94%
Compliance Score
7
Open DSR Requests
1
Overdue Requests
Active Consents
3
Breaches (12mo)
284
Erasures YTD
🛡️ Data Protection Management
Data Subject Rights
Consent Registry
Breach Register
Record of Processing
Data Transfers
Compliance Status
GDPR Articles 15–22 • 30-day response deadline
🚨 1 overdue request: Request DSR-2024-0041 (Right to Erasure) exceeded 30-day deadline by 3 days. Escalate immediately.
Request ID Type Subject Submitted Deadline Days Remaining Status Actions
📜 GDPR Rights Reference
Article 15
Right of Access
Subject may request confirmation of processing and a copy of personal data held.
Article 16
Right to Rectification
Subject may request correction of inaccurate or completion of incomplete data.
Article 17
Right to Erasure
"Right to be forgotten" — erasure of personal data without undue delay.
Article 18
Right to Restriction
Subject may restrict processing under specified circumstances.
Article 20
Right to Portability
Receive data in structured, commonly-used, machine-readable format.
Article 21
Right to Object
Object to processing for direct marketing or legitimate interest purposes.
GDPR Articles 33–34 • 72-hour DPA notification requirement
ℹ️ Under GDPR Article 33, personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware of them. Article 34 requires notifying affected individuals if the breach poses a high risk to them.
Breach ID Date Discovered Type Severity Records Affected DPA Notified Individuals Notified Status
GDPR Article 30 — Record of Processing Activities (ROPA)
GDPR Chapter V — International Data Transfers & Safeguards
⚠️ Any transfer of personal data to a third country requires an appropriate safeguard under GDPR Chapter V. Verify all transfer mechanisms are current.
Transfer Destination Country Adequacy Decision Transfer Mechanism Data Categories Volume/Year Last Reviewed Status
Overall GDPR Compliance Assessment — Last reviewed: 2025-01-10
Lawful Basis Documentation
100%
Privacy Notice Completeness
92%
DSR Response Timeliness
87%
Data Minimisation
95%
Retention Policy Compliance
78%
Breach Notification Timeliness
100%
International Transfer Safeguards
96%
Consent Management
100%
DPO Appointment & Training
100%
Privacy by Design Implementation
82%
📊 Overall Compliance Score: 94%
Priority actions: (1) Resolve overdue DSR request DSR-2024-0041. (2) Review data retention for inactive accounts older than 7 years. (3) Complete Privacy by Design assessment for new settlement module.
👤 Data Protection Officer
Alexandra K. Mercer, CIPP/E
Title: Chief Data Protection Officer
Email: dpo@blackstar.ip
Phone: +44 20 7946 0800 ext. 201
Registered: ICO Registration Z3842190
Jurisdiction: UK GDPR / EU GDPR
Appointed: 2022-03-01
Next Review: 2026-03-01
Supervisory Authorities
🇬🇧 ICO — UK Information Commissioner's Office
https://ico.org.uk | Reg: Z3842190
🇪🇺 EDPB — European Data Protection Board
Lead Authority for EU operations
📦 Data Inventory Summary
🪪
Identity & KYC Data
Name, DOB, nationality, passport/ID, selfie, address verification
Retention: Duration + 7 years | Encryption: AES-256
Active
💳
Financial Account Data
IBAN, account balances, transaction history, currency holdings
Retention: 10 years (regulatory) | Encryption: AES-256
Active
📊
AEOI/Tax Reporting Data
Tax residency, TIN, reportable account information, CRS/FATCA records
Retention: 10 years post-report | Lawful: Legal obligation
Active
🌐
Domain Registration Data
Registrant details, WHOIS records, DNS configurations
Retention: Domain duration + 3 years | Privacy: Shielded
Active
📱
Usage & Analytics Data
Login times, IP addresses, browser fingerprints (pseudonymised)
Retention: 24 months rolling | Basis: Consent
Consent-gated
🔔
Marketing Preferences
Email opt-ins, notification preferences, product interests
Retention: Until withdrawal | Basis: Consent
Consent-gated
Audit & Security Logs
System access logs, API calls, authentication events, settlement logs
Retention: 7 years | Lawful: Legitimate interest + Legal obligation
Active