DATA PROTECTION INFORMATION NOTICE
ID-PAL LIMITED
A certified Identity Service Provider
With effect from September 2022

1. Who we are?
Part I – App Users

2. How does the ID-Pal app work and what personal data is processed?
3. Who is the Data Controller for the various processing activities outlined above?
4. What legal bases do ID-Pal rely on for the processing of personal data?
5. Who do ID-Pal share with /disclose to your personal data?
a. CIFAS

6. Do we transfer personal data outside the United Kingdom?
7. How do ID-Pal keep my personal data safe and secure?
8. How long do we retain your personal data for?
9. What data protection rights do you have?

Part II – Our Customers
10. What personal data of customers do ID-Pal process?
11. What do you do with this personal data?
12. What legal basis do you rely on for these processing activities?
13. Who do you share the personal data with?
14. How long do you retain personal data for?
15. What data protection rights do you, our customer have?

1. Who we are?
We are ID-Pal Limited, a company incorporated under the laws of Ireland with company
registration number 578727, whose registered office is at 145 Pearse Street, Dublin, 2,
D02 CP08, Ireland.

We provide mobile and web application software to customers which verifies and
authenticates identity information and documentation submitted to us.

We have been certified as an Identity Service Provider and meet the relevant
requirements of the United Kingdom Digital Identity & Attributes Trust Framework. Our
Schedule of Certification can be viewed here.

Our Data Protection Officer (‘DPO’) is Sinead McDonald who can be contacted at our
registered address and at sinead@id-pal.com

ID-Pal Limited (‘ID-Pal’) and our DPO are registered with the Information Commissioners
Office (‘ICO’).

Our UK Representative is Waystone Compliance Solutions (UK) Limited.
This Data Protection Information Notice outlines our processing activities as a data
controller.

Part I- App users

2. How does the ID-Pal app work and what personal data is processed?

We provide our software to customers who are obliged under the Rent to Work or Right
to Rent schemes in the United Kingdom to verify the identity of prospective employees
or tenants (the ‘Purpose’). Only certified Identity Service Providers can assist in this
exercise.

Our customers will send you a link via SMS or email and request you download the IDPal app from either the App Store/Google play store. Once downloaded, you will be
asked to:
• Upload your identity document which can be a passport, a driver licence or
National Identity Document
• Take a selfie and submit it
• Submit your name, address, date of birth, gender, email address and mobile
number.

We will also automatically collect certain technical information when you use our app
such as device make and model and IP address.

We will undertake a number of technical checks on the identity document and selfie
image to ensure their authenticity. We will check all details against a number of fraud
databases, for the purposes of preventing fraud and money laundering.

We will provide a report to our customers outlining the results of our fraud, verification
and authentication checks, in the form of a due diligence report.

If we detect fraud on documentation or information submitted as well as advising our
clients, we may also file a case with CIFAS a fraud prevention service.

3. Who is the Data Controller for the various processing activities outlined above?

ID-Pal is the data controller of the personal data submitted or uploaded to our App as
we have determined the purpose and means of the processing. The purpose is to verify
and authenticate identities and the means is through use of our mobile app.

We provide our app and service to prospective employers and landlords, (‘Our
Customers’) who are also data controllers of your personal data. They will have separate
Data Protection Information Notices.

If we have cause to file a case with CIFAS they are a data controller for the maintenance
of those databases. See section 5 below.

4. What legal basis do ID-Pal rely on, for the processing of personal data?

The processing of the personal data outlined in section 2 above is necessary for the
purpose of the legitimate interest pursued by ID-Pal (Article 6(1)(f) of the GDPR). This
legitimate interest is to provide robust, safe and secure software to our customers to
verify and authenticate identities in order to assist them in complying with their legal
obligations.

Biometric checks on a ‘Selfie’ fall within definition of special categories of personal data
and the legal basis relied on here is your explicit consent (Article 9(2)(a)) which is
requested in the app before you submit your Selfie. If you do not provide your consent,
we will be unable to verify and authenticate your identity.

Where we disclose our verification and authentication checks to CIFAS, we do so on the
basis that it is in the public interest to takes measures to detect and prevent fraud as set
out in paragraph 14 of Schedule 1, Part 2 of the Data Protection, Act 2018.

Our customers may ask us to store our due diligence report, once complete and if they
do, we will be acting as their data processor.

