DORDLE
1.1 This Legitimate Interest Assessment (“LIA”) and lawful basis framework has been prepared by DORDLE Ltd. (“DORDLE”) to ensure that its processing of personal data complies with the Cayman Islands Data Protection Act (Revised) (the “DPA”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
1.2 DORDLE, as a credit bureau, plays a vital role in the financial ecosystem by collecting, analyzing, and disseminating credit information. In the Cayman Islands, credit bureaus must comply with the DPA.
1.3 The purpose of this document is to outline the lawful bases upon which DORDLE processes personal data and to provide a detailed assessment of processing activities carried out on the basis of legitimate interests. This document also defines the categories of data subjects to which the processing applies and sets out the safeguards and accountability measures applied to protect their rights.
2.1 Overview of Lawful Basis
2.1.1 Under the DPA and GDPR, personal data may only be processed where there is a lawful basis for doing so. DORDLE relies on multiple lawful bases depending on the nature of the processing activity. The GDPR provides six lawful bases for processing personal data, and similar provisions exist under the DPA. Each processing activity is assessed and justified under one or more of these lawful bases, including consent, performance of a contract, compliance with a legal obligation, legitimate interests, protection of vital interests, and public task/official authority.
2.2 Lawful Bases for Processing
2.2.1 DORDLE may process personal data with the consent of the data subject, such as for marketing purposes or where a Consumer uses DORDLE’s platform to track their own credit score. Consent is always freely given, informed, and revocable at any time.
2.2.2 Where personal data is necessary to fulfil contractual obligations, such as providing credit reports or other services to subscribers, the processing is undertaken under the performance of a contract.
2.2.3 Legal obligations, including AML/CFT legislation, the Proceeds of Crime Act (Revised), FATCA, or CRS, require processing for identity verification, record-keeping, and reporting.
2.2.4 DORDLE also relies on legitimate interests where processing is necessary for the provision of credit rating services, fraud prevention, service improvement, analytics, and proportionate business development. Where this basis is relied upon, a detailed Legitimate Interest Assessment is conducted.
2.2.5 In rare instances, processing may be undertaken to protect vital interests or to assist public authorities, although these are not routine bases for DORDLE’s operations.
3.1 “Consumer” refers to individuals and businesses whose personal data DORDLE holds. A Consumer may or may not be a direct client of DORDLE. Consumers include all individuals whose data is processed through subscriptions or via Subscribers, and they are subject to DORDLE’s lawful bases, safeguards, and privacy protections.
3.2 “Direct Client” means a Consumer who has subscribed to DORDLE for the purposes of accessing their own credit score, viewing their credit history, and receiving alerts regarding changes to their credit profile. Processing of Direct Client data relies on contract performance, consent for optional services, and legitimate interests such as fraud prevention and service improvement.
3.3 “Not a Direct Client” means a Consumer whose data has been supplied to DORDLE by a Subscriber but who has not directly subscribed to DORDLE’s services. Processing of Not a Direct Client data relies primarily on legitimate interests, including credit assessment, fraud prevention, analytics, and model development. Appropriate safeguards, balancing tests, and objection handling are applied to protect these individuals’ rights.
3.4 “Subscriber” refers to entities such as banks, utilities and service providers, strata agencies, and similar organisations that supply DORDLE with data on their clients or customers and use DORDLE services to conduct credit checks on potential customers or to monitor ongoing credit status and account activity of existing customers. Processing of Subscriber data relies on contract performance, legal obligations, and legitimate interests. Access is restricted to authorised personnel, and periodic compliance monitoring is conducted.
4.1 All data subjects retain rights of access, rectification, erasure, restriction, objection, and portability.
4.2 Where legitimate interests are relied upon, data subjects may object to processing at any time, and such objections are carefully evaluated.
4.3 DORDLE ensures transparency through clear privacy notices and maintains records of lawful bases, data categories, processing purposes, recipients, and retention periods.
5.1 Purpose Test
5.1.1 The primary purposes for relying on legitimate interests include providing credit rating and scoring services, protecting against fraud and financial crime, improving service quality and analytics, and supporting proportionate business development. Below are examples of these primary purposes:
5.1.1.1 Preventing Fraud and Financial Crime
Interest holder: DORDLE, financial institutions, and the broader financial system.
