Shufti Pro GDPR Compliance Guide

Bringing you up to date with GDPR compliance, necessary for businesses wishing to operate in the European Union.

We have made every effort to provide a detailed overview of GDPR compliance and of how Shufti Pro supports your business in operating within the confines of this regulation, especially when it comes to customer data and its verification through Shufti Pro. It is still advisable to engage the services of legal counsel in order to better understand GDPR compliance and the liabilities that come with it. The following compliance guide describes the practices, procedures and upgrades introduced in the internal workings of Shufti Pro to make its services GDPR compliant.

The deadline for GDPR compliance is here and Shufti Pro has wasted no time in making its services fully compliant with the EU's User Data and Protection guidelines. We have adopted an industry-prevalent approach known as "Data Process Control" to better protect the interests of not only our clients but their customers as well.

Here is a summary of the GDPR sections that are applicable to customers and users of Shufti Pro services.

Cookies:

GDPR requires websites and online businesses to inform users that they are using cookies. GDPR also requires the language of this notice to be easily understandable for an average user. Consent is required from users before they are tracked through these cookies. We have updated our cookies policy in this regard as well.

Lawful Basis:

GDPR only allows collection of user data for a legal reason. Shufti Pro only collects data for verification purposes as per the legal agreement signed by Shufti Pro and its customers. This data will be limited to verification of the credentials, identity or any other related verification that was required by our customers to be provided as per the legal agreement.

We have even added a consent button on the form where a customer fills in their identification details. We also provide the option for customers to go through our data protection policy, privacy policy and Terms & Conditions, to ensure full transparency.

Deletion:

GDPR requires businesses and websites to forget and delete the user data when requested by the user.
Shufti Pro has taken steps to give end-users full control over the data they have submitted for identity verification.

Here's our Game Plan for GDPR Compliance

Whether you are a B2B or B2C business, an e-commerce company, an educational entity or a crypto-based organization, you have probably heard by this point about the General Data Protection Regulation (GDPR). It is a new directive set by the European Union, legislation that sets forth guidelines regarding how information is collected and how it is processed and used.

The GDPR legislation was formed to harmonize data privacy laws across Europe, to empower all EU citizens' data privacy in the process, and to reshape how organizations approach data privacy in a secure and transparent manner.
At Shufti Pro, tireless efforts have been underway over the last few months to assist our users, businesses and our clients, to help them understand what the GDPR means for their businesses, and to assist them in establishing a compliant process of their own. With that in mind, we've made great improvements to our Shufti Pro platform to ensure that we stand on par with the GDPR measures.

Shufti Pro has prepared a 'Game Plan' for you to understand how GDPR 'operates' behind the scenes when a customer interacts using our service.

Here is the Process:
Let's say that Daniel is a potential customer and lives in France. He's called the "Data Subject," and your company, the service provider, is called the "Controller" of his data. Since Shufti Pro is verifying the credentials of Daniel on behalf of your company, that makes Shufti Pro the "Processor".

Here's how Daniel might interact with Shufti Pro:

  • A customer integrates Shufti Pro with their online business/portal/app
  • Daniel approaches the 'Online Business' and is redirected to a landing page where Shufti Pro Verification is carried out.
  • Daniel enters relevant credentials (DOB, Full Name, Address).
  • Daniel holds his verification document (ID, Driver's Licence, Passport) up to the web camera.
  • The AI Technology compares the information filled in the form to that present on the document.
  • Based on the verification result of 'Verified' or 'Not-Verified', the user is redirected back to the online business.

All the above-stated steps gather user data from the "Data Subject" on behalf of the "Controller", which is passed on to the "Processor". The following are various aspects of our data protection policy, privacy policy and Terms & Conditions that control the entire process, under the guidelines of GDPR.

