Status: September 2023
Dear ZignSec clients, users, visitors, guests, employees, shareholders, and website visitors:
ZignSec provides a Compliance Orchestration Platform via the ZignSec Portal (the Portal) that enables clients to access data from multiple vendors that provide customer due diligence products, specifically for identity and AML purposes.
First, we would like to let you know who is taking care of your personal data:
ZignSec AB is a Swedish company, with its main office at Gävlegatan 12, SE-113 30 Stockholm. ZignSec is a RegTech company listed on the NASDAQ composite. Wyzer and Web Shield are ZignSec subsidiaries. The CEO of ZignSec is Mr Glenn Mac Donald.
ZignSec’s DPO is Mr Jason Coombes. You can reach out to him at email@example.com if you would like to exercise any of your data protection rights or have more information about our privacy policies and technical measures. We are ready to process your request and keep you informed in a timely manner.
Next, we would like to inform you about how we process your personal data.
1. Our data subjects and how we get personal data from them
Our data subjects are the following:
- Legal representatives of our Clients, the Master User and invoicing contact: We obtain the personal data of these individuals (the client acting as controller) in the context of the contractual negotiation, and we process these data until the contract is terminated and/or as required by law.
- Users: The Master User provides information about the system users which may or may not include name, company name, email, address, telephone, and other relevant data. This information is processed by ZignSec to identify the users and grant them access to the Portal. ZignSec also uses the personal data of users to provide them with support and service-related information.
- Applicants for job positions: We receive personal data directly from job applicants in the context of their job applications. We keep their personal information for longer than the legally permitted period ONLY after obtaining their consent.
- Employees: We obtain their personal data in the context of recruitment, employment contract negotiation and signature, and in the context of carrying out background checks. We only use pictures with employee consent.
- Legal representatives and contact persons of our service providers: In the context of a services contract, we receive their personal data directly from them or from their company. We process these data until the contract is terminated and/or as required by law.
- Sales prospects: We obtain personal data of potential clients from different sources such as LinkedIn. We only send offers after consent from the prospects.
- Newsletter subscribers: We receive personal data directly from newsletter subscribers when they subscribe to our newsletters.
- Website visitors: We may process your personal data when you visit this website. We may also process information collected by way of pageview activity. Furthermore, we may collect and process any personal data that you share with us in our website’s forms, such as when you register for information and newsletters, after requesting consent.
2. The personal data that we process
As controllers, we process the following personal data:
- Names and email addresses
- Job title
- Postal addresses
- IP addresses
- Phone numbers
- Invoicing information
- Job applications information
- Geographic location data
For the provision of the service, we process the following data on behalf of the controller:
- Names and email addresses
- Personal identification number/Social security number
- Identity documentation number
- Complete address
- Email address
- Bank account information
3. Basis for the processing of personal data
We may process your personal data on the following legal bases:
- Contractual basis: In the case of service contracts with our clients, employment contracts with our employees, service contracts with our service providers, non-disclosure agreements, and other types of contracts.
- Compliance with legal obligations: For instance, tax and employment law obligations.
- Consent: We process personal data for marketing and sales purposes based on freely given, specific, informed, and unambiguous consent provided by you.
- Legitimate interest: After a balancing test, to make sure the rights of our data subjects are duly protected.
At ZignSec we neither sell nor lease any personal data.
4. Cookies
A cookie is any kind of file or device that is downloaded to a user’s system for the purpose of storing data that may be updated or retrieved by the company responsible for its installation. The main purpose of cookies is to make it quicker for users to access the selected services. In addition, cookies make it possible to tailor the services offered by the website, allowing information of interest to be provided.
- We process your personal data by using a cookie that stores your login credentials. This is a session cookie that is automatically invalidated after your visit. We need this cookie to collect your User ID only for user validation. Without completing this validation process it is impossible for us, for legal, contractual and security reasons, to grant you access to our system.
- We also use the LinkedIn Insight Tag on our corporate LinkedIn page. In this case, data is pseudonymized after 7 days and deleted after 90 days.
5. Measures to keep your personal data safe
The following is a summary of the technical and organisational measures implemented by ZignSec to ensure the security of personal data processing:
- Training: to make sure that everybody at ZignSec understands their data protection responsibilities.
- Contract management: to ensure contracts with service providers offer accurate protection of personal data.
- On-premises security measures: to make sure that no malicious entity can access the data you entrust to us.
- Restricted access to documentation: to strictly ensure that the individuals who do not need to have access to your personal data do not have access to it.
- Confidentiality clauses: to ensure that our employees and subcontractors keep your personal information confidential.
- Virus scans and firewalls: to review and identify technological threats that could affect our information.
- Data backup and data restoration: to prevent your personal data from getting lost.
