Data Privacy and Ravelin
Why data privacy matters to Ravelin
Ravelin is a data company. Our customers trust us with some business-critical data so that we can make predictions that are important to their business. We do everything that we can to earn and retain that trust and to all that we can to make sure that the data is secure and that we are compliant with all relevant legislation and regulation.
This website is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Ravelin has addressed some important legal points. This legal information is not the same as legal advice, where a lawyer applies the law to your specific circumstances, so we insist that you consult a lawyer if you’d like advice on your interpretation of this information or its accuracy. Briefly, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.
We are sure you are aware of the implementation of the General Data Protection Regulation (GDPR), which is a piece of legislation that replaces the current data protection law in the UK and the rest of the EU on 25 May 2018. A similar law to the GDPR will apply after the UK leaves the EU.
We provide fraud prevention detection services and other related services to our clients under a contract between us (Services). The provision of those Services involves us collecting and handling (processing) personal data of their end users, customers and or users of, and visitors to, your websites (End Users).
The processing of that personal data will be governed by the GDPR in different ways.
We take the processing of personal data very seriously and so are actively observing GDPR by engaging with our customers and prospects to:
- explain to them what our respective data protection responsibilities are in the context of the provision of our Services to them;
- establish a data protection framework with you in respect of those responsibilities, which complies with the GDPR; and
- put in place any necessary contractual arrangements to reflect such compliant responsibilities.
Our respective data protection status
Under GDPR, we each have a variety of data protection personalities in respect of the provision and receipt of our Services to our clients. We set out below an explanation of those personalities and when they will apply to each of us:
- Data processor – a data processor is responsible for processing personal data on behalf of a data controller.
Where we process the personal data that is provided to us for the purposes of providing our basic service to a client, we do so as a data processor on their behalf as the data controller.
The GDPR requires contractual obligations to be placed on data processors. We set out these obligations in a Data Processor Rider which we include with any client that contracts with Ravelin for our services.
2. Data controller – we use the personal data that is provided to us to build fraud-related profiles of the individuals concerned. This involves sourcing further information relating to those individuals independently of the personal data that is provided to us. We process the personal data that you provide to us together with the additionally sourced information for our own purposes and in our own unique way. Determining how and why personal data is processed means that we will be the data controller of the personal data within those profiles; and
3. Data controllers in common – we provide a fraud look up service as an add-on to the Services to some of our customers with their permission. The look up service involves us sharing a pool of personal data with the relevant customers who will use that personal data for their own purposes and in their own way. In this case, these customers will be data controllers in common with us. It is good practice for data controllers in common to agree a Data Sharing Protocol in respect of their respective use of that personal data.
Customer Personal Data means any Personal Data transferred by the Customer to the Supplier for the purposes of the provision of the Supplier’s basic service to the Customer;
Data Controller, Data Processor, Data Subject, Personal Data and Processing shall each have the meanings set out in the Data Protection Legislation and shall be construed accordingly in this Agreement; and
Data Protection Legislation means the European Union's General Data Protection Regulation (2016/679), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable laws and regulations relating to the Processing of personal data and privacy as amended, re-enacted, replaced or superseded from time to time, including where applicable the guidance and codes of practice issued by the United Kingdom's Information Commissioner.
2. DATA PROTECTION LEGISLATION
2.1 The parties acknowledge and agree that for the purposes of the Data Protection Legislation and in relation to the Customer Personal Data, the Customer is the Data Controller and the Supplier is the Data Processor.
2.2 The Supplier is hereby appointed by the Customer to Process Customer Personal Data on behalf of the Customer as is necessary to provide its basic service to the Customer under this Agreement and in accordance with such other written instructions as the Customer may issue from time to time.
