Privacy Statement for Penneo KYC

Penneo provides the service Penneo KYC, which is an identity validation service related to helping our customers perform and document their Know Your Customer and anti-money laundering obligations.

When Penneo retrieves and, if applicable, stores data from the external source, it acts as a data processor on behalf of our customer (Company). Penneo’s customer is the data controller.

This responsibility is regulated by an agreement, including a data processing agreement (DPA), between Penneo and its customer. End users are managed by the customer (Company) that acts as a data controller.

Purpose and processing

The controllers and responsible entities for such content are Penneo’s customers. As the data processor, Penneo enters a data processor agreement with the customer as data controller. The data processor agreement establishes the framework for Penneo’s personal data processing activities.

The purpose of Identity validation is to perform anti-money laundering and attribute validation services. These services can retrieve or periodically monitor person or company information from central registries, determine roles and verify the authority to sign, and check details against PEP/sanction lists.

Data is retrieved from an external source and loaded into the Penneo KYC application. The data is stored in the respective customer’s Penneo KYC profile for 5 years (from the date which the client relationship is created), in accordance with the Danish Accounting Act. If a shorter storage period is required, the customer can at any time configure the different profiles and delete the data in accordance with their own retention policies. If a client has questions about when their specific information will be deleted, they should contact the customer.

Penneo’s customers can add and remove or edit the access to the information within Penneo KYC, for any user at any time.

Categories of data subjects

End users of the Controller: End users of the Controller’s solutions or Processor’s solutions used by Controller

The following types of personal data may be processed for end users/clients of the controller:

  • Name
  • Email addresses
  • National identity numbers
  • Mobile phone number
  • Date of birth
  • Date of death
  • Gender
  • Addresses
  • Nationality
  • Compliance/risk rating information (PEP and Sanction list)
  • Roles in an organization
  • Affiliated company organizational ownership details
  • User meta data (IP address, Language settings, Device type, Browser)

The processed data is retrieved from external sources both public and commercial registers, as well as entered manually by client and customer users. All retrieved is based on the instruction of the Controller.

Last updated: 14th of February 2023

Discover what you can achieve with Penneo