We may collect and process your individually identifiable information, namely information that identifies a person or can, with reasonable efforts, identify a person (hereinafter – “Personal data”) in order to provide proper services for you.
We respect your privacy, protect and process your Personal data in accordance with the rules of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – “GDPR”), Law on Legal Protection of Personal Data of the Republic of Lithuania and other applicable regulatory enactments.
3. THE PURPOSES AND LEGAL JUSTIFICATION OF PERSONAL DATA PROCESSING
We collect and process your Personal data only for legitimate purposes in accordance with the rules of data protection and processing established by GDPR and other applicable rules.
As a regulated EMI, we are obliged to comply with the legal obligations provided by the following legal regulations (but not limited): the Law on Payments of the Republic of Lithuania, the Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania, Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (hereinafter – “Regulation (EU) 2015/847”) and the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania Money Laundering and Terrorist Financing Prevention legislation (hereinafter – “Applicable legislation”).
While processing your Personal data we will comply with GDPR and other Personal data protection applicable laws and regulatory enactments, as well as with data processing principles, which means that your Personal data will be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Relevant to the purposes we have informed you about and limited only to those purposes;
- Accurate and kept up to date;
- Maintained only for as long as necessary for the purposes we have informed you about;
- Kept securely and protected against unauthorized or unlawful processing and against loss or destruction using appropriate technical and organizational measures.
3.1. The commencement and provision of services – electronic money issuance, redemption, payment services, currency conversion – and for the fulfilment of obligations under the services agreement:
As part of this, we will process the following Personal data: name, surname, personal identification number, tax identification number, address, date of birth, data from an identity document/residence permit and a copy of the identity document/residence permit , photo, direct video transmission (live video broadcast records) recording, citizenship, email address, phone number, payment account number, bank statements, pay slips, employment agreements, contracts, invoices, employment history, IP address, current activity, current public function, information about main business partners (and their Personal data), source of funds and wealth, data from a power of attorney and other data required by the Applicable legislation.
Below you can find the details and additional information why, for what sub-purposes and/or what data for certain sub-purpose (where explained) we will process.
We will process your Personal data to:
- identify you as a prospective client and/or client’s – legal entity’s director/legal representative/management board/supervisory board member/ authorized person or employee, and implement relevant “Know your customer” procedures;
- to understand your financial circumstances;
- identify ultimate beneficial owner or controlling person of the account;
- collect information regarding client’s main business partner;
- verify your mobile number and e-mail address;
- conclude an agreement (General Terms and Conditions for the Provision of services) for services with you/your represented legal entity;
- open an account to you/your represented legal entity;
Within the client onboarding process, in addition to Personal data processing for the purposes of client identification and contact details verification, in compliance with the requirements of AML and KYC, we will use document authenticity verification services provided by external vendor, including validation of KYC documentation, business documentation required for legal entity onboarding, verification of beneficial ownership and information checking in national registers of Member States as required by the Applicable legislation. We will use vendor’s overnight screening services for potential sanctions and politically exposed person (PEP) matches, negative information in adverse media.
If you are indicated as the beneficial owner or a controlling person of a legal client, we shall process the following your Personal data: name, surname, date of birth, residency/nationality, identification document’s/residence permit’s data, nature and description of the beneficial ownership, source of funds and wealth (where required) and other data required by the Applicable legislation
If you are indicated as the client’s main business partner we may process the following your Personal data: name, surname, date of birth, citizenship, invoices, data revealing business relationship between you and the client and other Personal data according to the Applicable legislation.
- process your/legal entity’s payment orders and execute payment transactions;
- process electronic money issuance and remittance;
- process currency exchange transactions;
As part of transaction processing we will process your identification data and your payment account data, payment transaction data, payment recipients Personal data (name, surname, account number and the recipient bank details), IP address, other data required by the Applicable legislation;
- handle necessary procedures according to anti-money laundering and terrorist financing regulations;
- make relevant risk assessments;
- monitor transactions;
- ensure proper risk and organizational management;
- keep contact and necessary communication with you;
- process client’s requests and complaints, where relevant.
