“Case Management Systems” means the systems provided by an Integration Partner which You use to access and order our Services through. and used by You as an integration.
“Consumer” means any person acting for purposes other than their trade, business or profession.
“Data Controller”, “Data Processor”, “processing”, and “data subject” shall have the meanings given to the terms “controller” “processor”, “processing” and “data subject” respectively in Article 4 of the GDPR. “Personal Data” means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the Data Processor on behalf of the Data Controller, as described in Clause 1.
“Integration Partner” means the provider of your Case Management Systems which You use to access and order our Services through.
“Service(s)” means the supply of services by InfoTrack to you including but not limited to property searches, reports and photographs, company searches, trademarks and domain names searches and other searches from time to time and includes our instructions to a Supplier, on your behalf and the dissemination of the information subsequently provided by the Suppliers.
“Sub-Processor” means any organisation or third party appointed by the Data Processor to process the Personal Data on your behalf for the purposes of providing the Services.
“Supplier” means any organisation or third party who provides data or information of any form to InfoTrack for the purposes of providing the Services.
The type of information we may collect and hold includes (but is not limited to) personal data you may give us when you place an order via Our Website (or other Ordering Methods) or contact our customer service team, or otherwise interact with us and provide personal data about:
Personal Data that you give us may consist of names, addresses, contact details, occupations and other information and generally will include:
You are not obliged to provide personal data to InfoTrack, however in many cases, if personal data we request is not provided, we may not be able to supply the relevant product or service that you have requested from us.
We collect the personal data you provide when you:
When you visit Our Website, we may collect any or all of the following technical data:
InfoTrack employ a variety of physical and technical measures to keep personal data safe to prevent unauthorised access to, use or disclosure of it. Electronic data and databases are stored on secure computer systems and we control who has access to them (using both physical and electronic means). Our staff receive data protection training and we have a set of detailed data protection policies and procedures which personnel are required to follow when handling personal data.
We store personal data in computer storage facilities, paper-based files and other records. We take steps to protect the personal data against loss, unauthorised access, use modification or disclosure, and against other misuse. These steps include password protection and access privileges for accessing our IT system, encryption of data stored and physical access restrictions to paper files. Some of these services, such as hosting our computer file servers, are provided by third parties in the UK and we endeavour to ensure that they also have adequate privacy safeguards in place through the use of contractual measures to protect personal data.
Because transmission of information over the internet is often insecure, we do not accept responsibility for the security of information you send to or receive from us over the internet, or for any unauthorised access or use of that information by others over the internet.
InfoTrack shall ensure that all personnel who access and/or process any of the personal data are contractually obliged to keep Personal Data confidential.
For the purposes connected with providing our products and services to you, we may share your data with third parties but we will not use or share your personal data for any other purpose without first obtaining your consent, unless required by law.
In any event we will only use your personal data for the purposes for which it is collected, or purposes which are very similar.
We may disclose your personal data (or the personal data of third parties that you may provide to us) to third party service providers who assist us in providing the services you request, including public authorities and providers of information services. This shall include as specifically set out on the Privacy Notice- Consent for Digital Identity Verification
We may also disclose your personal data to third parties who work with us in our business to promote, market or improve the services that we provide, including:
We may also combine your personal data with information available from other sources, including the entities mentioned above, to help us provide better services to you.
We may share your personal data within the InfoTrack Group of Companies, including InfoTrack, , and Perfect Portal (UK) Limited in connection with the fulfilment of the contract between us only.
You can withdraw your consent at any time to our processing of your personal data for any purpose at any time, by contacting us by email or at the postal address set out in paragraph 8. By submitting an Order, you understand that we use Sub-Processors for the purpose of providing the Services and by submitting the Order you give consent to use Sub-Processors for the purpose of providing the Services.
In the event we engage another Sub-Processor after you have placed your order for Services and before this order for Services is completed, we will give you prior written notice. If you object to any new Sub-Processor you may, despite anything to the contrary in the Terms, terminate the Agreement and your right to access and use the Services without penalty on written notice provided your notice is received by the effective date of our notice.
