US Privacy Laws 2023 – Identity (Third Party & Service Provider)

Local Laws – United States of America (Service Provider and Third Parties)

The following terms apply when a Customer is subject to US Data Protection Laws when sending Customer Data or receiving Results from a GBG Entity. These Local Laws are supplementary to the General Terms agreed by the Parties and referenced in the Order Form and shall, together with the Product Terms, apply to the provision of the Service purchased by the Customer Entity from the GBG Entity. Where there is a conflict between the General Terms and these Local Laws, these Local Laws shall take precedence.

 

1. DEFINITIONS

 1.1 In these Local Laws, the following definitions shall apply in addition to the definitions set out in the General Terms and Product Terms unless the context expressly states otherwise:

“Applicable US Data Protection Laws” means the California Consumer Privacy Act of 2018 and its corresponding regulations (“CCPA”) and the California Privacy Rights Act and its corresponding regulations, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Utah’s Consumer Privacy Act, the Connecticut Data Privacy Act, and any other U.S. federal, state, or local data protection and privacy laws, regulations, or guidance, as amended from time to time, that are applicable in relation to the processing of personal information under the Agreement.

“collects,” “consumer,” “processes,” “personal information”, and any other terms not defined hereunder, but which are defined under Applicable US Data Protection Laws, shall have the definition allocated to that term under the relevant Applicable US Data Protection Laws.

“CPRA” means the CCPA, as amended by the California Privacy Rights Act, and its corresponding regulations, as amended from time to time.

“Customer” means, as applicable, the Customer or a provider of services to the Customer such as an intermediary or reseller.

“Customer Personal Information” means the personal information provided by the Customer to GBG, or which GBG collected on Customer’s behalf to perform the service(s) for the Customer under the Agreement.

2. Service Provider Obligations.

2.1 GBG Entity agrees:

(a) it shall not sell or share any Customer Personal Information that it collects pursuant to the Agreement;

(b) it is processing the Customer Personal Information pursuant to the Agreement, and the Customer is disclosing the Customer Personal Information to GBG Entity only for the following limited and specified Business Purpose(s) listed in subclause (c) below;

(c) the specific Business Purpose for which GBG Entity is processing Customer Personal Information pursuant to the written Agreement with Customer is to perform services on behalf of the Customer by verifying Customer’s consumers’ information and providing customer support, as further detailed in the Agreement and in accordance with the CPRA (the “Business Purposes”). GBG Entity shall not retain, use, or disclose any Customer Personal Information that it collected pursuant to the Agreement for any purpose other than Business Purpose(s), or as otherwise permitted by the CPRA;

(d) it shall not retain, use, or disclose the Customer Personal Information that it collected pursuant to the Agreement for any purpose other than the Business Purposes, unless expressly permitted by the CPRA;

(e) it shall not retain, use, or disclose the Customer Personal Information that it collected pursuant to the Agreement for any commercial purpose other than the Business Purpose, outside the direct business relationship between the GBG Entity and the Customer, unless expressly permitted by the CPRA;

(f) it shall not retain, use or disclose the Customer Personal Information that it collected pursuant to the Agreement outside of the direct business relationship between the Customer and GBG Entity, unless expressly permitted by the CPRA;

(g) it shall comply with all applicable sections of the CPRA, including, with respect to the Customer Personal Information it collected pursuant to the Agreement, providing the same level of privacy protection as required of businesses by the CPRA. This includes using reasonable commercial efforts to cooperate with the Customer in responding to and complying with consumers’ requests made to Customer in relation to GBG Entity’s processing under the Agreement pursuant to the CPRA, and implementing reasonable security procedures and practices appropriate to the nature of the Customer Personal Information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with the CPRA;

(h) it grants the Customer the right to take reasonable and appropriate steps to ensure that GBG Entity uses the Customer Personal Information that it collected pursuant to the Agreement in a manner consistent with the Customer’s obligations under the CPRA, at Customer’s cost. This may include ongoing manual reviews of GBG Entity’s system and regular internal or third-party assessments, audits, or other technical and operational testing once every twelve (12) months, with twenty-eight (28) days advance notice, in accordance with any audit clauses set out in the Agreement;

(i) it shall notify the Customer after it makes a determination that it can no longer meet its obligations under the CPRA;

(j) it grants the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate GBG Entity’s unauthorized use of Customer Personal Information.

