Please note that from 25th May 2018 Client firms will have to be compliant with GDPR. This means that they will have to update or create new policies and procedures for processing personal data.
The Regulation provides a definition of twenty-six of the relevant terms, including the following (GDPR Article 4 – Definitions):
1 "personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2 "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
7 "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8 "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
For the purposes of GDPR and the DPA we are Data Controllers with our Clients.
Under GDPR your legal basis for processing Customer Data (i.e. Personal Data) is “Legal Obligation”, because the processing of Personal Data is necessary for compliance with legal obligations in The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Proceeds of Crime Act 2002. It is very likely that you will also have to comply with the UK and/or other Financial Sanction Regimes.
You do not need "Consent" to run SmartCredit checks on Personal Data but you must inform the Data Subject that a check will be undertaken as per Clause 2.3 of the Experian Data Services End Users Terms and Clause 3.1 of the Equifax Customer Terms Schedule that form part of our Agreement with your firm.
Our Data Retention policy states we will hold Personal Data on your Customers for 5 years from the date the search is run, or 5 years from the date that you turn the monitoring off, at which point the data is deleted. This mirrors the requirements under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
Personal Data We Hold and Process on You and/or Your Firm
We may also hold personal information about you and/or your firm such as names, email addresses, IP address, contact notes etc. We need this information to provide the SmartCredit service to you and your firm. The legal basis for us holding this Personal Data under GDPR is Contractual where the processing of Personal Data is necessary for the performance of a contract to which the individual or the firm is a party.