Interest description: Preventing fraud and financial crime through the use of credit data, fraud alerts, and public records.
Legitimacy Analysis:
- Fraud prevention is recognized as a legitimate interest under data protection laws
- The Cayman Islands Financial Reporting Authority (FRA) emphasizes the critical role of fraud alerts in protecting individuals and businesses
- Early detection and prevention of fraud is key to protecting against financial crimes
- Fraud prevention contributes to the stability and integrity of the Cayman Islands' financial system
- The interest is genuine and represents a real benefit to DORDLE, financial institutions, and data subjects.
5.1.1.2 Assessing Creditworthiness
Interest holder: DORDLE, financial institutions, and consumers.
Interest description: Using credit account information and credit scores to assess lending risks.
Legitimacy Analysis:
- Creditworthiness assessment is a core function of credit bureaus globally
- Proper credit administration and risk rating are important within financial ecosystems
- Accurate credit assessment helps prevent over-crediting, which benefits both lenders and borrowers
- The interest is genuine and represents a real benefit to DORDLE, financial institutions, and the broader economy
- Proper credit assessment contributes to financial stability by ensuring loans are extended to those who can repay them.
5.1.1.3 Enhancing Financial Services
Interest holder: DORDLE, financial institutions, and consumers.
Interest description: Using credit data to improve financial service offerings and customer experience.
Legitimacy Analysis:
- Credit bureaus help improve financial inclusion for residents of the Cayman Islands
- They provide information that can result in improved terms for those with good credit behavior
- Enhanced financial services contribute to economic growth and development
- The interest is genuine and represents a real benefit to DORDLE, financial institutions, and consumers
- Better financial services can lead to improved financial outcomes for individuals and businesses.
5.1.1.4 Promoting the Integrity of the Cayman Islands' Financial System
Interest holder: DORDLE, financial institutions, regulatory authorities, and the Cayman Islands as a jurisdiction.
Interest description: Using credit data to maintain and enhance the integrity and stability of the financial system.
Legitimacy Analysis:
- Credit bureaus contribute to the stability of the financial system by helping prevent over-crediting
- They assist credit issuing institutions to mitigate preventable write-offs
- The regulatory framework emphasizes the importance of proper credit administration and risk management
- The interest is genuine and represents a real benefit to DORDLE, financial institutions, and the Cayman Islands as a financial jurisdiction
- Financial system integrity is essential for economic stability and growth.
5.2 Necessity Test
5.2.1 Processing of personal data is necessary because the accurate assessment of creditworthiness, detection of fraud, and service improvement cannot be achieved without processing identifiable data. Aggregation and anonymization are applied wherever possible, but identifiable data remains essential in specific contexts. Below are examples of these necessity purposes:
5.2.1.1 Preventing Fraud and Financial Crime
Is processing necessary? Yes, processing credit data is necessary to effectively prevent fraud and financial crime.
Could the objective be achieved through less intrusive means? No, comprehensive credit data analysis is essential for detecting patterns indicative of fraud.
Specific data elements needed:
- Identity information (to verify identities and detect identity theft)
- Credit account history (to identify unusual patterns)
- Public records (to identify known fraudsters)
- Fraud alerts (to warn of potential fraud risks).
5.2.1.2 Assessing Creditworthiness
Is processing necessary? Yes, processing credit data is necessary to accurately assess creditworthiness.
Could the objective be achieved through less intrusive means? No, comprehensive credit history is the most reliable predictor of credit risk.
Specific data elements needed:
- Credit account information (payment history, outstanding balances, credit limits)
- Credit scores and ratings
- Public records related to financial obligations
- Length of credit history.
5.2.1.3 Enhancing Financial Services
Is processing necessary? Yes, processing credit data is necessary to enhance and tailor financial services.
Could the objective be achieved through less intrusive means? No, comprehensive understanding of credit profiles is required to improve service offerings.
Specific data elements needed:
- Credit history and behavior patterns
- Financial product usage information
- Credit scores and ratings
- Demographic information (within legal limits).
5.2.1.4 Promoting the Integrity of the Cayman Islands' Financial System
Is processing necessary? Yes, processing credit data is necessary to maintain the integrity of the financial system.
