From 25 May 2018 the European Union starts applying General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) (the “Regulation”).

The Regulation sets out new framework for protection of personal data of natural persons (data subjects).

You have received this electronic letter because there is an active agreement(s) between you and Payoma Limited, English company having company No 09016606 and legal address at Level 18, 40 Bank Street, London E14 5NR, UK (“Payoma”, “we”).

In this electronic letter we would like to provide some information we have to provide to data subjects under the Regulation.

We send you this letter even though you as our client are an entity corporate while the Regulation provides regulation for protection of personal data of natural persons. This letter is to apply to your existing or potential customers who are natural persons, to your officers, agents, employees and other natural persons who are in any possible way related to you.

Issues related to protection of personal data are addressed by our Privacy Policy accessible on our website www.payoma.com.

In this electronic letter we use the terms “personal data”, “to process”, “controller” and “processor” in the same meaning these terms have in the Regulation.

Payoma is the controller in the understanding of the Regulation. Data subjects may contact us using all means indicated on our website www.payoma.com.

We are processing personal data for the following purpose:

1. For performance of the agreement we have between us, inter alia for processing payments your customers have made,
2. To perform our statutory duties, inter alia counter-terrorism financing (“CTF”) and anti-money laundering (“AML”) requirements,
3. To fulfil our contractual and similar obligations, inter alia our obligations to payment systems, partner banks and insurance companies,
4. To ensure normal business operations, e.g. putting name of your officer in correspondence exchange between us etc.,
5. To protect our legitimate interests, e.g. for dispute resolution purpose.

The legal basis for the processing of personal data is the agreement(s) between us and consent of data subjects (where applicable).

The potential recipients of personal data of data subjects are:

1. Supervising and other competent authorities, e.g. UK Financial Conduct Authority, CTF and AML authorities, courts etc.,
2. Payment systems, banks and other financial institutions involved in processing of payments,
3. Our partner banks,
4. Our affiliates,
5. Our outsourced services providers, e.g. our accountants and legal advisers,
6. Our IT service providers,
7. Payoma officers and employees.

We may transfer personal data to a third country (i.e. non-EU country) provided the respective requirements laid down by the Regulation are complied with and such transfer will not decrease level of protection of the personal data transferred.

We may appoint a processor to process the personal data for us. If we will do so we will approach selection of such processor with due care and properly appoint the processor using agreement or other means that are both legally valid and permitted by the Regulation.

The personal data will be stored depending on category of particular personal data. The term of storage will be as laid down in the law, e.g. no shorter than applicable limitation term, but no longer than it is reasonably necessary.

Data subject has the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.

Where processing of the data subject’s personal data is based on consent of that data subject, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

We acquire personal data mainly from the data subjects themselves and from you. We may receive personal data also from our partner companies, such as banks. We may also acquire personal data from various registries and professional identity search service providers, used mainly to identify CTF, AML and politically-exposed person-related risks.

The data subject has the right to lodge a complaint with UK Information Commissioner’s Office.

Processing of personal data is necessary for performance of the agreement(s) between us and for us to be able to provide our services to you and your clients.

We may apply automated decision-making, including profiling, in respect of processing of financial service-related personal data. Automated decision making may be used mainly to protect rights and legitimate interests of other parties, e.g. to automatically identify transactions having high fraud and/or CTF/AML risk etc. The data subject that became subject to automatically-made decision may apply for manual decision of their issue.