Data Controller FAQs

Last updated 31 January 2023

WHAT IS OUR CATEGORISATION UNDER DATA PROTECTION LAW?

We are categorised as a “data controller” under data protection law when operating our business and providing services to our clients. We have established this position based on our analysis of the flow of personal data in light of the European Union’s General Data Protection Regulation 2016/679 (“EU GDPR”), the UK’s version of the EU GDPR (known as the “UK GDPR”) and guidance from regulatory bodies and data protection supervisory authorities including the European Data Protection Board (“EDPB”) and the UK’s Information Commissioner’s Office (“ICO”).

WHAT ARE KYCKR’S SERVICES?

Kyckr offers two main services:

1. API Service – This service enables Kyckr’s customers to have access to structured profiles and original registry documents and filings across multiple jurisdictions via a central source. In order to provide this service, Kyckr has built and keeps up to date an API which allows it to extract data from public registries and restructure it into a user-friendly format for it to then be passed on to its customers in real-time.

2. UBO Verify Service – This service enables Kyckr’s customers to have analysis and insight on the corporate ownership of other entities so that they can then verify the beneficial owners. In order to provide this service, Kyckr performs automated processing on its information on the corporate ownership structure of other entities and subsequently shares this with its customers in real-time through a report.

WHAT DATA IS INVOLVED WHEN KYCKR IS DELIVERING ITS SERVICES?

When Kyckr is extracting information from a registry or a pool of registries for its customers, Kyckr processes information on a company’s name, address, date of incorporation etc. As part of Kyckr’s API Service, it provides a “Lite Company Profiles” product whereby it provides only basic corporate information.

When providing certain components of Kyckr’s API Service or UBO Verify Service, Kyckr may also process the personal data of data subjects. The types of personal data that it would process in these circumstances include:

- Director’s name

- Director’s address

- Director’s date of birth

- Shareholder’s name

- Shareholder’s address

- Shareholder’s date of birth

Within the context of these services, the personal data (when concerned) is recalibrated or processed by automated means (depending on the service being provided) – all of which is at Kyckr’s discretion due to the algorithms which Kyckr has set.

WHAT ARE THE DATA FLOWS WHEN KYCKR IS DELIVERING ITS SERVICES?

The exact flow of data is as follows:

1. Kyckr’s customer makes an information request such as via Kyckr’s API by reference to a company name or company number.

2. Kyckr’s API, for example, extracts information from each relevant registry. Each registry is an independent data controller.

3. Kyckr processes the information using Kyckr’s unique and standard reporting tool, over which Kyckr is the only party having control and for which Kyckr is the data controller with respect to the personal data contained in the report. A report is subsequently produced; the content of the report will vary depending on the type of request made by the customer.

4. The report is issued to the customer.

5. A copy of each report sits on Kyckr’s server (with a unique identification number). Kyckr maintains this report for one month only after which it is deleted.

HOW WOULD REGULATORY BODIES AND DATA PROTECTION SUPERVISORY AUTHORITIES CATEGORISE KYCKR?

Kyckr would be considered to be a data controller by regulatory bodies and data protection supervisory authorities. Examples are provided below.

1. The EDPB and the ICO provide detailed self-assessment tools on their respective websites in order for organisations to determine their categorisation under data protection law. From our review of these tools and the number of factors that indicate that Kyckr is a data controller as opposed to a data processor, we have determined that our categorisation is that of a data controller. To see the full list of factors demonstrating that Kyckr is a data controller, please see below.

2. Guidelines from the EDPB in particular note the importance of reviewing the purpose of each processing activity and its “essential means”. As Kyckr has its own discretion over how, and the way (such as the format) in which, it delivers its services, it is deemed to be a data controller.

3. The Personal Information Charter from the UK Companies House explains that the UK Companies House is a data controller and that commercial organisations may sometimes use data from it (and other registries) to create their own products. It then states that these commercial organisations become data controllers of the personal data. This provides further evidence that Kyckr, as a commercial organisation using data from the UK Companies House (and other registries), is a data controller.

WHAT FACTORS EXACTLY SHOW THAT KYCKR IS A DATA CONTROLLER?

The following factors show that Kyckr is a data controller:

1. Kyckr decides on the purposes for which the personal data will be used. Kyckr decides on how the service is provided and whether to recalibrate data or use certain algorithms to produce its unique reports. Kyckr also decides how to create the network of information and registries and how to set the APIs used for this purpose.

2. Kyckr decides to process the personal data (to produce its restructured reports as part of the API Service or its analytical reports as part of the UBO Verify Service).

3. Kyckr decides on the outcome of the processing (in that the report is restructured or the analysis is subject to automated processing).

4. Kyckr decides on what personal data should be collected (in that it determines the level of the personal data collected and whether or not to use certain personal data in delivering certain products, such as the “Company Lite Profiles”).

5. Kyckr decides if and what personal data to collect from (or on) individuals and if additional information is necessary to be included in its reports. Kyckr also decides how to recalibrate personal data for the reports to be presented to customers in the most efficient possible way.

6. Kyckr is interested in the end result of the processing to the point that its unique selling point and its core business depend on it.

7. Kyckr obtains a commercial gain from the processing (in that the reports are key to its service – Kyckr decides how the reports are produced, the information contained in the reports and how they are presented; all of this is part of Kyckr’s knowhow, brand and reputation).

8. Kyckr exercises professional judgement in the processing of personal data to produce its reports when delivering its services.

9. Kyckr has complete autonomy as to how personal data is processed to produce its reports.

10. Kyckr does not follow instructions regarding the processing of personal data other than the request by customers for Kyckr to search for “any personal data” in selected public registries on an entity (in order for the customer to determine more information on the entity including beneficial ownership). The request for “any personal data” is not narrow enough to be considered a data processing instruction.

11. Kyckr’s involvement in the decision on how personal data is processed goes beyond “making some decisions on how data is processed” as providing the personal data is an essential part of its business which it determines (and is not dictated by its customers or other third parties).

12. Kyckr decides how long to retain the data and where to store it.

HOW CAN YOU FIND OUT MORE ABOUT KYCKR’S APPROACH TO DATA PROTECTION COMPLIANCE?

Take a look at our Privacy Notice here which includes more information.

If you have any questions, please do get in touch with us on dataprivacy@kyckr.com.