First AML and the General Data Protection Regulation (GDPR)
This guide is for informational purposes only and should not be relied upon as legal advice.
- First AML Data Processing Addendum (DPA)
- How First AML ensures ongoing compliance with the GDPR
- How we help you comply with your obligations under the GDPR
- Helpful GDPR resources
The European General Data Protection Regulation 2016/679 and the UK Data Protection Act 2018 (together, GDPR) is – as most now know – a broad-sweeping and comprehensive data protection law. The GDPR likely applies to any First AML customer that has clients (or individuals within client entities being verified) based in the EU/UK.
First AML Data Processing Addendum (DPA)
What is a DPA?
If the GDPR applies to you, a DPA enables the lawful transfer of EU/UK personal data from you to First AML.
Do you need to sign the DPA?
If you’re a new First AML customer and the GDPR applies to you, our DPA will automatically apply to your use of our services – there is no need to separately sign.
If you’re an existing First AML customer based outside of the EU/UK and your business is expanding to the EU/UK, please get in touch to ensure our DPA applies.
How First AML ensures ongoing compliance with the GDPR
As an organisation at the forefront of data protection and privacy, we’re extremely passionate about ensuring compliance with data protection laws to the highest standard. We do this by:
- regularly reviewing our internal data systems, processes and documentation;
- monitoring and reviewing our third-party service providers; and
- continuing to invest in our security infrastructure.
Our customer documentation has been prepared, and is regularly reviewed, with the highest standards of data privacy in mind.
We’ve also gone to great lengths to ensure your clients – who we’re engaging with in the course of providing our services – have a clear understanding of our respective roles in the handling of their personal data, and the manner in which they can exercise their rights under relevant data privacy laws.
How we help you comply with your obligations under the GDPR
If you have clients (or individuals within client entities being verified) based in the EU/UK, your handling of their personal data through use of our service is as a ‘data controller’. We, in turn and in most situations, are a ‘data processor’.
The GDPR gives the subjects of the data you collect various rights, such as the right to access, correct, delete, and restrict how their data is used. As the data controller, it is your responsibility to ensure data subjects can exercise those rights. We help to facilitate your compliance wherever possible, including by:
- continually improving our platform to provide tools which make your handling of data requests easier and faster;
- making sure that, when personal data is deleted from the platform (in relation to the exercise of a ‘right to be forgotten’), it is actually, and permanently, deleted;
- facilitating the export of verification information from within the platform (in relation to the exercise of a ‘right to access’); and
- facilitating the correction of any incorrect information from within the platform (in relation to the exercise of a ‘right to rectification’).
We will assist in any other way we can to ensure our joint compliance with relevant data privacy laws.
Helpful GDPR resources
Need more information? Below are links to some helpful GDPR resources: