Lawful bases for processing personal data at Telesign

Introduction

Telesign processes personal data to deliver our products and services to our customers. To do so we rely most commonly on the lawful basis of either consent or legitimate interest. 

We obtain personal data in two ways, either (1) directly from individuals; or (2) via third party providers.

‍

(1) Personal data obtained directly from individuals

When Telesign is acting as a Data Controller and the personal data in question is from our own databases, it will have been obtained directly from the individual in one of the following ways:

a)     Phone or email correspondence with Telesign directly

b)     Participation in Telesign surveys, evaluations, and promotions

c)     Signing up to Telesign’s email mailing list

d)     Submitting personal data through Telesign’s websites and customer portals.

For what purposes do we use the personal data?

Telesign collects personal data to provide outstanding customer service, operate the services we provide to customers, for marketing of our services, and to detect, prevent, mitigate, and investigate fraudulent or illegal activities.

Telesign may process personal data for one or more of the following business purposes:

• To provide information, goods, or services.
• To improve and enhance services.
• To conduct research and maintain statistics.

Telesign ensures complete transparency to individuals and provides appropriate privacy information in line with applicable laws in our Privacy Notice; ensuring individuals are fully aware of the purposes for which their personal data is being processed, the lawful basis being relied upon for such processing, the categories of information being collected, and all other information as required under applicable laws.

What lawful basis does Telesign rely on?

As a Data Controller, we collect and use personal data only when the individual has provided us with consent, or where there exists a legitimate interest to process the personal data, for example to develop solutions that prevent fraudulent and illegal behaviors in provision of our services to customers.

(2) Personal data obtained from third parties 

The third parties that provide Telesign with personal data can be split into two groups: a) Providers and b) Customers.
‍

a)    Providers

Telesign’s third party providers acquire personal data from a variety of different sources including publicly available databases, public search engines, telecom operators’ directories, consumer transaction records and scoring services. Telesign conducts due diligence on all such third-party providers to ensure that their sources of personal data are legitimate and in line with applicable data privacy laws and regulations.

What lawful basis does Telesign rely on?

Where personal data is provided to Telesign by a third party, the party certifies in their agreement with Telesign that they have obtained the required consent of the individuals to whom the personal data relates (the ‘data subject’), or that they have another lawful basis to process the data under applicable data privacy laws, such as a legitimate interest under Article 6(1)(f) of the GDPR. Telesign’s third party providers are also more generally contractually obliged to fully comply with all applicable data privacy laws in their processing of personal data.

Risk assessments 

Telesign carries out a comprehensive risk assessment to thoroughly assess every third party provider’s data privacy and security practices. We only contract with providers that provide sufficient answers and guarantees that ensure us they are acting in compliance with data privacy laws and treating personal data in a manner aligned with the key principles of data protection, namely: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. If the provider does not pass this initial assessment, then Telesign will not contract with them.

Business contracts 

Once the provider has passed this initial assessment, they can then enter a business contract with Telesign. All our business contracts obligate the provider to adhere to Telesign’s information security and privacy policies and standards as well as complying with all applicable data privacy laws. This again ensures that the personal data provided to Telesign for use in our products is only sourced via lawful means, based on a lawful basis and with respect for the rights and freedoms of individuals.

Transparency 

Individuals are made aware of the fact their personal data will be shared with Telesign by the provider via the providers own consent forms, privacy notices and/or other privacy information. Telesign’s privacy notice also provides full transparency regarding the sources we obtain personal data from, including where such data is not obtained directly from data subjects.
‍

b)    Customers

Telesign’s Customers provide personal data to Telesign through their use of Telesign’s services. In these situations, Telesign is the Data Processor and the Customer the Data Controller. Our Customers give us instructions in contracts (usually, Data Processing Agreements) on what to do with the personal data they are sending to us. 

Customers use Telesign’s services to:

• Send SMS / text messages or make voice calls to end-users containing alerts, reminders, notifications, or one-time passcodes.
• Send SMS / text messages or make voice calls for automatic verification to end-users and to power private two-way communications on digital platforms owned by our Customers.
• Gather data intelligence and/or fraud risk assessment about end-user phone numbers. Data intelligence includes device information, SIM swap detection, subscriber status, contact information, location, risk score, etc., to strengthen authentications, evaluate fraud risks, prevent fraudulent behaviors and enhance the user experience. 

Telesign’s Customers obtain end-user consent for use of personal data in the data services that Telesign provides.

What lawful basis does Telesign rely on?

In the delivery of our products and services, we only use personal data for Customer approved purposes or legitimate interests such as fraud prevention, based on applicable data protection laws.