GDPR & Data Protection Guidelines
Below is a GDPR-oriented document you can use alongside the Financer Partners Program guidelines. It is written as a standalone “Financer Partners – GDPR & Data Protection Guidelines” that can sit on your legal/compliance section or be adapted into a DPA. It reflects common GDPR requirements for financial services and controller/processor relationships. [1][2][3]
Financer Partners – GDPR & Data Protection Guidelines
Version 1.0 | December 2025
These GDPR & Data Protection Guidelines explain how personal data is handled in the context of the Financer Partners Program and set out the respective roles and responsibilities of Financer and its partners under EU and UK data protection law. [1][2]
They are intended to complement the Financer Partners Program operational standards and may be supplemented by a separate Data Processing Agreement (DPA) where required. [1]
1. Scope, roles, and definitions
1.1 Scope of these guidelines
These guidelines apply to all processing of personal data arising from:
- Consumers using Financer’s comparison tools and being directed to partner products.
- Lead generation, click tracking, and conversion measurement linked to partner campaigns.
- Any additional integrations or services implemented under the Financer Partners Program. [4][5]
They apply in particular where the General Data Protection Regulation (GDPR) or equivalent UK legislation governs the processing. [1][3]
1.2 Roles under GDPR
Depending on the integration and data flows, Financer and the partner may act as:
- Independent controllers: Each party separately determines purposes and means of processing for its own environment (e.g., Financer for comparison activity, partner for its own application flow). [2][6]
- Controller–processor: Where one party processes personal data on documented instructions from the other. In most partner listing scenarios, partners act as independent controllers once the user lands on their site. [2][7]
The specific role allocation for a given integration may be set out in the commercial agreement or an associated DPA. [1][8]
2. Lawful basis and purpose limitation
2.1 Lawful bases for processing
Financer typically relies on:
- Legitimate interests to operate the comparison platform, measure performance, and prevent fraud, balanced against user rights and expectations. [5][7]
- Consent where required for setting cookies or similar technologies that are not strictly necessary. [1][3]
Partners must determine and document their own lawful bases for processing personal data once users engage with their websites or applications, such as contract performance, compliance with legal obligations, or their own legitimate interests. [7][5]
2.2 Purpose limitation
Personal data must only be processed for:
- Operating and improving the Financer comparison experience.
- Routing users to partner products and measuring campaign effectiveness.
- Compliance with legal, regulatory, and security obligations. [1][9]
Partners must not repurpose data obtained via Financer for materially incompatible uses (e.g., unrelated marketing) without a valid lawful basis and, where required, explicit consent. [1][2]
3. Data categories, retention, and minimization
3.1 Types of personal data
Depending on the integration, the following categories may be processed:
- Technical and usage data (IP address, device identifiers, browser data, event logs). [4][10]
- Preference and interaction data (comparison selections, clicked products, campaign parameters). [5]
- Limited contact or lead data where collection occurs within Financer-controlled forms, as specified in the relevant integration. [1]
Sensitive categories (such as special categories under GDPR) must not be intentionally collected via Financer unless explicitly agreed and safeguarded by appropriate legal bases and additional protections. [1][9]
3.2 Data minimization and retention
- Personal data should be adequate, relevant, and limited to what is necessary for the defined purposes. [1][2]
- Financer will define retention periods for platform data (e.g., logs and analytics) and implement deletion or anonymization when data is no longer required. [1][3]
- Partners must implement their own retention policies for data they obtain directly, aligned with legal and regulatory requirements in financial services (e.g., mandated record-keeping periods). [9][7]
4. Transparency, consent, and data subject rights
4.1 Transparency obligations
Financer and partners must each maintain clear, accessible privacy notices that explain:
- What personal data is collected.
- For which purposes and on which legal bases it is processed.
- With whom it is shared and whether data is transferred internationally.
- How long it is retained and what rights individuals have. [1][2]
Where Financer directs users to partner websites, partners must ensure that their own notices are up to date and consistent with their actual processing practices. [7][5]
4.2 Consent management
Where consent is required (e.g., for non-essential cookies, certain types of direct marketing, or specific categories of data), each party is responsible for:
- Obtaining consent in a compliant, granular, and freely given manner.
- Recording and honoring consent choices, including withdrawals. [1][3]
If a joint or coordinated consent mechanism is used, the roles and responsibilities for collection and honoring of consent will be documented in the relevant agreement. [8][11]
4.3 Data subject rights
Data subjects may have the right to:
- Access, rectify, or erase their personal data.
- Restrict processing or object to certain processing activities.
- Exercise data portability where legally applicable. [1][2]
Each party will handle rights requests for the data it controls. If a request is received by the “wrong” party, that party should:
- Redirect the individual, where appropriate and lawful.
- Or, where collaboration is needed, coordinate in good faith to ensure that the request is addressed within legal timeframes. [3][6]
5. Security, sub-processors, and international transfers
5.1 Security measures
Financer and partners must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account:
- Encryption and pseudonymization where suitable.
- Access controls, authentication, and least-privilege principles.
- Logging, monitoring, and incident response procedures.
- Regular testing, assessment, and evaluation of controls. [1][10][5]
Partners should be prepared to evidence their security posture where reasonably necessary to satisfy Financer’s due diligence and regulatory expectations. [7][9]
5.2 Use of sub-processors
Where a party acts as a processor:
- It may only engage sub-processors with the controller’s prior authorization (general or specific).
