1. Introduction

SEPA Cyber Technologies EAD (“SEPA”) provides an identity verification application (“SEPA ID”) that can be used to verify identity documents (especially passports, identity cards and driving licences) and match them to a person. SEPA offers this service to its business partners, such as banks, financial institutes, insurance companies, online platforms, car sharing providers, hire car providers and entertainment platform operators (“partners”), who have to carry out such verification measures to comply with legal requirements (e.g. laws against money laundering and terrorist financing and other applicable laws) or to increase security with regard to their users’ identity.

2. Purpose / Legal Basis

When verifying a user’s identity, SEPA acts as a “processor”, as defined in Art. 4 No. 8 of the General Data Protection Regulation (GDPR). This means the verification is carried out on behalf of the respective partner and SEPA acts exclusively on the partner’s instructions. The respective partner also decides which data is to be collected during the verification process and how this is to be processed by SEPA.

SEPA processes the data on the basis of Art. 6 (1) (b) GDPR in accordance with the contractual agreements made with the respective partner. All data collected by SEPA is only used to verify identity documents and/or identify the user. The data will only be used for other purposes with the user’s explicit consent.

3. Scope of the Data

Some of the personal data required for verification is collected by the respective partner and forwarded to SEPA to initiate the process, or it is entered by the user on the SEPA ID mobile app.

The scope of the personal data varies depending on the purpose and legal basis of the verification carried out for the partner. During the verification process, photographs and recordings are taken of the user and his/her identity documents.

SEPA therefore collects all personal data contained in the identity documents used for verification. Depending on the instructions issued by the partner, further data may also be processed during the verification process, such as email addresses and phone numbers. However, the extent of the data collected by SEPA generally does not exceed the scope described here.

Before each verification process, the partner informs the user about the data that will be collected by SEPA and transmitted to the partner. This information can be found in the general terms and

conditions of and the privacy statement of the partner for whom the verification is to be carried out.

If a user’s identity is to be verified in the SEPA ID app, SEPA will require access to his/her microphone and camera. This also includes access to the camera light, which is activated to increase the visibility of the holograms contained in identity documents. The verification and recording of these security features is absolutely necessary to ensure the successful identification of the user and comply with regulatory requirements.

Before the actual identification process, each user is informed that the app requires access to his/her microphone and camera, and the user must explicitly allow access to both. SEPA will only collect the data recorded by the camera and microphone during the identification process. At no point will SEPA gain access to the data and pictures saved on smartphones or tablets.

4. Identification via eID

The identification service integrated into the app uses the NFC function of the user’s mobile device to communicate with the chip of the user’s electronic identity card and to read and transmit the identification data required for electronic proof of identity. To carry out the proof of identity, the user must follow the instructions in the app and hold his electronic identity card to his mobile device.

The data obtained by the identification service is transmitted to SEPA and deleted from the servers of the service provider immediately after transmission.

5. Disclosure to Third Parties

SEPA uses third-party companies for the verification process. These third-party companies are either based in the Republic of Bulgaria or a Member State of the European Union.

Once the identification process is complete, the data collected and processed in an identification will be transmitted to the partner or made accessible to the partner for retrieval on the systems provided by SEPA. The transmitted data may include the verification process or merely confirmation of a successful verification.

6. Storage Period

As SEPA processes the data collected during the identification process on behalf of the partner, the storage period is determined by the instructions issued by each partner. However, the data is usually deleted from the SEPA servers after 90 days, unless the partner requests an earlier deletion.

If the identification is cancelled or inconclusive, the data collected directly through the verification process will be automatically deleted after 7 days the latest. Irrespective of the above, the partner may have transmitted other personal data to SEPA for the initiation of the process. This data will

also be deleted after the period that has been contractually agreed with the partner (usually 90 days).

On the other hand, this data may be stored by the partner for a different length of time to comply with statutory retention periods (e.g. those stipulated in the laws against money laundering and terrorist financing). Please refer to the respective partner’s privacy statement for more information on the scope of the stored data and the storage period.

7. Data Security

All of our centers used for remote identification have two-factor access control and also video surveillance.

The SEPA system is a software system that has been fully developed and programmed by us in-house. Within the framework of the SEPA ID solution. We run the system on our servers located in the Republic of Bulgaria. Security is also our maxim in the technical environment. From the outset, our system fulfils the required end-to-end encryption, as well as the requirements TR-02102.

Pursuant to Art. 32 GDPR, measures are adopted which are suitable for protecting the data processing system against unauthorized access.

Only system administrators can access the server systems and access always takes place using encrypted connections (SSH + IPsec). All accesses are personalized and secured by passwords and + 2-Factor Authentication (TOTP). Minimum requirements are set for passwords with regard to complexity, repetitions, etc.

Pursuant to Art. 32 GDPR, measures are adopted which are suitable for guaranteeing that personal information cannot be exposed to unauthorized reading, copying, modification or removal during its electronic transmission or storage on data carriers.

Pursuant to Art. 32 GDPR, measures are adopted which are suitable for guaranteeing that personal information is protected against accidental destruction or loss.

8. Rights of Data Subjects

In accordance with Art. 12 to 22 GDPR, data subjects are fully entitled to request access to their personal data and request the rectification, restriction and erasure of the same.

As SEPA carries out identification as a processor on behalf of each partner (Art. 4 No. 8 GDPR) and acts exclusively on the latter’s instructions, SEPA is not legally permitted to honour the rights of data subjects without the partner’s approval or instructions in such cases (Art. 28 GDPR).

SEPA will fully and immediately assist the partner in honouring the rights of data subjects as soon as it is instructed to do so.

9. Contacts

If you have any questions about this Privacy Statement, please contact our customer service team support@sepa-cyber.com, contact details …………………………

Status: April 2022