Privacy Policy
About this Privacy Notice
This Privacy Notice provides information on how smartKYC processes (i.e. gathers, stores, uses or shares) personal data.
Personal data is defined as any information about a person who can be directly or indirectly identified by it. It could therefore include codified and online identifiers as well as more obvious items such as your name and contact details.
Who we are, our relationship to your personal data and how you can contact us
smartKYC is a provider of screening and monitoring technology which helps organisations fulfil their corporate and regulatory due diligence responsibilities.
smartKYC Limited (smartKYC) is a company registered in England under company registration number 08892868 of International House, 24 Holborn Viaduct, London, EC1A 2BN, United Kingdom.
Insofar as smartKYC determines the purposes and means of data processing (the how and why), it is the Data Controller for that information.
In other instances, smartKYC may be a Data Processor, working on the instruction of other parties. You should consult the Privacy Policy of the relevant Data Controller in that case, although we will of course uphold our data protection obligations in a Data Processor capacity.
Any queries relating to our processing of personal data or this Privacy Notice should be addressed to our Privacy Officer via email (info@smartkyc.com) or in writing to smartKYC, International House, 24 Holborn Viaduct, London, EC1A 2BN, United Kingdom.
How we process personal data and the lawful bases for that processing
Personal data is collected directly from individuals when they engage with us, such as to access our thought-leadership content or to learn more about our services.
Our relationships with employees, contractors, suppliers, partners and clients necessitate the collection of personal data too.
We also collect personal data indirectly from third-party content providers in order to provide our screening and monitoring tools.
The lawful bases for our processing of personal data may be:
· Because individuals have consented to our use of their data
· So we can pursue our legitimate interests in running a commercial business effectively
· To fulfil our contractual or legal obligations
· To allow us to pursue our legitimate interests in Research & Development for our technology
Where we are pursuing our legitimate interests, we undertake to carry out thorough assessments to ensure that the rights and interests of data subjects (individuals) do not override these.
The types of personal data we process and how we use it
We collect personal data directly from individuals who engage with us for the purposes of marketing, sales and client servicing, and for internal business operations.
We also collect personal data indirectly from third parties, which may be subscription services, public registers or publicly accessible data sources like media outlets and social media platforms. They, rather than we, are the Data Controllers of this personal data.
Where data is collected indirectly, this is for the development, testing and demonstration of our due diligence and monitoring tools. The technology we have developed allows organisations to screen individuals and companies against criteria set out in their legal and regulatory obligations to fight financial crime, such as money laundering, terrorist financing and fraud.
Depending on the purpose, the personal data we process includes: name and contact details; bank details for payments; employer and role; records of company directorships and shareholdings; inclusion on watch/sanction lists; public domain indicators of financial history (like bankruptcy filings), criminal convictions or being a Politically-Exposed Person; along with other factors relevant to compliance regimes both in the UK and abroad.
We are committed to protecting personal data and upholding rights and freedoms around privacy in all contexts. We apply particular care where processing necessarily concerns sensitive, special category or criminal offence data.
Examples of how we use personal data
Below we describe typical instances of data processing, their purposes and how we are complying with data protection and other laws.
Activities | Types of personal data | How and why we use that personal data | Our compliance with data protection law |
Prospecting, marketing and sales | Contact and contextual information such as name, email address, work address, telephone number, company and position. | We take the opportunity to engage with individuals representing companies who would benefit from our services, providing them with thought-leadership and marketing materials, and demonstrations of our products. | Individuals consent to engage with us and find out more about our products and their benefits. This consent may be retracted at any time. We may also engage with individuals on the basis of our legitimate interests in running a commercial business, giving them the ability to opt out of communications at their choosing. |
Servicing our corporate clients, and working with partners and suppliers | Contact and contextual information as above, along with billing information which may include personal data. | The personal data of the employees of clients, partners and suppliers may be used in the context of fulfilling our service contracts and for billing purposes. | Our clients, partners and suppliers appoint employee representatives to manage their relationships and service agreements with us. This processing of personal data allows us to fulfil our contractual obligations. |
Relationships with employees, contractors and company directors | Contact information; banking details; National Insurance/social security numbers; tax codes; medical and performance data pertaining to occupational health/HR. | The personal data of employees, contractors and company directors is processed for the purposes of remuneration, taxation, operations and Human Resources management. | We have legal and contractual obligations to meet in an employment and corporate directorship context. Where these do not exist, individuals may have given consent for their data to be processed or it may be in our legitimate interests to do so. |
The development, demonstration and delivery of our screening and monitoring tools | Name and contact details; personal identification numbers; familial circumstances; professional and personal associations; financial history; employment, directorship and shareholder information; criminal offence data; inclusion on watch/sanctions lists; other special category data relevant to KYC screening, such as Trade Union roles; and adverse media indicators (AKA ‘red flags’). | Our tools provide organisations with a less privacy-invasive means of carrying out the due diligence which is vital in fighting money laundering, fraud and terrorism, and managing corporate risk. Using Natural Language Processing, our tool’s federated search function automatically collates and disambiguates information from third-party content providers to surface only information relevant to KYC. | This processing is necessary for the purposes of technological development and demonstration. This scientific research furthers our legitimate interests in providing tools which in turn allow organisations to fulfil their legal and regulatory obligations, and pursue their legitimate interests in sound management. There is also substantial public interest in upholding regulatory requirements and fighting all kinds of financial crime (as per Data Protection Act 2018, Part 1, Schedule 2, conditions 12, 14 and 15). Our tools also help organisations control compliance costs otherwise likely to be passed to consumers. |
The lawful bases for our processing of personal data
Organisations must have a lawful basis for processing personal data (and two if for special category data), as per UK GDPR Articles 6 and 9.
