GDPR Recital 47
The General Data Protection Regulation (GDPR) of the European Union recognises fraud prevention as a legitimate interest that can serve as a legal basis for processing personal data, including sharing it with third parties. Recital 47 of the GDPR states that "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned."
Full Text of Recital 47
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
While we receive personally identifiable information from our members for fraud prevention purposes, we do not store any of it in plaintext. Instead, we apply a one-way cryptographic hash function to the data before storing it in our database, so the stored values cannot be turned back into the original data and we never retain access to it.
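As an added example (not FraudRecord's own code), the following Python shows how hashed storage of this kind can be built so that screening still matches: identifiers are normalized, then hashed with a secret key (HMAC-SHA256) rather than a bare hash, because an unkeyed hash of a low-entropy value such as an e-mail address can be reversed by checking it against a list of candidates. The pepper value, the field names and the sample reports are assumptions made for the example.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, List, Optional

# Constructed secret for this example only. A real deployment keeps the key in a
# KMS/HSM, outside the database, so a database dump alone cannot be used to test guesses.
PEPPER = b"example-pepper-not-for-production"


def normalize(field: str, value: str) -> str:
    """Canonicalise an identifier so that trivially different spellings match."""
    v = unicodedata.normalize("NFKC", value).strip().lower()
    if field == "phone":
        return "".join(ch for ch in v if ch.isdigit())
    return " ".join(v.split())


def token(field: str, value: str, key: bytes = PEPPER) -> str:
    """Keyed one-way token: HMAC-SHA256 over 'field:normalized-value'."""
    msg = f"{field}:{normalize(field, value)}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_token(field: str, value: str) -> str:
    """Plain SHA-256, kept only to show why a key is needed (see guess_unkeyed)."""
    return hashlib.sha256(f"{field}:{normalize(field, value)}".encode("utf-8")).hexdigest()


def guess_unkeyed(stored: str, field: str, candidates: List[str]) -> Optional[str]:
    """An unkeyed hash of a low-entropy identifier falls to a candidate list;
    the same loop gets nowhere against token() without the pepper."""
    for c in candidates:
        if unkeyed_token(field, c) == stored:
            return c
    return None


class FraudRecordStore:
    """Reports are keyed by token; no plaintext identifier is ever stored."""

    def __init__(self) -> None:
        self._reports: Dict[str, List[str]] = {}

    def report(self, field: str, value: str, reason: str) -> None:
        self._reports.setdefault(token(field, value), []).append(reason)

    def screen(self, field: str, value: str) -> List[str]:
        return list(self._reports.get(token(field, value), []))
```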
Requirements for GDPR Compliance
It is essential that members who submit reports about clients ensure that they have the right to share the information with us. This means that they must have obtained the necessary consent from the data subjects by declaring their intention to share data with third parties for fraud prevention purposes.
All members must include a legal disclaimer in their Terms of Service or Privacy Policy, stating that they may share client information with third parties for fraud prevention purposes. This is a requirement for GDPR compliance as well.
[Your Company Name] utilizes FraudRecord to screen new orders for fraudulent activity and to report existing clients who violate our Terms of Service or Acceptable Use Policy. In the event of a violation, your information may be reported to FraudRecord in a non-identifying, anonymized form.
Data Storage Location within the EU
Our servers are located in the European Union, and we store all data within the EU. We are also an EU-registered company, RecordWave OÜ, registered in Estonia.