Could the objective be achieved through less intrusive means? No, system-wide credit data analysis is essential for identifying risks to financial stability.
Specific data elements needed:
- Aggregated credit exposure data
- Credit performance metrics
- Default and delinquency patterns
- Cross-institutional credit relationships.
5.3 Balancing Test
5.3.1 DORDLE has implemented safeguards to ensure that its legitimate interests do not override data subject rights. These include transparency through privacy notices, data minimization, procedures for accuracy and correction, robust security controls, and mechanisms for handling objections.
5.3.1.1 Data Minimization: DORDLE will collect and process only the personal data that is necessary for the specified purposes. Data collection will be limited to what is required for each legitimate purpose, and data will not be used for purposes incompatible with those for which it was collected.
5.3.1.2 Data Accuracy: DORDLE will take reasonable steps to ensure that personal data is accurate and kept up-to-date. This includes:
- Regular data quality reviews
- Processes for correcting inaccurate data
- Verification of data sources
- Mechanisms for data subjects to access and correct their information.
5.3.1.3 Data Security: DORDLE will implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of sensitive data
- Access controls and authentication mechanisms
- Regular security assessments and audits
- Staff training on data security
- Incident response procedures.
5.3.1.4 Transparency: DORDLE will be transparent about its data processing activities by:
- Providing clear privacy notices
- Explaining how personal data is used
- Informing data subjects of their rights
- Publishing information about data sharing practices
- Making this LIA available upon request.
5.3.1.5 Data Subject Rights: DORDLE will respect and facilitate the exercise of data subject rights under the DPA, including:
- Right of access to personal data
- Right to rectification of inaccurate data
- Right to object to processing
- Rights in relation to automated decision-making
- Right to complain to the Ombudsman.
5.3.2 Special category data is generally not processed; profiling and automated decision-making in credit scoring are subject to human oversight and contestability.
5.3.3 Children’s data is not targeted; if processed, additional safeguards are applied.
5.3.4 Below are examples of the balancing test:
5.3.4.1 Preventing Fraud and Financial Crime
Impact on individuals:
- Positive impacts: Protection from identity theft and fraud, maintaining integrity of financial system, preventing financial losses
- Negative impacts: Processing of personal data, potential for false positives in fraud detection.
Safeguards to mitigate negative impacts:
- Strict data accuracy standards
- Regular data quality reviews
- Clear processes for correcting false information
- Transparent fraud alert mechanisms
- Limited retention periods for fraud-related data.
Outcome: The legitimate interest in preventing fraud and financial crime outweighs the potential impact on individuals, especially when appropriate safeguards are implemented.
5.3.4.2 Assessing Creditworthiness
Impact on individuals:
- Positive impacts: Fair access to credit, better loan terms for responsible borrowers, prevention of over-indebtedness
- Negative impacts: Potential for negative credit decisions, processing of sensitive financial information.
Safeguards to mitigate negative impacts:
- Accurate and up-to-date information
- Transparent credit scoring methodologies
- Right to access and correct credit information
- Regular review of creditworthiness assessment models
- Staff training on fair credit assessment.
Outcome: The legitimate interest in assessing creditworthiness outweighs the potential impact on individuals, especially when appropriate safeguards are implemented.
5.3.4.3 Enhancing Financial Services
Impact on individuals:
- Positive impacts: Better tailored financial products, improved access to credit, enhanced financial inclusion
- Negative impacts: Processing of personal financial data, potential for exclusion from certain services.
Safeguards to mitigate negative impacts:
- Limiting data use to specific service enhancement purposes
- Anonymization or pseudonymization where possible
- Clear opt-out mechanisms for certain types of processing
- Regular review of data minimization practices
- Staff training on responsible data use.
Outcome: The legitimate interest in enhancing financial services outweighs the potential impact on individuals, especially when appropriate safeguards are implemented.
5.3.4.4 Promoting the Integrity of the Cayman Islands' Financial System
Impact on individuals:
- Positive impacts: Stronger financial system, reduced systemic risk, increased trust in financial institutions
- Negative impacts: Processing of personal data for system-wide analysis.
Safeguards to mitigate negative impacts:
- Aggregation and anonymization of data for system-level analysis
- Strong data security measures
- Clear regulatory oversight
- Transparent reporting on system integrity measures
- Limited retention of identifiable data.
