Created 21/05/2018
Updated 21/05/2018

Processing of data

KYC Center

Registry code: 14368850
Address: Räime 17-8, Tallinn, Estonia
Telephone: +372 5568 11557
E-mail: [email protected]

Data controller & Data Protection Officer

Tatjana Kostrõkina
Telephone: +372 55681157
E-mail: [email protected]

This Privacy Policy (hereinafter - Policy) is developed in accordance with legislation of the Republic of Estonia and requirements of the Regulation №2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and of the Directive №2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, taking into account national laws on personal data protection of countries outside the European Union.

Personal data processing policy

The present policy regulates the processing of personal data by KYC Center Ltd. (hereinafter – KYC Center). KYC Center implements all necessary measures for the provision of the secure processing of personal data, obtained during activities of KYC Center.

You can review the current personal data processing policy on the permanent URL https://kyc-center.com/en/processing

KYC Center may change the present policy unilaterally. The new edition of the policy becomes effective from the moment of its publication on the website of KYC Center Ltd. unless otherwise provided in the latest version of the document.

The personal data is processed in accordance with this policy and the “General terms and conditions of KYC Center”.

Definitions

Personal data - any information related to an identified or identifiable natural person (“data subject”).

Identifiable natural person – a person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Client – a natural or a legal person successfully verified in the system of KYC Center and issued with a unique personal KYC-code.

Business-partner – a legal person, that signed an agreement on the access to the database and the Application Programming Interface of KYC Center, that is granted with the right to identify a client on the basis of 1) the provision of the KYC-code to the business-partner by the client; 2) the client’s confirmation of the consent to provide data via KYC Center.

Account – a record which contains a data set that a client or a business-partner sends to the KYC Center by filling in the online-form in the system of KYC Center or by other means and that is stored in the system of KYC Center.

Processing of personal data in KYC Center - any automated or non-automated operation or set of operations that are connected with the collection of personal data, their systematization, accumulation structuring, recording, storage, clarification, alteration, monitoring, sending, dissemination (disclosure by transmission, transfer or by providing access), alignment or restriction, erasure or destruction.

Trustworthiness – a set of characteristics and/or transactions that is related to a client in the understanding of the Directive №2015/849 of the European Parliament and the Council.

Person’s profile analysis – a processing of personal data of a subject in KYC Center that includes a usage of personal data for an assessment of particular personal aspects, which are related to a natural person, inter alia, for an analysis and a determination of person’s risk level (low, medium, high) in accordance with the criteria, established in the “General terms and conditions of KYC Center” and with an analysis of aspects related to economic situation, trustworthiness, place of residence and actions of a person.

Person’s verification – a process of person’s identification and a determination of his level of risk in KYC Center following the requirements, stipulated in the Directive of the European Parliament and the Council №2015/849 of 15.05.2015.

KYC-code – a unique personal code, which is issued to a person, who has successfully passed the process of verification in the system of KYC Center. Possession of a KYC-code by a person means that personal data were processed in the system of KYC Center in such way, that a part of personal data was encrypted on a name of a responsible person and was placed in an archive (on a server without the Internet connection). The other part of the information is unavailable to the third parties, it is stored separately and is accessible only to the business-partners, connected to the system of KYC Center.

Encryption of personal data – processing of person’s data, which involves encoding of data by the use of the certificate of the Estonian identity card.

KYC Center – the controller (operator) and the processor that independently defines means and purposes of the processing, as well as carries out processing directly.

Client’s consent – means a freely given, specific, informed and unambiguous indication that a client does wish to agree to the processing of personal data, given by a statement or by clear affirmative action.

Informational notification – notification of a client for informational purposes about new opportunities of the system and business-partners of KYC Center.

Notification about events in the account – notification directed to the client in order to ensure the security of the system of KYC Center, which takes place in the following cases: an activation of the account, a login, a KYC-code generation, an inclusion of a business-partner, a request from a business-partner, unusual activity of a client.

Recommended limit – an annual transaction limit requested by the client and verified by KYC Center, which depends on the country of residence, the scope of activity and professional status of the client.

Risk level - a probability of occurrence of money-laundering and terrorist financing risks in transactions with business-clients, due to the absence of previous business relations with a particular client or due to the uncertainty of the development of a financial transaction with the client at the time of its commitment. KYC Center sets the level of risk by analyzing the client's personal data, as well as publicly available information, and automatically encodes it in the KYC code. The assessment of the risk level shall be made manually by an employee of a KYC Center, taking into account requirements of the Directive of the European Parliament and the Council №2015/849 of 15.05.2015 and in strict compliance with “Procedural rules of person’s identification and risk level assessment”.

