1.1. Company - PAYSTREE LTD (a licensed electronic money institution incorporated in England and Wales with company number 11100986 and whose registered office is at Southbank House Black Prince Rd, Lambeth, London, England, SE1 7SJ, authorised by the Financial Conduct Authority as an Electronic Money Institution under the Electronic Money Regulations 2011 for the issuing of electronic money).
1.2. Data Subject - Identified or identifiable natural person(s), that is, the human beings from whom or about whom the Company collects information in connection with its business and operations.
1.3. EU - European Union (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden).
1.4. EEA - European Economic Area (EU countries + Iceland, Liechtenstein and Norway).
1.5. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.6. Personal data (data) - Any information relating to an identified or identifiable User (natural person), for example: name, surname, identification number, birth data, telephone number, postal address or e-mail address, and any other information that makes it possible to identify the User.
1.8. Principles - Principles of personal data processing according to the Data Protection Act 2018, which is the UK’s implementation of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
1.9. Processing - Operation or set of operations, which is performed on information, or on sets of information, such as (a) collection, recording, organisation, structuring or storage; (b) adaptation or alteration; (c) retrieval, consultation or use; (d) disclosure by transmission, dissemination or otherwise making available; (e) alignment or combination; or (f) restriction, erasure or destruction.
1.10. Services - Company services, which are provided to registered Users (Company customers). The Company is engaged in the provision of payment services, including providing individual IBANs and issuing cards; a detailed description of the Company's services is specified in the Terms & Conditions.
1.11. Third countries - Countries, which are not included in EU / EEA.
1.12. User - Company customer, customer’s representative, employee, or any natural person whose personal data can be collected and processed by the Company.
1.13. Website - Company’s website www.paystree.com.
This Policy governs the manner in which the Company collects, uses, maintains and discloses information collected from users (each, a “User”). The goal of this Policy is to protect the rights and freedoms of individuals (Users) regarding the processing of their Personal data by the Company. This Policy defines the instructions and contact details by which a User may exercise his rights and lodge complaints. The Company strictly follows industry best practices and adheres to the rules set forth in the GDPR and the UK Data Protection Act 2018. Detailed information on the processing of Personal data might be additionally described in agreements and other documents related to the services.
3. GENERAL PROVISIONS
3.1. The Company shall process personal data in compliance with the GDPR requirements and requirements of UK Data Protection Act 2018.
3.2. Processing of Personal data performed by the Company may have several legal grounds, for example, a person's consent to data processing, contractual relationship between a person and the Company, performance of the legal obligation relating to the Company according to the applicable legal acts or ensuring of compliance with the Company's legitimate interests.
3.3. When submitting a written application to the Company, a data subject has the right to access, request rectification of or restrict the processing of his/her data, withdraw his/her consent and object to processing of data performed by the Company, as well as the right to data portability.
3.4. Personal data is processed in an accurate manner and kept up to date. The Company and its employees take every reasonable step to make sure that the personal data processed is accurate. If the Company has doubts regarding the correctness of a User’s data, a Company employee will contact the User regarding the personal data the User provided. Personal data that are inaccurate will be erased or rectified without delay.
3.5. User’s personal data is processed for no longer than is necessary for the purposes for which the personal data are processed. The Company processes personal data for the period of business relations with the User. After terminating the business relationship with the User, the Company will keep data at least 5 (five) years from the moment of business relationship termination and User account closure. The keeping of the Customer’s data for 5 years after termination of the business relationship is envisaged in The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which is based on Directive (EU) 2015/849 of the European Parliament and of the Council.
3.6. Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). The Company protects User’s Personal Data using modern technologies and standards (firewalls, data encryption, and other data protection methods). Access to Users’ personal data is granted only to relevant Company employees.
3.7. Personal data is processed for clear purposes; the Company doesn’t process Users’ personal data for purposes which are not described in this policy.
4. DATA PROCESSING PURPOSES
4.1. Data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.2. The Company performs processing of data for the following purposes:
4.2.1. compliance with legal acts;
4.2.2. Identification and due diligence of customers;
4.2.3. Performance of a service agreement and provision of services;
4.2.4. Ensuring information security;
4.2.5. Protection of the Company’s and customers’ interests;
4.2.6. Risk management;
4.2.7. Personnel management;
4.2.8. Commercial communications, promoted marketing campaigns and similar activities;
4.2.9. Satisfaction of customers' claims and replying to customers’ or potential customers’ queries if a User contacts the Company.
