Know-Your-Customer procedure

Last updated: 22 April 2022
Hacken OÜ (“Company” or “we”) processes your personal data. We care about your privacy — we protect your personal data and inform you about what we do with it. In this Privacy Policy of the HackenProof Know-Your-Customer procedure (“Notice”), we describe how we process, use and share the personal data of:
Cyber security specialists (“Specialists”): all specialists who participate in HackenProof and are subject to the Know-Your-Customer Policy of the Company.

Scope of the document

The Notice applies to Specialists’ personal data we process when we are doing the Know-Your-Customer (KYC) procedure regarding the Specialists.

Information about us

Data controller: Hacken OÜ. Registration number: 14351915.
Address: Kai tn 1-5M, Tallinn city, Harju county, 10111.
Email: [email protected]

Why we need your data

We need to know who you really are and whether we can lawfully work with you. That is why we conduct the Know-Your-Customer due diligence procedure (“Due Diligence” or “DD”). During the DD we ask for your ID/passport and other information for your identification and for other purposes. We briefly describe the DD below. We are aware that we plan to request your ID/passport and other documents, which you (probably) would prefer not to share with other persons. We understand and respect your privacy and your desire to be anonymous wherever possible. However, we must comply with the law, and the law requires us to collect your documents as part of the DD.
Note: If you refuse to provide your data and documents, we will be unable to conduct the DD. We do not want to violate the law, so, if you refuse to provide your data, we will not cooperate with you.
When we conduct the DD we follow the following regulations:
  • Council Decision (CFSP) 2019/797 of the European Union;
  • Council Regulation (EU) 2019/796 of the European Union;
  • Money Laundering and Terrorist Financing Prevention Act of Estonia;
  • Council Implementing Regulation (EU) 2020/1744 of the European Union dated November 20, 2020;
  • Anti Money Laundering Directives, etc.
We will also follow any other regulations that are binding on us.

How we collect your data

We collect your personal data when we:
  • receive it from you;
  • receive it from third parties;
  • screen the sanctions lists.
Note: We do not knowingly process personal data of the Specialists under the age of 13 without consent from their legal representative(s). If you are such a Specialist or the legal representative of the Specialist, please let us know by email at [email protected]
We look into the sanctions lists of different countries and organisations to see whether you are sanctioned by any country. We screen:
  • Annex to Executive Order 13694 of the President of the United States of America;
  • Annex I to Regulation (EU) 2019/796;
  • SDN List by OFAC (USA);
  • List of persons/organisations on the “Most Wanted” list of the Federal Bureau of Investigation of the US;
  • List of persons/organisations wanted by Interpol;
  • Consolidated List of Financial Sanctions Targets in the UK.
We are not limited to the EU and Estonian sanctions lists, so we also check other important sanctions lists.

Persons responsible for the Due Diligence

Responsible Persons will be doing the DD in the Company. The Responsible Persons are:
Person: Chief Executive Officer
Description: CEO of the Company. The CEO is the main responsible person for the KYC in the Company. He ensures compliance of the Company with the KYC legal regulations.
Responsibilities: The CEO appoints the Compliance Executive. In the absence of the appointed Compliance Executive, the CEO will act as the one.
Person: Responsible Officer
Description: Employee or contractor of the Company who undertakes to do the DD.
Responsibilities:
  • Perform DD: collect and review documents, assess risks, ask for additional data, screen sanctions lists;
  • Cooperate with the CEO when necessary.
Also, the Compliance Executive will be conducting the DD, and the Lawyers will assist us with KYC compliance and the DD in particular.

Stages of the Due Diligence

We will conduct the Due Diligence before we give you access to the information, resources and credentials of private programs. The DD will take 3-7 business days. The procedure could take longer if we need to obtain and review additional information or to consult with the Lawyers. To speed up the DD we may use KYC software provided by a third-party company. We would not cooperate with this company unless it is trustworthy and respectful of privacy. The Due Diligence is conducted in the following way:
1. You send us:
  • a copy of your national ID or another document that verifies your identity;
  • additional documents and information, if negotiated between us.
We also ask you to take a selfie of yourself holding the opened document so we can see both the document and your face. If you do not send us your documents, we will not cooperate.
2. The Compliance Executive / Responsible Person reviews the documents and verifies your identity.
3. The Compliance Executive / Responsible Person screens the sanctions lists using KYC software or websites. We do not need information or documents from you at this stage.
4. Based on the documents and information, the Compliance Executive / Responsible Person assesses the risks and does or does not recognise you as a risky or suspicious person.
  • If you are recognised as a risky or suspicious person, the Compliance Executive / Responsible Person double-checks the provided documents and asks for additional documents: a bank statement for the past year; a tax declaration, if applicable, for the past 3-5 years; a CV and work experience for the past 10 years; other documents or information that may be necessary.
  • If you are not recognised as a risky or suspicious person, the DD proceeds directly to the decision.
5. The Compliance Executive / Responsible Person makes the decision whether the Company can cooperate with you. If the decision is “yes”, we will cooperate, and the Compliance Executive / Responsible Person will periodically ask you to provide up-to-date documents, at least every 6 months. If the decision is “no”, we cannot cooperate. The Compliance Executive / Responsible Person informs you and the CEO about the results of the DD.

