Skip to main content

Overview

The General Data Protection Regulation (GDPR) governs how personal data of EU/EEA residents is collected, processed, and stored. Identity verification inherently involves processing sensitive personal data — documents, biometric data, and personal identifiers. iDenfy acts as a data processor on your behalf (Art. 4(8), Art. 28 GDPR). You remain the data controller responsible for establishing the lawful basis, ensuring transparency, and fulfilling data subject rights. iDenfy does not determine the purposes or legal bases for processing — these are determined exclusively by you as the controller.

Your responsibilities as data controller

ObligationWhat you need to do
Lawful basisEstablish a legal basis for processing. For AML-regulated entities this is typically Art. 6(1)(c) (legal obligation) or Art. 6(1)(e) (public interest) — not consent. For optional verification, consent under Art. 6(1)(a) may apply.
TransparencyInform users what data is collected, why, and how long it is retained — in your privacy policy. Per Art. 13(1)(c), identify yourself as controller, state your legal bases, and reference applicable legislation.
Data subject rightsRespond to access (Art. 15), rectification (Art. 16), erasure (Art. 17), and restriction (Art. 18) requests within 30 days. Note: data subjects cannot withdraw from AML-based identification requirements — Art. 7(3) does not apply to statutory grounds.
Data Protection Impact AssessmentConduct a DPIA for biometric processing (Art. 35). iDenfy maintains its own DPIA and can provide supporting documentation upon request.
Records of processingDocument the identity verification processing activity in your records of processing activities (Art. 30).

How iDenfy supports GDPR compliance

Data minimization

Configure token generation to collect only the data you need: 
{
  "clientId": "user-123",
  "generateDigitString": false,
  "address": null,
  "dateOfBirth": null
}
Only request fields required by your compliance obligations. Unnecessary data fields can be omitted from the token request. iDenfy processes only the data specified in your configuration — nothing more.

Right to erasure (Art. 17)

Delete verification data via API when a data subject requests erasure: 
curl -X DELETE https://ivs.idenfy.com/api/v2/delete \
  -u "API_KEY:API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{"scanRef": "scan-reference-id"}'
See Identification Deletion for the full API reference.
Before deleting, check whether you have a legal obligation to retain the data. AML record-keeping requirements (typically 5-10 years depending on jurisdiction) override GDPR erasure rights. GDPR erasure does not override other regulatory retention obligations.

Data retention

Configure automatic data retention periods in your iDenfy dashboard. iDenfy supports:
  • Custom retention periods per service type
  • Automatic deletion after the configured period expires
  • Manual deletion via API at any time
  • Default retention: Up to 10 years for AML-related identification records; 60 days for expired/closed customer accounts

Data processing agreement

iDenfy provides a GDPR-compliant Data Processing Agreement (DPA) that covers:
  • Processing purpose and scope
  • Sub-processor list and obligations (all sub-processors are documented and contractually bound)
  • Data breach notification procedures (within 72 hours to the supervisory authority)
  • Data transfer mechanisms (EU Standard Contractual Clauses where applicable)
  • Technical and organizational security measures (ISO 27001, SOC 2 Type II)
The DPA is available at idenfy.com/agreement/#dpa-agreement. Contact your account manager or dpo@idenfy.com to execute a DPA before going live.

Biometric data (Art. 9)

Identity verification with liveness detection processes biometric data, which is a special category under GDPR. Your legal basis depends on your use case: For AML-regulated entities (banks, fintechs, crypto, gaming):
  • Art. 6(1)(c) — compliance with a legal obligation (AML law)
  • Art. 9(2)(g) — substantial public interest based on Union or Member State law
  • Consent is not the appropriate legal basis — per EDPB Guidelines 05/2020, consent should not replace statutory grounds
For non-regulated use cases (age verification, marketplace trust):
  • Art. 6(1)(a) — consent of the data subject
  • Art. 9(2)(a) — explicit consent for biometric processing
  • Ensure consent is freely given, specific, informed, and unambiguous
On the iDenfy “Agree & continue” button: This is a transparency and acknowledgment measure, not a consent mechanism. It fulfills your transparency obligations under Art. 13 GDPR and confirms that the data subject was informed prior to biometric capture. If you rely on consent as your legal basis, you must implement your own consent mechanism separately. You may display your own legal bases in a second verification window — we recommend identifying yourself as controller, stating your legal bases, and referencing applicable legislation per Art. 13(1)(c).
For accountability purposes (Art. 5(2)), iDenfy records:
  • Timestamp of user confirmation
  • Version of the information displayed
  • Whether the iDenfy policy, your policy, or both were shown
This demonstrates transparency compliance, not reliance on consent as a legal basis.

Cross-border data transfers

iDenfy processes and stores all data within the EU (Dublin, Ireland). Data is not transferred outside the EEA unless:
  • Standard Contractual Clauses (SCCs) are in place
  • A Transfer Impact Assessment has been completed
If your integration requires data transfer outside the EEA, contact your account manager for transfer impact assessment documentation.

Data subject rights — how iDenfy supports you

RightHow iDenfy supports it
Access (Art. 15)Verification data can be retrieved via API or dashboard. When iDenfy receives a direct request, it is forwarded to you as the controller.
Rectification (Art. 16)Contact iDenfy support to correct inaccurate verification data.
Erasure (Art. 17)Delete verification data via API or request deletion through your account manager.
Restriction (Art. 18)Supported where applicable, subject to AML statutory limitations.
Portability (Art. 20)Customers can export their verification data at any time before account closure.
When iDenfy acts as processor, all data subject requests received directly are transferred to you as the data controller. iDenfy supports you upon request in accordance with the DPA.

Security measures supporting GDPR compliance

MeasureDetail
Encryption in transitTLS 1.2-1.3 on all connections
Encryption at restAES-256-GCM on all stored data
Key managementManaged key service with automatic rotation every 12 months
Access controlRole-based access, IP whitelisting, 2FA enforced
MonitoringCloud-native logging, audit trails, and endpoint detection and response (EDR)
Breach notificationInternal DPO notification within 24 hours, supervisory authority within 72 hours, affected clients within 8-24 hours
Incident track recordZero security incidents in the past 12 months

Relevant certifications

  • ISO/IEC 27001:2022 — Continuously certified since 2020 (TUV Thuringen, DAkkS accredited)
  • SOC 2 Type II — Security, availability, and confidentiality (12-month examination period)
  • eIDAS Conformity — Remote ID proofing certified under EU Regulation 910/2014
Data Protection Officer: dpo@idenfy.com Security inquiries: security@idenfy.com