Data privacy policy

1. INTRODUCTION

1.1 This Data Protection Policy (the “Policy”) sets out the policy adopted by Dirham Express Ltd (referred to as “We” in this document) in order to comply with the Data Protection Act of 1998 (“DPA”) when we build and manage relationships with clients, and carry out transactions.

1.2 The DPA regulates the “processing” of “Personal Data”. Its definition of “Personal Data” includes all information related to identifiable details regarding individuals that is computerized, stored in any other form that can be automatically processed, or stored in a manual filing system structured to facilitate access to information on the individual. (Information on companies and other corporate bodies is not considered.) Its definition of “processing” includes all possible activities in relation to personal data, including storage, disclosure, international transfer and deletion.

1.3 We process personal data under different circumstances and for different categories of people. This policy specifically addresses personal data collected in connection with the establishment and management of our relationships with customers, and the execution of transactions depending on our customers’ orders (“management of clients and/or transactions”). For instance, it does not address data protection issues that may arise in connection with our human resources or direct marketing activities.

1.4 It should be borne in mind that the DPA regulates the processing of personal data relating to all individuals, not just clients. Information on the various representatives of client companies, or individuals (or representatives of client companies) located elsewhere in a payment chain - for example, the final beneficiary or an individual representing an aggregator - is also protected by the DPA.

1.5 The people to whom personal data refers, whether clients or others, are defined as the “relevant persons”.

1.6 The Information Commissioner of the United Kingdom (the “Commissioner”) is responsible for the implementation of the DPA and has published a series of guidelines on issues relating to Data Protection, which are available on his website: ico.org.uk

1.7 Our main obligations under the DPA are: (i) process personal data fairly, legitimately, legally and proportionately; (ii) inform people about our processing of their personal data; (iii) comply with the restrictions on international transfer of personal data; (iv) keep personal data safely, taking measures to ensure that they are accurate and updated, and deleted when they are no longer needed; (v) be registered at the Commissioner's Office, and (vi) respond appropriately when the relevant persons seek to exercise their statutory rights of access, rectification and objection.

1.8 A copy of this policy will be provided to each employee of Dirham Express Ltd. The requirements mentioned in this policy are compulsory, unless stated otherwise, and must be followed by all our employees and officers. Each one must familiarize themselves with these requirements. Failure to comply with this policy can constitute a serious disciplinary offense and may lead to a lay-off.

1.9 This policy complements our other published policies, including our policies governing the conduct of business, the fight against money laundering and complaints.

2. OFFICER IN CHARGE OF DATA PROTECTION

The Vice President responsible for Information Technologies has been designated as the Officer in charge of Data Protection for Dirham Express (designated as the “Responsible for Data Protection”). If you have any questions regarding this Policy or its implementation under specific circumstances, you should consult the Officer in charge of Data Protection.

3. FAIR AND PROPORTIONAL PROCESSING

3.1 The DPA requires that all our processing of personal data be fair and lawful, and that it comply with the various conditions specified. In establishing and implementing each management procedure of clients and/or transactions that includes the processing of personal data, we must take into account these requirements and ensure that they are respected.

3.2 We hope that our routine processing of personal data under the management procedure of clients and/or transactions will comply with the most general available conditions, known as the conditions of “legitimate interests”. The condition of legitimate interests shall be applicable, and will enable us to process personal data, if:

3.2.1 A: processing is necessary for legitimate interests that we, or any other person to whom we disclose these data, have (which can be for business purposes, for compliance or any other purpose), and

3.2.2 B: processing is not “unreasonable” because it infringes the rights, freedom and legitimate interests of the relevant persons.

3.3 Each processing operation should be assessed in order to ensure that part A of this condition is satisfied – meaning that we have a legitimate business, compliance, or any other reason to perform processing. If part A is satisfied, then you must consider whether the processing will not affect the relevant person in any way – our expectation is that, subject to compliance with other provisions of this Policy, our standard processing for the management of clients and/or transactions shall not prejudice the rights, freedom and legitimate interests of the relevant persons. If you consider that a risk of prejudice may occur in a particular case, the prejudice must be balanced against our interests, and a decision must be taken as to whether our interests outweigh the prejudice caused to the relevant persons.

