The second #rooftopmeetup: KYC & GDPR basics explained

Share this post:

The second #rooftopmeetup: KYC & GDPR basics explained

Share this post:

Yesterday PayCore.io once again opened its doors to everyone who wanted to enhance their expertise in compliance for fintech.

Together with Avitar, we are organising a series of educational events #rooftopmeetups to share our knowledge in payment and legal fields. The first event provided an introduction to compliance in payments. On the second one, we discussed the KYC and GDPR for fintech in more detail.

We prepared the gist of yesterday’s speeches for everybody who couldn’t make it to the event.

GDPR in a snap

Our co-founder and COO Den Melnykov shared a summary of the key principles of GDPR:

  • GDPR is a regulation with extraterritorial scope, meaning it applies to any business that provides services to EU residents, even if the business doesn’t have a physical establishment in the EU.
  • All the information on the objectives, methods, and volumes of personal data processing must be expressed as accessible and simple as possible.
  • Users’ (company employees) data can only be collected in terms of claimed and declared purposes.
  • Organisations are not allowed to collect more data than they need for their stated objectives’ achievement.
  • Inaccurate personal data must be removed or corrected at the request of the user.
  • Periods and forms of data storage must comply for processing purposes.
  • A company that processes personal data must ensure they are protected from unauthorised access, destruction, or damage.
  • GDPR implies appointing a Data Protection Officer (DPO) to conduct compliance monitoring, and an EU representative if the company doesn’t have an EU office.

How to comply

Maria Skakun, Senior Associate and Head of Business Development at Avitar, explained the KYC procedures and gave practical advice on how to comply with GDPR:

  • Map all your data flows to assess privacy risks and prepare relevant and viable documents.

  • Do not process the personal data of a child without the consent of the holder of parental responsibility over the child.

  • Have the relevant and comprehensive Terms of Use and Privacy Notice and cookies popup in place.

  • Don’t use pre-checked checkboxes for data processing-related popups on your website.

  • Timely update your data privacy policies and make sure your business truly follows them.

  • Your contact information should be easily accessible to users. Give them a chance to reach out to you first in case they want to clarify or complain about something.

  • Ensure you signed data processing agreements with everyone who has access to users data and processes it on your behalf.

  • Don’t fall outside the data retention periods required under GDPR for each kind of data.


The next joint event by PayCore.io and Avitar will be dedicated to chargebacks and refunds, and all the legal issues related. We would be delighted to meet you and answer all your questions!

Share this post: