GDPR Compliance
General Data Protection Regulation (EU) 2016/679 - How VettlyGlobal ensures compliance with European data protection standards.
Last Updated: April 15, 2026
1. Our Commitment to GDPR Compliance
VettlyGlobal is committed to protecting the personal data and privacy rights of all individuals in the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK). We comply with the General Data Protection Regulation (GDPR) and related data protection laws.
This document outlines our GDPR compliance framework and explains your rights as a data subject under the GDPR.
2. Data Controller and Processor Roles
2.1 VettlyGlobal as Data Controller
When we determine the purposes and means of processing personal data, we act as a Data Controller. This includes:
- Processing customer account and contact information
- Managing employee and contractor data
- Processing website visitor data and analytics
- Marketing and communication activities
- Business operations and administration
2.2 VettlyGlobal as Data Processor
When we process personal data on behalf of our clients, we act as a Data Processor. This includes:
- Identity verification services for client organizations
- Background screening and due diligence services
- Risk assessment and fraud detection services
- Data analytics and reporting services
When acting as a Data Processor, we process data only according to documented instructions from our clients (Data Controllers) and maintain appropriate Data Processing Agreements.
2.3 Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance:
Data Protection Officer
3. Legal Basis for Processing Personal Data
We process personal data only when we have a valid legal basis under GDPR Article 6:
3.1 Consent (Article 6(1)(a))
We obtain your explicit, informed consent for:
- Marketing communications and newsletters
- Processing special categories of personal data (where applicable)
- Using cookies and tracking technologies (non-essential)
- Sharing data with third parties for specific purposes
You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
3.2 Contract Performance (Article 6(1)(b))
We process data necessary for:
- Providing services under our contract with you
- Processing transactions and payments
- Account management and customer support
- Delivering reports and service outputs
3.3 Legal Obligations (Article 6(1)(c))
We process data to comply with legal obligations, including:
- Anti-money laundering (AML) and counter-terrorism financing requirements
- Know Your Customer (KYC) regulations
- Tax and accounting requirements
- Court orders and legal process
- Regulatory reporting obligations
3.4 Legitimate Interests (Article 6(1)(f))
We process data based on legitimate interests for the following purposes:
- Preventing fraud and ensuring security
- Improving and optimizing our services
- Conducting business analytics and research
- Ensuring network and information security
- Direct marketing to existing customers
We conduct Legitimate Interest Assessments (LIAs) to ensure our interests do not override your fundamental rights and freedoms.
3.5 Vital Interests (Article 6(1)(d))
In rare cases, we may process data to protect vital interests, such as preventing serious harm or threats to life.
4. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
4.1 Right of Access (Article 15)
You have the right to obtain:
- Confirmation of whether we process your personal data
- Access to your personal data
- Information about the purposes, categories, and recipients of processing
- Information about the retention period
- A copy of your personal data (first copy provided free of charge)
4.2 Right to Rectification (Article 16)
You have the right to:
- Correct inaccurate personal data
- Complete incomplete personal data
- Update outdated information
We will respond to rectification requests within one month and notify third parties where feasible.
4.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes collected
- You withdraw consent and no other legal basis exists
- You object to processing and no overriding legitimate grounds exist
- The data has been unlawfully processed
- Erasure is required to comply with legal obligations
Limitations: We may retain data when required by law, for legal claims, or for archiving purposes in the public interest.
4.4 Right to Restriction of Processing (Article 18)
You can request restriction of processing when:
- You contest the accuracy of personal data (during verification)
- Processing is unlawful but you oppose erasure
- We no longer need the data but you need it for legal claims
- You object to processing (pending verification of legitimate grounds)
4.5 Right to Data Portability (Article 20)
You have the right to:
- Receive personal data in a structured, commonly used, machine-readable format
- Transmit data to another controller where technically feasible
This right applies to data processed by automated means based on consent or contract.
4.6 Right to Object (Article 21)
You can object to processing based on:
- Legitimate Interests: We will cease processing unless we demonstrate compelling legitimate grounds
- Direct Marketing: We will immediately cease marketing activities
- Profiling: You can object to automated decision-making and profiling
4.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects you.
When we use automated decision-making, we will:
- Inform you about the logic involved
- Provide meaningful information about the consequences
- Implement safeguards including human intervention
- Allow you to contest the decision
4.8 How to Exercise Your Rights
To exercise any of these rights, contact us at:
GDPR Rights Requests
We will respond to your request within one month (extendable by two months for complex requests). We will verify your identity before processing requests to protect your data security.
