher

VeriPlus as Data Processor

When you use VeriPlus API:

You (the customer) are the Data Controller:

  • Determine purposes and means of processing
  • Responsible for lawful basis
  • Must provide privacy notice to data subjects
  • Handle data subject rights requests

VeriPlus is the Data Processor:

  • Process data on your instructions
  • Implement security measures
  • Assist with data subject rights
  • Notify you of data breaches

Data Processing Agreement

VeriPlus provides a Data Processing Agreement (DPA) that outlines our responsibilities as a data processor. Sign the DPA to ensure GDPR compliance.

Lawful Basis for Processing

You must have a lawful basis to process personal data. The four bases relevant to identity verification and AML screening are:

1. Consent

When to Use: Marketing, optional processing

Requirements:

  • Freely given, specific, informed
  • Affirmative action (opt-in)
  • Easy to withdraw
  • Separate from other terms

Example:

[ ] I consent to identity verification (INCORRECT - verification is required)
[✓] I consent to receive marketing emails (CORRECT - optional)

2. Contract

When to Use: Verification required to provide service

Requirements:

  • Necessary for contract performance
  • Cannot provide service without verification

Example: Crypto exchange must verify identity before allowing trading

3. Legal Obligation

When to Use: AML/KYC compliance

Requirements:

  • Required by law (e.g., AML regulations)
  • Cannot opt-out

Example: Financial institutions must perform AML screening under 5AMLD

4. Legitimate Interest

When to Use: Fraud prevention

Requirements:

  • Legitimate interest exists
  • Less intrusive means not available
  • Balancing test (interests vs. rights)

Example: Verifying identity to prevent account takeover fraud

Recommended Basis:

  • Identity Verification: Contract or Legitimate Interest
  • AML Screening: Legal Obligation
  • Fraud Prevention: Legitimate Interest

Privacy Notice Requirements

You must inform data subjects about processing:

Minimum Information

What to Include:

  1. Identity of controller (your company)
  2. Contact details
  3. Data Protection Officer (if applicable)
  4. Purposes of processing
  5. Lawful basis
  6. Categories of personal data
  7. Recipients of data (including VeriPlus)
  8. Retention period
  9. Data subject rights
  10. Right to complain to supervisory authority

Example Privacy Notice Clause

## Identity Verification
 
We use VeriPlus to verify your identity to comply with anti-money laundering
regulations and prevent fraud.
 
**Data Collected**: Name, date of birth, government ID document, selfie
**Lawful Basis**: Legal obligation (AML regulations)
**Third Party**: VeriPlus Ltd (Data Processor)
**Retention**: 5 years (regulatory requirement)
**Your Rights**: Access, rectification, erasure (after retention period)
 
For more information, see VeriPlus Privacy Policy: veriplus.co.uk/privacy

Data Subject Rights

Right to Access

Obligation: Provide copy of data within 30 days

How VeriPlus Helps:

// Export applicant data
GET /api/v3/applicants/:id
 
// Get verification details
GET /api/v3/verifications/:id
 
// Export all data
GET /api/v3/applicants?export=json

Your Responsibility: Consolidate VeriPlus data with your own systems

Right to Rectification

Obligation: Correct inaccurate data

How VeriPlus Helps:

// Update applicant information
PATCH /api/v3/applicants/:id
 
{
  "email": "[email protected]",
  "address": { ... }
}

Note: Cannot change ID document data (immutable record)

Right to Erasure ("Right to be Forgotten")

When Applicable:

  • Data no longer necessary
  • Consent withdrawn
  • Unlawful processing

When NOT Applicable:

  • Legal obligation (5-year retention for AML/KYC)
  • Ongoing legal claim

How VeriPlus Helps:

// Delete applicant and all data
DELETE /api/v3/applicants/:id

After 5-Year Retention: Data automatically deleted

Right to Restriction

Obligation: Stop processing while dispute resolved

How VeriPlus Helps:

// Flag applicant as restricted
PATCH /api/v3/applicants/:id
 
{
  "status": "RESTRICTED"
}
 
// VeriPlus won't process further verifications
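The erasure and restriction calls above, worked into one handler that applies this page's rule that erasure does not apply while the 5-year AML/KYC retention period or a legal claim is open, and restricts processing instead. This is an added example, not VeriPlus's own code; it assumes the applicant record carries `id` and `lastVerifiedAt` fields and that `api(method, path, body)` is a client you supply with the base URL and API key already configured.

```javascript
// Added example (not VeriPlus's own code). Assumptions: the record returned by
// GET /api/v3/applicants/:id carries `id` and `lastVerifiedAt` (ISO 8601), and
// `api(method, path, body)` is a client you supply with base URL and API key set.
const AML_RETENTION_YEARS = 5; // retention period stated on this page

// Returns the ISO date until which AML/KYC retention blocks erasure, or null.
function retentionActiveUntil(applicant, now = Date.now()) {
  const until = new Date(applicant.lastVerifiedAt);
  until.setUTCFullYear(until.getUTCFullYear() + AML_RETENTION_YEARS);
  return until.getTime() > now ? until.toISOString() : null;
}

// Decide how to honour an erasure request: delete when permitted, otherwise
// restrict processing (the page's "status": "RESTRICTED" flag) and record why.
function planErasure(applicant, { legalHold = false, now = Date.now() } = {}) {
  const path = `/api/v3/applicants/${applicant.id}`;
  const eraseAfter = retentionActiveUntil(applicant, now);
  if (eraseAfter || legalHold) {
    return {
      action: "restrict",
      reason: legalHold ? "ongoing legal claim" : "AML/KYC legal retention",
      eraseAfter,
      request: { method: "PATCH", path, body: { status: "RESTRICTED" } },
    };
  }
  return { action: "delete", reason: null, eraseAfter: null,
           request: { method: "DELETE", path, body: undefined } };
}

// Fetch the applicant, apply the plan through the supplied client and return the
// plan, so the decision and its reason can go into your records of processing.
async function handleErasureRequest(api, applicantId, options = {}) {
  const applicant = await api("GET", `/api/v3/applicants/${applicantId}`);
  const plan = planErasure(applicant, options);
  await api(plan.request.method, plan.request.path, plan.request.body);
  return plan;
}

// Constructed in-memory stand-in for the real API so the example runs offline.
function fakeClient(records) {
  const calls = [];
  async function api(method, path, body) {
    calls.push({ method, path, body });
    const id = path.split("/").pop();
    if (method === "GET") return { id, ...records[id] };
    if (method === "PATCH") Object.assign(records[id], body);
    if (method === "DELETE") delete records[id];
    return {};
  }
  return { api, calls };
}
```

Log the returned plan alongside the request date so a later erasure (after `eraseAfter`) can be scheduled and evidenced.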

Right to Data Portability

Obligation: Provide machine-readable export

How VeriPlus Helps:

// Export in JSON format
GET /api/v3/applicants?export=json
 
// Export in CSV format
GET /api/v3/applicants?export=csv

Scope: All data you've provided to VeriPlus

Right to Object

Obligation: Stop processing when objected

How VeriPlus Helps: Email [email protected]

Effect: Processing stopped (unless legal obligation)

Data Protection by Design

VeriPlus implements privacy by design:

1. Data Minimization

What We Do:

  • Collect only necessary data (name, DOB, ID)
  • No collection of unnecessary information
  • Optional fields clearly marked

What You Should Do:

  • Don't send data you don't need
  • Use metadata field sparingly
  • Delete old verification data

2. Pseudonymization

What We Do:

  • Random applicant IDs (not sequential)
  • Encrypted storage
  • Access controls

What You Should Do:

  • Don't expose applicant IDs publicly
  • Use internal IDs for your systems

3. Purpose Limitation

What We Do:

  • Process only for verification/AML purposes
  • No secondary use of data
  • No marketing use

What You Should Do:

  • Use VeriPlus only for compliance purposes
  • Don't repurpose verification data

4. Storage Limitation

What We Do:

  • Auto-delete after 5 years
  • Temporary files deleted after 24 hours
  • Backups deleted after 30 days

What You Should Do:

// Delete when no longer needed
if (accountClosed) {
  await deleteApplicant(applicantId);
}

5. Security

What We Do:

  • AES-256 encryption
  • TLS 1.3 communication
  • Access logging
  • 24/7 monitoring

What You Should Do:

  • Secure API keys
  • Use HTTPS
  • Implement access controls
  • Monitor API usage

International Data Transfers

EU to EU

No Issues: Data stays within EU

VeriPlus Storage: EU-West-1 (Ireland), EU-Central-1 (Frankfurt)

EU to US

Challenge: US not in EU adequacy list

VeriPlus Solution:

  • Standard Contractual Clauses (SCCs) with US sub-processors
  • DPA includes SCC terms
  • Supplementary measures (encryption, access controls)

Sub-Processors in US:

  • Stripe (payment processing) - DPA + SCCs
  • Resend (email delivery) - DPA + SCCs

EU to UK

Post-Brexit: UK has adequacy decision (for now)

If Adequacy Withdrawn: SCCs ready

Data Processing Agreement (DPA)

What's Included

VeriPlus DPA covers:

  1. Subject matter and duration
  2. Nature and purpose of processing
  3. Categories of data
  4. Categories of data subjects
  5. Obligations of processor
  6. Sub-processor terms
  7. Data subject rights assistance
  8. Data breach notification
  9. Deletion or return of data
  10. Audits and inspections

How to Sign

  1. Navigate to Dashboard → Settings → Legal
  2. Review DPA
  3. Click "Sign DPA"
  4. Download signed copy

Required: You must sign DPA to comply with GDPR

Data Breach Obligations

VeriPlus Responsibilities

Notification to You: Within 24 hours of discovery

Information Provided:

  • Nature of breach
  • Categories and number of records
  • Likely consequences
  • Mitigation measures

Your Responsibilities

Assessment: Determine if notification required

Notification to Data Protection Authority: Within 72 hours (if high risk)

Notification to Data Subjects: Without undue delay (if high risk to rights)

VeriPlus Support: We'll provide all necessary information

Records of Processing Activities

VeriPlus Records

We maintain records of:

  • Processing purposes
  • Categories of data and subjects
  • Recipients of data
  • International transfers
  • Security measures
  • Retention periods

Available Upon Request: For audits

Your Records

You should document:

  • Lawful basis for using VeriPlus
  • Data flows (your app → VeriPlus → Dataspike)
  • Retention policies
  • Security measures
  • DPA with VeriPlus

Data Protection Impact Assessment (DPIA)

When Required

DPIA required for high-risk processing:

  • Large-scale processing of special categories
  • Systematic monitoring
  • Automated decision-making with legal effects

Identity Verification: May require DPIA depending on scale

VeriPlus Assistance

We provide:

  • Description of processing operations
  • Security measures
  • Sub-processor information
  • Data flow diagrams

Your Responsibility: Conduct DPIA for your processing

Supervisory Authority

Which DPA Applies?

EU Member State: Your local Data Protection Authority

Example:

  • Germany: BfDI (Federal Commissioner)
  • France: CNIL (Commission Nationale)
  • Ireland: DPC (Data Protection Commission)

Contact: Find your DPA

Right to Complain

Data subjects can complain to:

  • Your local DPA
  • DPA where infringement occurred
  • VeriPlus DPA (Ireland DPC)

GDPR Compliance Checklist

Data Controller Responsibilities:

  • Determine lawful basis for processing
  • Update privacy notice (mention VeriPlus)
  • Sign Data Processing Agreement with VeriPlus
  • Implement data subject rights request process
  • Maintain records of processing activities
  • Conduct DPIA if required
  • Implement data breach response plan
  • Review and update annually

VeriPlus Responsibilities (handled by us):

  • Implement security measures
  • Provide DPA
  • Assist with data subject rights
  • Notify of data breaches
  • Delete data when instructed
  • Maintain records of processing

Common GDPR Mistakes

❌ Mistake 1: No Privacy Notice

Wrong: Collect data without informing users

Right: Provide clear privacy notice before collection

❌ Mistake 2: Wrong Lawful Basis

Wrong: Using consent for mandatory processing

Right: Use contract or legal obligation for required verification

❌ Mistake 3: No DPA

Wrong: Use VeriPlus without signed DPA

Right: Sign DPA before processing personal data

❌ Mistake 4: Indefinite Retention

Wrong: Keep verification data forever

Right: Delete after 5 years (or legal retention period)

❌ Mistake 5: Ignoring Rights Requests

Wrong: Delay or ignore data subject requests

Right: Respond within 30 days using VeriPlus API