4.2.10. To improve customer service: information provided by Users helps us respond to customer service requests and support needs more efficiently.
4.2.11. For market research, analysing the Company’s customers’ needs and opinions on the Company’s products and Services. The Company may use feedback provided by Users to improve products and services.
4.2.12. The Company may use information in the aggregate to understand how our Users as a group use the Services.
4.2.13. Analyse usage and maintenance of the Site and the Company mobile application.
4.2.14. To remember User’s previously selected preferences on Website.
5. CATEGORIES OF DATA SUBJECTS
5.1. Categories of individuals whose Personal data are processed by the Company:
5.1.1. The Company's customers (potential, existing and former) and persons related to them (representatives, authorised persons, beneficiaries, employees etc.);
5.1.2. The Company's employees (existing and former) and candidates;
5.1.3. Business partners, regulatory authorities, correspondent banks and financial institutions, agents, suppliers and service providers, advisors and persons related to them (representatives, authorised persons, beneficiaries, employees, etc.).
6. CATEGORIES OF DATA
6.1. Personal data of the following categories can be provided by data subjects themselves, can be obtained during the use of the Company's services or sending us a message/request by the customer, as well as from third parties (for example, public registers, social network):
6.1.1. an individual’s identification data, such as name, surname, personal identity number, date and place of birth, citizenship, identification document data (such as passport copy, ID card, residence permit) or other document containing User's Personal data;
6.1.2. an individual’s contact details (postal address, phone number, email, IP address, communication language with the User, other contact information, e.g. Skype, WhatsApp, etc.);
6.1.3. data on Users' tax residency (address of residence, country of tax residence, taxpayer number);
6.1.4. data of related persons (for example, beneficial owners, representatives and authorised persons of User, family members, employees, heirs, and other related persons of Users);
6.1.5. financial and wealth origin data such as accounts, income, ownership, transactions, commitments, data on the User’s counterparties and personal activities (information on accounts, payments made, agreement and invoice copies, information on business activities, origin of funds, certificates of income, loans and other liabilities, information on accounts with other credit institutions, information of customer’s payment cards);
6.1.6. Professional data such as education or professional career (for example, information on salary, previous places of employment, education etc.);
6.1.7. audio / visual data (for example, records of phone conversations of the Company and Users, records of surveillance cameras placed in objects belonging to the Company and areas adjacent to them), communication data collected when the User visits the Company, or communicates with the Company, email and other communications data obtained from visiting the Company’s website.
6.1.8. data on research that makes it possible to conduct User due diligence in relation to the prevention of money laundering and terrorist financing and to ensure compliance with international sanctions (e.g. data about payment behaviour, User connections with a Politically Exposed Person, information from public sources, information about the User from screening databases, information about activities for which Company services are used, transaction information);
6.1.9. data obtained when following regulatory requirements, such as data arising from requests for information from public authorities, the tax administration, investigative authorities, including the police, courts, sworn notaries and bailiffs.
7. CATEGORIES OF DATA RECIPIENTS
7.1. The Company may disclose personal data to the following recipients of data:
7.1.1. members of management bodies, employees, representatives, authorised persons of the Company, who need this access to fulfil the Company's obligations to the User or to comply with the requirements of regulatory enactments;
7.1.2. public institutions, public officials, investigatory authorities, courts, prosecutor's office, subjects of operational activities, orphans' courts, notaries, law enforcement officials, judicial and investigatory authorities of other member states and foreign countries, tax authorities, arbitration courts, out-of-court dispute resolution bodies — financial market participants (correspondent banks, insurance companies, payment systems, agency companies, business partners of the Company or customers, financial service intermediaries etc.);
7.1.3. the Company’s cooperation partners, agents, suppliers and service providers, auditors, advisors, whom Company has entrusted under the contract to perform certain functions or provide services necessary for provision of services and conducting or ensuring of activity by Company.
7.2. The Company provides to the third parties the User's personal data in the amount necessary for the provision of the respective service or performance of the respective activity.
8. DATA STORAGE PERIODS
8.1. The Company shall store Personal data no longer than it is reasonably required for the purposes for which particular personal data are processed. Personal data storage periods shall be determined based on applicable legal acts or the Company's legitimate interests. The Company processes Personal data for the period of business relations with the User. After terminating the business relationship with the User, the Company will keep data for at least 5 (five) years from the moment of business relationship termination and User account closure. According to The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, the Customer’s data is to be kept for 5 years after termination of the business relationship.