In order to communicate with you and process the requests and complaints received from you in accordance with the General Terms and Conditions for the Provision of services, where relevant, we may process the following your Personal data: name, surname, position/representation rights, e-mail address, telephone number and other Personal data that is indicated in your requests/complaints.
The main legal grounds of Personal data processing for these purposes are:
1) your consent to the personal data processing (Article 6 (a) of GDPR) and (Article 9 (2) (a) of GDPR, in case in your identification process we get any of special categories of your Personal data, e.g., identification via “liveness check” – direct video transmission (live video broadcast records);
2) conclusion and performance of the contract with data subjects (Article 6 (b) of GDPR);
3) fulfilment of legal obligations under Applicable legislation (Article 6 (c) of GDPR);
4) legitimate interests of the controller (Article 6 (f) of GDPR), such as identifying you as a client and/or client’s representative/beneficial owner/controlling person , ensuring contact with you.
3.2. AML/CTF and transaction monitoring
As part of this, we would need to comply with AML/CTF legal framework, establish your/your represented legal entity’s client risk classification, monitor transactions, carry out risk score and AML/CTF risk exposure assessment.
For the implementation of our legitimate interest within the AML/CTF framework we may verify information relating to you against credible publicly available information sources; ensure monitoring of your transaction and provide information to the supervisory authorities and investigative authorities in the cases provided by legal enactments, ensure the maintenance of relevant registers, e.g., risk register, beneficial owners’ register.
As a regulated entity, we are obliged to conduct retrospective monitoring of clients’ activities. In order to fulfil these obligations, additional information request for Personal data may be sent to verify information required by Applicable legislation. While monitoring payment transactions, we may also require to provide us the documents confirming economic substance/legitimacy of the transaction, that might also contain Personal data.
The legal ground of Personal data processing for this purpose is:
1) fulfilment of legal obligations under Applicable legislation (Article 6 (c) of GDPR);
2) legitimate interests of the controller (Article 6 (f) of GDPR), such as identifying you as a client and/or client’s beneficiary, ensuring contact with you.
3.3. Providing marketing activities and/or informing you on our services
As part of this we may send you commercial communications to e-mail according to your consent or our legal relationships (agreement) with you. If you subscribe for our newsletters or you are our existing client/client’s representative/contact person, we may send you information and offers/special offers regarding our products and services that might interest you. We may also provide you with information about other goods and services we offer that are similar to those you have already used or asked for. We may also provide you with (push) notifications of our new products and offers via our applications if you are using them, if you have subscribed to them.
If you are not willing to receive our commercial communications, you can inform us and refuse the further receipt of commercial communications any time, we also providing you free of charge and easy-to-implement opportunity to unsubscribe in our commercial communication sent to you by e-mail. If you don’t want to further receive push notifications via our applications, you can manage user preferences by switching off this option.
For this purpose, we might need at least the following personal data: your name, surname, data of legal entity you represent, e-mail address, location, services and products you have used or asked for or looked for in our applications and other user experience data.
The legal grounds of Personal data processing for this purpose are:
1) your consent to the Personal data processing (Article 6 (a) of GDPR);
2) conclusion and performance of the contract with data subject (Article 6 (b) of GDPR);
3) legitimate interests of the controller (Article 6 (f) of GDPR), such as informing you about our services, sending you information on our special offers/products etc.
3.4. Prevention of security threats to property interests and other essential legitimate interests of the Controller or of third parties
As part of this, we should carry out video surveillance of our territory, buildings and other property, make telephone records, use personal data processors to provide a variety of functions, if necessary, to disclose information to supervisory authorities, judicial bodies, agencies, courts and other public authorities or officials, to exercise the rights conferred by law to ensure other legitimate interests of the Controller or third parties.
For this purpose, we might need to process at least the following Personal data: client’s/visitor’s appearance (image), name, surname (if possible), object address, location and time, and other data as necessary.
The legal ground for the processing of Personal data for this purpose is:
1) legitimate interests of the Controller (Article 6 (f) of GDPR).
