LawDebenture

Data Processing Addendum - ID Verification

This Data Processing Addendum forms part of the IDV Agreement. It is in addition to, and does not relieve, remove, modify, or replace, each party's obligations under Data Protection Legislation and the IDV Laws.

1. Definitions

1.1. In addition to the definitions and rules of interpretation in the IDV Agreement, the following definitions will apply in this Addendum:  

Data Protection Legislation means the Data Protection Act 2018, the UK GDPR, and any other applicable data privacy or data protection laws, as introduced or amended from time to time.

IDV Laws means all laws, regulations and codes of conduct as applicable in England and Wales in relation to identity verification, including but not limited to The Registrar (Identity Verification and Authorised Corporate Service Providers) Regulations 2025, and the Companies Act 2006, as amended by the Economic Crime and Corporate Transparency Act 2023, all as amended from time to time. 

2. Relationship

2.1. We act as data processor for any personal data collected in connection with ID Verifications, and you act as data controller.

2.2. You agree that you will only share personal data with us where you have appropriate authority and legal basis to do so, and that there will be no prohibition or restriction which prevents us (or any sub-processor appointed) from conducting the processing permitted by this Agreement.

2.3. Both parties agree to provide reasonable cooperation and information to the other in order to assist in the other’s compliance with their own obligations under Data Protection Legislation.

3. Scope

3.1. The scope and purpose of processing by Us, the duration of the processing and the types of personal data and categories of data subject are set out below:

(a) Scope: personal data required by Companies House in order to complete ID Verifications and such additional personal data that is reasonably required to manage the IDV Services;

(b) Purpose of processing: to perform the IDV Services, to contact Clients and Users, to manage invoices due under the IDV Agreement, to exercise rights and perform obligations under the IDV Agreement, to monitor, review and improve the delivery of the IDV Services;

(c) Duration of the processing: the duration of the IDV Services and, following termination of the Services, such period as we may be required in order to comply with IDV Laws and all applicable legal and regulatory requirements, and/or with our bona fide data retention policy;

(d) Types of personal data: full name, previous name (if relevant), residential addresses (including historical addresses and relevant move in and move out dates), date of birth, email addresses, identification numbers, professional titles, biometric data; and

(e) Categories of data subjects: your employees, directors, shareholders, company officers, and other stakeholders involved in the IDV Services.

4. Sub-contractors

4.1. By entering into the Agreement, you provide us with a general authorisation to appoint sub-processors as required to assist in our provision of the IDV Services from time to time, provided that we comply with the requirements for doing so under Data Protection Legislation. This shall include entering into a written agreement with the sub-processor that includes data protection and security measures which are no less stringent than those set out in this Data Protection Addendum. We will remain responsible for any sub-processor's performance to the same extent as we are responsible for our own performance under the IDV Agreement.  

4.2. Our right to appoint sub-processors under paragraph 4.1 is limited to the following categories:

(a) Professional services providers;

(b) Providers of digital ID verification tools;

(c) IT service providers (such as but not limited to billing and payment, consulting, customer support, infrastructure, document scanning and/or copying applications, data storage, security, staffing etc.); and

(d) Couriers and other providers of logistics services.

4.3. If we make any changes to the types of sub-processors that we may appoint, we will notify you in writing. If you wish to object to any changes, you must do so within 30 days of receipt of such notice to your usual LawDeb contact and legal@lawdeb.com. Please note that objections may have an impact on our ability to continue to provide the IDV Services. 

5. Processor requirements (Article 28 requirements)

5.1. We will, in respect of personal data processed pursuant to the IDV Agreement:

(i) only process personal data in accordance with this Data Protection Addendum and your additional written instructions, if any;

(ii) ensure that we have appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk involved (including via confidentiality obligations on our personnel);

(iii) provide reasonable assistance in relation to your compliance with Data Protection Legislation;

(iv) ensure an adequate level of protection for any personal data transferred to or shared with a sub-processor;  

(v) notify you of any data breaches without undue delay once we become aware of them;

(vi) promptly notify you of any complaints or notices (including any data subject access requests) received which relate to the processing of personal data in connection with this Agreement, and co-operate with you in relation to the same;

(vii) on written request, provide you with such information as is reasonably necessary to evidence our compliance with this Data Protection Addendum (including allowing for audits subject to: (i) prior entry into written confidentiality provisions concerning the audit; (ii) a maximum of one (1) audit in each consecutive twelve (12) month period; and (iii) You giving Us at least ten (10) Business Days' notice of such audit); and

(viii) on termination of the IDV Agreement, destroy (or if you request, return) your personal data, unless we are otherwise required to retain it.

5.2. Notwithstanding paragraph 5.1.(viii), you hereby acknowledge that we, as an ACSP, are required under IDV Laws to retain a record of all identity verification activities, including copies of the identity documentation and proof of address shared by each individual (whether via the online or in-person identity verification service provision).

6. Technical and organisational measures

For more details about the technical and organisational measures we have implemented to ensure an appropriate level of security and to prevent a personal data breach, please see our Information Security Standard available here: https://media.umbraco.io/lawdebenture/oa2lyy4h/information-security-standard-v12-2024.pdf.

7. International Transfers

7.1. Our IDV Services do not typically involve a transfer of personal data to third countries or international organisations. We will have no responsibility to make any such transfer (or liability resulting from not making such a transfer) until the parties have supplemented this Data Processing Addendum with such additional provisions that we reasonably require.