At GBG we use the power of data to help companies improve digital access, deliver a seamless experience and establish trust so they can transact quickly, safely and securely with their customers online. We’re proud to operate to the highest standards, meeting our privacy obligations from around the world to our customers and data subjects whilst also delivering the innovative solutions our customers expect. We are continually assessing and evolving our products, and as such we are pleased to confirm that, going forward, we will become a data controller for some of the products and services we provide to you. This is a standard that other data businesses may not yet be adhering to, but we are setting a standard that regulators around the world are coming to expect. Becoming a controller means we have made changes to our products, continue to update the agreements we have with our data suppliers and customers, and are taking greater responsibility in the sourcing, management and protection of data, ultimately giving our customers greater confidence in the data underpinning our services.
We’re proud to operate to the highest standards, meeting our privacy obligations from around the world to our customers and data subjects, whilst also delivering the innovative solutions our customers expect. As a result, we have taken the decision to act as a data controller for some of our products and services.
For more information about our approach to Privacy see here.
Information for our customers on our transition to a data controller
The information on this page is intended to provide our customers with further information about our transition to become a data controller for some of our products and services. If you have a question that is not covered here, please get in touch with your Customer Success Manager or ask for help on our customer support page.
We have a selection of frequently asked questions which can be found below.
As a data controller we need to understand your use of our services to ensure the data that is presented to you aligns to your use.
Each of our products has its own pre-defined use cases, which can be found on our legal product pages linked below.
The GDPR sets out six lawful processing conditions for processing personal data. For customers based in the UK or EU and/or processing UK/EU personal data, at least one must apply.
A reminder of the six lawful processing conditions can be found below.
What is a Customer Use Case?
A Customer Use Case describes what you are using our service for. In order for us to meet our controller obligations under applicable data protection law, we need to understand your use of our services so that the data presented to you aligns to your use. If your use of the service is not reflected in the links below, please discuss this with your Customer Success Manager or ask for help on our customer support page.
Discover which use cases apply and access other relevant legal documents for the following services:
For products delivered by our parent company GBG:
Lawful Processing Conditions
The GDPR sets out six ‘lawful processing conditions’ for processing personal data. At least one of these must apply in order for data to be processed lawfully.
Consent
The individual has given clear consent for you to process their personal data for a specific purpose.
Contract
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation
The processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests
The processing is necessary to protect someone’s life.
Public task
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests
The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Frequently Asked Questions
Please see a selection of frequently asked questions.
If you have a question that is not covered here, please get in touch with your Customer Success Manager or ask for help on our customer support page.
Why is Loqate, a GBG solution, becoming a data controller?
What is the impact of GBG becoming a data controller for my organisation?
We are asking all customers and suppliers to accept updated terms to ensure that our contracts accurately reflect the roles and responsibilities of each party. Without accepting updated terms, we will be unable to continue to provide the service to you.
Why have I been asked to login to accept new Terms and Conditions?
Your existing agreement for the use of our services does not reflect our new position as a data controller and is therefore out of date. We’ve had to make necessary changes to the privacy and data protection obligations to reflect our status as a data controller.
When does Loqate act as a controller?
We act in different capacities depending on the service you take from us. There may also be a difference between the role taken in the provision of the service and the post processing activities.
The capacity we will act in when supplying Loqate Services is set out at https://www.gbgplc.com/en/legal-and-regulatory/local-laws/data-privacy-roles-loqate-services-only/.
What is the lawful basis of processing for the services provided by Loqate?
We process on the basis of the Legitimate Interests of a third party, to help ensure your customers receive the goods/services they have ordered, and their details are accurate and up to date.
Further details of the lawful basis of processing are published in our privacy notice at https://www.gbgplc.com/en/legal-and-regulatory/products-services-privacy-policy/#legalbasis.
The processing that GBG performs as a Controller does not deviate from the original purpose as it allows us to continually improve the service and ensures the accuracy of the addresses validated by the service.
We do not process on the basis of consent.
Has Loqate, a GBG solution, made any changes to my service?
There have been no changes made to the way you receive our service as a result of our move to controllership.
In order to meet our controller obligations, GBG requires visibility of what personal data is processed, when and how, and with whom it has been shared. To achieve this, we have created a GBG Audit Trail for relevant products* in which we hold evidence of each transaction for 12 months. Retention of this data is necessary to enable GBG to respond when an individual wishes to exercise a data subject right. GBG’s Audit Trail is independent of the one (if you have one) that you as our Customer can control. There have been no changes to your Audit Trail, which you can continue to manage as you see fit, as a separate Independent Controller to GBG.
*Which for Loqate includes Data Maintenance, our Email, Phone and Bank validation services. For clarity there is no GBG Audit Trail required for our Address Capture and Verify services.
What are the benefits to me as a customer?