3.5. Ensuring proper supply of our services
The legal ground for the processing of Personal data for this purpose is:
1) legitimate interests of the Controller (Article 6 (f) of GDPR).
We shall take appropriate measures to process your personal data in accordance with the Applicable legislation and to ensure that your Personal data is not accessed by third parties who do not have the appropriate legal basis for the processing of your Personal data.
6. THE RECEIPIENTS/POSSIBLE RECEIPIENTS OF YOUR PERSONAL DATA
Your Personal data could be accessed as needed by and shared with:
1) our employees or directly authorized persons who are required to process this Personal data to perform their duties;
2) Personal data processors;
3) Third parties, carefully assessing whether such Persona data transfer has an appropriate legal basis.
Personal data processors:
Your Personal data will be transmitted to third parties that we use to provide our services; these parties have been rigorously assessed and offer a guarantee of compliance with the legislation on the processing of Personal data. These parties have been designated as data processors and carry out their activities according to the written agreement, the instructions given by us and under our control.
We may work with the following categories of Personal data processors:
- outsourcing accountants, auditors, financial management and legal advisers;
- Internet/computer software services providers, companies specializing in IT and marketing services;
- IT infrastructure services providers;
- companies that carry out KYC/AML database checks and fraud database checks;
- global financial messaging infrastructures that are subject to oversight by relevant authorities (e.g., SWIFT);
- global network infrastructures (e.g. Visa, MasterCard);
- video surveillance/security services provider/s;
- other persons connected with the provision of our services.
We may also be required to share your Personal data with various financial institutions, payment services providers and/or law enforcement bodies and officials, supervisory authorities/regulatory bodies and financial crime investigation service to comply with Applicable legislation, prevent fraud or enforce an agreement we have with you;
We may also share your personal data to comply with applicable laws and regulations, to respond to a legal requests of law enforcement bodies and officials, supervisory authorities/regulatory bodies, or to other third parties if it is provided by applicable law, and/or if it is relevant for the protection of our and our employees legitimate interests, property or safety, or legitimate interests of third parties or data subject.
10. YOUR RIGHTS AS DATA SUBJECT
Restoring your personal data
If there are changes to Personal data that you have provided to us, please contact us at e-mail firstname.lastname@example.org and provide us with the relevant data so that we can achieve the relevant Personal data processing purposes.
Your right to access and correct your Personal data
In accordance with the provisions of the GDPR, you have the right to require us to have access to your Personal data at our disposal, to request their rectification, erasure, processing limitation, to object to the processing of your Personal data, as well as the right to data portability in the cases and procedures set out in the GDPR.
We respect your right to access and control your Personal data, so if we receive your request, we will respond to it within the time limits laid down in the regulatory framework (usually not later than one month if there is no specific request that takes longer to prepare the answer), and if it is possible, we will correct or delete your Personal data accordingly, or undertake the necessary measures to enable your Personal data portability as possible.
You may obtain information about your Personal data or exercise other rights as a data subject in one of the following ways:
- by submitting an appropriate application in person and identifying yourself at our office at the address: Mėnulio str. 11-101, LT-04326 Vilnius, Republic of Lithuania, each working day from 10-16;
- by submitting an appropriate application to us by post to the following address: Mėnulio str. 11-101, LT-04326 Vilnius, Republic of Lithuania;
- by submitting an appropriate application to us by e-mail: email@example.com ; it is recommended that you sign it with a secure electronic signature when submitting a relevant application, sending it via e-mail.
Upon receipt of your submission, we will evaluate the content and the possibility of identifying you, and, depending on the situation, we reserve the possibility of asking you to further identify yourself in order to ensure the security and disclosure of your Personal data to the person concerned.
Withdrawal of consent
If the processing of your Personal data is based on your consent, you have the right to withdraw it at any time and we will no longer process your Personal data processed on the basis of your consent. However, please be informed that the withdrawal of consent cannot affect the processing of Personal data which is necessary for the fulfilment of the requirements of regulatory enactments or which is based on a contract, our legitimate interests or other legal bases for the lawful processing of Personal data provided for in regulatory enactments.