SCENARIO
Please use the following to answer the next question:
Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based
company that allows anyone to buy and sell cryptocurrencies via its online platform.
The company stores and processes the personal data of its customers in a
dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on
the platform. They then must successfully pass a Know Your Customer (KYC) due
diligence procedure aimed at preventing money laundering and ensuring
compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by
reading a disclaimer written in bold and ticking a checkbox on a separate page in
order to get their account approved on the platform.
All customers must likewise accept the terms of service of the platform. The terms
of service also include a privacy policy section, saying, among other things, that if a
customer fails the KYC process, its KYC data will be automatically shared with the
national anti-money laundering agency.
The KYC procedure requires customers to answer many questions, including
whether they have any criminal convictions, whether they use recreational drugs or
have problems with alcohol, and whether they have a terminal illness. While
providing this data, customers see a conspicuous message saying that this data is
meant only to prevent fraud and account takeover, and will be never shared with
private third parties.
The company regularly conducts external security testing of its online systems by
independent cybersecurity companies from the EU. At the final stage of testing, the
company provides cybersecurity assessors with access to its central database to
review security permissions, roles and policies. Personal data in the database is
encrypted; however, cybersecurity assessors usually have access to the decryption
keys obtained while running initial security testing. The assessors must strictly
follow the guidelines imposed by the company during the entire testing and auditing
process.
All customer data, including trading activities and all internal communications with
technical support, are permanently stored in a secured AWS S3 Glacier cloud data
storage, located in Ireland, for backup and compliance purposes. The data is
securely transferred to the cloud and then is properly encrypted while at rest by
using AWS-native encryption mechanisms. These mechanisms give AWS the
necessary technical means to encrypt and decrypt the data when such is required
by the company. There is no data processing agreement between AWS and the
company.
Should Jane modify the required GDPR rights waiver for non-European residents?