8.2. The Company reserves the right to erase specific information before the expiry of the set period if this is not prohibited by the applicable legal acts, and reserves the right to keep data beyond the expiry of the set period if it is required by law (e.g. active inquiries from regulatory authorities concerning the customer).
8.3. The Company automatically collects data obtained when the customer visits the Company homepage; this data is automatically deleted after 20 weeks. This information includes: information of a technical nature, information about your visit.
8.4. The technical information may include the Internet Protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone settings, types and versions of browser plug-ins, operating system and platform.
9. RIGHTS OF DATA SUBJECTS
9.1. The Company shall ensure the following rights of data subjects:
9.1.1. Data subject has the right to receive information on the processing of Personal data performed by the Company and exercise of data subjects’ rights;
9.1.2. Data Subject has the right to receive a confirmation if his/her data are not processed;
9.1.3. Data Subject has the right to access his/her data and receive information on the purpose and legal basis of data processing, category of data, recipient of data, storage period, information on other sources of data if personal data are obtained from third parties, and guarantees, if the data have been sent to a third party or international organisation;
9.1.4. Data Subject has the right to receive information about the purposes of and legal basis for the processing, the categories of Personal data concerned, of recipients to whom the Personal data has been disclosed, the period for which it is envisaged that the Personal data will be stored;
9.1.5. Data Subject has the right to be informed about a new purpose of data processing in advance;
9.1.6. Data Subject has the right to object to data processing and withdraw his/her consent to data processing. Withdrawal of Customer data processing leads to termination of the business relationship. The withdrawal shall not affect the lawfulness of processing made before the withdrawal;
9.1.7. Data Subject has the right to request rectification of data if data are incorrect;
9.1.8. Data Subject has the right to request erasure of data (the right to be forgotten) if this does not contradict the UK and EU laws.
9.1.9. Data Subject has the right to lodge a complaint against processing of his/her Personal data to the Company and/or to the Commissioner’s Office of the UK if the User believes that processing of his/her Personal data violates the User’s rights stated by regulatory enactments.
10. DATA RESIDENCY
10.1. The Company shall process Personal data in the territory of UK and EU/EEA.
10.2. Transmission of Personal data to third parties (irrespective of the data recipient's residency — UK, EU, EEA or outside it) is regulated by the legal acts of UK or an agreement between the Company and a third party, which includes nondisclosure and secure exchange provisions and applies an equivalent level of Personal data protection to the processing of Personal data - the data processing will be lawful and proportionate, the data will be secure, the subject's right to control his data will be respected.
10.3. Transfer of data to third countries and international organisations is possible based on:
10.3.1. The decision made by the European Commission regarding the level of protection of a third country's data;
10.3.2. Relevant guarantees (for example, applying binding corporate rules or standard data protection clauses adopted by the European Commission);
10.3.3. Exceptional legal grounds.
10.3.4. Upon request a User can receive further details on Personal data transfers to countries outside of the EU/EEA.
11. CONTACT DETAILS
11.1. Data Subjects have the right to obtain information regarding the processing of their Personal data or to lodge a complaint by submitting a written request to the Company:
11.1.1. by sending an information request from the Customer’s account via the Internet bank;
11.1.2. by sending an information request by email to email@example.com. In case of an information request by e-mail, the Company may ask the User to provide additional documents for data subject identification;
11.1.3. by sending information by post to PAYSTREE LTD, Southbank House Black Prince Rd, Lambeth, London, England, SE1 7SJ.
11.2. If there is a request or a complaint from a User about his data processing, the Company will answer it within 1 month from the date of receipt. If the Company is unable to provide the answer to the User’s request within one month, the Company may extend the period for providing the answer within two months, having first (within one month from the request) informed the User about the reasons for such delay. If the Company will not provide the answer to the User, the Company informs the User, within one month from the moment of receipt of the request/complaint, of the reasons for not providing the answer; in this case the User may lodge a complaint to the Commissioner’s Office of the UK.
11.3. A User’s request is considered free of charge. If the Company notices that a User’s requests are submitted repeatedly and are unreasonable or excessive, the Company may charge a reasonable fee, having first informed the User.
12. SECURITY OF PERSONAL DATA
12.1. The Company shall ensure security of data storage and processing in accordance with the legal acts of UK — UK Data Protection Act 2018, GDPR (in force from May 25, 2018), Payment Card Industry Data Security Standard, other legal acts, as well as considering the best international practice for information systems security, maintenance and development.
12.2. The Company shall ensure centralised storage of Personal data and automatic data masking / erasure after expiry of the mandatory storage period according to the UK and EU laws.