Below we describe what these lawful bases are in typical scenarios:
Activities | Lawful bases which may be applicable |
Business administration, including Human Resources and directorships | · Contract fulfilment/pre-contractual measures · Legal obligation · Consent · Legitimate interests · Employment, social security and social protection purposes · Occupational health purposes · Public health · The establishment, exercise or defence of legal claims |
Marketing and sales | · Consent · Legitimate interests · Contract fulfilment/pre-contractual measures |
Servicing clients and working with suppliers | · Consent · Legitimate interests · Contract fulfilment/pre-contractual measures · The establishment, exercise or defence of legal claims |
Developing, testing and demonstrating our tools | · Substantial public interest in upholding regulations and fighting financial crime · The information has been manifestly made public by data subjects · Legitimate interests in R&D for technological development and demonstration |
Data sharing, recipients and international transfers
Like most companies today, we make use of cloud-based service providers, such as Client Relationship Management and email marketing platforms.
Where personal data is processed via servers that are not our own or personal data is processed on our behalf by other companies, we a) enter into Data Processing Agreements to ensure that data protection obligations are fulfilled throughout our data processing supply chain and b) ensure that this processing takes place within the UK, EU or another jurisdiction deemed to offer adequate levels of data protection. Where data is transferred to other jurisdictions, we employ Standard Contractual Clauses or equivalent safeguarding mechanisms to ensure equivalent data protection rights.
Data may also be shared because we have a legal obligation to do so or to serve our legitimate commercial interests. In all cases, we commit to sharing only that which is necessary and proportionate for lawful purposes, and to ensuring that formal data protection guarantees are in place.
The categories of recipients include:
· Public authorities, such as HM Revenue & Customs
· Data processing suppliers, such as our accounting, payroll and CRM providers
· (Prospective) client organisations, such as the financial institutions we demonstrate our products to
Data retention
Our data retention policy and review schedule ensure that we only retain personal data for as long as required to fulfil a legitimate purpose or to comply with legal/regulatory requirements.
In the context of business and employment, this will be for the duration of the relationship and seven years thereafter, in compliance with these rules and to allow us to respond effectively to legal claims.
In a marketing and sales context, data is retained only for as long as a demonstrable interest in our products remains valid (retention is reviewed after a maximum of one year).
Statutory and contractual obligations to provide personal data
In some cases, individuals are obliged by law or contract to provide personal data to us, such as employees providing their National Insurance number for taxation purposes. Where individuals are so compelled, this will be made clear to them.
Your data protection rights
We are committed to upholding the rights of data subjects, which are as follows:
Right to be informed: this Privacy Notice is intended to fulfil this right, telling you how and why we process personal data. You can request further details if desired.
Rights of access and portability: you have a right to know if we are processing your personal data, which data is concerned and to obtain a copy of it. Where you have given information to us on the basis of consent or contract, and it is being processed automatically, you have the right to have your data in an electronic format or to have it transferred to another data controller of your choice.
Right to rectification: you have a right to have information that is incorrect or out of date amended, subject to this demonstrably being the case.
Right to erasure: you can request that your personal data be deleted if you object to its processing, if its processing is not lawful or if it is being processed on the basis of consent and you have withdrawn this. There are circumstances, however, where this right may not apply, but we will always explain why this is the case.
Right to objection/withdrawal of consent: you have an inalienable right to object to personal data processing for marketing purposes at any time, or where processing is based upon consent. Elsewhere, your right to request we stop processing your data may conflict with other obligations or legitimate interests of ours. We undertake to give every request careful consideration and to be transparent in the decisions which are made.
Automated decision-making/profiling
While our tools allow for profiles to be built about individuals for the purposes of fighting financial crime, we ourselves do not engage in automated decision-making in a manner which has significant effects on them.
Your right to complain
We take our data protection obligations very seriously. In the first instance, we would urge anyone with concerns about the processing of their personal data to get in touch so we can address them.
You have the right to make a complaint to the relevant Supervisory Authority for data protection, which in the UK is the Information Commissioner’s Office.
EU citizens may also complain to the Supervisory Authority in the location where they reside or work.
You can refer to the global directory of Supervisory Authorities, although we do not guarantee its accuracy.
Keeping this Privacy Notice up to date
This Privacy Notice was posted on 01/03/2023.
Data protection regulations are evolving, and we want to ensure that this Privacy Notice continues to reflect our practices and policies accurately, so it may be subject to change. Please revisit this Privacy Notice periodically.