5. Data Protection Principles
We adhere to the six GDPR data protection principles (Article 5):
5.1 Lawfulness, Fairness, and Transparency
- We process data lawfully with valid legal basis
- We provide clear, accessible privacy information
- We are transparent about data processing activities
5.2 Purpose Limitation
- We collect data for specified, explicit, and legitimate purposes
- We do not process data in ways incompatible with original purposes
- We document and communicate processing purposes clearly
5.3 Data Minimization
- We collect only data adequate, relevant, and necessary
- We avoid excessive or unnecessary data collection
- We regularly review data needs and delete unnecessary data
5.4 Accuracy
- We maintain accurate and up-to-date personal data
- We correct inaccuracies without undue delay
- We implement processes for data quality assurance
5.5 Storage Limitation
- We retain data only as long as necessary for the purposes
- We maintain documented retention schedules
- We implement secure deletion procedures
5.6 Integrity and Confidentiality (Security)
- We implement appropriate technical and organizational measures
- We protect against unauthorized or unlawful processing
- We prevent accidental loss, destruction, or damage
6. Technical and Organizational Security Measures
We implement state-of-the-art security measures to protect personal data:
6.1 Technical Measures
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA)
- Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS)
- Pseudonymization: Data pseudonymization where appropriate
- Backup and Recovery: Regular encrypted backups with tested recovery procedures
- Logging and Monitoring: Comprehensive audit logs and security monitoring
- Vulnerability Management: Regular security assessments and patching
6.2 Organizational Measures
- Data Protection Policies: Comprehensive privacy and security policies
- Staff Training: Regular GDPR and security awareness training
- Access Management: Strict access control procedures and regular reviews
- Vendor Management: Due diligence and contractual safeguards for processors
- Incident Response: Documented breach response procedures
- Privacy by Design: Data protection integrated into system development
- Regular Audits: Internal and external security and compliance audits
6.3 Certifications and Standards
Our security program is aligned with industry standards:
- ISO 27001 - Information Security Management
- ISO 27701 - Privacy Information Management
- SOC 2 Type II - Security, Availability, and Confidentiality
- NIST Cybersecurity Framework
7. International Data Transfers
We may transfer personal data outside the EEA/UK to provide our services. We ensure adequate protection through:
7.1 Transfer Mechanisms
- Adequacy Decisions: Transfers to countries with adequacy decisions from the European Commission
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs for transfers to third countries
- Binding Corporate Rules (BCRs): Internal BCRs for intra-group transfers
- Certifications: EU-U.S. Data Privacy Framework (where applicable)
- Derogations: Explicit consent or necessity for contract performance (limited use)
7.2 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) to ensure that transfers to third countries provide protection essentially equivalent to that guaranteed by the GDPR, considering:
- Laws and practices in the destination country
- Supplementary measures to ensure adequate protection
- Practical experience with data transfers
7.3 Countries We Transfer Data To
We may transfer data to the following regions (subject to appropriate safeguards):
- United States (with SCCs and supplementary measures)
- United Kingdom (adequacy decision)
- Canada (adequacy decision for commercial organizations)
- Other countries with appropriate safeguards in place
8. Data Breach Notification
8.1 Breach Response Procedures
We maintain comprehensive data breach response procedures aligned with GDPR requirements:
- Incident detection and containment
- Risk assessment and impact analysis
- Notification decision-making process
- Communication with authorities and data subjects
- Post-incident review and remediation
8.2 Notification to Supervisory Authority (Article 33)
If a breach is likely to result in a risk to rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware
- Provide details of the breach, affected data, consequences, and remedial measures
- Document all breaches, including those not reported
8.3 Notification to Data Subjects (Article 34)
If a breach is likely to result in a high risk to rights and freedoms, we will:
- Notify affected individuals without undue delay
- Describe the breach in clear and plain language
- Provide information about consequences and mitigation measures
- Offer contact information for further inquiries
9. Data Protection Impact Assessments (DPIAs)
We conduct DPIAs for processing operations that are likely to result in high risk to data subjects, including:
- Large-scale systematic monitoring
- Large-scale processing of special category data
- Automated decision-making with legal or significant effects
- Processing of biometric or genetic data
- New technologies or processing methods
DPIA Process
Our DPIA process includes:
- Description of processing operations and purposes
- Assessment of necessity and proportionality
- Identification of risks to data subjects
- Evaluation of measures to address risks
- Consultation with DPO and, where required, supervisory authority
10. Third-Party Processors and Sub-Processors
10.1 Processor Due Diligence
We carefully select and monitor third-party processors, ensuring they:
- Provide sufficient guarantees of GDPR compliance
- Implement appropriate technical and organizational measures
- Process data only on documented instructions
- Maintain confidentiality obligations
- Assist with data subject rights requests
10.2 Data Processing Agreements
We maintain GDPR-compliant Data Processing Agreements (DPAs) with all processors, including:
- Subject matter, duration, nature, and purpose of processing
- Types of personal data and categories of data subjects
- Obligations and rights of the controller
- Security measures and breach notification procedures
- Audit rights and compliance verification
10.3 Sub-Processor List
We maintain a list of authorized sub-processors available upon request. We will notify clients of any changes to sub-processors and obtain consent where required.
11. Processing Children's Data
We recognize that children's data requires special protection under GDPR:
- Our services are not directed at children under 16
- We obtain parental consent where required for processing children's data
- We implement age verification mechanisms where appropriate
- We delete children's data if collected without proper authorization
12. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.
Lead Supervisory Authority
Our lead supervisory authority is:
Information Commissioner's Office (ICO)
Website: ico.org.uk
You can find your local data protection authority at: https://edpb.europa.eu/about-edpb/board/members_en
13. Updates to This Policy
We may update this GDPR Compliance policy to reflect changes in:
- Our data processing activities
- Legal or regulatory requirements
- Industry best practices
- Technical capabilities
We will notify you of material changes through our website and, where appropriate, via email.
14. Contact Us
For questions about GDPR compliance or to exercise your rights: