We have made every effort to provide a detailed overview of GDPR compliance and of how Shufti supports your business in operating within this regulation, particularly where customer data and its verification through Shufti are concerned. You are still advised to engage legal counsel for a fuller understanding of GDPR compliance and the liabilities that come with it. The following guide details the practices, procedures, and upgrades introduced in Shufti's internal workings to keep its services GDPR-compliant.
The GDPR is in force, and Shufti has ensured that its services remain fully compliant with the EU's data protection requirements. We have adopted an industry-prevalent approach known as Data Process Control to better protect the interests not only of our clients but of their customers as well.
Note: As a data processor, Shufti operates under the instructions of the data controller. Therefore, all requests from data subjects regarding their rights under GDPR should be directed to the data controller, who has the authority to manage such requests. In certain scenarios, Shufti may also act as a data controller, as described below.
Summary of GDPR sections applicable to customers and users of Shufti services
Cookies
GDPR requires websites and online businesses to inform users that they are using cookies. The language of this notification should be easily understandable for an average user. Consent is required from users before they are tracked by cookies. We have updated our cookies policy in this regard as well.
Lawful basis
GDPR only allows the collection of user data for a legal reason. Shufti collects data solely for verification purposes, as per the legal agreement signed by Shufti and its customers. This data is limited to verifying credentials, identity, or any other related verification required by our customers as per the legal agreement.
We have added a consent button to the form in which the end user (the data subject) enters their identification details. We also give users the option to review our data protection policy, privacy policy, and Terms & Conditions to ensure full transparency.
Deletion
GDPR requires businesses and websites to delete user data when the user requests it. Because Shufti acts as a data processor, such requests must be made directly to the data controller, who handles them in accordance with GDPR.
Shufti GDPR compliance process
Scenarios where Shufti acts as a data processor
As a data processor, Shufti processes personal data on behalf of its clients, who are the data controllers. In this role, Shufti follows the instructions of the data controller and does not make decisions regarding the processing of personal data.
Example of Data Subject Interaction with Shufti as a Processor
1. A client integrates Shufti with their online business, portal, or app.
2. The data subject (e.g., Daniel from France) is redirected to a landing page where Shufti verification is carried out.
3. Daniel enters the relevant credentials (date of birth, full name, address).
4. Daniel shows his verification document (ID card, driver's licence, or passport) to the web camera.
5. Shufti's verification technology compares the information entered in the form with the information on the document.
6. Based on the result of the verification (Verified or Not-Verified), the user is redirected back to the online business.
All the above steps involve gathering user data from the data subject on behalf of the controller, which is then processed by Shufti as the processor. Under GDPR guidelines, Shufti only acts on instructions from the data controller regarding the processing and handling of this data.
User data handling
Shufti processes user data on secured servers located in the EEA. The storage and handling of this data are subject to GDPR requirements, and Shufti's responsibilities vary depending on whether it is acting as a processor or as a controller.
Automated decision-making
Shufti uses personal data for automated decision-making solely for verifying identity and document authenticity. The process involves checking the information provided by the data subject against identity documents and determining verification outcomes. When Shufti acts as a processor, all automated decision-making is carried out under the instruction of the data controller. When acting as a controller, Shufti determines the decision-making processes independently.
Data access and user rights requests as a processor
As a data processor, Shufti does not independently handle requests from data subjects regarding their personal data. Any request from a data subject regarding their personal data, including but not limited to access, rectification or deletion should be made directly to the data controller. The controller will then instruct Shufti, as the processor, on how to proceed with the request in accordance with GDPR.
Scenarios where Shufti acts as a data controller
In certain situations, Shufti may act as a data controller. This occurs when Shufti determines the purposes and means of processing personal data independently, rather than on behalf of another entity.
Example of Shufti as a Controller
When Shufti collects personal data directly from individuals for any lawful purpose, it acts as a data controller because it independently determines the objectives and methods of processing.
Handling Data Access and User Rights Requests as a Controller
As a data controller, Shufti is directly responsible for handling requests from data subjects regarding their personal data. Data subjects can contact Shufti directly at [email protected] for access, correction, deletion, or other actions concerning their data. Shufti will respond to these requests in compliance with GDPR requirements.
Data subject rights
Access Rights
Under GDPR, data subjects have the right to access their personal data. When Shufti acts as a data processor, these requests should be directed to the data controller. Shufti will provide complete assistance to the data controller, who will then instruct Shufti on how to handle the request. In situations where Shufti acts as a data controller, it is directly responsible for responding to data subject requests for access to their data. Shufti will process these requests promptly and in accordance with GDPR regulations.
Deletion Rights
Data subjects have the right to request the deletion of their personal data. As a data processor, Shufti will handle deletion requests based on instructions from the data controller. When Shufti is the data controller, it will process deletion requests directly, ensuring they are fulfilled in compliance with GDPR.
The right to deletion is not absolute. Whether it applies depends on the legal basis and context of the processing (for example, data that must be retained to meet a legal obligation), so a deletion request is not always granted in full.
Modification Rights
Data subjects also have the right to ask for modifications or corrections to their personal data. As a processor, Shufti will follow the data controller's instructions on making any necessary changes. When acting as a controller, Shufti will manage such requests directly and ensure any required modifications are made promptly in line with GDPR.
Shufti is committed to upholding the rights of data subjects and maintaining GDPR compliance in all of its operations, whether acting as a data processor or a data controller.
Achieving critical compliances to ensure your peace of mind
iBETA
PCI DSS
SOC2
GDPR
QG GDPR
ISO 27001:2022
CYBER ESSENTIALS
CYBER ESSENTIALS PLUS
KJM AGE VERIFICATION
CCPA