2.2 CPRA Subcontractors. If GBG Entity subcontracts with another person in providing services to Customer, GBG Entity shall have a contract with the subcontractor that complies with the CPRA.

2.3 California Consumer Requests.

(a) If GBG Entity receives a request made pursuant to the CPRA directly from a Consumer in regards to any processing it is conducting as a service provider, GBG Entity shall inform the Consumer that the request cannot be acted upon because the request has been sent to a service provider.

(b) GBG Entity shall enable the Customer to comply with consumer requests made pursuant to the CPRA.

3. Scope of Processing.

3.1. The parties agree that:

(a) GBG Entity shall be bound to the processing instructions, requirements, and limitations set out in the Agreement;

(b) the nature and purpose of the processing are as set out in the Agreement;

(c) the duration of the processing shall last throughout the duration in which the Agreement is in effect;

(d) the rights and obligations of both parties are set out in the Agreement;

(e) the types of personal data which are subject to GBG Entity processing depend on the product(s) you contracted to take from us under your Agreement, and may be as follows, respectively:

 

Product: ID3global

Consumer Personal Information Processed under the relevant Product:

Personal Identification: Driving license number, Date of Birth, National Identification Number, National identity card details, Passport Number, Full Name, Photo

User Account Information: Account Number

Browsing Information: IP Address

Contact Information: Home Address, Previous Residence Address, Phone Numbers, Email, Contact details

Financial Information: Bank account information

Geolocation: Country

Product: IDScan Enterprise (web)

Consumer Personal Information Processed under the relevant Product:

Personal Identification: National Identification Number, Date of Birth, National identity card details, Signature, Gender, Photo, Age, Marital Status, Citizens Status, Full Name, Nationality, Physical Characteristics, Government Identification Document (e.g. driver’s license or passport, and all personal information contained therein)

Contact Information: Home Address

Family Information: Relationships, Parents’ Names

Information that could be deemed Sensitive Personal Information, depending on the jurisdiction: Biometric data, Racial or Ethnic Origin, Driving license number, Social Security Number, Passport Number

 

3.2 GBG Obligations. GBG Entity shall, in accordance with Applicable US Data Protection Laws:

(a) Adhere to Customer’s instructions.

(b) Assist Customer to meet its obligations under Applicable US Data Protection Laws. Therefore, GBG Entity shall, taking into account the nature of the processing and information available to the GBG Entity and in accordance with its obligations under Applicable US Data Protection Laws, assist the Customer by:

i. taking appropriate technical and organizational measures, insofar as reasonably practicable;

ii. aiding in the fulfilment of the Customer’s obligation to respond to consumer requests to exercise their rights, insofar as such obligations are related to GBG Entity’s processing of the Customer Personal Information under the Agreement;

iii. helping to meet the Customer’s obligations in relation to the security of processing the Customer Personal Information and in relation to the notification of a breach of the security system;

iv. providing information to the Customer necessary to enable the Customer to conduct and document any data protection assessments required from Customer under Applicable US Data Protection Laws, but GBG Entity shall only be responsible for the measures that are allocated to it; and

v. Notwithstanding the instructions of the Customer, GBG Entity shall ensure that each person processing the Customer Personal Information is subject to a duty of confidentiality with respect to the Customer Personal Data.

3.3. Subcontractors

GBG shall engage a subcontractor only after providing the Customer with an opportunity to object within thirty (30) days of notification to legal@gbgplc.com and pursuant to a written contract, which requires the subcontractor to meet the obligations of the GBG Entity with respect to the Customer Personal Information. If Customer does not provide such written objection within thirty (30) days of the notification date, then Customer shall be deemed to have approved the new subcontractor if it continues to utilize the relevant GBG Service. The subcontractors that will serve as sub-processors under the Agreement are set out in the following link: https://www.gbgplc.com/en/legal-and-regulatory/identity-authorised-sub-processor-list/ and are hereby deemed to be approved by the Customer. Customer acknowledges and understands that GBG Entity is not providing a bespoke service to Customer and GBG Entity may be unable to accommodate Customer requests in regards to specific subcontractors. Thus, if Customer objects to any subcontractor it shall have the right to terminate this Agreement within thirty (30) days of notice to GBG Entity.

