Explanation of SmartCredit as Joint Data Controllers

DEFINITIONS

In this agreement the terms as specifically defined have the meanings assigned. "Data Protection Legislation" means any applicable legislation or regulation in force in the United Kingdom from time to time including the Data Protection Act 1998 (or any subsequent legislation including the General Data Protection Regulation (Regulation (EU) 2016/679)) or any regulations or statutory instruments (or similar) made under such legislation.

In processing of Personal Data supplied by our clients SmartCredit are (joint) data controllers for the following reasons; a data controller (either alone or jointly with other persons) determines the purpose for which and the manner in which any personal data is, or is to be processed. Activities such as the interpretation, significant decision making and exercising professional judgement of the data must be carried out by a data controller, which in this case is SmartCredit.

When a data controller discloses personal data to another data controller (as in this case) each has full DPA/GDPR responsibility because both parties will exercise control over the purpose for which and the manner in which the data is processed. SmartCredit is a commercial organisation, supplying Anti-Money Laundering checks. SmartCredit decide which data partners to use, how the data is processed and more critically the purpose for which the data is processed.

SmartCredit is a data controller as SmartCredit decide the following not the client. The legal agreement is that SmartCredit collect the personal data of our clients customers i.e. data subjects name address, DoB (notification is given to the data subject by way of Experian T&C's 2.3 and Equifax 3.1), SmartCredit decide the way that our clients supply this data and what additional information may (or may not) be processed such as driving licence, passport or national insurance number (these checks are SmartCredit's own algorithms), SmartCredit also decide how this data is processed against the Experian CAIS or Equifax Insight database.

Experian or Equifax return data on that data subject and SmartCredit decide what results to display to the client on that data subject; again, neither Experian/Equifax nor the client tell us how to do this, SmartCredit make these decisions alone. SmartCredit also decide how the pass/refer and/or warning results will be displayed to the client, and reserve the right to change this and any other aspects of the form and content of the service, giving the client not less than 2 months’ notice Clause 3.2; there is no right whatsoever for the client to impose their own instruction on us.

SmartCredit also control the process with the Dow Jones Factiva Watchlist, which SmartCredit host and receive daily updates to. SmartCredit decide how this data is matched, for what purpose, and how it's presented. SmartCredit also decide where the data is stored, how long it's stored and the encryption etc; in essence we take all the overarching decisions, on how the personal data will be used, what the content will be, control all of the security arrangements and again our clients have no say in such matters. A fundamental point is that we cannot be both data controllers and data processors for the same data processing activity, it must be one or the other. We clearly have the necessary autonomy and decision-making capability in respect of the data.

A footprint is created on the data subject credit file at Experian/Equifax marked with SmartCredit Ltd T/A SmartCredit. Data subjects can make a Subject Access Request (SAR) to both Experian/Equifax and SmartCredit and SmartCredit have to deal with such SARs.

SmartCredit is therefore unable to enter into a data processing agreement with our Clients. If we did then we would have to process the data in accordance with their instructions, delete the data upon their request, comply with their security instructions, use of sub-contractors etc, etc. All of these are decisions that SmartCredit make and will continue to make.

If there are any questions regarding the above then please email dataprotectionofficer@smartsearchuk.com.


Legal Basis for SmartCredit to Process Clients Customer Data

SmartCredit provides Anti-Money Laundering “Know Your Customers” checks to Client firms as required by the Money Laundering Regulations 2017 and Proceeds of Crime Act 2002. SmartCredit has a legitimate Interest in processing this personal data on behalf of its Clients as Clients have a legal requirement to do so and SmartCredit is a commercial organisation that provides such a service, for the prevention of Money Laundering, Fraud Prevention and the Detection of Crime.

Data Subjects are notified by Client firms that these checks will take place and would therefore expect these checks to be undertaken. The checks create a footprint on the data subjects credit file but does not affect their credit rating or have any other impact on the data subject.