Back to Home

GDPR Compliance

Last Updated: March 5, 2026

ICP Verification is committed to ensuring compliance with the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), in addition to our obligations under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. This page explains how we comply with the GDPR when processing the personal data of individuals in the European Economic Area (EEA), and describes the rights available to data subjects under the GDPR. This policy should be read alongside our Privacy Policy.

1. Lawful Basis for Processing

Under Article 6 of the GDPR, we must have a lawful basis for processing your personal data. We rely on the following lawful bases:

  • Consent (Article 6(1)(a)): We process your personal data based on your consent when you voluntarily provide information to us, such as when you register for an account or submit a verification request. You may withdraw your consent at any time by contacting us at support@icpverification.ae.
  • Performance of a Contract (Article 6(1)(b)): We process your personal data when necessary to perform our obligations under a contract with you, such as processing your verification requests and delivering the services you have purchased.
  • Legal Obligation (Article 6(1)(c)): We process your personal data when necessary to comply with our legal obligations under UAE and applicable international laws, including AML and KYC requirements.
  • Legitimate Interests (Article 6(1)(f)): We process your personal data when necessary for our legitimate business interests, such as improving our services and preventing fraud, provided that such processing does not override your rights and freedoms.

For special categories of personal data (such as biometric data used for identity verification), we rely on explicit consent as required by Article 9 of the GDPR.

2. Data Subject Rights

Under the GDPR, data subjects within the EEA have the following rights:

  • Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and access to a copy of that data.
  • Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data and completion of incomplete data.
  • Right to Erasure / "Right to Be Forgotten" (Article 17): You have the right to request deletion of your personal data when it is no longer necessary or when you withdraw consent.
  • Right to Restriction of Processing (Article 18): You have the right to request restriction of processing in certain circumstances.
  • Right to Data Portability (Article 20): You have the right to receive your data in a structured, machine-readable format and have it transmitted to another controller.
  • Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal effects.

To exercise any of these rights, contact our Data Protection Officer at support@icpverification.ae. We will respond within thirty (30) days and may request identity verification.

3. Data Processing Activities

We process personal data for the following specific purposes:

  • Identity Verification: Processing personal identification data for verifying identity through UAE Pass, government databases, and financial institutions.
  • Service Delivery: Processing verification-related data to deliver and manage our services, including criminal record checks and watchlist screening.
  • Account Management: Processing account-related data to manage your account, authenticate access, and provide customer support.
  • Payment Processing: Processing financial data to process payments and manage billing in compliance with financial regulations.
  • Security and Fraud Prevention: Processing technical data to detect and prevent fraud and ensure platform security.
  • Communication: Processing contact data to send service-related notifications and OTP codes.

4. Data Protection Officer

In compliance with Article 37 of the GDPR, ICP Verification has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and compliance. Our DPO operates independently and reports directly to the highest level of management.

  • Informing and advising ICP Verification about GDPR and UAE data protection obligations
  • Monitoring compliance with the GDPR, including staff training and audit participation
  • Providing advice on Data Protection Impact Assessments (DPIAs)
  • Acting as the contact point for data subjects and supervisory authorities

You may contact our Data Protection Officer at any time at support@icpverification.ae.

5. International Data Transfers

As our services are based in the UAE, the transfer of personal data from the EEA to the UAE constitutes an international transfer under the GDPR. We ensure compliance with Chapter V of the GDPR by implementing:

  • Adequacy Decisions: Where the European Commission has determined that a country provides adequate data protection, transfers may proceed on that basis.
  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for transfers to third countries.
  • Binding Corporate Rules: Where applicable, we implement BCRs approved by relevant supervisory authorities.
  • Additional Safeguards: We implement encryption, pseudonymization, and access controls to ensure essentially equivalent protection.

6. Breach Notification

In compliance with Articles 33 and 34 of the GDPR, we have established procedures for data breaches:

  • Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach.
  • Data Subject Notification: When a breach is likely to result in high risk, we will communicate directly with affected data subjects.
  • Breach Documentation: We maintain records of all breaches as required by Article 33(5).
  • Preventive Measures: We implement robust security measures including encryption, intrusion detection, and employee training.

7. Data Protection Impact Assessments

In accordance with Article 35 of the GDPR, we conduct DPIAs for processing activities that are likely to result in high risk to data subjects. Our DPIAs include a systematic description of processing operations, assessment of necessity and proportionality, assessment of risks, and measures to address those risks. We review and update our DPIAs regularly, particularly when processing activities change. We consult with the relevant supervisory authority before processing where a DPIA indicates high risk that cannot be mitigated.

8. Your Right to Lodge a Complaint

Under Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. You may also seek a judicial remedy under Article 79. We encourage you to contact us first at support@icpverification.ae so that we can address your concerns before you approach a supervisory authority.

9. Contact Us

For any questions about our GDPR compliance or to exercise your data subject rights:

Data Protection Officer — ICP Verification
P.O. Box 1493 Dubai - United Arab Emirates
support@icpverification.ae
icpverification.ae / icpselfserviceportal.ae