Rights of the data subjects

In accordance with provisions of Regulation of the European Parliament and the Council №2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the client has the following rights:

  1. to receive adequate and comprehensive information regarding the processing of personal data;
  2. to obtain information on the legal basis and the purposes of the processing of personal data;
  3. to get contact details of the controller and of the data protection officer;
  4. to obtain information about the recipients (receivers) of the personal data;
  5. to file a request before KYC Center and to receive a response to the request at the latest within one month of the receipt of that request;
  6. to receive information on the retention period for personal data;
  7. to get an access, to erase, to rectify personal data and to restrict their processing without undue delay;
  8. to receive the personal data, which he has provided to KYC Center and to transmit them to another controller;
  9. to withdraw consent to the processing of personal data and to request the closure of the account in the system of KYC Center. The request can be made by sending of an individual written application submitted to the legal address of KYC Center Ltd. via registered mail return receipt or by filling in of the appropriate form in the account or by sending of the application at the e-mail address [email protected] with the subsequent client’s identification;
  10. to opt-out of receiving of informational notifications or notifications about events in the account. For this purpose the client need to turn off notification feature in the account or to send the corresponding request with his KYC-code at the e-mail address [email protected]
  11. to challenge a risk level assigned by KYC Center according to the procedure laid down in the “General terms and conditions of KYC Center”;
  12. to obtain an abstract of personal data, which are stored in KYC Center. For this purpose, the client has to submit a request to the legal address of KYC Center Ltd. via registered mail return receipt. The application shall contain the KYC-code, the number of the primary identification document of the data subject or his representative, the information on the date of issuance of this document and the issuing organization, the particulars, the signature of the data subject or his representative. In case of submission of the request through data subject’s representative, it must be accompanied by a paper confirming his representation powers.
  13. to receive information about the location of KYC Center Ltd., persons (except of employees of KYC Center) that have a right to access his personal data or to whom they could be disclosed under a contract with KYC Center or under the law;
  14. to obtain information on business-partners that have an access to the KYC Center database. When the client provides the business-partner with the KYC-code and reaffirms the consent to give an access to his personal data to the business-partner (in response to the request of a business-partner to KYC Center) the client also, depending on partner’s location, provides a separate consent on the transfer of personal data to third countries. The business-partner becomes a sole controller of a data referred to him and conducts their processing exclusively on the basis of standard contractual clauses, adopted by the European Commission. The list of data to which the business-partner might gain an access, is specified in the para 7 of the section 7 of this Policy.;
  15. to receive information about automatic personal data processing of personal data. The logic involved and the consequences of the application of automated decision-making by KYC Center for a client are described in the “General terms and conditions of KYC Center”;
  16. to lodge a complaint against KYC Center in a particular supervisory authority, if he believes that the processing of personal data does not comply with legislation:

Estonian The Data Protection Inspectorate

Address: Väike-Ameerika 19, Tallinn 10129

E-mail: [email protected]

Telephone: +372 627 4135

The fundamental principles of the processing of data in KYC Center

KYC Center guarantees that the processing of personal data in the system of KYC Center is conducted on a legal and fair basis, in strict compliance with the purposes and principles, which are indicated in the “General terms and conditions of KYC Center”. The collected data is not processed for reasons, which are not listed in the “General terms and conditions of KYC Center”.

The person provides only specific personal data for the verification procedure, which is needed for KYC Center to achieve the goals outlined in the “General terms and conditions of KYC Center”. The excessive processing in relation to the purposes, which are declared in the “General terms and conditions of KYC Center”, is not permitted.

KYC Center partially uses the system for the automated processing of personal data but doesn’t make decisions based solely on automated means.

KYC Center excludes consolidation of databases that contain personal data, processing of which is carried out for incompatible purposes.

KYC Center ensures accuracy, sufficiency and relevancy of personal data with regard to the purposes of their processing in the most accessible and reasonable way.

The consent of the data subject

The registration of the account on the website www.kyc-center.com confirms person’s free will, intended to accept conditions of this agreement.

The client ticks the boxes and confirms the following facts, before registration in the system of KYC Center and prior to the provision of his data:

  • personal data, which he gives out belong to him personally;
  • he reviewed the present personal data processing policy carefully, in its entirety;
  • he acknowledges and confirms that he understands all provisions of this agreement and terms of the processing of personal data;
  • he gives consent for the processing in the system of KYC Center of personal data, which he provides for the registration as the client of KYC Center.

