The Currency Cloud Ltd. and its Group Companies (“we” or ”us”) are committed to processing your Personal Data in accordance with applicable law. This Data Processing Policy (the “Policy”) will apply when, and to the extent that, we act as a Data Processor for you.
Capitalized terms that are not defined in the body of this Policy are defined in Exhibit 1 to this Policy.
1.Compliance with Data Protection Legislation.
2.Personal Data processing.
To the extent we process Personal Data of you or End Customers in the course of providing the Services, we shall:
(b) take reasonable steps to ensure that our employees who are authorised to process such Personal Data are committed to confidentiality or under an appropriate statutory obligation of confidentiality;
(c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, implement appropriate technical and organisational measures and procedures to ensure a level of security for such Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access;
(d) send Personal Data to our Group Companies outside the European Economic Area where: (i) the transfer is based on an “adequacy decision”, is otherwise “subject to appropriate safeguards” or a “derogation for specific situations” applies (each within the meanings given to these terms in Articles 45, 46 and 49 of the GDPR respectively); and (ii) we ensure that the receiving Group Companies are under substantially the same data protection obligations as are set out in this Policy;
(e) inform you, without undue delay, on becoming aware of any such Personal Data that is subject to a personal data breach (as defined in Article 4 of the GDPR) while in our, our Group Companies’ or our subcontractors’ possession or control;
(h) provide you and any DP Regulator, at your cost, all information and assistance reasonably necessary to demonstrate or ensure compliance with the Data Protection Legislation;
(i) permit you or your representatives to access our relevant premises, personnel or records on reasonable notice to audit and otherwise verify compliance with this Policy, subject to the following requirements: i. you may perform such audits no more than once per year or more frequently if required by Data Protection Legislation; ii. before using a third party to perform the audit on your behalf, such third party shall execute a confidentiality agreement acceptable to us; iii. audits must be conducted during regular business hours, subject to our policies, and may not unreasonably interfere with our business activities; iv. you must provide us with any audit reports generated in connection with any audit (unless prohibited by applicable law), and you may only use the audit reports for the purposes of meeting your audit requirements under Data Protection Legislation and/or confirming compliance with the requirements of this Policy. The audit reports shall be confidential; v. to request an audit, you must first submit a detailed audit plan to us at least 6 (six) weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration and start date of the audit. We will review the audit plan and inform you of any concerns or questions (for example, any request for information that could compromise our confidentiality obligations or our security, privacy, employment or other relevant policies). We will work cooperatively with you to agree a final audit plan; vi. nothing in this paragraph 2.(i) shall require us to breach any duties of confidentiality owed to any of our clients, employees or third party suppliers; and vii. all audits shall be at your sole cost and expense.
(j) take such steps as are reasonably required to assist you in ensuring compliance with your obligations under Articles 32 to 36 (inclusive) of GDPR;
(k) notify you if we receive a request from a Data Subject to exercise its rights under the Data Protection Legislation in relation to that person’s Personal Data (a “Data Subject Request”); and
(l) if you so request in writing, provide you with reasonable co-operation and assistance (at your cost) in relation to a Data Subject Request.
You generally agree that we may engage Third Party Providers including any advisers, contractors, or auditors to Process Personal Data (“Sub-Processors”). If we engage a new Sub-Processor (“New SubProcessor”), we shall inform you of the engagement by sending an email notification to you and you may object to the engagement of such New Sub-Processor by notifying us within 10 Business Days of our email, provided that such objection must be on reasonable, substantial grounds, directly related to such New Sub-Processor’s ability to comply with substantially similar obligations to those set out in this Policy. If you do not object, the engagement of the New Sub-Processor shall be deemed accepted by you. We shall ensure that our contract with each New Sub-Processor shall impose obligations on the New Sub-Processor that are substantially equivalent to the terms of this Policy.
Annex to the Policy
The Personal Data processing activities carried out by us under this Policy may be described as follows:
1. Subject matter of processing
Provision of payment services and foreign exchange of services
2. Nature and purpose of processing
3. Categories of Personal Data
Banking Details, Name Details, Address Details, Email Details, Payment Transactions.
4. Categories of Data Subjects
Officers, employees, consultants, sub-contractors and agents of each Client.
The term specified in the relevant Commercial Agreement.
Exhibit 1 – DEFINITIONS
“Client” means the person who is contracting with us for the provision of the Services;
“Commercial Agreement” means the agreement between you and us setting out the commercial terms for the provision of one or more of the Services;
“Data Controller” has the meaning set out in the Data Protection Legislation (or, in respect of the GDPR, means the same as “controller” in Article 4 of GDPR);
“Data Processor” has the meaning set out in the Data Protection Legislation (or, in respect of the GDPR, means the same as “processor” in Article 4 of GDPR);
“Data Protection Legislation” means in each case as such are updated, amended or replaced from time to time): (a) the UK Data Protection Act 1998 (as amended or replaced from time to time), or from its effective date (25 May 2018), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) (the “GDPR”), and any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR (including the UK Data Protection Act 2018), in each case, to the extent in force; and (c) any other relevant data protection legislation in any jurisdiction which is applicable to the Services, including but not limited to the Privacy and Electronic Communications (EC Directive) Regulations 2003.
“Data Subject” means an individual who is the subject of Personal Data;
“DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Legislation;
“End Customer” means any person other than us who contracts with you, including without limitation any client you engage in connection with the Platform Services;
“Group Companies” means in relation to a company those companies which are subsidiaries, holding companies or subsidiaries of any holding company of such company, where the terms “subsidiary” and “holding company” bear the meaning given to them in section 1159 of the Companies Act 2006;
“Personal Data” has the meaning given to it by the Data Protection Legislation;
- Data Processing