The Policy establishes the main principles of the Data processing and sets out the main principles of the Data protection. These Data processing and protection principles apply only to individuals.
The Company performs the Processing of the Data only in compliance with the Data protection principles enacted by the Data protection law, but the Company also follows the requirements of the GDPR, provided they do not conflict with the legal regulation of the UK.
The Company determines the purposes and means of the Processing; it has therefore developed this Policy to provide the Data subject with information that might be necessary to decide whether to entrust the Processing of the Data to the Company.
The Data subject gives the Consent and entrusts the Company to process the Data by accepting this Policy. Therefore, the Policy makes the Data subject aware of the following issues:
- reasons of the Processing;
- type of the processed Data and the way it is collected;
- the Data subject rights;
- the Data transfer;
- the Data storage.
The Company may appoint the Data Protection Officer to assist the Company to monitor internal compliance of the Processing of the Data with the Data protection law.
This Policy is reviewed annually and amended if the Company considers such amendments necessary. The amended version of the Policy is published on the Company’s website not later than one Business day after it has been accepted by the Company. The amended and updated Policy is in force from the moment of its publication on the Company website. If the Request was submitted before publication of the amended Policy, it is processed in accordance with the Policy that was in force on the day of submission of the Complaint.
THE PROCESSING REASONS
The Company performs the Processing of the Data only for the following reasons:
Reason | Meaning |
---|---|
Contract | Relationship between the Company and the Data subject may be established only on a contractual basis. For example, employment agreement, agreement on provision of the Services to the Customer. In most cases, the Company needs to collect the Data in advance, before conclusion of a contract, in order to perform due diligence of the relevant counterparty. This obligation is defined by regulatory requirements the Company has to comply with. |
Fulfilment of contractual obligations | The Company is obliged to fulfil the terms and conditions defined in concluded contracts. For example, to provide the Customer with the Services or to pay salary to an employee. |
Legal obligation | The Company is obliged to fulfil regulatory requirements laid down in the UK or international law. For example, to process the Data to submit a Suspicious Activity Report. |
Legitimate interests | The Company protects its legal interests. For example, settlement of disputes with the Customer. |
Most of the Data is collected by the Company directly from the Data subject and the Customer, but it can also be obtained from other available sources, provided that this is not prohibited by UK or international legal regulation.
TYPES OF DATA
The Company determines a number of types of the Data to be processed for the above-mentioned reasons. However, as the Company’s activity is supervised and regulated by the Authorities, some types of the processed Data might also be defined by regulatory requirements.
The Data processed by the Company is strictly limited to what is necessary for the reasons it has been collected for.
Type | Examples |
---|---|
Personal data | Names, surnames, date of birth, etc. |
Employment details during the process of recruitment | Education, previous employers and job positions, etc. |
Financial information on the Customers | Business activity, business partners, accounts, business contacts. |
Identity verification data | Video and photo images, sound recordings, etc., when the Customer identity verification is performed or when contacting the Customer or getting in touch with other individuals via phone or other communication means. |
Due diligence data | Status as a politically exposed person or a designated entity, information about the ultimate beneficial owner, etc. |
Tax residence data | Country of residence, taxpayer number, nationality, etc. |
Information from devices used while receiving the Services | Cookie files. |
The Company does not process the Special categories of the Data, but in some instances, if it is defined by legal requirements and when the Data protection legal regulation allows it, the Special data categories or criminal data about the natural person might be processed.
THE DATA PROTECTION RIGHTS
The Data subject has Data protection rights, defined by the Data protection law.
Right | Meaning |
---|---|
Right to be informed | The Data subject is entitled to request the Company to provide it with any information related to the Data Processing measures, reasons, basis and any other information. |
Right to access | The Data subject is entitled to request the Company to provide it with copies of its Data, handled by the Company. This right does not extend to information generated by the Company during performance of its internal processes, for example, results of due diligence. |
Right to rectification | The Data subject is entitled to request the Company to correct inaccurate Data and to complete incomplete Data. However, the Company keeps the right to verify whether the Data shall be rectified. |
Right to erasure | The Data subject is entitled to request the Company to delete its Data. The right to erasure can be restricted or limited by legal requirement. |
Right to restriction | The Data subject has the right to restrict the Company from processing its Data and to withdraw the given Consent. The Company cannot guarantee full fulfilment of its obligations in this case. The right to restriction can be limited by legal requirement. |
Right to object | The Data subject has the right to object to the Processing of its Data. |
Right to portability | The Data subject has the right to request the Company to transfer its Data, handled by the Company, to another organization. This right does not extend to information generated by the Company during performance of its internal processes, for example, results of due diligence. The right to portability can be restricted or limited by legal requirement. |
The Data subject submits the Request on execution of its Data protection rights in written form by sending it to the Company by ordinary post or, alternatively, by sending it electronically from the e-mail defined as a contact e-mail to the Company’s official e-mail address:
By post | Data Protection Officer 2-4 Eastern Road Imperial Offices Romford, England RM1 3PJ |
By e-mail | info@paymentz.co.uk |
The Company responds to the Requests without undue delay, within a month of the date they have been received. That period may be extended by two further months where necessary, taking into account the complexity and number of the Requests.
