PRIVACY POLICY

STATEMENT AND OBJECTIVES

The Policy commits to establish the main principles of the Data processing and provides the main principles of the Data protection. These the Data processing and protection principles apply only to individuals.

The Company performs the Processing of the Data only in compliance with the Data protection principles enacted by the Data protection law, but the Company also follows requirements of the GDPR, if they are not in the contrary with legal regulation of the UK.

The Company is the one, who determines the Processing purposes and means, therefore it has developed this Policy to provide the Data subject with information, which might be necessary to decide, whether to entrust the Company the Processing of the Data.

The Company may appoint the Data Protection Officer to assist the Company to monitor internal compliance of the Processing of the Data with the Data protection law.

This Policy is annually reviewed and amended if the Company considers such amendments are necessary. The amended version of the Policy is published on the Company’s website not later than one Business day after it has been accepted by the Company. The amended and updated Policy is in force from the moment of its publication on the Company website. If the Request had been submitted before publication of the amended Policy, it is processed in accordance with the Policy, which was in force on the day of submission of the Complaint.

THE PROCESSING REASONS

The Company performs the Processing of the Data only because of the following reasons:

Reason	Meaning
Contract	Relationship between the Company and the Data subject may be established only on a contractual basis. For example, employment agreement, agreement on provision of the Services to the Customer. In most cases, the Company needs to collect the Data in advanced, before conclusion of a contract, in order to perform due diligence of relevant counterparty. This obligation is defined by regulatory requirements the Company has to comply with.
Fulfilment of contractual obligations	The Company is obliged to fulfil terms and condition defined in concluded contracts. For example, to provide the Customer with the Services or to pay salary to employee.
Legal obligation	The Company is obliged to fulfil regulatory requirements laid down in the UK or international law. For example, to process the Data to submit a Suspicious Activity Report.
Legitime interests	The Company protects its’ legal interests. For example, settlement of disputes with the Customer.

The most of the Data is collected by the Company directly from the Data subject and the Customer, but it also can be obtained from other available sources, provided that it is not prohibited with the UK or international legal regulation.

TYPES OF DATA

The Company determines a number of types of the Data to be processed for the above-mentioned reasons. However, as the Company’s activity is supervised and regulated by the Authorities, some types of the processed Data might be defined either by regulatory requirements.

The Data is being processed by the Company is strictly limited to what is necessary for the reasons is has been collected for.

Type	Examples
Personal data	Names, surnames, date of birth, etc.
Employment details during the process of recruitment	Education, previous employers and job positions, etc.
Financial information on the Customers	Business activity, business partners, accounts, business contacts.
Identity verification data	Video and photo image, sounds records, etc., when the Customer identity verification is performed or in the instances of contacting with the Customer or getting in touch with other individuals via phone or other communication means.
Due diligence data	Status a politically exposed person or a designated entity, information about ultimate beneficial owner, etc.
Tax residence data	Country of residence, taxpayer number, nationality, etc.
Information from devices, used during receiving of the Services	Cookie files.

The Company does not process the Special categories of the Data, but in some instances, if it is defined by legal requirements and when the Data protection legal regulation allows it, the Special data categories or criminal data about the natural person might be processed.

THE DATA PROTECTION RIGHTS

The Data subject has its’ Data protection rights, defined by the Data protection law.

Right	Meaning
Right to be informed	The Data subject is entitled to request the Company to provide it with any information related to the Data Processing measures, reasons, basis and any other information.
Right to access	The Data subject is entitled to request the Company to provide it with copies of its Data, handled by the Company. This right is not related to information, generated by the Company during performance of its’ internal processes, for example, results of due diligence.
Right to rectification	The Data subject is entitled to request the Company to correct the inaccurate Data and to complete the incomplete Data. However, the Company keeps the right to verify, whether the Data shall be rectified.
Right to erasure	The Data subject is entitled to request the Company to delete its’ Data. The right to erasure can be restricted or limited by legal requirement.
Right to restriction	The Data subject has the right to restrict the Company to process its’ Data and to withdraw the given Consent. The Company cannot guarantee fully fulfilment of its’ obligation in this case. The right to restriction can be limited by legal requirement.
Right to object	The Data subject has the right to object the Processing of its’ Data.
Right to portability	The Data subject has the right to request the Company to transfer its’ Data, handled by the Company to another organization. This right is not related on information, generated by the Company during performance of its’ internal processes, for example, results of due diligence. The right to portability can be restricted or limited by legal requirement.

