GDPR and UK GDPR

About GDPR and UK GDPR

The General Data Protection Regulation (GDPR) applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Following Brexit, the retained version applicable in the UK is known as the UK GDPR. For ease, we refer to these collectively as “GDPR” in this article. Under GDPR, organisations collecting personal data must identify the specific grounds on which they are collecting the data, and must consider several rights afforded to the data subject. The ICO has an excellent guide to GDPR, and your company’s data protection officer will also be a good person to talk to.

Summary

This guide briefly touches on some of the rights and principles of GDPR and how they relate to Ravelin’s service. In short, Ravelin provides a fraud prevention service and consequently:

  • As a client, it is in your legitimate interest to use Ravelin for the processing of personal data; and
  • There are exemptions which apply to some of the data subject rights

A fully detailed discussion will take place between you and Ravelin when establishing a Data Processing Agreement (DPA) as part of your contract. Some introductory information is provided below; however, bear in mind that the contents of this GDPR guide do not constitute legal advice and are provided for general information purposes only. If you require specific legal advice you should contact your company’s legal counsel.

Data Controllers (in common)

In the context of GDPR, Ravelin and the client are data controllers in their own right (i.e. data controllers in common, not joint controllers) in respect of the processing of the customer personal data. This is because each of them determines on its own (i.e. alone) the purposes and means of the processing of that customer personal data when it is processed within its respective technology environment.

Image of Detect

When providing the services, Ravelin applies sophisticated metrics to assess the risks surrounding the proposed transaction. This necessarily involves the exercise of independent judgement by Ravelin as to what data is collected, which metrics are applied, and the conclusion reached. For this reason, the relationship must be structured so that Ravelin is an independent controller.

Personal Data Collected by Ravelin

Ravelin collects data in the following categories:

  • Identity Data
  • Contact Data
  • Financial Data
  • Transaction Data
  • Technical Data
  • Profile Data

Further detail on the data is in section 4 of the Ravelin privacy policy. We do not collect any special categories of personal data, criminal offence data or data relating to children.

Lawful Basis for Processing Personal Data

For processing of personal data to be lawful, both the data controller and the data processor need to identify specific grounds to justify the processing. This is covered in Article 6 and known as the ‘lawful basis’ for processing. To comply with the accountability principle in Article 5(2), you must be able to demonstrate that a lawful basis applies.

Ravelin’s lawful basis for the processing is legitimate interests, because the processing is necessary in order to provide fraud prevention services to our clients. This is covered in Recital 47 which cites fraud prevention:

The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.

As the data controller, you need to define your lawful basis for processing personal data, which may differ from this.

Automated Decision-Making and Profiling

Article 22 of GDPR affords data subjects the right not to be subject to automated decision-making and profiling unless necessary to enter or fulfil a contract, authorised by law, or undertaken with the subject’s consent.

Ravelin uses a variety of automated monitoring techniques to analyse patterns, detect anomalies, and identify links between different accounts. Techniques such as machine learning, graph networks and rules are combined with manual reviews carried out by analysts. This combination of methods is used to evaluate the risk of fraud and provide feedback to clients with recommendations.

Ravelin’s platform has been designed to ensure that humans can intervene where necessary when making decisions based on our automated data processing. A fraud risk score is a measure of how likely a particular event, like a transaction, refund, or use of a promotional code, is to involve fraud or other malicious activity.

Although our platform may provide a recommendation, it is up to you to determine how you wish to use that recommendation (for example, a fraud risk score can be used to decide whether to accept, challenge, or reject an online order). Ravelin does not have any authority over this decision-making process.

In the context of fraud prevention, this automated decision-making may be permitted without the End User’s consent depending on individual Member State law, as described in Recital 71:

… decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes

Clients should check local laws and take advice as appropriate.

Right to Object, Right to Restrict Processing, Right to Erasure

GDPR offers data subjects many other rights, including:

  • The right to object to the processing of personal data, requiring the controller to stop the activity, covered in Article 21 of GDPR
  • The right to restrict processing, covered in Article 18
  • The right to erasure or ‘right to be forgotten’ covered in Article 17

For each of the rights above there is an exemption when the data is processed:

for the establishment, exercise or defence of legal claims

Recital 47’s overriding legitimate interest of fraud prevention can also be taken into account. With respect to data retention, Recital 65 also confirms that retention is lawful where it is necessary to perform a task carried out in the public interest. In the case of Ravelin, personal data is retained in order to protect the public from fraud.

Historical Data

As established in Recital 47, the lawful basis of processing data to prevent fraud constitutes a legitimate interest of the controller. Historical data falls under this scope. Ravelin works with clients to collect historical data with the explicit goal of providing better fraud prevention. The data sharing must be covered in the data controller’s terms and conditions; see “What You’ll Need to Do” below.

End User Requests

Ravelin will evaluate any requests received from users and either respond directly or refer them back to you. If a user wishes to exercise any of their legal rights they can contact our Data Protection Officer at privacy@ravelin.com.

What You’ll Need to Do

Typically, as part of the process of preparing to go live, after finalising the Data Processing Agreement you’ll need to perform a data protection impact assessment (if applicable) and update your privacy notice and any related documents in order to cover the processing of data by Ravelin.

It is essential that as the data controller you reflect in your terms and conditions that users’ data is shared with Ravelin for the purpose of fraud prevention. Ravelin can provide you with details of the information which needs to be included in your terms.
