Loqate is becoming a data controller

At GBG we use the power of data to help companies improve digital access, deliver a seamless experience and establish trust so they can transact quickly, safely and securely with their customers online. We’re proud to operate to the highest standards, both meeting our privacy obligations from around the world to our customers and data subjects, whilst also delivering the innovative solutions our customers expect. We are continually assessing and evolving our products and as such we are pleased to confirm that we will become a Data Controller for some of the products and services we provide to you, moving forwards. This is a standard that other data businesses may not yet be adhering to, but we are setting a standard that regulators around the world are coming to expect. Becoming a controller means we have made changes to our products, continue to update the agreements we have with our data suppliers and customers, and are taking greater responsibility in the sourcing, management and protection of data, ultimately giving our customers greater confidence in the data underpinning our services.

We are asking all customers and suppliers to accept updated terms to ensure that our contracts accurately reflect the roles and responsibilities of each party. Without accepting updated terms, we will be unable to continue to provide the service to you.

Your existing agreement for the use of our services, does not reflect our new position as a data controller and is therefore out of date. We’ve had to make necessary changes to the privacy and data protection obligations to reflect our status as a data controller.

We act in different capacities depending on the service you take from us. There may also be a difference between the role taken in the provision of the service and the post processing activities.

The capacity we will act in when supplying Loqate Services is set out at https://www.gbgplc.com/en/legal-and-regulatory/local-laws/data-privacy-roles-loqate-services-only/.

We process on the basis of the Legitimate Interests of a third party, to help ensure your customers receive the goods/services they have ordered, and their details are accurate and up to date.

Further details of the lawful basis of processing is published in our privacy notice at https://www.gbgplc.com/en/legal-and-regulatory/products-services-privacy-policy/#legalbasis.

The processing that GBG performs as a Controller does not deviate from the original purpose as it allows us to continually improve the service and ensures the accuracy of the addresses validated by the service.

We do not process on the basis of consent.

There have been no changes made to the way you receive our service as a result of our move to controllership.

In order to meet our controller obligations, GBG requires visibility of what personal data is processed, when, how and who this has been shared with. To achieve this, we have created a GBG Audit Trail for relevant products* in which we hold evidence of each transaction for 12 months. Retention of this data is necessary to enable GBG to respond when an individual wishes to exercise a data subject right. GBG’s Audit Trail is independent of the one (if you have one), you as our Customer can control. There have been no changes to your Audit Trail, which you can continue to manage as you see fit, as a separate Independent Controller to GBG.

*Which for Loqate includes Data Maintenance, our Email, Phone and Bank validation services. For clarity there is no GBG Audit Trail required for our Address Capture and Verify services.

Becoming a data controller, means that we are taking greater responsibility in the sourcing, management and protection of data. The significant investment we have made in our global privacy and compliance team means we are better able to support our customers with their own

privacy obligations and deliver greater confidence that the data used within our products and services is gathered lawfully. This enables us to continue to innovate for our customers whilst providing peace of mind.

For our Loqate Address Capture and Verify solutions we have developed an Artificial Intelligence / Machine Learning (AI/ML) Algorithm (the Algorithm) for the purposes of helping us improve our postal address validation and verification services.

We use the Algorithm to create derived data. The Algorithm never uses customer data or personal data. Derived data is created from the calls that are made to our service and the meta data that our systems create when those calls are made. We retain only the de-identified address data searched and retrieved, ensuring all other customer data is removed (including, for example, any IP information or any metadata originating from the customer or our customer's end user).

The improvements we are seeking to make include:

· Faster detection rates.

· Improved address syntax especially in emerging markets.

· Improved confidence in deliverable addresses, even if the address does not exist in our reference data.

· Increased deliverable address coverage.

· When combined with other third-party data we may create risk scores or alerts e.g. for non-deliverable or new addresses.

The Algorithm does not engage in automated decision-making, including profiling that could produce legal effects or have any similar effects on data subjects. It is also not active in the delivery of the service itself but is instead use by us in our development process to improve our services.

This change is occurring now. Our initial focus has been to update our agreements with our data suppliers. We have also made changes to our products to align with our position as a data controller. We are now beginning the process of updating our existing customer agreements in a phased approach.

In the GDPR and other privacy regulations a data controller has full control to determine the purposes for processing data and takes full responsibility specifying how the data is used and processed by others, including ensuring legal compliance with data laws.

A data processor simply processes data that the data controller provides to them under specific contractual obligations.

Loqate acts in different capacities depending on the service you take from us. There may also be a difference between the role taken in the provision of the service and the post processing activities.

The capacity we will act in when supplying Loqate Services is set out at https://www.gbgplc.com/en/legal-and-regulatory/local-laws/data-privacy-roles-loqate-services-only/.

The contracts that we have in place between our customers and our data partners, clearly set out the roles and responsibilities of each party in relation to responses to subject access requests. You as our customer will be an independent data controller and will continue to have the same responsibility to data subjects as you do today. We will continue to support you where needed. Going forward, GBG will also act an independent data controller. This means that we also need to respond directly to individuals and to achieve this we will need greater visibility of the data we have processed and who we have shared this with. We have therefore created and will hold a GBG Audit Trail for relevant products* in which we hold evidence of each transaction for a period of 12 months. GBG’s Audit Trail is independent of the one (if you have one), that you as our Customer can control. The GBG Audit Trail will be retained so we can respond to an individual who is exercising their data subject rights with us. This is not further processed by GBG and is recorded as a “point in time” check for the sole purpose of responding to data subject rights, with access to this database restricted to the GBG Privacy Team only.

* Which for Loqate includes Data Maintenance, our Email, Phone and Bank validation services. For clarity there is no GBG Audit Trail required for our Address Capture and Verify services.

We have invested significantly in our Privacy and Data Compliance team, which now has over 20 members with combined privacy experience of over 200 years, ensuring that the data that is supplied to GBG, the foundation of our products and services, remains compliant with all applicable legislation, both now and in the future. We also need to understand how and why our customers use our products and services and will therefore be capturing a Customer Use Case. As a controller, we have an obligation to our customers, partners and data subjects to make sure that the use of our products is in line with the GDPR and to achieve this we need to understand how and why those products are used.

The Loqate Verify and Capture services including Email, Phone and Bank Verification may only be used for the purposes of Data Quality. This is when you have a need to ensure the data you capture is accurate, enabling you to onboard and interact with your customer effectively.

Whilst we may not choose specifically what data is collected from an individual (often our Supplier, or another third party does this), we still determine which data to collect for use within our products.

Our end customers have no outright control or say in the range of personal data that we collect or suppliers that we engage with in order to provide our overall product offerings. Regardless of specific customer requests, we ultimately decide what data is included within our products. In addition to this:

We assess, analyse, and determine the quality of the data received from our Suppliers.

For certain products, we interpret the data and makes decisions with it before supplying it to customers (subject to the scope of the licence granted by the supplier).

We do consider addresses as personal data when processed by the Loqate Services as it is gathered directly from an individual (either directly by GBG or by our customers). We are aware the regulator takes this position under GDPR, and globally there are privacy laws which are equivalent.

However, please note when de-identified as part of the derived data process, we do not consider addresses to be personal data.

Please speak to your Customer Success Manager or ask for help on our customer support page.