3.4 If you have any doubt about the compliance with the condition of legitimate interests, you must consider whether the processing can be justified on the basis that it meets one of the other statutory conditions available in the DPA. The other conditions most likely to apply are:

3.4.1 Processing is justified if it is required to perform a legal obligation of the United Kingdom. For instance, this may be processing to perform an audit legally necessary within the framework of the fight against money laundering, or in response to an order of a Court of the United Kingdom.

Foreign legal requirements are not automatically sufficient to justify disclosure or any other processing of personal data.

3.4.2 Processing is justified if it is required to execute a contract with the relevant person, or to take measures at the request of the relevant person to enter into such a contract. This will justify a certain processing of personal data relating to clients.

3.4.3 Processing can be justified on the basis of the relevant person's consent. Our contracts with clients should therefore include consent for processing clients’ data that will be required as part of our management procedures of clients and/or transactions.

3.5 The requirement that personal data be processed legally cannot be met in a number of circumstances, not covered by this Policy, because they do not fall within the scope of the DPA - for example, processing for fraudulent purposes would be illegal and will therefore constitute a violation of the DPA.

3.6 The DPA also prohibits processing of excessive, irrelevant or inadequate personal data. Systems and procedures should be designed so as not to collect excessive and irrelevant personal data (in particular, personal data should not be collected on a “just in case” basis) and, of course, you must ensure that data collected are appropriate for the purposes in question.

3.7 Personal data collected for any purpose should not be used for any other purpose that is incompatible with the original purpose – however, we do not believe that it is a problem in the normal course of the management of clients and/or transactions.

3.8 We expect that the general obligation of processing personal data is satisfied if all requirements of this Policy are met.

4. Transparency / Information

4.1 We are required, under the DPA, to ensure that the relevant persons have easy access to various information. This requirement is subject to exceptions, however, and the exceptions apply relatively broadly in the context of the management of clients and/or transactions. In particular, (a) the information shall only be available in an appropriate location; (b) in the case of personal data that are not directly collected from the relevant person (for example, the beneficiary data collected from the ordering client), we do not have to provide information if this would involve disproportionate efforts, and (c) we believe we can assume that the relevant persons have, and do not need to have available, information that should reasonably be obvious to them.

4.2 The information available is (a) our identity; (b) reasons why we process data, and (c) any additional information that must be provided to ensure that our processing is accurate.

4.3 We must ensure that our contracts with clients clearly indicate the following:

4.3.1 our identity;

4.3.2 reasons why we process data (including for the purpose of knowing your customer and the associated compliance, as well as the execution of transactions and the management of clients in general), and

4.3.3 the following additional information that, we believe, must be provided to ensure that our handling of clients’ data is accurate:

(A) the categories of persons to whom we can disclose the clients’ data (including, for instance, payers and non-client beneficiaries, aggregators, any person with whom we may share data to prevent fraud, and regulatory and judicial authorities);

(B) the fact that, if payment is made to people outside the European Economic Area, this may involve transfers of clients’ personal data to jurisdictions that do not have data protection laws as stringent as those of the United Kingdom (see also paragraph 5 below), and

(C) information on clients’ right of access and rectification under the DPA (see paragraph 10 below), and the contact details so that they can contact the Officer in charge of Data Protection if they want to exercise these rights.

Our contracts with clients should also make it mandatory for them to transmit this information to anyone that provides us with personal data.

4.4 We believe that we do not need to provide information to the relevant persons other than individual clients to justify our processing of their personal data for the routine management of clients and/or transactions. In particular:

4.4.1 We believe that the effort required to contact a payer or non-client beneficiary, whose personal data is given to us by a client, in order to provide information about our processing of his personal data, would be disproportionate, given that we process his information only to facilitate an operation he or she is fully aware of.

4.4.2 We adopt the same point of view for our clients’ representatives who obligate our clients to give them the required information; we believe that the efforts required to directly contact the representatives would be disproportionate.

5. INTERNATIONAL TRANSFER

5.1 The DPA limits the transfer of personal data to most other countries and territories outside the European Economic Area (European Union plus Iceland, Liechtenstein and Norway).

5.2 Transfers can be made, when necessary, to facilitate a transaction, on the basis that they are required to execute a contract with the relevant person (when the data relate to a client), or concluded in the interest of the relevant person (when the data relate to a beneficiary abroad).