- Tests and audits: to verify security measures.
- Automated security tests: to ensure that each software release is checked against newly emerging threats. Each year, the Company performs a comprehensive penetration test for this purpose.
6. Geographical location data
As ZignSec offers its Portal service worldwide, ZignSec offers a number of data regions. A data region is a set of data centres located within a defined geographical area where personal data is stored. Personal data is not transmitted between data regions. The personal data of European citizens is processed in the EEA.
7. Storage of personal data
Personal data collected by ZignSec will be stored exclusively in secure hosting facilities provided by Microsoft. ZignSec has a data processing agreement in place with its provider, ensuring compliance with GDPR. All hosting is performed in accordance with the highest security regulations. All transfers of data internally in the EEA are done in accordance with this data processing agreement.
8. Retention of personal data of the controller
ZignSec retains and deletes personal data processed on behalf of the controller under the instructions of the controller. The Master User is the entity that has control over the duration of the Personal Data kept by ZignSec.
9. Retention of personal data of the processor
At ZignSec we know you have the right to be forgotten. At the same time, we are aware of other legal responsibilities that derive from different types of contractual relationships. That is why we have designed an erasure concept that balances your data protection rights with legal obligations in line with tax, civil and commercial, regulatory, corporate, employment and criminal law. We erase your personal information at the end of the retention period allowed or required by those laws.
The personal data erasure concept designed by ZignSec is the following:
- Personal data of shareholders: deleted after 10 years, unless the tax assessment for the financial year has not yet been completed.
- Personal data of employees: deleted 10 years after the conclusion of the employment contract, unless the tax assessment for the financial year has not yet been completed.
- Personal data of job applicants: deleted one year after the end of the recruitment process. If we are required to keep your personal data longer, we will request your consent.
- Personal data in the archives of the Portal: anonymised after 10 years.
- Personal data of newsletter recipients and sales prospects: deleted after 5 years or as soon as they withdraw consent.
10. Reasons and circumstances under which we share your personal data
We might share your personal data within the ZignSec Group in the context of our Intercompany Data Protection Agreement, which includes Standard Contractual Clauses (“SCC”), for sharing personal data with Web Shield Limited.
We may also share personal data with third parties in the following context:
- We may share your personal data with some of our service providers under strict contractual clauses established in data protection agreements and after a diligent screening.
- We might also share your personal information if required by a competent authority.
- We might also share the personal data we collect after receiving your explicit consent.
11. Countries to which we transfer personal data
We transfer your personal data within the group, meaning Germany, the UK, Malta, and Poland. Our servers are in Germany.
We could transfer your personal data to third countries because of contractual relationships between ZignSec and our service providers. We would only transfer personal data to third countries in exceptional circumstances. If we do, we will make sure that we do it in the context of the contractual relationship and according to the following standards:
- If necessary, SCC will be signed with the data importer. Before concluding such SCC and carrying out such transfer, ZignSec will perform a legal assessment to evaluate whether the legislation and/or practices of the third country could ensure compliance with a level of protection substantively equivalent to that guaranteed in the EU by the GDPR.
- If the measures mentioned above do not provide a sufficient level of protection, ZignSec shall use its best endeavours to implement appropriate complementary measures in order to provide a substantively equivalent level of protection as that provided in the EEA and further assess whether the law of the third country will have a negative impact on these complementary measures, preventing them from being effective.
12. Enforcement of your rights
Under GDPR, you are entitled to exercise the following rights:
- Right to request from the controller access to personal data: you may require (i) information on whether your personal data is retained and (ii) access to your personal data retained, including the purposes of the processing, the categories of personal data concerned, and the data recipients as well as potential retention periods.
- Right to rectification, erasure, or restriction of personal data: you may request rectification, removal or restriction of your personal data, e.g., because (i) it is incomplete or inaccurate, (ii) it is no longer needed for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn.
- Right to withdraw your consent: you may refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to the processing of your personal data at any time.
- Right to object: you may object, on grounds relating to your particular situation, to the processing of your personal data. In this case, please provide us with information about your particular situation. After assessing the facts you present, we will either stop processing your personal data or present you with compelling legitimate grounds for continuing the processing.
- Right to data portability: you may require (i) to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and (ii) to transmit those data to another controller without hindrance from our side; where technically feasible you shall have the right to have the personal data transmitted directly from us to another controller.
- Right to lodge a complaint with a supervisory authority: you may take legal actions in relation to any potential breach of your rights regarding the processing of your personal data, as well as to lodge complaints before the competent data protection regulators.
If you need to enforce any of your rights please send your request to firstname.lastname@example.org with a copy to email@example.com.
ZignSec AB, Gävlegatan 12 B in 113 30 Stockholm, Sweden