Please note that from 25th May 2018 Client firms will have to be compliant with GDPR. This means that they will have to update or create new policies and procedures for processing personal data.
The Regulation provides a definition of twenty-six of the relevant terms, including the following (GDPR Article 4 – Definitions):
For the purposes of GDPR and the DPA we are Data Controllers with our Clients. For more information click here.
Under GDPR your legal basis for processing Customer Data (i.e. Personal Data) is “Legal Obligation”, because the processing of Personal Data is necessary for compliance with legal obligations in The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, and the Proceeds of Crime Act 2002. It is very likely that you will also have to comply with the UK and/or other Financial Sanction Regimes.
You do not need "Consent" to run SmartCredit checks on Personal Data, but you must inform the Data Subject that a check will be undertaken, as per Clause 2.3 of the Experian Data Services End Users Terms and Clause 3.1 of the Equifax Customer Terms Schedule that form part of our Agreement with your firm.
Our Data Retention policy states we will hold Personal Data on your Customers for 5 years from the date the search is run, or 5 years from the date that you turn the monitoring off, at which point the data is deleted. This mirrors the requirements under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
Personal Data We Hold and Process on You and/or Your Firm
We may also hold personal information about you and/or your firm, such as names, email addresses, IP address, contact notes etc. We need this information to provide the SmartCredit service to you and your firm. The legal basis for us holding this Personal Data under GDPR is Contractual, where the processing of Personal Data is necessary for the performance of a contract to which the individual or the firm is a party.