The Company informs the Data subject of the response extension period and the reasons for such delay or rejection of the Request. Therefore, in order to avoid delay of the response or possible rejection of the Request, the Company recommends submitting the Request with a clearly defined essence and, when the Request is submitted by an authorized person of the Data subject, providing the Company with a document that proves the relevant representation rights.
The Data protection rights execution is free of charge, but the Company reserves the right to recover administrative expenses associated with dealing with continuously repeating or obviously unreasonable Requests.
The Company’s response to the Request is provided in electronic form by sending it to the e-mail address defined as the contact address, unless otherwise provided in the relevant Request.
If the Data subject has any concern about the way the Company performs the Processing of the Data and is not satisfied with the Company’s response to the Request or has detected Data protection rights breaches, it may complain to the ICO: https://ico.org.uk/make-a-complaint/
The ICO’s address by post | Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire, United Kingdom SK9 5AF |
By e-mail | icocasework@ico.org.uk |
The Company stores the Data securely and ensures that it is accurate and kept up to date.
The stored Data is protected against any unauthorized and unlawful Processing, destruction or damage by an appropriate level of technical and organizational protection measures, ensured by the Company.
The Company follows the Data storage time limits determined in the legal requirements. The Data storage periods are limited to a strict minimum and are continuously monitored by the Company, which deletes and erases the Data in an appropriate way after their expiration.
The detailed information on the periods of the Data storage is defined in internal procedures of the Company and is available upon the Request.
The Data is available only to the Company employees, whose direct job responsibilities and duties include the Processing of the Data, and to the Authorities upon their authorized and legal request.
Disclosure of the Data is restricted and every employee is obliged to take care of the security of the Data.
TRANSFER OF THE DATA
The Company provides access to the Data, sharing it with other organizations, only if it is necessary for the legitimate purposes connected with the business activity of the Company, especially provision of the Services.
The Company ensures confidentiality of the Data during such sharing and chooses only secured organizations, which ensure appropriate safeguard measures and compliance with the requirements of the Data protection law. Mutual responsibilities for complying with the Data protection law are defined in agreements concluded between the Company and the relevant organizations. However, both the Company and the organization to which the Data has been transferred or from which it has been received are liable for the Data subject rights.
The Company also needs to perform international transfers of the Data to the Third countries. The transfer to the EEA countries and to any country, which were covered by the Adequacy decision. However, the Company continuously follows the UK government adequacy decisions, because it has the power to make its own adequacy regulation.
International transfer of the Data to a Third country, in relation to which the Adequacy decision has not been made, is possible only if:
- The Data subject has given the Consent for such transfer;
- The Data transfer is necessary to fulfil contractual obligation;
- The Data transfer is necessary for conclusion of an agreement between the Company and another person in the interests of the Data subject or for the fulfilment of concluded contracts;
- The Data transfer is necessary for a reason of public interests;
- The Data transfer is necessary for fulfilment of regulatory requirements;
- The Data transfer is necessary for protection of vitally important interests.
The Data Protection Officer (DPO) holds a critical role within our organization, ensuring the protection and responsible management of personal data in accordance with data protection laws and regulations. The DPO's responsibilities encompass a range of tasks aimed at upholding privacy, safeguarding data, and promoting compliance. The following outlines the key responsibilities of the Data Protection Officer:
1) Monitoring Compliance: The DPO is responsible for monitoring the organization's compliance with data protection laws and regulations. This involves staying current with changes in legislation, assessing our practices, policies, and procedures, and ensuring that they align with relevant data protection standards.
