Data Processing
The Currency Cloud Ltd. and its Group Companies (“we” or “us”) are committed to processing your Personal Data in accordance with applicable law. This Data Processing Policy (the “Policy”) will apply when, and to the extent that, we act as a Data Processor for you.
Capitalized terms that are not defined in the body of this Policy are defined in Exhibit 1 to this Policy.
1. Compliance with Data Protection Legislation.
You and we shall comply with the provisions and obligations imposed on you and us by the Data Protection Legislation at all times when processing Personal Data in connection with these Terms of Use. Such processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in the Annex to this Policy. You shall ensure that any instructions that you issue to us shall comply with the Data Protection Legislation.
2. Personal Data processing.
To the extent we process Personal Data of you or End Customers in the course of providing the Services, we shall:
(a) process such Personal Data only: (i) in accordance with your written instructions from time to time (including those set out in these Terms of Use or any Commercial Agreements) provided such instructions are lawful; and (ii) as we are otherwise required to do by applicable law;
(b) take reasonable steps to ensure that our employees who are authorised to process such Personal Data are committed to confidentiality or under an appropriate statutory obligation of confidentiality;
(c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, implement appropriate technical and organisational measures and procedures to ensure a level of security for such Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access;
(d) send Personal Data to our Group Companies outside the European Economic Area where: (i) the transfer is based on an “adequacy decision”, is otherwise “subject to appropriate safeguards” or a “derogation for specific situations” applies (each within the meanings given to these terms in Articles 45, 46 and 49 of the GDPR respectively); and (ii) we ensure that the receiving Group Companies are under substantially the same data protection obligations as are set out in this Policy;
(e) inform you, without undue delay, on becoming aware of any such Personal Data that is subject to a personal data breach (as defined in Article 4 of the GDPR) while in our, our Group Companies’ or our subcontractors’ possession or control;
(f) not disclose any Personal Data to any Data Subject or to a third party other than at the written request of you or as expressly provided for in these Terms of Use and/or the Commercial Agreement;
(g) except for Personal Data for which we are also a Data Controller and as required by law or in order to defend any actual or possible legal claims, take reasonable steps to return or irretrievably delete (as you may direct) all Personal Data on termination or expiry of these Terms of Use and the Commercial Agreement;
(h) provide you and any DP Regulator, at your cost, all information and assistance reasonably necessary to demonstrate or ensure compliance with the Data Protection Legislation;
(i) permit you or your representatives to access our relevant premises, personnel or records on reasonable notice to audit and otherwise verify compliance with this Policy, subject to the following requirements:
i. you may perform such audits no more than once per year or more frequently if required by Data Protection Legislation;
ii. before using a third party to perform the audit on your behalf, such third party shall execute a confidentiality agreement acceptable to us;
iii. audits must be conducted during regular business hours, subject to our policies, and may not unreasonably interfere with our business activities;
iv. you must provide us with any audit reports generated in connection with any audit (unless prohibited by applicable law), and you may only use the audit reports for the purposes of meeting your audit requirements under Data Protection Legislation and/or confirming compliance with the requirements of this Policy. The audit reports shall be confidential;
v. to request an audit, you must first submit a detailed audit plan to us at least 6 (six) weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration and start date of the audit. We will review the audit plan and inform you of any concerns or questions (for example, any request for information that could compromise our confidentiality obligations or our security, privacy, employment or other relevant policies). We will work cooperatively with you to agree a final audit plan;
vi. nothing in this paragraph 2.(i) shall require us to breach any duties of confidentiality owed to any of our clients, employees or third party suppliers; and
vii. all audits shall be at your sole cost and expense.
(j) take such steps as are reasonably required to assist you in ensuring compliance with your obligations under Articles 32 to 36 (inclusive) of GDPR;
(k) notify you if we receive a request from a Data Subject to exercise its rights under the Data Protection Legislation in relation to that person’s Personal Data (a “Data Subject Request”); and
(l) if you so request in writing, provide you with reasonable co-operation and assistance (at your cost) in relation to a Data Subject Request.
