Applicant Privacy Policy

If you are an Applicant, this is what you need to know:

Welcome to our Privacy Policy! Here we explain:

  • the personal data we collect from you when our Client uses our Software and Services
  • how we obtain your consent to collect and use that data
  • how we keep your data secure
  • how you can contact us

For the purposes of conducting a Service for our Client, we are joint data controllers together with our Client. Our due diligence Software is called Spotlite.

If you want to contact us directly, our details are: -

CDD Management Services Ltd
2 Mount Street,
M2 5WQ
United Kingdom

The contact details for our Data Protection Officer are: -

David Crack
CDD Management Services Ltd
2 Mount Street,
M2 5WQ
United Kingdom

Our Client has requested that we conduct due diligence checks on you

We require information from you for the purposes of regulatory compliance, due diligence, correspondence, security and prevention of abuse. Our Client, or their representative – the Spotlite User – will make it clear to you why they have asked us to perform these checks and what they are going to do with information once our checks are complete.

You are in control, nothing can happen until you provide consent

Whilst we are providing a Service to our Client, we can only provide that Service with your consent.

The app will provide you with a summary of the main points of our privacy policy as well as provide a link to this document. You should read both before proceeding. To confirm your consent, the app will ask you to take a selfie (the picture will only be taken when you blink at the camera) and then tick the box to confirming you consent for your data and photograph to be used to conduct the checks associated with our Client’s requested Service.

This is the information we collect from you

Besides your selfie, we will ask you to provide your phone number, email address, selected identity documents, nationality, age and address. You may also be asked to provide or confirm any social media profile details. The specific identity documents required, and the detail collected depends on the Service requested by our Client. They will provide more information to you on request.

How we use your information

We use your identity information to perform multiple checks with Third Party Data and Service Providers across the globe. Some of these checks are automatic data provision; some are manual processes.

In some circumstances, we may ask you some additional questions to confirm your identity or to resolve ambiguities in any external data we have found about you.

Where we share or disclose your information

We only share your data with Third Party Data and Service Providers for the purpose of completing the Service checks requested by our Client. We do not provide your information to third-parties for the purposes of sales and marketing or for third-party research. We may ask your consent to keep you informed about developments within CDD Services group of companies.

Assuming we can verify your identity and we are legally empowered to do so, we will securely disclose to you the results of our checks by sending you a link to a copy of the Certificate we send to our Client. If there are any inaccuracies in the data, you should let our Client know immediately.

We will also provide you with the contact details of each of the third-parties who have provided us with information. You may contact them directly concerning the data they provide about you.

If we suspect you are abusing our services for criminal intent, any wrong doing or any other conduct we deem inappropriate, then we will report our suspicions to the relevant law enforcement agencies for your jurisdiction as well as other relevant third-party organisations. It is illegal for us to tell you that we have reported our suspicion or that a criminal investigation is in progress.

How long do we store your personal data

Unless otherwise requested by our Client and specifically communicated to you, we only retain a copy of your certificate for a period of 30 days; after that date, we remove your selfie and biometric details from our systems and you will need to contact our Client directly for a copy of the Certificate. Thereafter, we only retain your name, our Client’s reference and third-party references for our legitimate interest of reconciling and billing our accounts and for audit purposes.

The exception to this is if we suspect you are abusing our services for criminal intent, any wrong doing or any other conduct we deem inappropriate. In these circumstances, we may securely retain your biometric details, Certificate and third-party verification data as part of our criminal prevention services and to support criminal investigations.

Where we do retain data about you, this data is held up to a period of seven years.

Your rights in respect to your personal data

As previously stated, we cannot perform our Services until you provide consent. You can then exercise your rights to withdraw consent as follows:

  • the right to withdraw consent as to the processing of your personal data
    You can withdraw your consent after your documents have been scanned and before the Spotlite User submits your details for processing. Once the Submit button is pressed, your identification data is automatically sent to our third-party suppliers. In most cases the third-party checks are completed in seconds; where the process is manual you can withdraw at any time by notifying our Client who will inform us accordingly.
  • the right to have your personal data erased from our records
    If you withdraw your consent before the Submit button is pressed and the User cancels the Service, then all your personal data is removed from the device and our servers immediately.

    Once our certificate is produced, we only hold your details for 30 days unless our Client has explicitly asked us to do otherwise. In these cases, you need to inform our Client who will contact us directly.

    The exception to this is if we suspect you are abusing our services for criminal intent, any wrong doing or any other conduct we deem inappropriate. In these circumstances, it is of vital interest that we retain your biometric details to support investigations and protect our clients from future abuse by you. We may retain your biometric information for a period of seven years as part of our criminal prevention service.
  • the right to restrict further processing of your personal data
    Following the completion of the automated checks, you can contact our Client to prevent further processing of your data. Our Client will inform us accordingly.
  • the right to have your data transmitted to another data controller
    You may email your certificate to another data controller of your choosing.
  • the right to object to the processing of your personal data
    You can object to the use of our Services to perform these due diligence checks. You will need to agree an alternative course of action with our Client directly.

    If you are unhappy with our data protection policy, please let us know how we may improve. Alternatively, you may lodge a complaint with the UK’s Information Commissioners’ Office.

Where we store your personal information

The information that we collect from you is stored in the UK.

Depending on the Service, we may need to share data with some third-party providers outside of the jurisdiction of the UK, EU or EEA. In these cases, the third-party concerned may retain a record of our enquiry for technical monitoring, service quality improvements, troubleshooting and billing purposes. We contractually ensure that such third parties do not use your information for any purpose other than supporting our enquiries and that they maintain appropriate administrative, technical and physical security measures to protect this information against unauthorized access or disclosure.

You can find out if we use such third-parties for enquiries on you by asking the Spotlite User to click on Privacy Policy link and click on the ‘View Control Standards’ button for the Service they are requesting. This information will also be supplied to you on the Certificate.

Information Security

We use a range of technical and organisational measures to safeguard access to and use of, your personal information. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training.

Subject Access Requests

We fully disclose the information we hold about you within the Certificate, unless there is a legal reason prevent us from doing so or we cannot validate your identity. It is illegal for us to disclose to you information pertaining to reporting our suspicions concerning your potential criminal behaviour or of ongoing criminal or regulatory investigations concerning your information.

Contact Us