RULES FOR HANDLING PERSONAL DATA

AMLsystem operated by XIXOIO LTD,
a company with its registered office at 1 Kings Avenue, London, United Kingdom, N21 3NA
Company number 11013311
(the “Company”)

1. INTRODUCTORY PROVISIONS

1.1.

For the purpose of summarising the basic rules for handing personal data, the Company is issuing this information document. When handling, processing and protecting personal data processed under the conditions of its operations, the Company shall observe generally binding legal regulations, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).

1.2.

As part of its business activities, the Company is engaged in the operation of an AML system (the “Business Activity”). The essence of the Business Activity is thus also the retention of data (including personal data) for customers (third parties), where the Company is in the role of personal data processor.

1.3.

For the purposes of this document, personal data is understood, in compliance with Article 4 of the GDPR, as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.4.

In connection with the standing of a data subject, the processing concerns in particular the following personal data: name, surname, visual likeness in the form of a photograph, ID No., company name, residential address, address of permanent residence, place of business, electronic mail address, telephone number, information about employment or employer, citizenship, date of birth, birth registration number, place of birth, copy of personal identity card, copy of driving licence, copy of birth certificate, copy of travel document (passport), telephone number, bank account number, debt information (including information about amount of debt and payment thereof and information about executions and insolvencies), and information about ownership of moveable and immovable assets (“Personal Data”).

1.5.

For the purposes of this document, customer shall mean any party that orders and is interested in using the services of the Company and is the controller of the Personal Data that it provides to the Company, as the processor, with regard to the nature of the services rendered (the “Customer”).

3. PERSONAL DATA SECURITY

3.1.

Documents (or copies of documents) that contain Personal Data are secured and stored in places designated specifically for such purpose to ensure the protection of such documents (particularly lockable cabinets etc.) and to restrict access and familiarisation with Personal Data by unauthorised persons.

3.2.

Portable digital recording media containing Personal Data shall be stored in the same way as documents, i.e., in places that are designated specifically for such purpose and that do make it possible for third parties to access the data.

3.3.

Personal computers and data repositories shall be secured by technical means in a way that prevents free access by unauthorised persons to Personal Data stored on personal computers, and these must be protected against change, destruction, loss, unauthorised transmission or other unauthorised processing, or other unauthorised use of Personal Data stored on personal computers.

3.4.

The Company shall be bound to maintain Personal Data confidential and shall bind its employees and cooperating parties to such confidentiality obligation.

4. PURPOSE, SCOPE AND PERIOD OF PERSONAL DATA PROCESSING

4.1.

The purpose of processing Personal Data shall be fulfilment of the contractual relationship between the Company and a Customer, where the Customer uses the Company’s services (software solutions) to process Personal Data for the following purposes:

4.1.1.

Implementing the Customer’s measures prior to the conclusion of agreements between the Customer and its clients with the aim of assessing the risk (risk management) of the legal relationship between the Customer and the Customer’s (potential) clients (data subjects).

4.1.2.

Identifying and conducting due diligence of persons according to Act No. 253/2008 Coll., on selected measures against the legitimisation of proceeds of crime and financing of terrorism, as amended (the “AML Act”).

4.2.

The Personal Data shall be processed for the following periods:

4.2.1.

Personal Data of clients/Customers processed for the purpose of implementing the Customer’s measures prior to concluding agreements between the Customer and its clients shall be processed by the Company for the duration of the existence of the contractual obligations between the Company and the Customer under the respective agreement, but no longer than for the period set out in generally binding legal regulations.

4.2.2.

Personal data of clients/Customers processed for the purpose of identifying and conducing due diligence shall be processed by the Company for the duration of the existence of the contractual obligations between the Company and the Customer, but no longer than for the period set out in the AML Act and other generally binding legal regulations.

4.3.

The following categories of Personal Data shall be processed:

4.3.1.

Name, surname, visual identity in the form of a photograph, ID No., company name, residential address, address of permanent residence, place of business, e-mail address, telephone number, information about employment or employer, citizenship, date of birth, birth registration number, place of birth, copy of personal identity card, copy of driving licence, copy of birth certificate, copy of travel document (passport), telephone number, bank account number, debt information (including information about amount of debt and repayment thereof and information about executions and insolvencies), information about ownership of moveable and immovable assets, credit rating (risk assessment in connection with lending) and other data provided to the Company by the Customer.

5. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

5.1.

The Company, as the processor, shall follow the Customers’ instructions when disclosing Personal Data to third parties.

5.2.

The Company shall not provide the Personal Data of data subjects to thirds countries outside the European Union with the exception of certified persons under the EU-USA Privacy Shield in accordance with Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

6. DATA SUBJECT REQUESTS

6.1.

Data subjects shall have certain rights under the GDPR and other generally binding legal regulations, particularly:

6.1.1.

the right to information about the processing of their personal data (the right of access to personal data)

6.1.2.

the right to rectification and erasure of personal data

6.1.3.

the right to restriction of processing

6.1.4.

the right to revoke consent if the personal data is provided based on the data subject’s consent, and the right to object against processing if the personal data is processed based on the Customer’s legitimate interests

6.1.5.

the right to portability of the personal data

6.1.6.

the right to lodge a complaint with a supervisory authority.

6.2.

In this connection, the Company states that it is solely the processor of Personal Data and that it is not authorised under the concluded Personal Data Protection Agreement to handle requests from data subjects. If the Company receives any of the above requests, they shall be forwarded to the Customer, as the controller, for handling, with the Company providing the Customer, as the controller, any and all possible cooperation. The Company shall inform data subjects about any forwarded requests.

7. ARCHIVING OF PERSONAL DATA AND SECURITY THEREOF

7.1.

The Company shall not archive the Customers’ data upon termination of the contractual relationship with the Customer. Upon termination of the contractual relationship with the Customer, the Customer’s data (including Personal Data) shall be deleted in a way the does not allow its restoration.

8. DESTRUCTION OF PERSONAL DATA

8.1.

Data containing Personal Data stored on personal computers, data media and data repositories shall, as soon as the purpose of processing of such Personal Data or the purpose for which the Personal Data was archived expires, be deleted in a way that makes restoration impossible, or access to such Personal Data shall be permanently blocked without it being possible to renew access to it

8.2.

Upon termination of the contractual relationship with a Customer, client data (including Personal Data) shall be deleted in a way that makes renewal thereof impossible.

8.3.

Personal Data stored with the Company must also be destroyed upon the data subject’s request under the conditions set out in Article 17 of the GDPR, provided that such Personal Data is not subject to the exemption under Article 17(3) of the GDPR. Personal Data must also be destroyed in the above way if the destruction of the Personal Data is imposed on the Company by the Office for Protection of Personal Data as a corrective measure as well as if the Company discovers that the processed Personal Data is incomplete or incorrect and the Customer fails to take appropriate measures to remedy the situation or if the Company is obliged to destroy the Personal Data under generally binding legal regulations.