InfoTrack will only use suppliers that meet the requirements of the Data Protection legislation.
For some of the services we provide to you that require credit and identity checks such as our Bank Account Verification Search, we will use a Credit Reference Agency (CRA) to help us to deliver you with the best services.
If you use these services, from time to time we will also search information that the CRA has. The personal data we may exchange with the CRA is:
This data will then be used to:
When we use the CRA, this is called a credit search and the CRA will make note of this on your credit file. This is visible to lenders and other companies who perform a credit check on you in the future.
Please follow the link below for further information on how the Credit Reference Agency, Equifax, uses your data and your data protection rights.
Where you are a Supplier, and as an existing customer, we may wish to send you details regarding:
We may contact you inviting you to opt-in to receiving this information. This means that you will be given the choice as to whether you want to receive these messages and will be able to select how you want to receive them (email, telephone or post).
You may opt-out of receiving direct marketing or the disclosure of your personal data for the purpose of direct marketing by:
The information we hold is never used for marketing purposes and is never marketed, rented or sold to any third parties.
The data that we collect from you will be transferred, stored and processed using Amazon Web Servers (AWS) which are held at a destination within the European Economic Area (“EEA”). AWS servers offer the highest level of security and are ISO 27001 compliant. If we transfer any data outside the EEA we will take steps to make sure adequate levels of privacy protection, in line with UK Data Protection legislation, are in place. This shall include as specifically set out on the Privacy Notice- Consent for Digital Identity Verification
The data we collect will be stored and kept for as long as is necessary.
The duration of processing is limited to the duration in which we provide the Services to you.
If you wish to opt out of communications from us or withdraw your consent, your data will be deleted without undue delay. We continually review the personal data we hold and delete what is no longer required.
We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights which are as follows:
InfoTrack will, on one months’ prior written notice, submit to audits and inspections and provide you with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR.
If you would like further information on your rights or you wish to exercise them please write to us at DPO@infotrack.co.uk or InfoTrack Limited, Level 11, 91 Waterloo Road, London, SE1 8RT.
Please bear in mind that there are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so. If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner’s Office, which oversees data protection compliance in the UK. Details of how to do this can be found at www.ico.org.uk
Lloyd Smith - InfoTrack Data Privacy Officer DPO@infotrack.co.uk
writing to us at InfoTrack Limited, Level 11, 91 Waterloo Road, London, SE1 8RT
We will acknowledge and investigate any complaint about the way we manage personal data as soon as practicable. We will take reasonable steps to remedy any failure to comply with our privacy obligations. We are not responsible for the privacy policies or privacy practices of the organisations we provide links to from Our website. We suggest that you check the privacy policies and practices of those organisations.
A 'cookie' is a piece of information that allows the server to identify and interact more effectively with your computer. The cookie assists us in identifying what our users find interesting on Our website.
When you use Our website we allocate you a unique identification number (cookie). A cookie will be allocated each time you use Our website. The cookie does not identify you as a user in our data collection process. It does identify your Internet Server Provider.
1. About this notice
1.1 This is the Privacy Notice for InfoTrack Limited (We, Us) in relation to managing Consent for Digital Identity Verification and the processing of special category data in order to electronically verify the identity of a Data Subject.
1.3 This document meets the requirement of the Data Protection Act 2018 that an appropriate policy document be in place where Processing Special Categories of Personal Data in certain circumstances.
Controller: the person or organisation that determines when, why and how to Process Personal Data.
Data Retention Policy: explains how the organisation classifies and manages the retention and disposal of its information.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
DPA 2018: the Data Protection Act 2018.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO or refers to the organisation's data privacy team with responsibility for data protection compliance.
GDPR: the General Data Protection Regulation ((EU) 2016/679).