3.4 Data Security. GBG Entity and Customer shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

3.5. GBG’s Obligations at Termination or Expiration of the Agreement.

At the Customer’s selection, GBG Entity shall delete or return all Customer Personal Information at the end of the provision of the services, unless retention is required by applicable law. However, Customer agrees that GBG Entity may instead delete the Customer Personal Information if returning it is commercially unreasonable. 

3.6 Customer Reviews and Audits. GBG Entity shall:

(a) make available to Customer all information necessary to demonstrate compliance with its obligations under Applicable US Data Protection Laws.

(b) allow for and contribute to reasonable audits and inspections by the Customer or Customer’s designated auditor, as further detailed in the Agreement. Alternatively, Customer consents that GBG Entity may, at its discretion, arrange for a qualified and independent auditor to conduct, annually, and at GBG Entity’s expense, an audit of GBG Entity’s policies and technical and organizational measures in support of its obligations under Applicable US Data Protection Laws using an appropriate and accepted control standard or framework and audit procedure for the audits, as applicable. GBG Entity shall provide a report of the audit to Customer on request.

4. CPRA Third Party Contract Requirements (Sale of Data)

4.1 The terms set out in this clause 4 shall only apply to the Agreement if the Customer has selected the following Datasets (as set out in the Order Form):

(a) GBG DATA|ID NUMBER 201493; and/or

(b) 0388 USA IDENTITY |ID Number 201038

4.2 The Customer understands and acknowledges that such processing of the Customer Personal Information may be construed as a sale of Customer Personal Information to GBG Entity. For the avoidance of doubt, this clause 4 does not apply to any processing GBG Entity conducts when GBG Entity supports any products GBG Entity provides to the Customer, such as when GBG Entity provides customer support, which would be governed under clauses 2 and 3 above of these Local Laws.

4.3 The limited and specified purpose(s) for which the Customer Personal Information is made available to the GBG Entity under the Agreement is to perform services on behalf of the Customer by verifying Customer’s consumers’ information, as further detailed in the Agreement and in accordance with the CPRA. However, the performance of such services includes retaining, utilizing, and disclosing the Customer Personal Information so that GBG Entity may, for its own commercial purposes outside of the direct business relationship with the Customer, improve and develop GBG’s existing and future products by: using the Customer Personal Information to assess Dataset match rates, population coverage, service uptime and customer experience; deriving data from the Customer Personal Information and utilizing such data in its service offerings to generate risk scores or create fraud and/or identity alerts for the Customer and/or third parties.

4.4 The Customer is making the Customer Personal Information available to the GBG Entity only for the limited and specified purposes set forth above and within the Agreement and requires the GBG Entity to use it only for those limited and specified purposes.

4.5 GBG Entity must comply with all applicable sections of the CPRA, including—with respect to the Customer Personal Information that the Customer makes available to the GBG Entity—providing the same level of privacy protection as required of businesses by the CPRA.

4.6 GBG Entity grants the Customer the right—with respect to the Customer Personal Information that the Customer makes available to the GBG Entity—to take reasonable and appropriate steps to ensure that GBG Entity uses it in a manner consistent with the Customer’s obligations under the CPRA.

4.7 GBG Entity grants the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information made available to the GBG Entity.

4.8 The GBG Entity shall notify the Customer after it makes a determination that it can no longer meet its obligations under the CPRA.

5. Miscellaneous

5.1 Additional US Data Protection Laws.

(a) In the event that additional applicable privacy laws are enacted, the Parties shall in good faith negotiate any additional terms that may be required thereunder.

(b) In the event the California Privacy Protection Agency makes any edits to the latest version of the CPRA regulations that are not substantive, those edits will be deemed to be incorporated herein verbatim via reference.