Privacy User Acknowledgement and Consent - Sumsub

By clicking the “Continue” button, I hereby agree and express my voluntary, unequivocal and informed consent that personally identifiable information (PII) and the biometric information will be collected and processed for the purposes, as specified in this Consent, of the organisation for which I pass the identity verification process and with which I wish to establish a business relationship (hereinafter - the “Company”), which uses Sumsub Group of Companies (hereinafter - the “Service Provider” or “Sumsub”), through which the Company collects and processes my PII and the biometric information. Please refer to the Privacy Notice for details about the identity and contact details of Sumsub.

 

1. My name and other means of identification for the purposes of obtaining this consent shall be established in the course of the processing of my PII carried out in accordance with this consent. My biometric information, the processing of which I hereby agree and express my voluntary, unequivocal and informed consent, includes facial features or facial scans.

 

2. The following types of PII are subject to processing:

 

    The consent for the processing expressed hereby includes the following PII:

 

·  general personal data: full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship, location (street, city, country, postcode);

 

·  facial image data; photos of a face (including selfie images) and photo or scan of a face on the identification document, videos, and sound recordings;

 

·   biometrical data: facial scan(s); 

 

·  identity document data: document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features;

 

·  banking details: cardholder name, expiry date, first 6 and last 4 digits of the card number, data extracted from documents provided as proof of source of funds/wealth;

 

·   contact details: address, e-mail address, phone number, IP address;

 

·  technical data: information regarding the date, time and activity in the Services; IP address and domain name; software and hardware attributes (camera name and type); general geographic location (e.g., city, country) from Data Subject’s device;

 

·   unique identifier (Applicant ID) created only for the association of the Data Subject and its PII inside the Informational System;

 

·   relevant publicly available data: information regarding a person being a Politically Exposed Person (PEP) or included in sanctions lists;

 

·   personal information that the Data Processor has received from the Controller, such as contact details.

Some of these PII types may not be processed depending on the Company's requirements.

 

I hereby acknowledge and agree that facial images of myself are processed to confirm the liveness of my face and/or to confirm that a given identity document is presented by me, its legitimate owner.

 

3. I hereby acknowledge and agree that processing shall be done for the purposes of the Company and may include matters of compliance with applicable AML/CFT, anti-fraud laws and regulations, age restrictions acts and/or other laws and regulations and/or the Company customer due diligence procedures in accordance with the laws governing the intended business relationship.

 

The processing will also be carried out for other compatible purposes of the Service Provider acting as a separate business. Such compatible purposes include service development, fraud and criminal activity prevention, as well as ‘litigation hold’ and statutory obligations of the Service Provider, and are explained in detail in the Privacy Notice available here. The PII processed by the Service Provider for its own purposes are provided in point 2 above and include biometric data.

 

4. I hereby acknowledge the delegation of PII processing by the Company:

 

4.1. I hereby acknowledge and agree that I know the company details (including the address) of the Company, which holds control over my PII and biometric information. Any orders, directions or instructions for processing, designation of the purposes of the processing, determination of PII subject to processing and other similar matters are the responsibility of the Company.

 

4.2. I hereby acknowledge and agree that the Company may entrust the processing of my PII and biometric information to contractors (e.g. Service Provider) through which the Company collects and processes my data if it is necessary for the processing purposes as set out above; the PII may be disclosed to entities associated with Service Provider to achieve the purpose of the processing under this Consent. The Service Provider stores biometric information in AWS Amazon or Google Cloud (depending on the requirements of the Company on the place of data storage).

 

4.3. I hereby acknowledge and agree that my PII and biometric information may be disclosed to entities associated with the Service Provider to achieve the purpose of the processing under this Consent. The Service Provider guarantees that such entities, as well as other contractors to which it discloses PII, implement appropriate technical and organisational measures to ensure the safety of the personal data.

 

5. Data processing methods

 

I hereby acknowledge and agree that my PII and biometric information shall be processed by means of automated text extraction, verification of authenticity/validity and other methods of automated processing of photos and scanned copies of documents.