5. Who do ID-Pal share with /disclose to your personal data?

Our Customers
We prepare a due diligence report for delivery to our customers which contains images
of the identity documentation and information submitted as well as the results of our
verification and authentication checks which we present in the form of a due diligence
report.

Our data processors:
The information we collect from you may be transferred to third parties in connection
with our service model and the technology infrastructure we use. It may also be
processed by these companies and/or by our and their respective employees and
service providers. These third parties are our data processors. We will take steps to
ensure that these third parties will:
• only receive the personal data necessary for them to provide us with their
service;
• only process personal data in accordance with our instructions;
• take appropriate security measures to protect your personal data;
• commit themselves and their employees to confidentiality;
• provide assistance to us in the discharge of our obligations to you; and
• report all data breaches to us without undue delay.

CIFAS
CIFAS is a not-for-profit fraud prevention membership organisation. They are the UK’s
leading fraud prevention service, managing the largest database of instances of
fraudulent conduct in the country.

Their members are organisations from all sectors, sharing their data across those
sectors to reduce instances of fraud and financial crime.

ID-Pal are a member of CIFAS and can search their databases for records of fraudulent
conduct by individuals. Should ID-Pal identify fraudulent conduct at any time that meets
CIFAS’ standard of proof, ID-Pal are required to file a new case to the database. In
addition, we will advise our customers of findings of fraud who may in turn decide not
to proceed with your application for employment or to rent. A record of any fraud or
money laundering risk will also be retained by CIFAS and may result in other members
of CIFAS refusing to provide services, financing or employment to you.

CIFAS may also share your personal data with law enforcement agencies who detect,
investigate and prevent crime.

Others
ID-Pal may also have to share information with third parties to meet any applicable law,
regulation or lawful request from a law enforcement agency. When we believe we have
been given false or misleading information, or we suspect criminal activity we have an
obligation to record this and report to law enforcement agencies, which may be either
in or outside Ireland.

ID-Pal may also disclose information to our professional advisors in order for them to
provide us with advice.

6. Do we transfer personal data outside the United Kingdom?

Personal Data may be transferred to third parties who are our processors/sub
processors as part of our business model as described in sections 5 above. This may
include the transfer of data to other jurisdictions for processing at a destination outside
the United Kingdom. Such transfers only occur either on the basis of an adequacy
decision made by the United Kingdom Government or an approved safeguard measure
such as standard contractual clauses.

7. How do ID-Pal keep my personal data safe and secure?

All information including personal data is encrypted at rest and in transit. We use AWS
in Europe, for storage. We have firewalls on our application and database servers.
Personal data is logically segmented to ensure that only the customer you are
submitting to (and ID-Pal, when reviewing submissions), have access to the personal
data. Customers must be authenticated, before they can access their account on the
platform. All ID-Pal employees are subject to contractual obligations of confidentiality
and must undertake annual data protection and information security training.

While we take these steps to maintain the security of your information, you should be
aware of the many information security risks that exist and take appropriate care to help
safeguard your information. The nature of the internet is such that we cannot guarantee
the security of the information you transmit to us via email, and any transmission is at
your own risk.

ID-Pal is ISO 27001 certified.

8. How long do we retain your personal data for?

ID-Pal retain the completed due diligence report in our systems for 30 days following
completion, unless our customers instruct us, as their data processor, to store it for a
longer to enable them to comply with their obligations under the right to work or right
to rent schemes.

Our customers have different retention periods to ID-Pal. They are required to retain the
due diligence report we have prepared for the duration of your employment/tenancy
and up to 2 years thereafter.

CIFAS have also different retention periods to ID-Pal. If you are considered to pose a
fraud or money laundering risk, they will retain your personal data for up to 6 years.

