We have decided to perform know-your-customer (“KYC”) checks. This is a best practice measure that has become the norm for blockchain projects. We will process your personal data in accordance with the European Union (“EU”) General Data Protection Regulation (“GDPR”), which is considered by many as the world’s strictest data protection regime.
This KYC Privacy Notice informs you about how we process your personal data when conducting our KYC checks as well as your rights in connection with your personal data.
1. Our commitment to data protection principles
We are responsible for the processing of your personal data (as a “data controller” pursuant to the GDPR). In order to protect your personal data in connection with our KYC checks, we are committed to adhere to the GDPR principles below. Every individual working for us must also adhere to these principles in performing his or her day-to-day duties. We will therefore make sure that your personal data is:
(a) processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation);
(d) accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that your personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (accuracy);
(e) kept in a form which permits your identification for no longer than is necessary for the purposes for which personal data is processed (storage limitation); and
(f) processed in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (integrity and confidentiality).
2. For what purposes and on what grounds is your data processed?
We perform KYC checks as necessary for our and our contributors’ legitimate interests to (i) make sure that we are not involved with individuals or entities who are designated as terrorists or are otherwise subject to sanctions or export control restrictions or with parties engaged in money laundering; (ii) communicate with you, including to respond to any requests you may have; (iii) make sure that the Tezos Foundation is not misused for terrorism or money laundering purposes and to protect the Tezos Foundation from government interference by not giving government authorities a reason to unduly investigate the Foundation.
3. Which of your data is processed in connection with the KYC checks?
To perform a KYC check, our KYC service providers collect certain personal data about you. The personal data collected is (i) data provided by you in the course of the online identity verification process or (ii) data that was made publicly available, to include:
- country of residence;
- date of birth;
- copy of a government-issued photo ID and a photo;
- IP address concerning your access to the KYC portal;
- information about you that was made publicly available;
- sum of contribution; and
- other data provided by you in the context of the KYC check.
We process your personal data in strict compliance with the data protection principles set out under point 1 above and we make sure that your personal data is appropriately secured (see point 5 below for details).
In case you or the organization for which you are acting does not provide the relevant information, we may not be able to provide the activation code that is required for you to access the recommended allocation.
4. Disclosure and transfer of your data
The Tezos Foundation is based in Switzerland and we use a service provider to help us conduct the KYC checks. We are permitted to transfer your personal data to our servers in Switzerland because Switzerland is currently on the European Commission’s list of countries found to provide adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data.
We also disclose your personal data to IT and other KYC service providers which are under strict confidentiality obligations and process your data only as instructed by us, in particular TokenSoft, Inc., 700 N Valley St Ste B, Anaheim, CA 92801, United States of America, and Chartwell Compliance, 6701 Democracy Boulevard, Suite 300, Bethesda, MD 20817, United States of America, as necessary to conduct the KYC checks. The United States may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located. Where we transfer your personal data out of the EU we will take steps to ensure that your personal data receives an adequate level of protection where it is processed and your rights continue to be protected.
We will not voluntarily share any of your personal data with any government authorities. If we receive a request to disclose your personal data to a government authority, we will thoroughly assess the request and will in particular consider possible legal challenges against such request. We will only comply with any such request that is binding, enforceable and issued in full compliance with applicable law.
To receive information on the measures and safeguards we take when your personal data is transferred outside your country of location, you may contact us.
5. Securing your data
We have implemented various technical and organizational security measures to ensure that your personal data is adequately protected from unauthorized access or other unlawful use. This includes contractual arrangements with all of our IT and KYC service providers that require them to also implement the necessary security measures.
Our commitment to security also means that we have imposed strict confidentiality obligations on all of our staff and that we have implemented various data security policies to protect your data.
6. Data retention
In accordance with the principle of storage limitation set out in point 1 above, we retain your personal data for five years from the completion of the KYC check. Following the five year retention period, the data will be destroyed.
7. Your rights in connection with your data
Under applicable law, you have, among others, the rights (under the conditions set out in applicable law): (i) to request access to your personal data, including to obtain a copy of such data, (ii) to request correction of inaccurate personal data or to have incomplete personal data completed; (iii) to request deletion of your personal data in certain circumstances, such as if the data has been processed in non-compliance with applicable requirements, (iv) to request us to restrict the processing of your personal data, (v) to object for legitimate reasons to the processing of your personal data when we process it on the basis of a legitimate interest; (vi) to revoke any consent previously granted (if applicable) for the processing, but this will not affect the lawfulness of the processing until the revocation, (vii) to request data portability where the data is processed on the basis of your consent or the necessity for the performance of a contract concluded with you, and (viii) to lodge a complaint with the competent authority.
If you would like to exercise your rights listed under point 7 above or if you have any request regarding our use of your personal data you may contact us by emailing [email protected] or by letter to:
Attention: Data Protection
If you are an individual in the EU, you can also contact VeraSafe, which has been appointed as Tezos Foundation’s representative in the EU pursuant to Article 27 GDPR, only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative.
Alternatively, VeraSafe may be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road