The Data subject submits the Request on execution of its’ Data protection rights in written form by sending it to the Company by ordinary post or, alternatively, by sending it electronically from e-mail, defined as a contact e-mail, to the Company’s official e-mail address:

By post	Data Protection Officer 2-4 Eastern Road Imperial Offices Romford, England RM1 3PJ
By e-mail	info@paymentz.co.uk

The Company responds the Requests without undue delay within a month of the date it has been received. That period may be extended by two further months where necessary, taking into account the complexity and number of the Requests.

The Company informs the Data subject on the respond extension period and reasons of such delay or rejection of the Request. Therefore, in order to avoid delay of the respond or possible rejection of the Request, the Company recommends to submit the Request with a clearly defined essence and, when the Request is submitted by an authorized person of the Data subject, to provide the Company with a document, which proves relevant representation rights.

The Data protection rights execution is free of charge, but the Company keeps the right to refund administrative expenses, associated with dealing with the continuously repeating or obviously unreasonable Requests.

The Company respond to the Request is provided in electronic form by sending it to e-mail address, defined as a contact address, unless otherwise is provided in the relevant Request.

If the Data subject has any concern about the way the Company performs the Processing of the Data and is not satisfied with the Company respond to the Request or has detected the Data protection rights breaches, it may complain to the ICO https://ico.org.uk/make-a-complaint/

The ICO’s address post	Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire, United Kingdom SK9 5AF
By e-mail	icocasework@ico.org.uk

STORAGE OF THE DATA

The Company stores the Data securely and follows it to be accurate and kept up to dated.

The stored Data is protected against any unauthorized and unlawful Processing, destruction or damage by appropriate level of technical and organizational protection measures, ensured by the Company.

The Company follows the Data storage time limits determined in the legal requirements. The Data storage periods are limited to a strict minimum, and are continuously followed by the Company, which deletes and erasures the Data in appropriate way after their expiration.

The detailed information on the periods of the Data storage is defined in internal procedures of the Company and is available upon the Request.

The Data is available only to the Company employees, whose direct job responsibilities and duties include the Processing of the Data, and to the Authorities upon their authorized and legal request.

Disclosure of the Data is restricted and every employee is obliged to take care about security of the Data.

TRANSFER OF THE DATA

The Company provides access to the Data, sharing it with other organization, only if it is necessary for the legitims purposes connected with business activity of the Company, especially provision of the Services.

The Company ensures confidentiality of the Data during such sharing and chooses only secured organizations, which ensure appropriate safeguards measures and compliance with requirements of the Data protection law. Mutual responsibilities for complying with the Data protection law are defined in agreements concluded between the Company and relevant organizations. However, both, the Company and an organization, the Data has been transferred to or received from, are liable for the Data subject rights.

The Company has necessity to perform also international transfers of the Data to the Third countries. The transfer to the EEA countries and to any country, which were covered by the Adequacy decision. However, the Company continuously follows to the UK government adequacy decisions, because it has the power to make its own adequacy regulation.

International transfer or the Data to the Thirds country, in relation to which the Adequacy decision has not been made, is possible only, if:

TRANSFER OF THE DATA

The Data Protection Officer (DPO) holds a critical role within our organization, ensuring the protection and responsible management of personal data in accordance with data protection laws and regulations. The DPO's responsibilities encompass a range of tasks aimed at upholding privacy, safeguarding data, and promoting compliance. The following outlines the key responsibilities of the Data Protection Officer:

1) Monitoring Compliance: The DPO is responsible for monitoring the organization's compliance with data protection laws and regulations. This involves staying current with changes in legislation, assessing our practices, policies, and procedures, and ensuring that they align with relevant data protection standards.

2) Providing Expertise: As the organization's data protection expert, the DPO provides guidance, advice, and education to our staff on data protection matters. This includes assisting in the development of policies and procedures, conducting training sessions, and offering insights into best practices for data privacy.