The consent to the processing shall remain in force indefinitely, but could be withdrawn by the data subject by sending of an individual written application submitted to the legal address of KYC Center Ltd. via registered mail return receipt or by filling in of the appropriate form in the account or by sending of the application at the e-mail address [email protected] with the subsequent client’s identification;

Prior to applying for KYC-code, the client can permit to send him informational notifications or notifications about events in the account in the form of SMS-messages or e-mails. He should indicate it by ticking the appropriate box “Accept notifications”.

The option of applying for KYC-code does not depend on consent mentioned above. The consent on receiving of informational notifications can also be provided later by turning on the notification function in the account. The permission to the processing shall remain in force indefinitely but could be withdrawn by the data subject by turning off the notification feature in the account.

By accepting the terms of this policy, the subject agrees his data to be processed by KYC Center. A person consents as indicated in this policy on the processing of his personal data in the following ways: collection, systematisation, accumulation, storage, clarification (updating or alteration), usage, dissemination (under this policy), depersonalization, blocking, destruction and the transmission, including cross-border transfer (under this policy).The processing may take place by automated means, as well as without them.

By accepting this agreement the person also gives consent for analysis and verification of personal data submitted by him with the help of publicly available resource.

By accepting this agreement, the person agrees that some of his personal data (para 7 of section 7 of this policy) will be provided to the business-partners within the terms stipulated in this policy and in the “General terms and conditions of KYC Center”.

By accepting this agreement the person acknowledges and reaffirms, that in cases specified by the “General terms and conditions of KYC Center”, KYC Center is entitled to disclose his personal data, following the written request of public authorities. During disclosure of personal data to a public authority KYC Center is guided by requirements of Money Laundering and Terrorist Financing Prevention Act of the Estonian Republic and the Directive №2015/849 of the European Parliament and of the Council of 20.05.2015 or other legal act, which is binding for KYC Center or for business-partners, which are connected to him.

KYC Center is obliged to disclose and share personal data in order to carry out legal demands of public authorities or with an aim to achieve security of business-partners or other persons against fraudulent activities and to prevent the financing of terrorist activity. Further details can be found at the following link: ###

The information that is gathered by KYC Center

KYC Center Ltd. gathers only those personal data that are necessary for the practical achievement of the goals outlined in the “General terms and conditions of KYC Center”. In pursuit of these objectives, KYC Center Ltd. collects data that are related to the development and operation of the system of KYC Center, the opening and administration of an account, the performance of contracts with business-partners. Identified or identifiable person directly provides his personal data to the system of KYC Center by filling in the online form or by reporting of further details about himself.

Information that is collected and processed shall include:

  1. the individual's name, surname, date of birth, sex, place of birth and country of residence for tax purposes;
  2. the information on ultimate beneficiaries (assignee);
  3. the contact details: residential address, phone number, e-mail address;
  4. the payment information;
  5. the copies (the photo in JPG or PNG format; with a good quality of 4000 pixels resolution on both sides) of passports or ID-cards and, if necessary, other identity documents, that should be given to prevent money-laundering, fraud and terrorist financing;
  6. the photo of identified or identifiable natural person (in JPG or PNG format; with a good quality of 4000 pixels resolution on both sides);
  7. the details on visiting/ login to the system by the client of the system of KYC Center;
  8. the details on requests of business-partners for verification of the KYC-code, where clients confirmed providing the business-partner with access to personal data;
  9. the IP address – the country, the time zone/region, the Internet service provider;
  10. the data on involvement in litigations from open sources and state registries;
  11. the info on the sphere of activity (the profession), the financial condition and, if necessary, on sources of income;
  12. the result of the investigation of the designation of the person on sanctions lists;
  13. publicly available information about the person;
  14. the information about accounts and social networking pages from the references provided by the clients;
  15. the records of phone-calls/ Skype conversations and any other correspondence between KYC Center Ltd. and identified or identifiable person and business-partner;
  16. the data on the assigned to the individual risk level and personal KYC-code.

