GDPR compliance

Jira issue: EL-2933

General Requirement

General Data Protection Regulation (hereinafter referred to as "GDPR") is a European regulation to strengthen and unify the data protection of EU citizens. 

This article contains the key points of the GDPR as well as information on the changes that must be implemented in order to make the Turnkey Lender system compliant with the regulation.

Official document: https://gdpr-info.eu/

A useful article for understanding the main items of the GDPR: https://www.braze.com/resources/library/faq/gdpr-need-to-know/thanks/



Rights in Relation to Automated Decision Making and Profiling:

One of the main items in the GDPR is: "Individuals have the right to opt out of the use of their personal data by automated systems, such as artificial intelligence."

We are talking about using AI in our System (Big Data Scoring), so we should mention it in the Privacy Policy. For example, in my opinion, we can configure in Web.config which one of the Privacy Policies to show to the Customer (Borrower/Investor) if the System can reject or approve new loan applications.

This is a subject for discussion with all interested parties.

GDPR enabling

How to enable GDPR?

Add the following key to Web.config:

<add key="GdprEnabled" value="true" />

Privacy Notice

Template

Jira issue: EL-2940

Location

Front Office: Customer Dashboard → Personal Privacy Tab

Back office: System → Documents

Breach Notification

Jira issue: EL-2975

Organizational Benefits: Implementation of the described use cases will help Turnkey Lender to be compliant with the GDPR data portability requirements "Notification of a personal data breach to the supervisory authority" and "Communication of a personal data breach to the data subject".

Use case name: Breach Notification for Borrowers
Actors: System, Admin
Preconditions: Personal data breach has occurred.
Post-conditions: Breach notification is sent to the Customer(s).

Main Course
  1. An Admin goes to Customers workplace and selects a certain Customer.
  2. The Admin clicks 'Send Breach Message' button in the Customer details area and specifies the details of the Breach of the individual personal data.
  3. An information message with the Breach notification and details of the Breach appears in the Customer's Personal Account.
  4. The System logs the Breach description which was provided to the Customer, the time when the Customer was notified and the time when he/she acknowledged the notice in the Personal Account.
Alternate Courses
  1. An Admin goes to Customers workplace.
  2. The Admin clicks 'Send Breach Message' button and specifies the details of the Breach to be sent to all Customers.
  3. The information messages appear in the Personal Accounts of all Customers.
  4. The System logs the Breach description which was provided to the Customers, the time when the Customers were notified and the time when the Breach notice was acknowledged in the Personal account.

Jira issue: EL-3027

Use case name: Breach Notification for Investors
Actors: System, Admin
Preconditions: Personal data breach has occurred.
Post-conditions: Breach notification is sent to the Investor(s).

Main Course
  1. An Admin goes to Users/Investors tab of System workplace.
  2. The Admin clicks Manage link in front of a certain Investor; clicks 'Send Breach Message' button in the dialog box and specifies the details of the Breach of the individual personal data.
  3. An information message with the Breach notification and details of the Breach appears in the Investor's Personal Account.
  4. The System logs the Breach description which was provided to the Investor, the time when the Investor was notified and the time when he/she acknowledged the notice in the Investor's Personal Account.
Alternate Courses
  1. An Admin goes to Users/Investors tab of System workplace.
  2. The Admin clicks 'Send Breach Message' button and specifies the details of the Breach to be sent to all Investors.
  3. The information messages appear in the Personal Accounts of all Investors.
  4. The System logs the Breach description which was provided to the Investors, the time when they were notified and the time when the Breach notice was acknowledged in the Personal account.

Data Portability

Jira issues: EL-2943, EL-3024

Use case name: Data Access
Actors: Customer (Borrower/Investor), System
Organizational Benefits: Implementation of the described use case will help Turnkey Lender to be compliant with the GDPR data portability requirement: the right of a data subject to receive a copy of their personal data (as outlined in Articles 15 and 20(1)), free of charge, in an electronic format, so that the Customer is able to transmit that data to another controller.
Preconditions: A Customer has an existing account and access to the personal account in the System.
Post-conditions: The Customer receives a copy of his/her personal data in PDF format.
Main Course
  1. A Customer logs into his personal account.
  2. The Customer clicks 'Export personal data' button.
  3. All the customer's details stored in the System are downloaded to the device in PDF format.

Personal Data Modification 

Jira issues: EL-2935, EL-2936

Use case name: Customer's Personal Data Modification
Actors: Customer (Borrower/Investor)
Organizational Benefits: Implementation of the described use case will help Turnkey Lender to be compliant with the GDPR requirement: the right to have personal data rectified if it is inaccurate or incomplete.
Preconditions: A Customer has an existing account and access to the personal account in the System.
Post-conditions: The Customer's personal details are updated, while all his/her previous loan applications retain the personal data that was relevant at the time of application.
Main Course
  1. A Customer logs in to his personal account.
  2. The Customer goes to the Personal Details page and can view and edit all the personal details he/she provided.
    If there are any additional fields in the Application Form (see System → Application Form Editor), then these fields should be visible and editable for the Customer too.

    If GDPR is enabled, then all Customer details are shown and editable on the Personal Details page.

    If GDPR is not enabled, then only part of the Customer details may be shown and editable on the Personal Details page, depending on business needs.

  3. The Customer details are updated while the previous loan applications store personal details which were relevant at the time of application.
Alternative Course (Borrower)
  1. Admin logs into Back-Office and goes to Customers workplace.
  2. Admin chooses Customer and clicks EDIT button and edits all Customer's Personal Details.
  3. The Customer details are updated while the previous loan applications store personal details which were relevant at the time of application.
Alternative Course (Investor)
  1. Admin logs into Back-Office and goes to Admin WP → Users → Investors Tab.
  2. Admin chooses an Investor, clicks EDIT and edits all the Investor's Personal Details.
  3. The Investor details are updated.
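The post-condition above has a data-model consequence worth making explicit: rectifying the live profile must not rewrite the personal data that earlier loan applications captured, and a "Data Access" export has to cover both the current profile and those point-in-time copies. The following Python sketch is an added illustration of that pattern; it is not Turnkey Lender code, and the class and field names are assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Illustrative model (hypothetical names): a live, editable customer profile
# and loan applications that freeze the personal data as submitted.

@dataclass
class LoanApplication:
    application_id: str
    submitted_at: datetime
    personal_data_snapshot: dict   # frozen copy, never updated after submission

@dataclass
class Customer:
    customer_id: str
    personal_data: dict            # live profile, subject to rectification
    applications: list = field(default_factory=list)

    def apply_for_loan(self, application_id: str, now: datetime) -> LoanApplication:
        # deepcopy so later profile edits cannot leak into the stored snapshot
        app = LoanApplication(application_id, now, deepcopy(self.personal_data))
        self.applications.append(app)
        return app

    def rectify(self, changes: dict) -> None:
        # Right to rectification: update the live profile only
        self.personal_data.update(changes)

    def export_personal_data(self) -> dict:
        # "All the customer's details stored in the System": current profile
        # plus the point-in-time copies held by each application
        return {
            "customer_id": self.customer_id,
            "current": deepcopy(self.personal_data),
            "applications": [
                {"application_id": a.application_id,
                 "submitted_at": a.submitted_at.isoformat(),
                 "personal_data": deepcopy(a.personal_data_snapshot)}
                for a in self.applications
            ],
        }

def demo() -> dict:
    # Constructed sample data: apply, then correct the address afterwards
    c = Customer("C-1", {"name": "Ann Smith", "address": "1 Old Street"})
    c.apply_for_loan("APP-1", datetime(2018, 5, 25, tzinfo=timezone.utc))
    c.rectify({"address": "2 New Street"})
    return c.export_personal_data()
```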

GDPR compliance. Borrower

Link to sub-article: /wiki/spaces/TLKB/pages/3281289404

GDPR compliance. Investor

Link to sub-article: /wiki/spaces/TLKB/pages/3281289481


Read more

The previous version of this article can be found here: /wiki/spaces/TKL/pages/535527511