3. Sub-processing.
You generally agree that we may engage Third Party Providers including any advisers, contractors, or auditors to Process Personal Data (“Sub-Processors”). If we engage a new Sub-Processor (“New Sub-Processor”), we shall inform you of the engagement by sending an email notification to you and you may object to the engagement of such New Sub-Processor by notifying us within 10 Business Days of our email, provided that such objection must be on reasonable, substantial grounds, directly related to such New Sub-Processor’s ability to comply with substantially similar obligations to those set out in this Policy. If you do not object, the engagement of the New Sub-Processor shall be deemed accepted by you. We shall ensure that our contract with each New Sub-Processor shall impose obligations on the New Sub-Processor that are substantially equivalent to the terms of this Policy.
4. Responsibility.
Any sub-contracting or transfer of Personal Data pursuant to this Policy shall not relieve us of any of our liabilities, responsibilities and obligations to you under these Terms of Use and we shall remain liable for the acts and omissions of our Sub-Processor(s).
Where Personal Data is processed by us under or in connection with these Terms of Use on behalf of you as the Data Controller, you agree that we may disclose the Personal Data to our employees, subcontractors (including third party suppliers), agents, Group Companies and Group Company employees as we reasonably consider necessary: (i) for the performance of our obligations under these Terms of Use and/or Commercial Agreement; (ii) for compliance with applicable law; and (iii) to defend any actual or possible legal claims.
Annex to the Policy
The Personal Data processing activities carried out by us under this Policy may be described as follows:
1. Subject matter of processing
Provision of payment services and foreign exchange of services
2. Nature and purpose of processing
Processing of Personal Data as required for us to provide the Services to you and to perform our other obligations under the Terms of Use and Commercial Agreements.
3. Categories of Personal Data
Banking Details, Name Details, Address Details, Email Details, Payment Transactions.
4. Categories of Data Subjects
End Customers
Officers, employees, consultants, sub-contractors and agents of each Client.
5. Duration
The term specified in the relevant Commercial Agreement.
Exhibit 1 – DEFINITIONS
“Client” means the person who is contracting with us for the provision of the Services;
“Commercial Agreement” means the agreement between you and us setting out the commercial terms for the provision of one or more of the Services;
“Data Controller” has the meaning set out in the Data Protection Legislation (or, in respect of the GDPR, means the same as “controller” in Article 4 of GDPR);
“Data Processor” has the meaning set out in the Data Protection Legislation (or, in respect of the GDPR, means the same as “processor” in Article 4 of GDPR);
“Data Protection Legislation” means (in each case as such are updated, amended or replaced from time to time): (a) the UK Data Protection Act 1998 (as amended or replaced from time to time), or from its effective date (25 May 2018), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) (the “GDPR”), and any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR (including the UK Data Protection Act 2018), in each case, to the extent in force; and (c) any other relevant data protection legislation in any jurisdiction which is applicable to the Services, including but not limited to the Privacy and Electronic Communications (EC Directive) Regulations 2003.
“Data Subject” means an individual who is the subject of Personal Data;
“DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Legislation;
“End Customer” means any person other than us who contracts with you, including without limitation any client you engage in connection with the Platform Services;
“Group Companies” means in relation to a company those companies which are subsidiaries, holding companies or subsidiaries of any holding company of such company, where the terms “subsidiary” and “holding company” bear the meaning given to them in section 1159 of the Companies Act 2006;
“Personal Data” has the meaning given to it by the Data Protection Legislation;
“Services” means the Payment Services – Global Account, Foreign Exchange Service, EUR Collection Service, and Platform Services provided by Currencycloud to you as described in the Terms of Use and on the Client Help Centre;
“Terms of Use” means our terms and conditions that govern your use of the Services, including the schedules and any other terms and conditions referred to therein, the Privacy and Data Protection Policy, the Cookies Policy, and the Client Help Centre, all as amended from time to time;