The usage of personal data

The collection and processing of data subject’s personal data are meant for the following purposes:

  1. the registration of the account in the system of KYC Center;
  2. the identification of the person and determination of his risk level, taking into consideration criteria indicated in the “General terms and conditions of KYC Center”;
  3. the prevention and detection of fraud, money laundering and terrorist financing;
  4. the verification and monitoring of clients, that are required under legal acts and internal regulations;
  5. the provision to clients and business-partners of uninterruptible and continued access to the system of KYC Center via computer or other compatible devices;
  6. the delivery of information regarding new products/services of KYC Center or newly connected business-partners, if the person allowed to contact him for such purposes;
  7. the statistical analysis for internal use of KYC Center;
  8. the design and improvement of services of KYC Center;
  9. the informing individuals about malfunctions of the service, hacker attacks, other incidents, as a result of which the personal data were put at risk in any way and their potential negative consequences, as well as about the measure taken by KYC Center to fix malfunctions, to implement additional security measures to protect personal data and the provision of necessary instructions;
  10. the prevention of unauthorized usage of the KYC-code by third parties.

KYC Center determines person’s risk level on the basis of personal data supplied to the system of KYC Center by the client and according to “Procedural rules of person’s identification and risk level assessment”. KYC Center relies on three levels of risks:

  • Green level of risk - a person has a low level of risk if in the verification process a person has provided complete and reliable personal data and is not: a politically significant person; a person from a high-risk country; a subject of international sanctions.
  • Yellow level of risk - a person has heightened level of risk since in the verification process it was found that he is a politically significant person or a person, with whom the conduction of transactions require more substantial attention from the business-partner. At the time of verification, the person provided complete and reliable personal data. Business-partners are informed that deals with such person call for special attention.
  • Red level of risk - the person has a high level of risk, since he is a subject to international sanctions. Deal with this person is prohibited. A red risk level is also assigned to a person who has not undergone mandatory re-verification, which takes place once a year.

The storage and transfer of personal data

The principal place of storage of personal data is the territory of the European Union. KYC Center is also entitled to maintain personal data outside the European Union, and this also applies to states and territories, whose legislation requires the storage of their citizens’ personal data within territories of those states. The storage of data outside the European Union is intended to provide a backup. There is a transfer of data between the jurisdictions (territories) mentioned above in the course of its creation.

By accepting this agreement the client acknowledges his awareness of potential risks of transfer of personal data to third countries, that are located outside the European Union, including countries for which there is no decision of European Commission on an adequate level of protection of personal data within the meaning of the Article 45 of the Regulation of the European Parliament and the Council №2016/679 of 27 April 2016 „On the protection of natural persons with regard to the processing of personal data and on the free movement of such data”, More information about the adequate level of data protection can be found here.

If a person is not a European Union citizen, by accepting this policy he voluntarily and consciously consents to the cross-border transfer of personal data. In case, wherein the state of client’s residency there is the requirement to collect personal data exclusively on the territory of such state, the KYC Center is obliged to transfer personal data of these individuals outside the European Economic Area for lawful data acquisition and processing.

KYC Center applies procedures and protective measures to prevent unauthorized access, unlawful processing, accidental loss, destruction or damage of data. They are applied to all personal data of clients and business-partners, which were received through the system of KYC Center by filling in the online-form.

After processing of personal data provided by the client and issuing of individual personal KYC-code for him, the part of personal data is achieved, encrypted through the use of digital technologies and is sent for storage purposes to the archive on a hard drive without access to the Internet. The remainder of the information is securely protected from unauthorized access of third parties.

The data that is moved to the archive include:

  • the copies of the passport/ ID-card;
  • the payment information;
  • the client's photo with identity document;
  • the contact details: residential address, phone number, e-mail address;
  • the information on the scope of activity (the profession), the financial condition and sources of income;
  • the data on checking the person against sanction lists;
  • the information on the person’s accounts in social networks;
  • the records of phone-calls, internet calls and any other correspondence and information received by KYC Center Ltd. during the process of identification of the person.

The data is provided to the connected to the system of KYC Center business-partner within the framework of the “General terms and conditions of KYC Center” with the consent of the client, which is given by acceptance of the conditions of the present agreement, and also by reaffirming the consent to the transfer of the data listed below separately to a specific business-partner.

This data includes:

  • the name and surname of the Client;
  • the date of birth of the Client;
  • the country of residence of the Client;
  • the date of receipt of the code;
  • the level of risk of the Client;
  • the recommended limit.

KYC Center observes the principle of confidentiality of personal data of identified or identifiable persons and provides data to business-partners only in those amount and ways, that are specified by this policy and set out in the “General terms and conditions of KYC Center”, as well as to authorized public authorities on the grounds of a written request to KYC Center.

KYC Center Ltd. retains personal data throughout the period of subscription to the system of KYC Center, and 5 (five) years after termination of the contractual relationships.

The KYC Center company has developed internal procedural rules for the protection of personal data, which are compulsory for all employees of KYC Center.

came into force on 01.06.2018