2) Providing Expertise: As the organization's data protection expert, the DPO provides guidance, advice, and education to our staff on data protection matters. This includes assisting in the development of policies and procedures, conducting training sessions, and offering insights into best practices for data privacy.
3) Data Protection Impact Assessments (DPIAs): The DPO oversees and assists in conducting Data Protection Impact Assessments for high-risk processing activities. This involves evaluating potential risks to individuals' privacy and proposing measures to mitigate those risks.
4) Liaising with Authorities: The DPO serves as a point of contact for supervisory authorities, such as the Information Commissioner's Office (ICO) in the UK. They facilitate communication, manage data breach notifications, and collaborate with authorities in investigations, as necessary.
5) Internal Data Protection Policies: Collaborating with relevant departments, the DPO helps develop and implement internal policies and procedures that ensure data protection compliance across the organization. This includes policies related to data retention, security measures, and data subject rights.
6) Data Subject Requests: The DPO manages and oversees the organization's handling of data subject requests, such as access requests, rectification requests, and erasure requests. They ensure timely and accurate responses while upholding individuals' rights.
7) Risk Management: Identifying and assessing risks related to data processing activities is a key responsibility of the DPO. They work to minimize potential risks by recommending appropriate safeguards and controls.
8) Monitoring Third-Party Compliance: The DPO evaluates the data protection practices of third-party service providers or vendors the organization collaborates with. They ensure that data shared with these entities is appropriately protected and compliant with data protection laws.
9) Data Breach Management: In the event of a data breach, the DPO coordinates the organization's response. This includes assessing the severity of the breach, notifying affected parties, reporting the breach to authorities if required, and implementing measures to prevent future breaches.
10) Accountability and Documentation: The DPO assists the organization in demonstrating compliance with data protection regulations. This involves maintaining comprehensive records of data processing activities, assessments, policies, and data protection measures.
11) Employee Training: The DPO ensures that employees receive adequate training and awareness programs related to data protection. This empowers staff to understand their roles and responsibilities in safeguarding personal data.
12) Data Privacy Culture: The DPO fosters a culture of data privacy and protection within the organization. This involves promoting awareness, advocating for ethical data handling, and embedding data protection principles in the organization's ethos.
13) Reporting to Senior Management: The DPO reports directly to senior management on data protection matters, compliance progress, identified risks, and recommended actions. This facilitates informed decision-making and strategic alignment.
In summary, the Data Protection Officer plays a vital role in ensuring that our organization maintains the highest standards of data protection, respects individuals' privacy rights, and operates in accordance with the laws and regulations governing data privacy.
GLOSSARY
Terms | Definitions |
---|---|
Adequacy decision | The European Commission decision that a third country, its territory or specific sector in a third country, provides the Data protection at an adequate level, approved or by the UK government. |
Authorities | The UK state authorities mentioned, which regulate and control the Company’s business activities, provision of the Services and the related issues |
Business day | A day being a working day in the UK within the Company’s working hours |
Company | PAYMENTZ Ltd, a company incorporated in United Kingdom and registered in the Companies House under the registration number: 12431685, having its registered address at: 2-4 Eastern Road, Imperial Offices, Romford, England, RM1 3PJ |
Consent | The agreement given by the Data subject to process its Data |
Customer | A natural person or legal entity receiving the Services |
Data | Any information relating to an identified or identifiable natural person |
Data protection law | The Data Protection Act 2018 of the UK |
Data protection officer | The Company appointed employee whose responsibilities are to ensure the correct protection of the Data in accordance with the UK legislation |
Data subject | The identified or identifiable natural person to whom personal data relates |
EEA | European Economic Area |
GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC |
ICO | Information Commissioner’s Office |
Policy | This Privacy Policy |
Processing | An operation or set of operations which is performed on the Data, or on sets of the Data, such as a collection, recording, organization, structuring or storage, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or restriction, erasure or destruction, etc. |
Request | The written request to the Company submitted by the Data subject with the purpose of exercising the rights in relation to its Data processed by the Company |
Service | The Company’s provided services, which are received by the Customer |
Special data category | The Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation |
Third country | A country outside the UK |
Transaction | Any action performed using the Customer’s funds and the Account with the Company within use of the Services |
UK | The United Kingdom of Great Britain and Northern Ireland |
The Terms used in this Policy and not listed above shall be defined in accordance with definitions provided by the Data protection Law.