The General Data Protection Regulation (GDPR) applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Under GDPR, organisations collecting personal data must identify the specific grounds on which they are collecting the data, and must consider several rights afforded to the data subject. The ICO has an excellent guide to GDPR, and your company’s data protection officer will also be a good person to talk to.
This guide briefly touches on some of the rights and principles of GDPR and how they relate to Ravelin’s service. In short, Ravelin provides a fraud prevention service and consequently:
A fully detailed discussion will take place between you and Ravelin when establishing a Data Protection Agreement (DPA) as part of your contract. Some introductory information is provided below; however, bear in mind that the contents of this GDPR guide do not constitute legal advice and are provided for general information purposes only. If you require specific legal advice, you should contact your company’s legal counsel.
In the context of GDPR, Ravelin is the data processor responsible for processing personal data on behalf of Ravelin’s clients, who are the data controllers. However, depending on the solution in question, Ravelin’s GDPR position might change.
Ravelin’s GDPR position for the Connect product remains the same throughout the entire processing period. Ravelin is the data processor and the client is the data controller.
Ravelin’s GDPR position for Detect changes during the processing period.
When the data subject signs up with the client, Ravelin is a processor and the client is the controller. At this point Ravelin only holds the data that the data subject has shared with the client, who then shares that with Ravelin.
Once the data subject places an order with the client, Ravelin runs the data provided by the client through a set of machine learning algorithms to produce a probabilistic score of the likelihood that the data subject is fraudulent. While running the shared data through our own technological environment (Ravelin Databases), Ravelin becomes a data controller in common with the client.
Data Controllers (in common)
Ravelin and the client are data controllers in their own right (i.e. data controllers in common, not joint controllers) in respect of the processing of the shared customer personal data, on the basis that they each determine on their own (i.e. alone) the purposes and means of the processing of such shared customer personal data when it is processed within their respective technology environments.
Ravelin collects data in the following categories:
For processing of personal data to be lawful, both the data controller and the data processor need to identify specific grounds to justify the processing. This is covered in Article 6 and known as the ‘lawful basis’ for processing. To comply with the accountability principle in Article 5 (2), you must be able to demonstrate that a lawful basis applies.
Ravelin’s lawful basis for the processing is the legitimate interest of the controller to whom we supply fraud prevention services. This is covered in Recital 47, which cites fraud prevention:
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
As the data controller, you need to define your lawful basis for processing personal data, which may differ from this.
Article 22 of GDPR affords data subjects the right not to be subject to automated decision making and profiling unless necessary to enter or fulfil a contract, authorised by law, or undertaken with the subject’s consent.
Ravelin uses a variety of automated monitoring techniques to analyse patterns, detect anomalies, and identify links between different accounts. Techniques such as machine learning, graph networks and rules are combined with manual reviews carried out by analysts. This combination of methods is used to evaluate the risk of fraud and provide feedback to clients with recommendations. In the context of fraud prevention, such automated decision making is permitted without the End User’s consent under Recital 71:
… decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes
GDPR offers data subjects many other rights, including:
For each of the rights above there is an exemption when the data is processed:
for the establishment, exercise or defence of legal claims
Recital 47’s overriding legitimate interest of fraud prevention can also be taken into account. With respect to data retention, Recital 65 also confirms that retention is lawful where it is necessary to perform a task carried out in the public interest. In the case of Ravelin, personal data is retained in order to protect the public from fraud.
As established in Recital 47, the lawful basis of processing data to prevent fraud is the legitimate interest of the controller. Historical data falls within this scope. Ravelin works with clients to collect historical data with the explicit goal of providing better fraud prevention. The data sharing must be covered in the data controller’s terms and conditions; see what you’ll need to do below.
It is essential that, as the data controller, you state in your terms and conditions that users’ data is shared with Ravelin for the purpose of fraud prevention. Ravelin can provide you with details of the information that needs to be included in your terms.