OpenKYC Africa is fully committed to protecting the privacy and personal data of all individuals, including EU citizens, in accordance with the General Data Protection Regulation (GDPR).
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It governs how organizations collect, process, store, and share personal data of individuals within the European Union (EU) and European Economic Area (EEA).
Even though OpenKYC is headquartered in Africa, we process data from EU citizens and therefore must comply with GDPR requirements.
Your Rights Under GDPR
As a data subject, you have the following rights:
Right to be Informed
You have the right to know how your data is being collected, used, and shared. We provide this through our Privacy Policy and this GDPR page.
Right of Access
You can request a copy of all personal data we hold about you. We will respond within 30 days.
Right to Rectification
If your personal data is inaccurate or incomplete, you can request that we correct or complete it.
Right to Erasure
Also known as the "right to be forgotten." You can request deletion of your data in certain circumstances.
Right to Restrict Processing
You can request that we limit how we process your data while disputes are being resolved.
Right to Data Portability
You can request your data in a structured, machine-readable format to transfer to another service.
Right to Object
You can object to processing of your data for direct marketing or based on legitimate interests.
Rights Related to Automated Decisions
You have the right to not be subject to solely automated decisions that significantly affect you.
How We Comply with GDPR
1. Lawful Basis for Processing
We only process personal data when we have a valid legal basis:
- Consent: You have given clear consent for us to process your data
- Contract: Processing is necessary to fulfill a contract with you
- Legal Obligation: Processing is required to comply with the law
- Legitimate Interests: Processing is necessary for our legitimate business interests, balanced against your rights
2. Data Minimization
We only collect data that is strictly necessary for KYC verification. We don't collect unnecessary information.
3. Purpose Limitation
We only use your data for the purposes stated at the time of collection (identity verification and fraud prevention).
4. Storage Limitation
We retain your data only as long as necessary for legal and regulatory requirements. Biometric data is deleted within 30 days of verification completion unless legally required otherwise.
5. Security Measures
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- Regular penetration testing
- Employee access controls and training
- Incident response procedures
International Data Transfers
When transferring data outside the EU/EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms for data transfers
- Data Processing Agreements: With all sub-processors
- Technical Safeguards: Encryption and pseudonymization
We prioritize keeping EU citizen data within jurisdictions with adequate data protection laws.
Data Subject Request Process
How to Exercise Your Rights
Data Processing Agreements
As a data processor, we enter into Data Processing Agreements (DPAs) with all our business clients. Our DPA includes:
- Description of processing activities
- Data security requirements
- Sub-processor management
- Audit rights
- Data breach notification procedures
- Data return and deletion procedures
Contact legal@openkyc.africa to request a copy of our DPA.
Data Breach Notification
In the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours
- We will notify affected individuals without undue delay if the breach poses high risk
- We will document all breaches and remediation steps
- We will notify our business clients immediately
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance:
Data Protection Officer
OpenKYC Africa
Email: dpo@openkyc.africa
Phone: +263 772 123 456
Sub-Processors
We use the following sub-processors to deliver our services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud Infrastructure | South Africa (Cape Town) |
| Cloudflare | CDN & Security | Global (with African PoPs) |
| Twilio | SMS Notifications | USA (with SCCs) |
We will notify clients of any changes to our sub-processor list.
Complaints
If you believe your data protection rights have been violated, you can:
- Contact us directly at gdpr@openkyc.africa
- Lodge a complaint with your local Data Protection Authority
- For EU residents: Contact your national supervisory authority