3) Data Protection Impact Assessments (DPIAs): The DPO oversees and assists in conducting Data Protection Impact Assessments for high-risk processing activities. This involves evaluating potential risks to individuals' privacy and proposing measures to mitigate those risks.

4) Liaising with Authorities: The DPO serves as a point of contact for supervisory authorities, such as the Information Commissioner's Office (ICO) in the UK. They facilitate communication, manage data breach notifications, and collaborate with authorities in investigations, as necessary.

5) Internal Data Protection Policies: Collaborating with relevant departments, the DPO helps develop and implement internal policies and procedures that ensure data protection compliance across the organization. This includes policies related to data retention, security measures, and data subject rights.

6) Data Subject Requests: The DPO manages and oversees the organization's handling of data subject requests, such as access requests, rectification requests, and erasure requests. They ensure timely and accurate responses while upholding individuals' rights.

7) Risk Management: Identifying and assessing risks related to data processing activities is a key responsibility of the DPO. They work to minimize potential risks by recommending appropriate safeguards and controls.

8) Monitoring Third-Party Compliance: The DPO evaluates the data protection practices of third-party service providers or vendors the organization collaborates with. They ensure that data shared with these entities is appropriately protected and compliant with data protection laws.

9) Data Breach Management: In the event of a data breach, the DPO coordinates the organization's response. This includes assessing the severity of the breach, notifying affected parties, reporting the breach to authorities if required, and implementing measures to prevent future breaches.

10) Accountability and Documentation: The DPO assists the organization in demonstrating compliance with data protection regulations. This involves maintaining comprehensive records of data processing activities, assessments, policies, and data protection measures.

11) Employee Training: The DPO ensures that employees receive adequate training and awareness programs related to data protection. This empowers staff to understand their roles and responsibilities in safeguarding personal data.

12) Data Privacy Culture: The DPO fosters a culture of data privacy and protection within the organization. This involves promoting awareness, advocating for ethical data handling, and embedding data protection principles in the organization's ethos.

13) Reporting to Senior Management: The DPO reports directly to senior management on data protection matters, compliance progress, identified risks, and recommended actions. This facilitates informed decision-making and strategic alignment.

In summary, the Data Protection Officer plays a vital role in ensuring that our organization maintains the highest standards of data protection, respects individuals' privacy rights, and operates in accordance with the laws and regulations governing data privacy.

GLOSSARY

Terms	Definitions
Adequacy decision	The European Commission decision that a third country, its territory or specific sector in a third country, provides the Data protection at an adequate level, approved or by the UK government.
Authorities	The UK state authorities mentioned, which regulate and control the Company’s business activities, provision of the Services and the related issues
Business day	A day being a working day in the UK within the Company’s working hours
Company	PAYMENTZ Ltd, a company incorporated in United Kingdom and registered in the Companies House under the registration number: 12431685, having its registered address at: 2-4 Eastern Road, Imperial Offices, Romford, England, RM1 3PJ
Consent	The agreement given by the Data subject to process its Data
Customer	A natural person or legal entity receiving the Services
Data	Any information relating to an identified or identifiable natural person
Data protection law	The Data Protection Act 2018 of the UK
Data protection officer	The Company appointed employee whose responsibilities are to ensure the correct protection of the Data in accordance to the UK legislation
Data subject	The identified or identifiable natural person to whom personal data relates
EEA	European Economic Area
GDPR	Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
ICO	Information Commissioner’s Office
Policy	This Privacy Policy
Processing	An operation or set of operations which is performed on the Data, or on sets of the Data, such as a collection, recording, organization, structuring or storage, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or restriction, erasure or destruction, etc.
Request	The written request to the Company submitted by the Data subject with a purpose to execute the rights in relation to its’ Data processed by the Company
Service	The Company’s provided services, which are received by the Customer
Special data category	The Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
Third country	A country outside the UK
Transaction	Any action performed using the Customer’s funds and the Account with the Company within use of the Services
UK	The United Kingdom of Great Britain and Northern Ireland

The Terms used in this Policy and not listed above shall be defined in accordance with definitions provided by the Data protection Law.