LexisNexis® IDU® App Privacy Notice

          

What this Privacy Notice covers

This Privacy Notice applies to the processing of personal data through the LexisNexis® IDU® App (“App”) and is provided by Tracesmart Ltd, trading as LexisNexis Risk Solutions ("LNRS", "we" or "us"), part of the RELX Group™ of companies.

The App is used by our clients to carry out identification checks to help them check the identities of people applying for or receiving products or services; to assist them in complying with regulations such as anti-money laundering (AML), anti-bribery and corruption or other legal requirements; to help them to prevent and investigate fraud and other potential offences.

Our clients may also need to complete further identity checks for purposes such as the above as well as for the prevention and detection of fraud or other potential offences. This processing is done via our IDU® product, and further details of how your personal data is processed within IDU® can be found at https://risk.lexisnexis.co.uk/processing-notices/business

Please see the ‘How we use your personal data’ section below, which will explain how LNRS will process your personal data via the App.

  • Who controls your personal data

LNRS are a data controller for the App and control the processing of the personal data obtained within it.

There may be cases where a client asks us to complete additional identification checks. Where we process these on behalf of our clients, we are data processors.

The clients who use our services are also data controllers. Their privacy notices will tell you more about how they use personal data. 

How we use personal data

We may process your personal information within the App for the purposes described in this Privacy Notice, with your consent.

Before you choose to use the App to verify your identity, your service provider (our client) will provide you with an alternative method to complete identity verification. If you are happy with the App method, the client will obtain your consent on behalf of LNRS.

We will only process your personal data within the App for the purposes of verifying your identity as described within this Privacy Notice. We will not use your personal data for any other purpose.

We use personal data in the App to perform identity verification services. This assists clients in checking the identities of people applying for or receiving products or services; in some cases this may be to assist them in their compliance with regulation, such as anti-money laundering (AML), anti-bribery and corruption or other legal requirements. It also helps clients to prevent and investigate fraud and other potential offences.

The exact information that is collected depends on the check the client instructs us to perform. For example, when verifying an identity, we may ask for an image of you and your identity document(s), and we make an automated assessment on whether the document is authentic and whether the pictured individual is likely to be the same person as the image. Clients may also check your name and address against addresses obtained from trusted public sources, like the Electoral Register.

When we carry out an identity check on behalf of our clients, we produce a report of the results for the client. In some cases, the report from a check will be 'yes' or 'no'; in other cases we may provide more detail. We provide our clients with this information in order to empower them to make informed decisions about individuals.

What data is collected and from whom it is obtained

In order to begin the process of verifying your identity via the App we will receive your personal data from the Client for you to use the App.

Personal data collected will be dependent upon the Client requirements. For specific details regarding the personal data collected, please contact the Client.

Your photographic image will be provided directly by you to us via the App.

If you have provided consent to the Client, LNRS may process personal data including (but not limited to):

  • your name
  • your date of birth
  • your address
  • email address
  • telephone number
  • documentation such as passport or driving licence; and
  • photographic image.

Sensitive personal data/Special category personal data

The App requires you to upload a photographic image or ‘selfie’. This photographic image is considered biometric data and therefore a special category of personal data under the General Data Protection Regulation (GDPR). In order for us to process your photographic image, LNRS requires your consent. The Client service provider from whom you are receiving a service will obtain your consent on behalf of LNRS, as well as LNRS capturing consent within the App.

How personal data is shared and retained

  • With whom we share personal data and how we safeguard transfers of personal data 

    We share personal data with the categories of third parties described below. Where personal data is transferred to a country outside the European Economic Area ("EEA"), we safeguard the data as described below.
Category Description

Service providers and data partners

We share personal data with service providers who assist us with the provision of our products and services. These providers include customer support, IT service providers, and professional advisors. 

Where we share personal data with service providers in countries outside of the EEA, we make use of the EU-U.S. Privacy Shield Framework, European Commission approved standard contractual data protection clauses, binding corporate rules for transfers to data processors (approved under Article 46(2)(b) of the General Data Protection Regulation), and other appropriate legal mechanisms to safeguard the transfer.

