Data Processing Policy

Last Updated: 3rd June 2021

Sciopay Ltd and its Group Companies (“we” or “us”) want to ensure the processing of your Personal Data is managed in accordance with applicable law. This Data Processing Policy (“the Policy”) will apply when, and to the extent that, we act as a Data Processor for you.

1. Compliance with Data Protection Legislation.

You and we shall comply with the obligations and provisions imposed on you and us by the Data Protection Legislation when processing Personal Data in connection with these Terms. Such processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in the Annex to this Policy. Any instructions that you issue to us shall comply with the Data Protection Legislation.

2. Personal Data processing.

To the extent we process Personal Data of you or Customers in the course of providing the Services, we shall:

(a) process such Personal Data only:
    (i) in accordance with your written instructions from time to time (including those set out in these Terms or any Business Introducer Agreement) provided such instructions are lawful; and
    (ii) as we are otherwise required to do by applicable law;
(b) take reasonable steps to ensure that our employees who are authorised to process such Personal Data are committed to confidentiality or under an appropriate statutory obligation of confidentiality;
(c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, implement appropriate technical and organisational measures and procedures to ensure a level of security for such Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access;
(d) send Personal Data to our Group Companies outside the European Economic Area where:
    (i) the transfer is based on an “adequacy decision”, is otherwise “subject to appropriate safeguards” or a “derogation for specific situations” applies (each within the meanings given to these terms in Articles 45, 46 and 49 of the GDPR respectively); and
    (ii) we ensure that the receiving Payment Partners are under substantially the same data protection obligations as are set out in this Policy;
(e) inform you, without undue delay, on becoming aware of any such Personal Data that is subject to a personal data breach (as defined in Article 4 of the GDPR) while in our, our Group Companies’ or our subcontractors’ possession or control;
(f) not disclose any Personal Data to any Data Subject or to a third party other than at the written request of you or as expressly provided for in these Terms and/or the Business Introducer Agreement;
(g) except for Personal Data for which we are also a Data Controller and as required by law or in order to defend any actual or possible legal claims, take reasonable steps to return or irretrievably delete (as you may direct) all Personal Data on termination or expiry of these Terms and the Business Introducer Agreement;
(h) provide you and any DP Regulator, at your cost, all information and assistance reasonably necessary to demonstrate or ensure compliance with the Data Protection Legislation;
(i) permit you or your representatives to access our relevant premises, personnel or records on reasonable notice to audit and otherwise verify compliance with this Policy, subject to the following requirements:
    i. you may perform such audits no more than once per year or more frequently if required by Data Protection Legislation;
    ii. before using a third party to perform the audit on your behalf, such third party shall execute a confidentiality agreement acceptable to us;
    iii. audits must be conducted during regular business hours, subject to our policies, and may not unreasonably interfere with our business activities;
    iv. you must provide us with any audit reports generated in connection with any audit (unless prohibited by applicable law), and you may only use the audit reports for the purposes of meeting your audit requirements under Data Protection Legislation and/or confirming compliance with the requirements of this Policy. The audit reports shall be confidential;
    v. to request an audit, you must first submit a detailed audit plan to us at least 6 (six) weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration and start date of the audit. We will review the audit plan and inform you of any concerns or questions (for example, any request for information that could compromise our confidentiality obligations or our security, privacy, employment or other relevant policies). We will work cooperatively with you to agree a final audit plan;
    vi. nothing in this paragraph 2.(i) shall require us to breach any duties of confidentiality owed to any of our clients, employees or third party suppliers; and
    vii. all audits shall be at your sole cost and expense;
(j) take such steps as are reasonably required to assist you in ensuring compliance with your obligations under Articles 32 to 36 (inclusive) of GDPR;
(k) notify you if we receive a request from a Data Subject to exercise its rights under the Data Protection Legislation in relation to that person’s Personal Data (a “Data Subject Request”); and
(l) if you so request in writing, provide you with reasonable co-operation and assistance (at your cost) in relation to a Data Subject Request.

3. Sub-processing.

You generally agree that we may engage Third Party Providers including any advisers, contractors, or auditors to Process Personal Data (“Sub-Processors”). If we engage a new Sub-Processor (“New Sub-Processor”), we shall inform you of the engagement by sending an email notification to you and you may object to the engagement of such New Sub-Processor by notifying us within 10 Business Days of our email, provided that such objection must be on reasonable, substantial grounds, directly related to such New Sub-Processor’s ability to comply with substantially similar obligations to those set out in this Policy. If you do not object, the engagement of the New Sub-Processor shall be deemed accepted by you. We shall ensure that our contract with each New Sub-Processor shall impose obligations on the New Sub-Processor that are substantially equivalent to the terms of this Policy.

4. Responsibility.

Any sub-contracting or transfer of Personal Data pursuant to this Policy shall not relieve us of any of our liabilities, responsibilities and obligations to you under these Terms and we shall remain liable for the acts and omissions of our Sub-Processor(s). Where Personal Data is processed by us under or in connection with these Terms on behalf of you as the Data Controller, you agree that we may disclose the Personal Data to our employees, subcontractors (including third party suppliers), agents, Group Companies and Group Company employees as we reasonably consider necessary:

(i) for the performance of our obligations under these Terms and/or Business Introducer Agreement;
(ii) for compliance with applicable law; and
(iii) to defend any actual or possible legal claims.

Annex to the Policy

The Personal Data processing activities carried out by us under this Policy may be described as follows:

a. Subject matter of processing

Provision of payment services and foreign exchange services.

b. Nature and purpose of processing

Processing of Personal Data as required for us to provide the Services to you and to perform our other obligations under the Terms and Business Introducer Agreement.

c. Categories of Personal Data

Banking Details, Name Details, Address Details, Email Details, Payment Transactions.

d. Categories of Data Subjects

Customers, officers, employees, consultants, sub-contractors and agents.

e. Duration

The term specified in the relevant Business Introducer Agreement.

Glossary

“Client” means the person who is contracting with us for the provision of the Services;

“Business Introducer Agreement” means the agreement between you and us setting out the commercial terms for the provision of one or more of the Services;

“Customer” means any person other than us who contracts with you, including without limitation any client you engage in connection with the Services;

“Data Controller” has the meaning set out in the Data Protection Legislation (or, in respect of the GDPR, means the same as “controller” in Article 4 of GDPR);

“Data Processor” has the meaning set out in the Data Protection Legislation (or, in respect of the GDPR, means the same as “processor” in Article 4 of GDPR);

“Data Protection Legislation” means (in each case as such are updated, amended or replaced from time to time): (a) the UK Data Protection Act 1998 (as amended or replaced from time to time), or from its effective date (25 May 2018), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) (the “GDPR”), and any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR (including the UK Data Protection Act 2018), in each case, to the extent in force; and (c) any other relevant data protection legislation in any jurisdiction which is applicable to the Services, including but not limited to the Privacy and Electronic Communications (EC Directive) Regulations 2003;

“Data Subject” means an individual who is the subject of Personal Data;

“DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Legislation;

“Group Companies” means in relation to a company those companies which are subsidiaries, holding companies or subsidiaries of any holding company of such company, where the terms “subsidiary” and “holding company” bear the meaning given to them in section 1159 of the Companies Act 2006;

“Personal Data” has the meaning given to it by the Data Protection Legislation;

“Services” means the Payment Services provided by Scio to you as described in the Terms;

“Terms” means our terms and conditions that govern your use of the Services and any other terms and conditions referred to therein, the Privacy and Data Protection Policy, the Cookies Policy, all as amended from time to time;