Outcome: The legitimate interest in promoting the integrity of the financial system outweighs the potential impact on individuals, especially when appropriate safeguards are implemented.
5.4 Public Interest Considerations
5.4.1 DORDLE recognizes that its services support broader public interest objectives, including financial system stability, responsible lending, and prevention of financial crime.
5.5 High-Risk Processing
5.5.1 The LIA is cross-referenced with any Data Protection Impact Assessments (DPIAs) where high-risk processing is identified.
6.1 DORDLE retains personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, resolve disputes, enforce agreements, and meet regulatory requirements. In general, records and documentation supporting lawful basis assessments, including Legitimate Interest Assessments, are retained for a minimum of seven (7) years or as otherwise required by applicable law or regulatory guidance.
6.2 This LIA and associated policies are reviewed and updated at least annually, or more frequently if there are material changes to processing activities, regulatory requirements, or applicable guidance. All updates are documented, and prior versions are retained for accountability purposes.
7.1 DORDLE’s data processing framework ensures compliance with the DPA and GDPR.
7.2 By identifying lawful bases, documenting reliance on legitimate interests, defining data subject categories, and implementing appropriate safeguards, DORDLE demonstrates accountability, protects data subject rights, and enables the provision of essential credit rating services.
This checklist should be completed alongside the narrative LIA and retained in internal compliance records. Each section reflects a core element of the DPA and GDPR requirements.
☐ 1.1 Have the legitimate interests pursued by DORDLE been clearly identified for each data subject category (Direct Clients, Not a Direct Client, Consumers, Subscribers)?
☐ 1.2 Do these include credit reporting, fraud prevention, regulatory compliance, financial system stability, and service improvement?
☐ 1.3 Is any use of data for marketing purposes limited to anonymized/aggregated data or done only with explicit consent?
☐ 1.4 Has the wider public interest, including financial system integrity and responsible lending, been acknowledged?
☐ 2.1 Is the processing necessary for achieving the stated legitimate interests for each category of data subject?
☐ 2.2 Have less intrusive alternatives, such as anonymization or pseudonymization, been considered?
☐ 2.3 Has it been documented that certain activities (e.g., fraud detection, credit scoring) cannot be performed without identifiable data?
☐ 3.1 Has the potential impact on data subjects been assessed (misreporting, denial of credit, reputational harm)?
☐ 3.2 Have the reasonable expectations of data subjects been considered, including differences between Direct Clients and Not a Direct Client data supplied by Subscribers?
☐ 3.3 Have safeguards been documented, such as accuracy checks, dispute mechanisms, retention limits, and regular audits?
☐ 3.4 Has the sensitivity of the data (financial/credit data) been acknowledged?
☐ 3.5 Has the conclusion been reached that legitimate interests are not overridden by data subject rights?
☐ 4.1 Are data subjects informed of their rights to access, rectify, erase, restrict, and object to processing?
☐ 4.2 Is there a mechanism for data subjects to object at any time to processing based on legitimate interests?
☐ 4.3 Can objections be handled fairly, balancing individual rights against overriding legitimate grounds for each data subject category?
☐ 4.4 Are data subjects informed of their right to challenge automated decision-making and profiling outcomes?
☐ 5.1 Has it been confirmed that DORDLE does not normally process special category data (health, biometric, etc.)?
☐ 5.2 If such processing arises, is a lawful basis under Article 9 GDPR / DPA identified?
☐ 5.3 Are enhanced safeguards in place if special category data is processed?
☐ 6.1 Has profiling inherent in credit scoring been identified and documented for relevant data subjects?
☐ 6.2 Is credit scoring restricted from being solely determinative of lending or service decisions, with human review required?
☐ 6.3 Are individuals informed about profiling and given the right to request human intervention or challenge results?
☐ 7.1 Has it been confirmed that DORDLE does not knowingly process children’s data?
☐ 7.2 If children’s data is processed, are additional safeguards documented?
☐ 8.1 Has this LIA been reviewed periodically and updated where processing changes materially?
☐ 8.2 Are supporting DPIAs documented for high-risk processing activities?
☐ 8.3 Are records maintained for accountability, including decision-making, assessments, and safeguards applied?