 

I hereby acknowledge and agree that Company and Service Provider shall process my biometric information by means of automated reading, verification of the authenticity and other automated processing as stated in the Privacy Notice available here, which includes the processing of facial scan while passing liveness, video-selfie or video identification process, biometric authorisation, face comparison from the photo of an identity document and the facial image, searching of multiple identity creation, work and development of fraud control network to detect and prevent fraud and criminal activity. The biometric processing methods are provided below:

 

·  Sumsub may process biometrics to verify whether provided facial images are likely to match depending on the service chosen by a particular client. The processing of biometrics means extracting facial features from uploaded or recorded facial images on government-issued identity documents submitted by the User and comparing them. Service Provider stores this biometric information for a period our client instructs.

 

·   There are several reasons why clients ask for such biometrics processing. Generally, clients may wish to check whether an identity document genuinely belongs to the user by comparing a provided facial image to the facial image contained in the identity document.

 

·  In addition, clients may ask us to check whether a user is alive and genuine. To do this, Service Provider uses its Liveness check to determine if the user isn’t holding a mobile phone, showing any signs of constraint, or attempting to defraud the system using emulators, static images, or ‘deep fakes’. As a rule, the user is prompted to blink, smile, or move their device while passing Liveness. During such checks, the Service Provider may also detect signs of fraud or other spoofing attacks by comparing the user's facial features to those of known masks. Simultaneously, the Service Provider may also check whether the user may be generating multiple identities by inspecting whether the Service Provider has previously verified him/her on behalf of a particular client. To determine if the user is known to a specific client, Service Provider compares the user's facial image to the facial images of other users previously verified on behalf of that particular client.

 

·   When required by a client, the Service Provider assists in the authentication process. For this, the client may ask the user to pass liveness. During this process, the user’s face is recognized, and the result is compared with the biometric information records of the said user obtained previously.

 

·    For each authentication attempt, Service Provider will compare the new liveness facial image with the biometrics of the said user obtained previously.

 

The PII may be checked against multiple databases, including International Politically Exposed Persons (PEPs), Sanctions, Country-Specific Sanctions Lists and other ‘watch’ lists. It may also be reviewed in adverse media information sources.

 

The consent expressed hereby covers the following processing activities: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission to the Company and the Service Provider and other subcontractors, dissemination or otherwise making available for the performance of a task carried out in the public interest or in the exercise of official authority, transfer (including cross-border transfer, where necessary), alignment or combination, restriction, erasure and destruction.

 

Whenever a transfer of PII outside the EEA is carried out, the Company and Sumsub implement appropriate safeguards as set out in the applicable laws by transferring on the basis of the EU adequacy decisions (or UK adequacy regulations) or by concluding standard contractual clauses. Third-party processors likewise rely on appropriate safeguards, which include binding corporate rules, standard contractual clauses, or other means as allowed by applicable laws. Cross-border personal data transfers from the UK to the EU/EEA countries are permitted by the UK Government.

 

6. Data subject rights

 

    I hereby represent that I have been informed about my rights to:

·   withdraw this consent to PII processing;

·   access and adjust my PII;

·   make a justified demand in writing to suspend the processing of my PII due to a particular reason;

·   object to the processing of my PII;

·   object to being subject to a decision based solely on automated processing/profiling;

·   make a justified demand in writing to erase my PII subject to applicable laws and regulations;

 

all of which may be exercised by contacting the Company directly or the Service Provider with a respective notice at privacy@sumsub.com.

 

Some rights are not exclusive and may be limited to the statutory legal obligations vested in the Company or the Service Provider.

 

I also acknowledge that I have the right to lodge a complaint with the supervisory authority. When it is related to the processing activities of the Company, please refer to the methods specified in its privacy policies. When it relates to the processing activity of Sumsub, please see here for more details.

 

7. I hereby represent that I have been informed that my PII will be retained and stored by Company and Service Provider and will be permanently destroyed based on the Company’s instructions when the Company’s initial purpose and/or retention period prescribed by applicable law expires. Where Service Provider independently defines the compatible purposes or under the legal obligation, the personal data, including biometric information, will be destroyed after Service Provider’s purposes for collecting the biometric information have been satisfied (and one (1) year of the date the purpose for collecting the data expires for residents of Texas) or after five (5) years from the provision of data to the Service Provider system, whichever occurs first. For the residents of Illinois, the retention period of personal data, including biometric information, will be three (3) years from the date of data provision to the Service Provider system. Please check how your PII will be deleted and destroyed in Service Provider’s Data Disposal and Destruction Policy.

 

8. I hereby represent that I have carefully read all of the above provisions and do voluntarily and unequivocally agree with them.

 
