In order to provide its services and enable issuers to reserve and issue virtual shares to recipients, both the issuer and KOOS need to process certain personal data concerning these persons. In this section we explain the main data processing related obligations that apply on the issuer and KOOS on the basis of the GDPR. Please note that depending on the specific jurisdiction where the services are used, additional local data processing laws and regulations may apply.
Before defining the data processing roles and reviewing main obligations related to personal data processing, let’s remind some important privacy related terms.
- means any information that relates to an identified or identifiable individual, this includes also the personal email address or a mobile phone number of the person.
- means any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, etc. In the context of the KOOS services, the data subject typically means the recipient for whom virtual shares are reserved or issued, respectively.
- means any operation that is done on personal data, such as collection, transfer, retention, deletion, etc.
- means the person who determines the purposes and means of the processing of personal data.
- means the person who processes personal data on behalf of the controller.
As explained in other sections of this manual, the legal relationship between the issuer and the recipient is created through terms of virtual shares, as agreed between them. Before the terms of virtual shares are agreed, the issuer may reserve virtual shares for its community members which they can collect by agreeing to the terms of virtual shares and becoming a recipient. KOOS is not a party to this legal relationship. The issuer solely and independently determines the conditions and means for reserving and issuing virtual shares. The issuer also decides what personal data and for what purposes is needed for reserving and issuing the virtual shares and maintaining the register of the virtual shares. This means that the issuer is data controller in the context of processing the recipient’s personal data for the purposes of reserving and issuing the virtual shares, and maintaining the register.
If the issuer has decided to use KOOS platform for registering the virtual shares issued to the recipients, KOOS acts as a data processor for the issuer.
You as the controller are responsible for ensuring that the personal data processing complies with the GDPR and other applicable data processing laws. The controller shall ensure that the data processing complies with data processing principles, there is a legal basis for data processing, etc.
One important obligation of the controller is to provide data subjects with transparent and clear information on how their personal data is processed. In the context of using KOOS.io application and service, this means that the issuer should amend its privacy notice (or adopt entirely new privacy notice, if this is preferred) where the issuer explains how the personal data of the recipients is processed in the context of the virtual share program through KOOS. The privacy notice should be drafted being guided by the Articles 13 and 14 of the GDPR (if EU law applies) and include, in particular, the following information: - : your business name, company registration code, address, email address;
- :
to enable participation in the virtual share program, keeping the register of virtual shares and to perform the terms of virtual shares as entered between you and the data subject. In order to carry out the virtual share program, you will transfer certain recipients’ personal data to KOOS as the data processor and request KOOS to collect certain personal data from them on your behalf. The legal basis for such personal data processing is therefore GDPR Article 6 (1) (b) (performance of the contract);
Programmable Equity OÜ (registry code 16320994, hereinafter “KOOS”) who acts as a data processor to you and provides software and technology at https://www.koos.io to reserve and register virtual shares; data retention period applied by you, which is presumably the term of the terms of virtual shares, i.e. contract entered between you and the data subject, plus appropriate additional period after the end of the contract (for example, you may be entitled to retain the personal data based on your legitimate interest under GDPR Article 6 (1) (f) until the end of the relevant limitation periods pursuant to applicable law related to the contract with data subject);
overview of data subject rights pursuant to GDPR Chapter III, including right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, right to lodge a complaint at supervisory authority.
The following types of personal data of the recipients are usually processed as part of the virtual share program:
- contact details: e-mail address; phone number, first and last name and number of reserved or issued virtual shares and reason for issuing
- identity data: full name; date of birth or personal identification code, address details (country of residence; city or county, municipality; street, house and apartment number and postal code); customer reference number; identity document number and other document details; and other personal information required for identification or verification purposes. In case of a legal person, information about the representative - first and last name, title of the representative, the date of birth or personal identification code, and identity document number and other document details
- service data: data on reserved or registered virtual shares, number of virtual shares, transfers of virtual shares, value of virtual shares, other relevant information and statistics
- payment data: payment account details and payment amount.
The processor may process personal data only in line with the instructions of the controller. Pursuant to GDPR Article 28, where the controller uses the processor, the processing shall be carried out on the basis of the data processing contract entered between the controller and the processor.
Being guided on the above, the issuer as the controller and KOOS as the processor have entered a data processing agreement, whereby the issuer authorises KOOS to perform certain data processing operations and KOOS grants to the issuer relevant assurances regarding data processing. Data processing agreement between the issuer and KOOS is entered as appendix to the Terms of Service for Issuers and is accessible here: https://koos.io/legal/terms-of-service-for-token-issuers .