5.3 Except for transfers required to facilitate a transaction, personal data must not be transferred to other countries or territories outside the European Economic Area, except if the Officer in charge of Data Protection has examined the proposed transfer and concluded, if necessary on the basis of legal advice, that it can be carried out without violating the DPA.

6. Security, Accuracy and Deletion of Data

6.1 We must have in place technical and organizational security measures to protect personal data that we process for the management of clients and/or transactions against the unauthorized or illegal processing, and loss, destruction or accidental damage.

6.2 We must identify the specific security measures that are “appropriate” in the context of our activities. They should provide a level of security appropriate to the nature of the data and the risks associated with unauthorized or illegal processing, and loss, destruction or accidental damage. We must, in particular, take reasonable measures to ensure the reliability of our employees who have access to the data.

6.3 If any aspect of our handling of personal data for the management of clients and/or transactions is entrusted to a third party service provider, involving outsourcing of any larger function including processing of personal data, we must:

6.3.1 ensure that the service provider possesses technical and organizational security measures as indicated in paragraphs 6.1 and 6.2;

6.3.2 ensure that the arrangement is governed by a written agreement that requires the service provider to only handle the data in accordance with our instructions, and imposes obligations on the service provider equivalent to ours set out in paragraphs 6.1 and 6.2, and

6.3.3 while the agreement is in place, take, from time to time, reasonable measures to ensure that the service provider meets its security obligations in practice.

6.4 We must take reasonable measures to ensure that personal data we process are accurate and, if applicable, updated.

6.5 We must delete personal data when they are no longer needed, considering the reasons why they are processed. This does not prevent us, for example, from keeping records containing personal data that can be useful in case of a later dispute with the client or any other person; but we must delete these records when a dispute is no longer a real possibility, except if we have another legitimate goal to continue to keep the personal data.

7. Sensitive Personal Data

7.1 We do not seek to collect or process personal data identified by the DPA as “sensitive” for the management of clients and/or transactions. You must not collect or process sensitive personal data for such purposes, and must delete them if you find out that they have been collected, except if the Officer in charge of Data Protection has approved it after an assessment of the DPA requirements.

7.2 The DPA definition of “sensitive personal data” includes personal data consisting of information such as: racial or ethnic origin, political information, religious beliefs and other similar beliefs, trade union membership, physical or mental health or condition, sexual life, the commission or alleged commission of an offense, or any proceedings for any offense committed or alleged to have been committed, the invalidity of such proceedings or the sentence of any Court in such proceedings.

8. Automated Decision Making

8.1 We do not use the techniques of “Automated Decision making” for purposes of managing clients and/or transactions. You should not use such techniques, except with the approval of the Officer in charge of Data Protection provided on the basis of an assessment of the DPA requirements.

8.2 The restrictions of the DPA on the use of automated decision making systems concern systems which take decisions that significantly affect individuals on the basis of the automated processing of personal data, without human intervention. Examples could include the use of automated systems of credit rating to filter credit applications, and the use of automated tools to filter job applications. Semi-automatic systems, where the final decision is made or reviewed by a human being, are not covered by these rules.

9. Registration

9.1 We maintain a registration with the Commissioner's Office that covers our processing of personal data for the management (or any other reason) of clients and/or transactions.

9.2 You must inform the Officer in charge of Data Protection of important changes to the purposes for which we process personal data or, for a specific purpose, the categories of personal data that we process, the categories of relevant persons to whom these data are related, the categories of people to whom we disclose this information or the countries or territories outside the European Economic Area to which we transfer the data, so that he or she can ensure that the registration is modified accordingly.

10. Rights of Access, Rectification and Objection

10.1 The relevant persons have legal rights to access and rectify their personal data. They also have a legal right to oppose the processing of their personal data – that is to say, to ask us to stop processing their data – although in very limited circumstances.

10.2 If a relevant person attempts to exercise his legal rights, you must immediately forward his request to the Officer in charge of Data Protection so that he/she can ensure that we respond appropriately and within the timeline set in the DPA.

10.3 While storing and processing personal data for the management of clients and/or transactions, you should keep in mind the rights of access of the relevant persons.

You will not store personal data that you would not want the relevant person to see.