Data Suppliers FAQs

This information relates to the announcement of GBG’s move to become a Data Controller and is intended to provide our data suppliers with further information. If you have a question that is not covered here, please get in touch via your Data Manager.

At GBG we use the power of data to help companies improve digital access, deliver a seamless experience and establish trust so that they can transact quickly, safely and securely with their customers online.

Our core business relies on personal data sourced from our data suppliers. Because of the increasingly sophisticated nature of GBG's products, GBG determines the purposes and means of the processing of personal data that we receive from our third-party data suppliers. This means that, going forward, GBG will be classified as a data controller for the purposes of the processing of personal data under applicable privacy regulation around the world.

Moving from a data processor to becoming a data controller means GBG can offer our customers, data suppliers, and ultimately consumers, even greater confidence in the management, storage and protection of their data. As a data controller, GBG can also better support individuals by being able to deal with their requests for information regarding how GBG processes their data.

A data controller is an entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A data processor is an entity which processes personal data on behalf of the data controller. Previously GBG considered itself a data processor acting on behalf of its customers and data suppliers who are data controllers.

In the GDPR and other privacy regulations, a data controller has full control to determine the purposes for processing data and takes full responsibility for specifying how the data is used and processed by others, including ensuring legal compliance with data laws.

A data processor simply processes data that the data controller provides to them under specific contractual obligations.

In certain jurisdictions, location data is not classed as personally identifiable information (PII) data; however, when combined with other data, it will be classified as PII data.

Location data is classified as PII in certain jurisdictions around the world and therefore is included in this change.

Our core business relies on personal data sourced from our data suppliers. Because of the increasingly sophisticated nature of GBG's products, GBG determines the purposes and means of the processing of personal data that we receive from our third-party data suppliers. This means that, going forward, GBG will be classified as a data controller for the purposes of the processing of personal data under applicable privacy regulation around the world.

Our transition from processor to controller affects the services we offer which are supported by your data.

This means that we may need you to complete a Data Privacy Questionnaire via our OneTrust portal. If so, your Commercial Data Manager will contact you directly to start this process. There will be two questionnaires to complete (initial and subsequent based on your responses) and they will need to be completed by a person with the authority to complete data protection provision questions on behalf of your organisation (this is likely to be your Data Protection Officer (DPO) or someone in their team).

As part of this process, we will be reviewing our existing agreement and, where appropriate, we may also need to send you an Information Security (InfoSec) Questionnaire to update/record relevant security information. If this is the case, you will be invited to our self-serve portal, Wax, to complete this accordingly.

It is also worth noting that as part of our overall review we may need to make changes to our agreement to ensure that it accurately reflects the needs of both parties and the services that are delivered.

This change is occurring now. GBG is in the process of transitioning to become a data controller, the first stage of which is to ensure that we have up-to-date and accurate agreements with all our data suppliers.

No. In most cases we consider ourselves and our data suppliers each as separate and independent Controllers. In some limited circumstances a data supplier may remain a data processor, for example our validation service data suppliers. The roles and responsibilities of the parties are something we will discuss with you once we have received your answers to our two data privacy questionnaires.

Where required, our updated agreement with you will set out our respective roles and responsibilities in relation to responses to subject access requests.

GBG has invested significantly in our Privacy and Data Compliance team, which now has over 18 members with combined privacy experience of over 200 years, ensuring that the data that is supplied to GBG, the foundation of our products and services, remains compliant with all applicable legislation, both now and in the future.

We have also made changes to our products and services and will be updating our agreements with our data suppliers, where necessary, and with our customers.

If you have any more questions, you can email Commercial.Datateam@gbgplc.com or your Commercial Data Manager.