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably possess. Personal Data includes Special Categories of Personal Data.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
3. Why we process Special Categories of Personal Data
3.1 As part of our services we offer Digital Identity Verification checks. As part of the Digital Identity Verification service your Personal Data will be subject to cross referencing checks to establish your identity.
3.2 An element of this service involves ‘biometric’ data which shall include processing an image of you next to other key identifiers – like your name – as shown on the identity information you provide to us.
3.3 The use of biometric data is necessary for the provision of the Digital Identity Verification and as this involves Special Categories of Personal Data we need your express consent to engage in this processing.
3.4 It is only envisaged that we will process biometric data not any other kind of Special Category data.
3.5 To enable us to process Special Categories of Personal Data we need your consent.
4.1 The Information Commissions Office has produced Consent Guidance which states that Consent to processing should be "freely given" and this means that you have "genuine choice and control" over the use of your data.
4.2 When you agree to the use of your data as part of a Digital Identity Verification check you will be expressly consenting to the use of your data for this purpose.
4.3 If you choose to consent to a Digital Identity Verification we will process the data you provide to us in accordance with this Privacy Notice.
4.4 You will provide us with your identity documents containing such information as your address, date of birth and your physical image. This will allow us to seek the electronic verification of your identity. This will involve the transfer of your data as set out in this Privacy Notice and the processing of this information for this purpose.
4.5 You do not have to consent to a Digital Identity Verification check. Your identity can be checked manually if you would prefer. You will not be subjected to a detriment for not giving consent to this processing. Please note that manual checks on your identity will normally take longer than digital checks and will involve you undertaking physical steps to satisfy identity requirements. This is a logistical and operational point that does take some time and does require some action.
4.6 You may withdraw your consent to processing at any time. This can be undertaken by emailing DPO@infotrack.co.uk. As we are a Data Processor, we will inform the Data Controller of your withdrawal request.
5. Transfer of Data
5.1 In order to perform the Digital Identity Verification check we share your personal data with Jumio Corporation 395 Page Mill Rd, Suite 150, Palo Alto, California 94306 (Jumio). Jumio will perform the identity check on request and following receipt of your Personal Data and the results of this check will be provided back to us.
5.2 This will involve transferring your data outside the European Economic Area (EEA).
5.3 Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
(a) We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission
(b) Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
5.4 Jumio is based in the United States of America which is outside of the EEA. As at the date of this notice there is no adequacy decision for the United States of America, however, the European Court of Justice has confirmed that the use of specific contracts approved by the European Commission will allow for data transfers to be undertaken with the United States of America as this will allow you as the Data Subject to be afforded the same protections as you enjoy for data transfers within the EEA.
5.5 We have engaged in a review of the data security measures of Jumio and have ensured that binding contractual agreements are in place and they have provided us with comprehensive information confirming the security of their systems and the protection of your data.
5.6 We have undertaken a DPIA to establish that we are acting in accordance with the data protection legislation to give you peace of mind regarding this transfer of your data.
5.7 Jumio uses sub processors to process your data for this purpose also. These are within the Jumio group of companies based in United States of America, Jumio India and Jumio Colombia. Jumio also deploys Next Wealth Inc, Orculus Inc, Loqate Inc, & Melissa data GmbH. Jumio have contracturally confirmed to us that all sub processors are bound by the principles of the GDPR in the same manner as Jumio.
5.8 Your data will also be stored with Amazon Web Services and this is inside the EEA in Ireland and Frankfurt.
6. Personal data protection principles
6.1 The GDPR requires personal data to be processed in accordance with the six principles set out in Article 5(1). Article 5(2) requires controllers to be able to demonstrate compliance with Article 5(1).
6.2 We comply with the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:
(a) Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);
(b) collected only for specified, explicit and legitimate purposes (Purpose Limitation);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation);
(d) accurate and where necessary kept up to date (Accuracy);
(e) not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation); and
(f) processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
6.3 We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
7. Compliance with data protection principles
7.1 Lawfulness, fairness and transparency
Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
We will only Process Personal Data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding Personal Data to specified lawful purposes. We can Process Special Categories of Personal Data if we have a legal ground for Processing or you expressly consent to the same.
