GDPR Compliance
TrustGate is designed to help you meet GDPR requirements for processing personal data during identity verification and compliance checks.
GDPR Overview
The General Data Protection Regulation (GDPR) applies when you:
- Process personal data of EU/EEA residents
- Have an establishment in the EU/EEA
- Offer goods or services to EU/EEA residents
Data Controller vs Processor
| Role | Description | Responsibilities |
|---|---|---|
| Data Controller | You (the customer) | Determine purposes and means of processing |
| Data Processor | TrustGate | Process data on your behalf per instructions |
TrustGate acts as a data processor, processing personal data according to your instructions under a Data Processing Agreement (DPA).
Lawful Basis for Processing
For KYC/AML verification, common lawful bases include:
| Lawful Basis | When Applicable |
|---|---|
| Legal Obligation | AML regulations require identity verification |
| Legitimate Interest | Fraud prevention, security |
| Contract | Verification required to provide services |
| Consent | Optional - for non-mandatory checks |
Data Subject Rights
Right to Access
Retrieve all data for a subject (GDPR Articles 15 & 20):
curl -X GET "https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/export?format=json" \
-H "Authorization: Bearer YOUR_API_KEY"
Supported formats: json (machine-readable) or pdf (human-readable document).
Response
{
"personal_information": {
"first_name": "John",
"last_name": "Doe",
"email": "john.doe@example.com",
"date_of_birth": "1985-03-15"
},
"verification_status": {
"status": "approved",
"verified_at": "2025-01-15T10:30:00Z"
},
"documents": [
{
"type": "passport",
"uploaded_at": "2025-01-15"
}
],
"screening_results": [],
"cases": [],
"audit_trail": [],
"ai_assessments": [],
"export_metadata": {
"exported_at": "2025-01-20T14:30:00Z",
"exported_by": "user@example.com",
"export_format": "json",
"gdpr_articles": ["15", "20"],
"applicant_id": "550e8400-e29b-41d4-a716-446655440000"
}
}
Right to Rectification
Update incorrect data:
curl -X PATCH https://api.bytrustgate.com/api/v1/applicants/{applicant_id} \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"first_name": "Jonathan",
"rectification_reason": "Name correction requested by data subject"
}'
Right to Erasure (Right to be Forgotten)
Permanently delete applicant data (GDPR Article 17). This action is irreversible.
curl -X DELETE "https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/gdpr-delete?confirmation=CONFIRM_DELETE&reason=data_subject_request" \
-H "Authorization: Bearer YOUR_API_KEY"
Safeguards enforced by this endpoint:
- Requires the
confirmationquery parameter to be exactlyCONFIRM_DELETE - Cannot delete if the applicant is under legal hold (returns
409 Conflict) - Cannot delete if AML retention requirements have not expired (returns
409 Conflict)
Erasure Response
{
"status": "deleted",
"applicant_id": "550e8400-e29b-41d4-a716-446655440000",
"deleted_at": "2025-01-20T14:30:00Z",
"deleted_data": [
"personal_info",
"documents",
"biometrics",
"verification_results",
"screening_results"
]
}
Right to Restriction
Coming soon. Processing restriction is not yet available as a dedicated endpoint. In the meantime, you can use Legal Holds to prevent deletion and processing changes while disputes are resolved.
Right to Portability
Export data in machine-readable format using the same export endpoint:
curl -X GET "https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/export?format=json" \
-H "Authorization: Bearer YOUR_API_KEY"
See Right to Access above for the full response format.
Retention Policies
TrustGate enforces retention policies based on applicant status and AML regulatory requirements. These policies are applied automatically and are not configurable per-tenant at this time.
| Applicant Status | Retention Period | Rationale |
|---|---|---|
| Approved | 5 years | Standard KYC retention |
| Pending | 1 year | Incomplete verifications |
| Flagged | 7 years | Extended AML retention for confirmed hits |
| Rejected | 5 years | AML regulatory requirement |
Applicants past their retention period are eligible for automated cleanup. Retention can be overridden by placing an applicant under legal hold.
Legal Holds
Prevent deletion when legally required:
curl -X POST https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/legal-hold \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"reason": "regulatory_investigation"
}'
Legal hold:
- Blocks GDPR deletion requests
- Blocks automated retention cleanup
- Blocks manual deletion
Use for pending litigation, regulatory investigations, or law enforcement requests.
To remove a legal hold:
curl -X DELETE https://api.bytrustgate.com/api/v1/applicants/{applicant_id}/legal-hold \
-H "Authorization: Bearer YOUR_API_KEY"
Data Breach Notification
TrustGate notifies you within 24 hours of discovering any breach affecting your data, including:
- Nature of the breach
- Data categories affected
- Approximate number of records
- Remediation actions taken
This supports your obligation to notify your supervisory authority within 72 hours (GDPR Article 33).
Cross-Border Transfers
When transfers outside the EU/EEA are necessary, TrustGate relies on:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Binding Corporate Rules
Contact your account representative for details on current sub-processor locations and data residency.
Privacy by Design
TrustGate implements:
| Principle | Implementation |
|---|---|
| Data minimization | Only collect necessary data |
| Purpose limitation | Data used only for stated purposes |
| Storage limitation | Automatic deletion per retention rules |
| Integrity | Encryption at rest and in transit |
| Confidentiality | Access controls and audit logging |
DPIA Support
For Data Protection Impact Assessments, TrustGate can provide information about:
- Processing operations performed on applicant data
- Data flows between TrustGate and third-party verification services
- Security measures in place (encryption, access controls, audit logging)
- Risk assessments and mitigation strategies
Contact your account representative or email compliance@bytrustgate.com to request DPIA documentation.
Next Steps
- Audit Logging - Track all data access
- Data Retention - Configure retention policies
- Consent Management - Manage consent records