9. What data protection rights do you have?

Under UK GDPR you have the following rights:
• You have the right to withdraw your consent for the processing of personal data.
• You have the right to request information about whether we hold your personal
data, and, if so, what that personal data is and why we are holding/using it.
• You have the right to request access to your personal data (commonly known as
a “data subject access request”). This enables you to receive a copy of the
personal data we hold about you and to check that we are lawfully processing it.
• You have the right to request correction of the personal data that we hold about
you. This enables you to have any incomplete or inaccurate personal data we
hold about you corrected.
• You have the right to request erasure of your personal data. This enables you to
ask us to delete or remove personal data where there is no good reason for us
continuing to process it. You also have the right to ask us to delete or remove
your personal data where you have exercised your right to object to processing
(see below).
• You have the right to object to processing of your personal data where we are
relying on a legitimate interest (or those of a third party) and there is something
about your particular situation which makes you want to object to processing on
this ground. You also have the right to object where we are processing your
personal data for direct marketing purposes.
• You have the right to object to automated decision-making including profiling,
that is not to be the subject of any automated decision-making by us using your
personal data or profiling of you. ID-Pal does not make decisions based solely on
automated processing. If any of our checks indicate a concern, a member of the
ID-Pal team will assess that specific submission before completion of the due
diligence report.
• You have the right to request the restriction of processing of your personal data.
• You have the right to request transfer of your personal data in an electronic and
structured form to you or to another party (commonly known as a right to “data
portability”).

Not all data protection rights are absolute and some, not all, may be restricted in
certain circumstances.

You can submit a data protection rights request to our DPO at sinead@id-pal.com
and we will respond without undue delay and in any event within one month of
receipt.

You also have the right to complain to the ICO if you have concerns about how we
process your personal data. Make a complaint | ICO

 

Part II- Our customers

10. What personal data of customers do ID-Pal process?

In order to provide our product and service to you, our customers, we will process the
some or all of following personal data belonging to you and your employees:
• Name
• Address
• Email address
• Contact details including mobile numbers and LinkedIn profiles
• Credit card/bank account (if you are a sole trader)
• Username and password
• Log activity
• Telephone messages
• Job role

11. What do you do with this personal data?

We use this personal data to
• deliver our product to you,
• provide secure access to the web platform,
• investigate any issues you may have,
• answer your queries,
• provide you with updates on features and upgrades,
• assist you and your team with implementation and training,
• advise you of regulatory developments,
• invite you to events, and
• ask you for feedback on our product and services.

12. What legal basis do you rely on for these processing activities?

We rely on one of the following:
• Processing is necessary for the performance of the contract we have with you.
• Processing is necessary for the legitimate interest pursued by ID-Pal which is to
deliver the best-in-class product and customer service to our customers.

13. Who do you share the personal data with?

We use a range of information technology and software to deliver our product and
services to you and these providers are our data processors. In addition, we may also
disclose your personal data to our professional advisers such as lawyers, information
security and data protection specialists and accountants.

Some of our data processors are located outside the United Kingdom. Personal data is
transferred either on the basis of an adequacy decision made by the United Kingdom
Government or an approved safeguard measure such as standard contractual clauses.

14. How long do you retain personal data for?

ID-Pal will retain customer personal data for the duration of our business relationship
and seven years thereafter as required for tax and accounting purposes.

15. What data protection rights do you, our customer have?

Under UK GDPR you have the following rights:
• You have the right to opt out of receiving marketing emails.
• You have the right to request information about whether we hold your personal
data, and, if so, what that personal data is and why we are holding/using it.
• You have the right to request access to your personal data (commonly known as
a “data subject access request”). This enables you to receive a copy of the
personal data we hold about you and to check that we are lawfully processing it.
• You have the right to request correction of the personal data that we hold about
you. This enables you to have any incomplete or inaccurate personal data we
hold about you corrected.
• You have the right to request erasure of your personal data. This enables you to
ask us to delete or remove personal data where there is no good reason for us
continuing to process it. You also have the right to ask us to delete or remove
your personal data where you have exercised your right to object to processing
(see below).
• You have the right to object to processing of your personal data where we are
relying on a legitimate interest (or those of a third party) and there is something
about your particular situation which makes you want to object to processing on
this ground. You also have the right to object where we are processing your
personal data for direct marketing purposes.
• You have the right to object to automated decision-making including profiling,
that is not to be the subject of any automated decision-making by us using your
personal data or profiling of you. ID-Pal does not make decisions based solely on
automated processing.
• You have the right to request the restriction of processing of your personal data.
• You have the right to request transfer of your personal data in an electronic and
structured form to you or to another party (commonly known as a right to “data
portability”).

Not all data protection rights are absolute and some, not all, may be restricted in
certain circumstances.

You can submit a data protection rights request to our DPO at sinead@id-pal.com
and we will respond without undue delay and in any event within one month of
receipt.

You also have the right to complain to the ICO if you have concerns about how we
process your personal data. Make a complaint | ICO