2.3 Appendix 1 sets out the scope, nature and purpose of Processing by the Supplier, the duration of the Processing, the types of Personal Data and categories of Data Subjects that apply to the Processing by the Supplier under this Agreement
3. OBLIGATIONS OF THE SUPPLIER
3.1 The Supplier shall:
3.1.1 only Process the Customer Personal Data in accordance with the written instructions of the Customer which the parties shall agree between them now, unless the Supplier is required to do otherwise by applicable law. In the event the Supplier is required to do otherwise, it shall inform the Customer of such legal requirement before Processing the Customer Personal Data, unless that same law prohibits the Supplier from doing so on important grounds of public interest;
3.1.2 shall ensure that all personnel acting under the authority of the Supplier who have access to the Customer Personal Data do not process it except on the written instructions of the Customer, unless required to do otherwise under applicable law;
3.1.3 ensure that all such personnel who have access to and/or Process the Customer Personal Data are obliged to keep the Customer Personal Data confidential;
3.1.4 ensure that it has in place appropriate security of the Customer Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to the Customer Personal Data and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of harm that might result from:
- unauthorised or unlawful Processing;
- accidental or unlawful loss, destruction or alteration;
- unauthorised access (or disclosure of); or damage;
to the Customer Personal Data, taking into account:
- the nature, scope, context and purposes of the Processing of the Customer Personal Data to be protected;
- the state of the art in technological developments in information security; and
- the cost of implementing any measures; which
shall include, as a minimum, pseudonymising and encrypting the Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;
3.1.5 ensure that no Customer Personal Data is Processed outside either the European Economic Area (EEA) or any other territory in which the European Commission has decided that the third country ensures an adequate level of protection. If the Supplier does so, it shall comply with any safeguards put in place by the Customer to protect the Customer Personal Data;
3.1.6 maintain complete and accurate records and information to demonstrate its compliance with this paragraph and make available such records and any other information necessary to demonstrate compliance with its obligations as a Data Processor under the Data Protection Legislation, and allow for and contribute to audits, including inspections, conducted by the Customer or the Customer's designated auditor or data supervisory authority on reasonable notice;
3.1.7 immediately inform the Customer if it considers that any of the Customer’s instructions infringe the Data Protection Legislation;
3.1.8 notify the Customer without undue delay on becoming aware of a Customer Personal Data security breach, which shall include without limitation where any Customer Personal Data is lost, stolen, destroyed, damaged or corrupted or where there is any unauthorised or accidental Processing, alteration, deletion or disclosure of, or access to, such Customer Personal Data, or any attempt of the same;
3.1.9 notify the Customer without undue delay if it receives any complaint, notice or communication that relates to the Processing of the Customer Personal Data (including without limitation any Data Subject requests) and/or to either party’s compliance with the Data Protection Legislation;
3.1.10 at the written Customer’s direction and subject to paragraph 4.1 below, delete or return to the Customer all Customer Personal Data unless required by applicable law to retain it;
3.1.11 provide co-operation and assistance to the Customer, at the Customer’s cost, to allow the Customer to comply with its obligations under the Data Protection Legislation with respect to data security, data breach notifications, data protection impact assessment, consultations with supervisory authorities, the fulfilment of Data Subjects’ rights, and any enquiry, notice or investigation by a supervisory authority; and
3.1.12 enter (or confirms that it already has entered) into a written agreement with any authorised third-party processor incorporating terms which are substantially similar to those set out in this paragraph 3. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any authorised third-party processor.
PROVISIONS RELATING TO THE CUSTOMER
4.1 acknowledges that the Supplier will use the Customer Personal Data for other purposes as a Data Controller to which the provisions of this Data Processing Rider will not apply;
4.2 shall have at all times within its own systems and processes during the term of this Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Customer Personal Data;
4.3 shall provide clear and comprehensible written instructions to the Supplier for the Processing of Customer Personal Data to be carried out under this Agreement;
4.4 shall ensure that it has a lawful basis/bases for Processing the Customer Personal Data and all licences, permissions, consents and/or notices, (including from the Data Subjects whose Customer Personal Data will be Processed by the Supplier and/or third party processor(s) as contemplated under this Agreement) in place to enable lawful transfer of the Customer Personal Data to the Supplier for the duration and purposes of this Agreement;
4.5 shall provide (or acknowledges that it has already provided) to the Supplier all information required to allow the Supplier to regularly assess and evaluate the effectiveness of the technical and organisational measures adopted by it in relation to the Customer Personal Data;
4.6 shall provide all information required by the Data Protection Legislation and as set out in Appendix 1 in order to allow the Supplier to Process the Customer Personal Data as contemplated by this Agreement; and
4.7 consents to the Supplier appointing the entity(ies) named in Appendix 1 below as third-party processor(s) of the Customer Personal Data under this Agreement.
LIMITATION OF LIABILITY
Without prejudice to any other provision contained within or applicable to this Data Processor Rider, the limitation of liability provisions applicable to the Supplier contained within this Agreement shall apply equally to the provisions of this Data Processor Rider. Where no limitation of liability provisions applicable to the Supplier are contained within this Agreement, the parties agree that the Supplier’s total aggregate liability to the Customer in relation to the subject matter of this Data Processor Rider whether arising in contract, tort (including without limitation negligence), under statute or otherwise, and the Customer’s total remedy for damages in that respect, shall not exceed the stipulated Cyber Insurance Coverage
Description of Customer Personal Data Processing
The Processing activities carried out by the Supplier as a Data Processor under this Agreement are described as follows:
To process Customer Personal Data as is necessary to provide the Supplier’s basic service to the Customer pursuant to this Agreement and as further instructed by the Customer in writing in relation to the Supplier’s use of the Customer Personal Data.
Nature and purpose
To provide the Supplier’s basic service to the Customer and the anonymisation of Customer Personal Data for the purposes of carrying out analytical research and statistical analysis by the Supplier.
Category of Data Subjects
Prospects, customers, business partners and vendors of Customer (who are natural persons)
Employees or contact persons of Customer’s prospects, customers, business partners and vendors
Employees, agents, advisors, freelancers of Customer (who are natural persons)
Customer’s Users authorised by Customer to use the Services.
Type of Personal Data
First and last name
Contact information (email, phone, address)
Professional life data
Personal life data
For the duration of this agreement
All data storage providers