Privacy Statement for Penneo KYC

Penneo provides the service Penneo KYC, which is an identity validation service related to helping our customers perform and document their Know Your Customer and anti-money laundering obligations.

When Penneo retrieves and, if applicable, stores data from the external source, it acts as a data processor on behalf of our customer (Company). Penneo’s customer is the data controller.

This responsibility is regulated by an agreement, including a data processing agreement (DPA), between Penneo and its customer. End users are managed by the customer (Company) that acts as a data controller.

Purpose and processing

The controllers and responsible entities for such content are Penneo’s customers. As the data processor, Penneo enters a data processor agreement with the customer as data controller. The data processor agreement establishes the framework for Penneo’s personal data processing activities.

The purpose of Identity validation is to perform anti-money laundering and attribute validation services. These services can retrieve or periodically monitor person or company information from central registries, determine roles and verify the authority to sign, and check details against PEP/sanction lists.

Data is retrieved from an external source and loaded into the Penneo KYC application. The data is stored in the respective customer’s Penneo KYC profile for 5 years (from the date which the client relationship is created), in accordance with the Danish Accounting Act. If a shorter storage period is required, the customer can at any time configure the different profiles and delete the data in accordance with their own retention policies. If a client has questions about when their specific information will be deleted, they should contact the customer.

Penneo’s customers can add and remove or edit the access to the information within Penneo KYC, for any user at any time.

Categories of data subjects

End users of the Controller: End users of the Controller’s solutions or Processor’s solutions used by Controller

The following types of personal data may be processed for end users/clients of the controller:

  • Names
  • Identity numbers
  • Date of birth
  • Date of death
  • Gender
  • Addresses
  • Nationality
  • Compliance/risk rating information
  • Roles in an organization
  • Organizational ownership details

The processed data is retrieved from external sources both public and commercial registers, as well as entered manually by client and customer users. All retrieved is based on the instruction of the Controller.


Back to top

Penneo Sign

Få underskrevet dokumenter hurtigere. Indsaml den nødvendige information og håndter dine dokumentprocesser på en nem og kompatibel måde.

Penneo KYC

Automatiser klient-onboarding og opretholdelse af hvidvaskningsloven (AML). Udfør risikovurdering og indsaml klient dokumentation på en sikker og effektiv måde.