What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is an EU law which will be in effect from 25 May 2018 onwards. It updates the current Data Protection Act (DPA), keeping many of its main concepts and principles in play. However, there are new elements and significant enhancements, such as new transparency and individuals’ rights provisions. The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability.
How will the new GDPR laws affect Coinomi users?
The GDPR includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling
Is Coinomi GDPR compliant?
Our processes cover all the rights individuals have, including how we collect, store, share and delete personal data:
There are no accounts in Coinomi Wallet. The application is freely available for download from Google and iTunes stores, while users can directly download the application from our website. We have no information about users' profiles in those platforms apart from the statistical data available to developers who use those stores to publish their product.
Installation of the application requests no personal data from users, and neither does its use. We keep no logs of users' transactions and exchanges, and our servers' records are cleared on a scheduled basis. Coinomi is a decentralised, non-custodial application which users can use totally anonymously; their personal data are not collected, logged, sold, forwarded or communicated in any way.
Coinomi will never ask users for their passwords, passphrases, real names or locations while providing support.
Users' email addresses are required for registration to our Helpdesk. Those emails are never resold or used in any other promotional way by Coinomi, and users can opt to use a pseudonymous nickname when registering. Ticket correspondence is archived for reference, and a user can always request deletion of their account from the Helpdesk, which will then be done immediately; all of their records of communication with our support team via the Helpdesk will be purged.
Our website's privacy statement can be found at https://www.coinomi.com/privacy/
The partner company's jurisdiction is irrelevant: if it serves EU-based customers, then it must comply with GDPR.
KYC requires the users' consent before the documents are submitted; therefore there is no violation of the directive whatsoever.
However, this is a rather delicate matter. There is lawful and unlawful processing of user data; GDPR's Article 6 describes the legal grounds that must apply for the processing to fall under the former. User consent is only one of the possible legal grounds, not the only one.
A more relevant term is "purpose limitation", which requires that the purposes for collecting user data be communicated to customers, by means of a privacy statement, before the data are actually processed. If the purpose changes along the way (for example in the case of an M&A, where the sale of user data is typically a crucial part of the deal), then customers must be informed of the sale and must be given an adequate timeframe to object to it. If they do object, no transfer is possible.
If KYC is performed by an external data controller, then a separate privacy statement applies. Again, the jurisdiction of said controller is irrelevant if the partner is serving EU customers.
Note: For the upcoming Shapeshift KYC, consult their own privacy information page: https://info.shapeshift.io/privacy-policy/