Overview
Konfir helps organisations run employment and income verifications in a secure, consent-based way. As with any vendor that handles personal data, it’s important to understand the UK GDPR roles involved, because those roles determine who is responsible for decisions such as why data is processed, what lawful basis applies, and how data subject rights are handled.
Disclaimer: This article provides a practical overview of the typical allocation of roles when using Konfir. For the authoritative legal position, always refer to:
Summary of roles
In most verification use cases:
Your organisation acts as the Controller for applicant verification data
Konfir acts as the Processor when processing that data on your behalf to deliver the service
This means your organisation typically decides:
Why a verification is requested
What lawful basis applies
How verification results are used internally
Konfir typically processes applicant data only to fulfil the verification workflow you configure.
Note: The exact allocation of GDPR roles can vary depending on product configuration and context (for example what data sources are used, what outputs are generated, and how the journey is presented). If you are uncertain for your specific use case, the legal terms remain the source of truth. See: https://www.konfir.com/client/security
Your obligations as Controller
As the Controller, your organisation is typically responsible for:
Lawful basis
You decide the lawful basis for requesting and using a verification (for example consent, legitimate interests, or contractual necessity). Konfir cannot determine this for you.
Transparency to applicants
You must clearly tell applicants:
That Konfir is being used to support verification
What data you will receive and how you will use it
Where they can find relevant privacy information
Internal access management
You control who inside your organisation can access verification results, exports, and downstream copies. Access should be restricted to those who need it.
Handling rights requests
If you receive a GDPR request (access, deletion, rectification, etc.), you remain accountable for responding appropriately, including coordinating with processors where relevant.
What Konfir provides as Processor
Konfir typically provides processor-side controls and operational measures, including:
Secure processing and platform access controls
Consent-based connection flows in the applicant journey
Data minimisation aligned to verification purpose
Subprocessor governance under contractual controls
Learn more:
For details on subprocessors, see: Subprocessors and third-party services
For help understanding how GDPR rights requests are handled operationally, see: GDPR rights requests (DSARs, deletion, correction)