Becoming a data controller means that we are taking greater responsibility in the sourcing, management and protection of data. The significant investment we have made in our global privacy and compliance team means we are better able to support our customers with their own privacy obligations and deliver greater confidence that the data used within our products and services is gathered lawfully. This enables us to continue to innovate for our customers whilst providing peace of mind.
For our Loqate Address Capture and Verify solutions we have developed an Artificial Intelligence / Machine Learning (AI/ML) Algorithm (the Algorithm) for the purposes of helping us improve our postal address validation and verification services.
We use the Algorithm to create derived data. The Algorithm never uses customer data or personal data. Derived data is created from the calls that are made to our service and the metadata that our systems create when those calls are made. We retain only the de-identified address data searched and retrieved, ensuring all other customer data is removed (including, for example, any IP information or any metadata originating from the customer or our customer's end user).
The improvements we are seeking to make include:
· Faster detection rates.
· Improved address syntax especially in emerging markets.
· Improved confidence in deliverable addresses, even if the address does not exist in our reference data.
· Increased deliverable address coverage.
· When combined with other third-party data we may create risk scores or alerts e.g. for non-deliverable or new addresses.
The Algorithm does not engage in automated decision-making, including profiling that could produce legal effects or have any similar effects on data subjects. It is also not active in the delivery of the service itself but is instead used by us in our development process to improve our services.
When is this change happening?
This change is occurring now. Our initial focus has been to update our agreements with our data suppliers. We have also made changes to our products to align with our position as a data controller. We are now beginning the process of updating our existing customer agreements in a phased approach.
What is the difference between a data processor and a data controller?
In the GDPR and other privacy regulations, a data controller has full control to determine the purposes for processing data and takes full responsibility for specifying how the data is used and processed by others, including ensuring legal compliance with data laws.
A data processor simply processes data that the data controller provides to them under specific contractual obligations.
Loqate acts in different capacities depending on the service you take from us. There may also be a difference between the role taken in the provision of the service and the post processing activities.
The capacity we will act in when supplying Loqate Services is set out at https://www.gbgplc.com/en/legal-and-regulatory/local-laws/data-privacy-roles-loqate-services-only/.
As a data controller, how will Loqate, a GBG solution, comply with data subject rights?
The contracts that we have in place between our customers and our data partners clearly set out the roles and responsibilities of each party in relation to responses to subject access requests. You as our customer will be an independent data controller and will continue to have the same responsibility to data subjects as you do today. We will continue to support you where needed. Going forward, GBG will also act as an independent data controller. This means that we also need to respond directly to individuals, and to achieve this we will need greater visibility of the data we have processed and who we have shared this with. We have therefore created and will hold a GBG Audit Trail for relevant products* in which we hold evidence of each transaction for a period of 12 months. GBG’s Audit Trail is independent of the one (if you have one) that you as our Customer can control. The GBG Audit Trail will be retained so we can respond to an individual who is exercising their data subject rights with us. This is not further processed by GBG and is recorded as a “point in time” check for the sole purpose of responding to data subject rights, with access to this database restricted to the GBG Privacy Team only.
* Which for Loqate includes Data Maintenance, our Email, Phone and Bank validation services. For clarity there is no GBG Audit Trail required for our Address Capture and Verify services.
What changes have Loqate, a GBG solution, made to support their new role as a data controller?
We have invested significantly in our Privacy and Data Compliance team, which now has over 20 members with combined privacy experience of over 200 years, ensuring that the data that is supplied to GBG, the foundation of our products and services, remains compliant with all applicable legislation, both now and in the future. We also need to understand how and why our customers use our products and services and will therefore be capturing a Customer Use Case. As a controller, we have an obligation to our customers, partners and data subjects to make sure that the use of our products is in line with the GDPR and to achieve this we need to understand how and why those products are used.
The Loqate Verify and Capture services including Email, Phone and Bank Verification may only be used for the purposes of Data Quality. This is when you have a need to ensure the data you capture is accurate, enabling you to onboard and interact with your customer effectively.
Why is Loqate, a GBG solution, a separate and independent controller?
Whilst we may not choose specifically what data is collected from an individual (often our Supplier, or another third party does this), we still determine which data to collect for use within our products.
Our end customers have no outright control or say in the range of personal data that we collect or suppliers that we engage with in order to provide our overall product offerings. Regardless of specific customer requests, we ultimately decide what data is included within our products. In addition to this:
· We assess, analyse, and determine the quality of the data received from our Suppliers.
· For certain products, we interpret the data and make decisions with it before supplying it to customers (subject to the scope of the licence granted by the supplier).
Are addresses considered to be personal data within Loqate services?
We do consider addresses to be personal data when processed by the Loqate Services, as they are gathered directly from an individual (either directly by GBG or by our customers). We are aware the regulator takes this position under GDPR, and globally there are privacy laws which are equivalent.
However, please note when de-identified as part of the derived data process, we do not consider addresses to be personal data.
Where can I go for further information?
Please speak to your Customer Success Manager or ask for help on our customer support page.