User Data

User Data means any data, content, code, video, images or other materials of any type that User uploads, submits or otherwise transmits to or through Services. User will retain all right, title and interest in and to User Data in the form provided to Shufti Pro. Shufti Pro stores data on industry-secured servers located in the EEA zone, which are monitored. Subject to the terms of this Agreement, you hereby grant to Shufti Pro a non-exclusive, worldwide, royalty-free right to:

(a) collect, use, copy, store, and transmit User Data, in each case solely to the extent necessary to provide the applicable Services to Client
(b) Client hereby grants to Shufti Pro all necessary rights to use, reproduce, modify, create derivative works from, distribute, perform, transmit and display the User Information (including any rights specifically pertaining to biometric information) solely to the extent necessary to provide the Services which will include the right for Shufti Pro to grant equivalent rights to its service providers that perform services that form part of or are otherwise used to perform the Services.

Access to Data

The Services include access to the Back-office. Client may access and download (either manually or via API) the data from each of its Verifications, including extracted data and images for each individual Transaction, via the Back-office for the Term. Upon termination of this Agreement for any reason, access to the Back-office, and therefore access to data storage, will be revoked. Shufti Pro may delete any stored items in storage upon expiration or termination of this Agreement. Shufti Pro will have no responsibility or liability for storing and deleting items in accordance with this Section 9.

User Data

You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to:

  1. The payment of a fee (currently fixed at GBP 10) and
  2. The supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address).

We may withhold personal information that you request to the extent permitted by law.

You may instruct us at any time not to process your personal information for marketing purposes.

In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for marketing purposes.

Automated decision-making

We will use your personal data for the purposes of automated decision-making in relation to recording the live video stream of the entire verification process, taking frames from that video at each verification step, storing your residence address, name, date of birth, credit/debit card number, passport details and driving license details.
This automated decision-making will involve checking the information provided by you and matching it with the identity document information provided by you to the merchant (our client).
The significance and possible consequences of this automated decision-making are to verify your identity and authenticity of your documents, based on which your chosen process will proceed further.

ID, Identity and Documents Verification

Shufti Pro employs machine learning, computers, Artificial Intelligence, Human Intelligence and Software technology to perform Verification processes through Template Matching Technique.

Unless otherwise stated in the Standard Agreement, the Verification parameters include:

  1. Name, Date of Birth, Image, Video, and Plastic Payment Card Numbers.
  2. Proof of Address, Age, Designation, Academic Degree, Company Identity, Logos, etc. made available by Shufti Pro as Customised Services.

User's Individual Rights Request

The GDPR enhances the rights of individuals in a number of ways.

Access and Privileges

A user can request access to the personal data he has shared with Shufti Pro about himself. Personal data is anything identifiable, like his name and email address. If he requests access, Shufti Pro (as the processor) needs to provide a copy of the data, in most cases in a machine-readable format (e.g. CSV or XLS).
Daniel can also request to see and verify the lawfulness of processing.

A client can seek access to their data by asking Shufti Pro for what they require at privacy@shuftipro.com. We at Shufti Pro believe we are under a legal and moral obligation to facilitate any manner of individual rights request.

Shufti Pro enables you to grant any access request by easily exporting the user record into a machine-readable format.

Modification

In the same manner as accessing information, a user can request Shufti Pro to modify his personal data if it is inaccurate, incomplete or requires any sort of modification or amendment.

The GDPR requires that a company be able to accommodate modification requests, as and when required.

Deletion

Under the GDPR, a user has the right to request that Shufti Pro delete all personal data it has collected from him. The GDPR requires that the user's contact be permanently removed from the database, including verification results, all personal information, saved images/video, form submission data and credit card data.
In a GDPR-compliant manner, a client can seek to have their data deleted by querying Shufti Pro at privacy@shuftipro.com. The Data Protection Officer at Shufti Pro will in most cases respond within a 30-day period.
In many cases, the right to deletion is not absolute and can depend on the context of the request, so it doesn't always apply.

INTERNATIONAL COMMISSIONER OFFICE UK REGISTRATION

Strengthen Data Protection

Data Unification

Secure Export of PII

Data Portability