Personal data we process

We collect data when: We start the DD
Categories of personal data:
  • National ID or another identity document; all information from the document (name, nationality, etc.);
  • Information as negotiated between us.
Purposes of processing: Verify your identity. Discover your whereabouts to know that you are not located in a sanctioned jurisdiction.
Legal basis: Legal obligation. Legitimate interest.

We collect data when: We screen sanctions lists
Categories of personal data (if you are mentioned in a sanctions list):
  • Your profile or record in the sanctions list, reasons for inclusion in the list;
  • Name, nationality, any other data included in the list.
Purposes of processing: Check your sanction status.
Legal basis: Legal obligation. Legitimate interest.

We collect data when: We have identified that you are a risky or suspicious person
Categories of personal data:
  • Bank statement for the past year;
  • Tax declaration, if applicable, for the past 3-5 years;
  • CV, work experience for the past 10 years.
Purposes of processing: Establish that we can lawfully and without risks work with you.
Legal basis: Legal obligation. Legitimate interest.

To whom we share your data

To conduct the DD, we need to share your data with other persons. If it is necessary, we will ask for your consent.
Person: KYC software company (Germany)
Who they are and what we share: We use your name and other data to run the DD through the software of another company.
Person: Lawyers (Slovakia)
Who they are and what we share: Lawyers who occasionally help us with the DD. We may share your data so they can assist us with the DD.
Person: Service providers
Who they are and what we share: Contractors and vendors who provide services that require access to data collected during the DD.
Person: Government authorities
Who they are and what we share: Under a lawful request of an authorised government authority, we will disclose your data to the requested extent.

Transfer outside the EEA

We transfer personal data to the Lawyers that reside in Ukraine. Ukraine does not provide an adequate level of personal data protection. We will use the Standard Contractual Clauses to ensure the protection of your personal data.
We may share your personal data with non-EEA countries that do not provide an adequate level of personal data protection. In this case, we will use safeguards to ensure that your personal data is duly protected.

Storing of personal data

Under article 47(1) of the Money Laundering and Terrorist Financing Prevention Act of Estonia we must store documents received during the DD for 5 years after we end a business relationship with you. After that, we will delete your documents.
Since we are legally obliged to store these documents, you cannot send us a request to delete data about you before the 5-year period ends.
We store information from the sanctions lists for 1 year after we end a business relationship with you. You can request deletion of this data.
We store personal data on our servers in Estonia.

Security

To protect your personal data, we implement appropriate organizational and technical measures. Given the sensitivity of the data we store — your ID/passport — we are serious about data protection.
Organizational measures:
  • Non-disclosure agreements with employees and contractors
  • Security and privacy policies
  • Limiting access to personal data only to authorized persons
  • Security checkups and training
  • Strong passwords, periodically changed
  • Physical security of premises and data servers
Technical measures:
  • Servers that comply with ISO 27001
  • Separate data storage for your personal data
  • Password-protected access to storage with your personal data
  • Encryption
  • Careful use of email and Internet (using licensed antivirus software, performing security checks of emails from third parties)
  • Data backups

Your privacy rights

As the data subject, you have the following rights:
Right to access: You can request an explanation of the processing of your personal data.
Right to portability: You can request all the data that you provided to us, as well as request a transfer of the data to another controller.
Right to restrict processing: You may partially or completely prohibit us from processing your personal data.
Right to file a complaint: You can file a complaint with the data protection authority.
Right to be forgotten: You can send us a request to delete your personal data from our systems unless there is a legal obligation to keep it.
Right to withdraw consent: You can always withdraw your consent for the processing of personal data, and we will stop processing it.
To exercise your rights, email us at [email protected]. We will answer you as soon as possible.
Note: We may ask you to verify your identity before responding to a request.
You can file a complaint to the regulatory authority — the Data Protection Inspectorate (Andmekaitse Inspektsioon) at email [email protected] or address Tatari 39, 10134 Tallinn.

Update of the Notice

The General Data Protection Regulation applies to the Notice and the relationships falling under its effect.
Existing laws and requirements for the processing of personal data or KYC may be changed. In this case, we will notify you by email or in another way.