When collecting Special Categories of Personal Data from Data Subjects, either directly from Data Subjects or indirectly (for example from a third party or publicly available source), we are required to provide Data Subjects with confirmation of all the information required by the GDPR in a privacy notice which is concise, transparent, intelligible, easily accessible and in clear plain language which can be easily understood.
This is what we have endeavoured to undertake in this Privacy Notice. Further clarification of this is set out in the table below:
Lawful Processing basis
Processing condition for Special Categories of Personal Data
Data concerning biometric data
Article 9(2) of the GDPR requires one of several special conditions to be met for the processing of special categories of personal data such as, racial or ethnic origin, health data or biometric data.
Obtaining "explicit consent" is one such condition.
Sections 10 and 11 and Schedule 1 of the Data Protection Act 2018 (DPA 2018) implement these derogations in the UK
7.2 Purpose limitation
Personal Data must be collected only for specified, explicit and legitimate purposes. They must not be further Processed in any manner incompatible with those purposes.
We will only collect personal data for specified purposes and will inform Data Subjects what those purposes are in this published Privacy Notice.
We will not use Personal Data for new, different or incompatible purposes from those disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have consented where necessary.
7.3 Data minimisation
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
We will only collect or disclose the minimum Personal Data required for the purpose for which the data is collected or disclosed. We will ensure that we do not collect excessive data and that the Personal Data collected is adequate and relevant for the intended purposes.
Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
We will ensure that the Personal Data we hold and use is accurate, complete, kept up to date and relevant to the purpose for which it is collected by us. We check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. We take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
7.5 Storage limitation
We only keep Personal Data in an identifiable form for as long as is necessary for the purposes for which it was collected, or where we have a legal obligation to do so. Once we no longer need Personal Data it shall be deleted or rendered permanently anonymous.
We maintain a Data Retention Policy and related procedures to ensure Personal Data is deleted after a reasonable time has elapsed for the purposes for which it was being held, unless we are legally required to retain that data for longer.
The information you provide to us is stored in line with our Data Retention Policy which can be provided to you on request to our DPO.
7.6 Security, integrity, confidentiality
Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will implement and maintain reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of or damage to Personal Data.
7.7 Accountability principle
We are responsible for, and able to demonstrate compliance with these principles. Our DPO is responsible for ensuring that we are compliant with these principles. Any questions about this policy should be submitted to the DPO.
(a) Ensure that records are kept of all Personal Data Processing activities, and that these are provided to the Information Commissioner on request.
(b) Carry out a DPIA for any high-risk Personal Data Processing to understand how Processing may affect Data Subjects and consult the Information Commissioner if appropriate.
(c) Ensure that a DPO is appointed to provide independent advice and monitoring of Personal Data handling, and that the DPO has access to report to the highest management level.
(d) Have internal processes to ensure that Personal Data is only collected, used or handled in a way that is compliant with data protection law.
8. Controller's policies on retention and erasure of personal data
We take the security of Special Categories of Personal Data and Criminal Convictions Data very seriously. We have administrative, physical and technical safeguards in place to protect Personal Data against unlawful or unauthorised Processing, or accidental loss or damage. We will ensure, where Special Categories of Personal Data are Processed that:
(a) The Processing is recorded, and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our Data Retention Policy.
(b) Where we no longer require Special Categories of Personal Data or Criminal Convictions Data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible.
(c) Where records are destroyed we will ensure that they are safely and permanently disposed of.
9.1 This policy on Processing Special Categories of Personal Data will be reviewed by our DPO periodically.
9.2 The policy will be retained where we process Special Categories of Personal Data and for a period of at least six months after we stop carrying out such processing.
(a) Lloyd Smith - InfoTrack Data Privacy Officer DPO@infotrack.co.uk
(b) Or write to us – Data Protection Officer, InfoTrack Limited, Level 11, 91 Waterloo Road, London, SE1 8RT