Other affiliated companies of LexisNexis® Risk Solutions within the RELX Group of companies

Some of the service providers we use are other affiliated companies of LNRS within the RELX group of companies. These companies assist us in providing the products and services described in this Notice, such as to provide customer and product support. We have contracts in place with them to ensure they only use the personal data we provide them in accordance with our instructions. Some of our affiliated companies also act as resellers, distributors, integrators or agents for the sale of LNRS products or services. 

These affiliates are located in the United Kingdom, Israel, the Republic of Ireland and the United States. Where we share personal data with LNRS affiliates in countries outside of the EEA, we make use of the EU-U.S. Privacy Shield Framework, European Commission approved standard contractual data protection clauses, binding corporate rules for transfers to data processors (approved under Article 46(2)(b) of the General Data Protection Regulation), and other appropriate legal mechanisms to safeguard the transfer.

If some or all of the LNRS or RELX business is acquired by another company, personal data may be disclosed to the prospective or actual purchasers.

Third parties where required by law (or to protect our rights) 

We also share personal data in order to:

  • comply with the law;
  • investigate and help prevent security threats, fraud or other malicious activity;
  • enforce and protect the rights and property of LNRS or its affiliates; or
  • protect the rights of our customers, employees and third parties. This may include sharing information for the purposes of crime prevention and fraud protection.

  

  • How long we retain personal data 

    We retain personal data as follows:
Category Retention Period

Identification data

We retain identification data (such as names and addresses) whilst there is a continuing need for us to utilise it. We keep this retention under review and we will remove data as and when we no longer require it. 

The photographic images will be stored securely by our Data Processors for as long as is needed to comply with applicable data protection laws and other regulatory obligations. 

 

How you can request to withdraw consent, access, correct, and delete your personal data or ask us not to process your personal data

In accordance with the GDPR, we provide you with the ability to exercise your rights in relation to your personal data in the following ways: 

  • Withdraw consent

If you do not wish to use the App to complete an identity check you can refuse to consent and withdraw your consent at any time by contacting the Client provider or by simply not using the App at all. 

  • Find out if we process your personal data, obtain a copy of the data or correct inaccurate data

To find out if we process any of your personal data, to access a copy of such personal data we may hold about you, or to correct any personal data that you believe is inaccurate, incomplete or out of date, you may contact us as provided in the “How to contact us” section below. You can also direct this request through the Client.

In order to provide you with an appropriate response we may ask for relevant identification documents to confirm your identity in handling your request and also send you a short form to complete to clarify the request and ensure it is dealt with efficiently and in accordance with the GDPR. Where you dispute the accuracy of personal data we receive from third parties, we may confirm its accuracy with the third party that supplied it. 

  • How you can object to, or request to restrict, delete or transfer your personal data

If you object to our processing of the personal data we may hold about you as a controller, or you wish to restrict our use of it or request its deletion, you may contact us as provided in the “How to contact us” section below. As stated above, we may also ask for relevant identification documents to confirm your identity in handling your request and also send you a short form to complete to clarify the request and ensure it is dealt with efficiently and in accordance with the GDPR. 

Your rights to object to, or request that we restrict our use of, or delete your personal data may be limited where we are legally required to process your personal data or have compelling reasons to overrule your request. 

The GDPR also gives individuals a right to ask for information which they have given to a company, to be sent to other companies (for example you can ask for services managed online such as utilities, phone or email to be switched between providers). The GDPR describes this as a “data portability” request. If you wish to apply this right, you may contact us as provided in the “How to contact us” section below. 

How to contact us

If you have any questions or wish to exercise any of the rights described in this Privacy Notice, please contact our Data Protection Officer (at the following address), whom we have appointed to respond to enquiries regarding any of the products connected to the data controllers described in this Notice:

Data Protection Officer
LexisNexis Risk Solutions
Global Reach
Dunleavy Drive
Cardiff
CF11 0SN
Email: DPO@lexisnexisrisk.com

If you have unresolved concerns, you have the right to complain to a data protection authority in the country where you live, where you work or where you feel your rights were infringed.

In the United Kingdom the relevant data protection authority is the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
www.ico.org.uk