2.1. The Company shall process personal data in compliance with the GDPR requirements.
2.2. Processing of personal data performed by the Company may have several legal grounds, for example, a person's consent to data processing, contractual relationship between a person and the Company, performance of the legal obligation relating to the Company according to the applicable legal acts or ensuring of compliance with the Company's legitimate interests.
2.3. By submitting a written application to the Company, a data subject has the right to access his/her data, request rectification or restriction of the processing of his/her data, withdraw his/her consent and object to processing of data performed by the Company, as well as the right to data portability.
2.4. In certain cases, an individual's rights may not be exercised or may be restricted, if this is justified by the Company's legitimate interests.
3.1. Data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3.2. The Company performs processing of data for the following purposes:
3.2.1. compliance with legal acts;
3.2.2. identification, due diligence and monitoring of individuals;
3.2.3. performance of a service agreement;
3.2.4. provision of services;
3.2.5. management of relationship with customers, partners and other related persons;
3.2.6. ensuring physical and information security;
3.2.7. protection of the Company’s and customers’ interests;
3.2.8. risk management;
3.2.9. personnel management;
3.2.10. commercial communications, promoted marketing campaigns and similar activities;
3.2.11. satisfaction of customers' claims.
4.1. Categories of individuals whose personal data are processed by the Company:
4.1.1. the Company's customers (existing and former) and persons related to them (representatives, authorised persons, beneficiaries, employees etc.);
4.1.2. the Company's employees (existing and former) and candidates;
4.1.3. business partners, agents, suppliers and service providers, advisors and persons related to them (representatives, authorised persons, beneficiaries, employees, etc.).
5.1. Personal data of the following categories can be provided by data subjects themselves, can be obtained during the use of the Company's services by the customer, as well as from third parties (for example, public and private registers):
5.1.1. an individual’s identification data, such as name, surname, personal identity number, date and place of birth, identification document data (such as passport copy, ID card, photo) or other document containing customer's personal data;
5.1.2. an individual’s contact details (postal address, phone, email, Skype name, IP address, communication language with the customer, etc.);
5.1.3. data on customers' tax residency (for example, nationality, country of residence, tax residence, taxpayer number, social insurance number);
5.1.4. data of related persons (for example, representatives and authorised persons of customer, family members of employees, heirs, guarantors and other related persons of customers);
5.1.5. financial and wealth origin data such as accounts, income, ownership, transactions, commitments, data on the customer’s counterparties and personal activities (information on accounts, payments made, agreement and invoice copies, information on business activities, origin of funds, certificates of income, loans and other liabilities, information on accounts with other credit institutions);
5.1.6. professional data such as education or professional career (for example, information on salary, previous places of employment, education, etc.);
5.1.7. audio / visual data (for example, records of phone conversations of the Company and customers, records of surveillance cameras placed in objects belonging to the Company and areas adjacent to them), communication data collected when the customer visits the Company, or communicates with the Company, email and other communications data obtained from visiting the Company’s website;
5.1.8. data on research that makes it possible to conduct customer research activities in relation to the prevention of money laundering and terrorist financing and to ensure compliance with international sanctions and whether the individual is a politically exposed person;
5.1.9. data obtained when following regulatory requirements, such as data arising from requests for information from public authorities, the tax administration, investigative authorities, including the police, courts, sworn notaries and bailiffs.
6.1. The Company may disclose personal data to the following recipients of data:
6.1.1. members of management bodies, employees, representatives, authorised persons of the Company;
6.1.2. public institutions, public officials, investigatory authorities, courts, prosecutor's office, subjects of operational activities, orphans' courts, notaries, law enforcement officials, judicial and investigatory authorities of other member states and foreign countries, tax authorities, arbitration courts, out-of-court dispute resolution bodies — financial market participants (correspondent banks, insurance companies, payment systems, agency companies, business partners of the Company or customers, financial service intermediaries etc.);
6.1.3. the Company’s cooperation partners, agents, suppliers and service providers, auditors, advisors.
7.1. The Company shall store personal data no longer than is reasonably required for the purposes for which the particular personal data are processed. Personal data storage periods shall be determined based on applicable legal acts or the Company's legitimate interests.
7.2. The Company reserves the right to erase specific information before the expiry of the set period if this is not prohibited by the applicable legal acts.
8.1. The Company shall ensure the following rights of data subjects:
8.1.1. a subject's data may be processed on the basis of his/her consent or some other legitimate basis;
8.1.2. a subject has the right to receive information on the processing of personal data performed by the Company and exercise of data subjects’ rights;
8.1.3. a subject has the right to receive a confirmation if his/her data are not processed;
8.1.4. a data subject has the right to access his/her data and receive information on the purpose and legal basis of data processing, category of data, recipient of data, storage period, information on other sources of data if personal data are obtained from third parties, and guarantees, if the data have been sent to a third party or international organisation;
8.1.5. a subject has the right to receive information on whether the provision of personal data is related to the law or an agreement, whether the provision of data is a precondition for the conclusion of an agreement, as well as information that the subject is required to provide personal data, and consequences in case such data are not provided;
8.1.6. a subject has the right to be informed about a new purpose of data processing in advance;
8.1.7. a subject has the right to object to data processing and withdraw his/her consent to data processing;
8.1.8. a subject has the right to request rectification of data if data are incorrect;
8.1.9. a subject has the right to data portability;
8.1.10. a subject has the right to request erasure of data if this does not contradict the UK and EU laws.
9.1. The Company shall process data in the territory of the UK.
9.2. Transmission of personal data to third parties (irrespective of the data recipient's residency — UK, EU, EEA or outside it) is regulated by the legal acts of the UK or an agreement between the Company and a third party, which includes nondisclosure and secure exchange provisions.
9.3. Transfer of data to third countries and international organisations is possible based on:
9.3.1. the decision made by the European Commission regarding the level of protection of a third country's data;
9.3.2. relevant guarantees (for example, applying binding corporate rules or standard data protection clauses adopted by the European Commission);
9.3.3. exceptional legal grounds.
10.1. A data subject may submit his/her questions, requests and complaints to a data protection specialist appointed by the Company by email to firstname.lastname@example.org or by post to PAYSTREE LTD, Southbank House Black Prince Rd, Lambeth, London, England, SE1 7SJ.
10.2. A data subject has the right to file a complaint on the processing of personal data performed by the Company with the Information Commissioner’s Office of the UK.
11.1. The Company shall ensure security of data storage and processing in accordance with the approved Sensitive payment data protection procedure. The requirements of the Sensitive payment data protection procedure shall be implemented according to the legal acts of the UK — Data Protection Act, GDPR (in force from May 25, 2018), Payment Card Industry Data Security Standard, other legal acts, as well as considering the best international practice for information systems security, maintenance and development.
11.2. The Company shall ensure centralised storage of personal data and automatic data masking / erasure after expiry of the mandatory storage period according to the UK and EU laws.
12.1. The Principles are available on the Company’s website at www.paystree.com.
12.2. The Company may unilaterally amend the Principles. The Company shall publicly inform about amendments to the Principles on the Company's website at www.paystree.com (publishing the Principles text).
12.3. The Company has the right to additionally inform a customer about amendments to the Principles on an individual basis by sending a relevant notice via Internetbank, by email, post, or using other means of communication.