GDPR Compliance
TrustGate is designed to help you meet GDPR requirements for processing personal data during identity verification and compliance checks.
GDPR Overview
The General Data Protection Regulation (GDPR) applies when you:
- Process personal data of EU/EEA residents
- Have an establishment in the EU/EEA
- Offer goods or services to EU/EEA residents
Data Controller vs Processor
| Role | Description | Responsibilities |
|---|---|---|
| Data Controller | You (the customer) | Determine purposes and means of processing |
| Data Processor | TrustGate | Process data on your behalf per instructions |
TrustGate acts as a data processor, processing personal data according to your instructions under a Data Processing Agreement (DPA).
Lawful Basis for Processing
For KYC/AML verification, common lawful bases include:
| Lawful Basis | When Applicable |
|---|---|
| Legal Obligation | AML regulations require identity verification |
| Legitimate Interest | Fraud prevention, security |
| Contract | Verification required to provide services |
| Consent | Optional - for non-mandatory checks |
Data Subject Rights
Right to Access
Retrieve all data for a subject:
curl -X GET "https://api.bytrustgate.com/v1/applicants/{applicant_id}/data-export" \
-H "Authorization: Bearer YOUR_API_KEY"
Response
{
"applicant_id": "550e8400-e29b-41d4-a716-446655440000",
"export_format": "json",
"data": {
"personal_info": {
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@example.com",
"date_of_birth": "1985-03-15"
},
"documents": [
{
"type": "passport",
"uploaded_at": "2025-01-15"
}
],
"verifications": [...],
"screening_results": [...],
"cases": [...]
},
"generated_at": "2025-01-20T14:30:00Z"
}
Right to Rectification
Update incorrect data:
curl -X PATCH https://api.bytrustgate.com/v1/applicants/{applicant_id} \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"first_name": "Jonathan",
"rectification_reason": "Name correction requested by data subject"
}'
Right to Erasure (Right to be Forgotten)
Delete applicant data:
curl -X DELETE "https://api.bytrustgate.com/v1/applicants/{applicant_id}" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"reason": "data_subject_request",
"request_reference": "DSR-2025-001"
}'
Erasure Response
{
"applicant_id": "550e8400-e29b-41d4-a716-446655440000",
"deletion_status": "scheduled",
"scheduled_at": "2025-01-20T14:30:00Z",
"completion_estimate": "2025-01-20T15:00:00Z",
"retention_hold": false,
"data_to_delete": [
"personal_info",
"documents",
"biometrics",
"verification_results"
],
"data_retained": [
"audit_logs (legal requirement)"
]
}
Right to Restriction
Restrict processing while disputes are resolved:
curl -X POST https://api.bytrustgate.com/v1/applicants/{applicant_id}/restrict \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"reason": "accuracy_contested",
"reference": "DSR-2025-002"
}'
Right to Portability
Export data in machine-readable format:
curl -X GET "https://api.bytrustgate.com/v1/applicants/{applicant_id}/export?format=json" \
-H "Authorization: Bearer YOUR_API_KEY"
Retention Limits
When legal retention periods don't apply, data is deleted per your configuration:
curl -X PUT https://api.bytrustgate.com/v1/settings/gdpr/retention \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"default_retention_days": 365,
"rejected_applicant_retention_days": 90,
"biometric_retention_days": 30,
"document_image_retention_days": 365
}'
Legal Holds
Prevent deletion when legally required:
curl -X POST https://api.bytrustgate.com/v1/applicants/{applicant_id}/legal-hold \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"reason": "regulatory_investigation",
"reference": "INV-2025-001",
"expires_at": "2026-01-20"
}'
Data Processing Records
View Processing Activities
curl -X GET "https://api.bytrustgate.com/v1/gdpr/processing-records" \
-H "Authorization: Bearer YOUR_API_KEY"
Response
{
"processing_activities": [
{
"activity": "identity_verification",
"purpose": "AML compliance",
"legal_basis": "legal_obligation",
"data_categories": ["identity", "documents", "biometrics"],
"recipients": ["internal_compliance_team"],
"retention_period": "5 years per AML regulations",
"safeguards": ["encryption", "access_controls", "audit_logging"]
},
{
"activity": "fraud_prevention",
"purpose": "Protect against fraud",
"legal_basis": "legitimate_interest",
"data_categories": ["device_data", "behavioral_data"],
"recipients": ["internal_fraud_team"],
"retention_period": "2 years",
"safeguards": ["encryption", "pseudonymization"]
}
]
}
Data Breach Notification
Report a Breach
curl -X POST https://api.bytrustgate.com/v1/gdpr/breach-report \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"breach_type": "unauthorized_access",
"detected_at": "2025-01-20T10:00:00Z",
"affected_subjects": ["applicant_123", "applicant_456"],
"data_categories_affected": ["personal_info"],
"description": "Unauthorized API access detected",
"containment_actions": ["API key revoked", "Access audit initiated"]
}'
TrustGate Breach Notification
We notify you within 24 hours of discovering any breach affecting your data, including:
- Nature of the breach
- Data categories affected
- Approximate number of records
- Remediation actions taken
Cross-Border Transfers
Data Location
curl -X GET "https://api.bytrustgate.com/v1/settings/data-location" \
-H "Authorization: Bearer YOUR_API_KEY"
{
"primary_region": "eu-west-1",
"data_residency": "EU",
"sub_processors": [
{
"name": "Cloud Provider",
"location": "EU",
"purpose": "Infrastructure"
}
],
"transfers_outside_eu": false
}
Transfer Mechanisms
When transfers outside EU/EEA are necessary:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Binding Corporate Rules
Privacy by Design
TrustGate implements:
| Principle | Implementation |
|---|---|
| Data minimization | Only collect necessary data |
| Purpose limitation | Data used only for stated purposes |
| Storage limitation | Automatic deletion per retention rules |
| Integrity | Encryption at rest and in transit |
| Confidentiality | Access controls and audit logging |
DPIA Support
For Data Protection Impact Assessments:
curl -X GET "https://api.bytrustgate.com/v1/gdpr/dpia-info" \
-H "Authorization: Bearer YOUR_API_KEY"
Returns information needed for your DPIA including:
- Processing operations
- Data flows
- Security measures
- Risk assessments
Next Steps
- Audit Logging - Track all data access
- Data Retention - Configure retention policies
- Consent Management - Manage consent records