- It must impose data protection obligations on sub-processors that are at least as protective as those in the main contract. [1][12][8]
Lists of material sub-processors should be made available or notified to the relevant controller, consistent with contractual commitments. [1][13]
5.3 International transfers
If personal data is transferred outside the EU/EEA or UK:
- The transferring party must ensure an appropriate transfer mechanism, such as Standard Contractual Clauses (SCCs), an adequacy decision, or other recognized safeguard. [1][8]
- Where SCCs are used, parties may need to carry out transfer impact assessments and implement supplementary measures as necessary. [1][10]
Partners must not export data obtained via Financer to third countries in a way that undermines data subject protections. [1][7]
6. Controller–processor obligations and DPA structure
6.1 Processor obligations
Whenever a partner or Financer acts as a processor for the other party, it must:
- Process personal data only on documented instructions.
- Ensure persons authorized to process personal data are bound by confidentiality.
- Assist the controller with data subject rights requests and DPIAs where relevant.
- Delete or return personal data at the end of the engagement, unless retention is required by law. [1][3]
- Make information available to demonstrate compliance and allow audits under agreed conditions. [1][12]
6.2 Key elements of a DPA
Where required, a dedicated DPA between Financer and a partner will typically specify:
- Subject matter, duration, nature, and purposes of processing.
- Types of personal data and categories of data subjects.
- Roles of the parties (controller, joint controllers, or processor).
- Security measures, sub-processor terms, transfer mechanisms.
- Liability, audit, and termination provisions. [1][8][11]
Partners should review and, where necessary, sign the DPA or equivalent document before any processor-type processing begins. [1]
7. Data breaches, incident handling, and regulatory cooperation
7.1 Personal data breach notifications
Each party must maintain procedures to detect, investigate, and respond to personal data breaches. [1][10]
If a breach occurs that affects personal data processed in connection with the Financer Partners Program:
- The affected party must notify the other without undue delay, providing relevant details (nature of breach, categories of data, likely consequences, and mitigation steps). [1][3]
- Where a party is the controller, it is responsible for deciding whether to notify supervisory authorities and affected individuals, taking into account GDPR requirements and local law. [1][2]
Where both parties’ processing is affected, they will cooperate in good faith to ensure consistent and accurate communication. [10][9]
7.2 Regulatory inquiries and audits
If a supervisory authority or other competent body requests information or initiates an investigation relating to data processed under the partnership:
- Each party will handle its own regulatory communications as controller or processor, as appropriate. [6][3]
- Where reasonable and lawful, the parties will support each other with relevant information to demonstrate compliance. [1][9]
8. Governance, accountability, and updates
8.1 Accountability measures
Financer and partners are expected to:
- Maintain internal records of processing activities as required by GDPR.
- Conduct Data Protection Impact Assessments (DPIAs) where the nature of the processing warrants it, particularly in higher-risk financial contexts.
- Appoint a Data Protection Officer (DPO) or equivalent where legally required. [1][4][7]
Partners should be prepared to demonstrate how their internal governance supports compliant processing of data related to Financer-generated traffic and leads. [5]
8.2 Updates to these guidelines
These GDPR & Data Protection Guidelines may be updated from time to time to reflect:
- Changes in data protection law or regulatory guidance.
- Evolution of the Financer platform and partner integrations.
- Feedback from partners, users, or supervisory authorities. [1][9]
Material changes may be communicated through Financer’s usual partner channels. Continued participation in the Financer Partners Program after such updates may be treated as acceptance of the revised guidelines, subject to applicable contractual terms. [1]
9. Contact for privacy and data protection matters
Partners with questions about these guidelines, or about how GDPR applies to their participation in the Financer Partners Program, should contact their usual Financer representative or the designated privacy contact made available in Financer’s privacy notice. [1][7]
Data subjects can find information on how to exercise their rights and contact Financer’s privacy team in the Financer.com privacy policy, and should contact partners directly for data processed on partner-managed systems. [1][2]
If you want, the next step can be turning this into a formal DPA template with clause numbering and signature blocks, or tailoring it for specific controller–processor setups (e.g., when Financer acts as processor for a white-label comparison solution).
Sources
[1] Data Processing Agreement (Template) - GDPR.eu. https://gdpr.eu/data-processing-agreement/
[2] Data Controllers and Processors - GDPR. https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/
[3] What responsibilities and liabilities do controllers have when using a processor? - ICO. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/contracts-and-liabilities-between-controllers-and-processors-multi/responsibilities-and-liabilities-for-controllers-using-a-processor/
[4] GDPR for Financial Services: Best Practices for Compliance - InnReg. https://www.innreg.com/blog/gdpr-for-financial-services
[5] GDPR Compliance for Financial Institutions - GrowthDot. https://growthdot.com/gdpr-compliance-for-financial-institutions/
[6] Controller and Processor relationships - Data Protection Commission. https://www.dataprotection.ie/en/organisations/know-your-obligations/controller-and-processor-relationships
[7] GDPR for Financial Institutions: Compliance Roadmap - GDPRLocal. https://gdprlocal.com/gdpr-for-financial-institutions/
[8] GDPR: What Is a DPA (Data Processing Agreement)? - Scytale. https://scytale.ai/resources/gdpr-what-is-a-dpa-data-processing-agreement/
[9] Guidelines on data protection in EU financial services regulation - EDPS (PDF). https://www.edps.europa.eu/sites/default/files/publication/14-11-25_financial_guidelines_en.pdf
[10] GDPR for Startups: A practical compliance guide for 2025 - Scrut. https://www.scrut.io/hub/gdpr/gdpr-for-startups
[11] Data Processing Agreement v.2025.1 (PDF). https://assets.ctfassets.net/gwbpo1m641r7/2ANblV1bOSC5Rlkr6IW74N/6e9f050152e93ad76a6b01af7baa4384/Data_Processing_Agreement_v.2025.1.docx.pdf
[12] Data Controller vs Data Processor: Practical Guide - GDPRLocal. https://gdprlocal.com/gdpr-article-28/
[13] Data Processing Agreement - Partners - ChannelEngine. https://www.channelengine.com/dpa-partners/