GDPR – European Parliament and of the Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Regulation on Personal Data Protection).
Payment Intermediary/Controller – Ungaro LLC, reg. no. 14562753, operating licence: FVT000088, address Laki business center, Värvi 5, 10621 Tallinn, Estonia, email [email protected]
Service/Transaction – the intermediation of payments via the Portal.
Portal – web-based online payment environment managed by the Payment Intermediary at https://www.swapin.com through which Clients can use the Service, communicate with the Payment Intermediary and perform other activities.
Processor – a person who in accordance with the law or contract is entitled to process the Client’s personal data on behalf of the Payment Intermediary. The names and contact details of processors are available on the Portal.
Data Protection Officer – Payment Intermediary’s employee or contractual partner, whose duty is to ensure the compliance of the Payment Intermediary’s activities with relevant regulations and who is the Payment Intermediary’s contact person in the field of data protection. The contact data of the Data Protection Officer are available on the Portal.
Third party – the person to whom the Client wishes to transfer the personal information given to the Payment Intermediary.
PEP (Politically Exposed Person) – a natural person who performs or has performed essential functions of a public authority. A person who has not fulfilled the essential functions of a public authority for at least a year by the date of the transaction is not considered a Politically Exposed Person.
Competent Surveillance Authority – Rahapesu andmebüroo, Tööstuse 52, Tallinn, 10416, email: [email protected]
Subject of international financial sanctions – either a state, specific territory, territorial unit, regime, organization, association or group, natural or legal person, institution, partnership or other entity designated as a subject of international sanctions or measures.
2. Purpose of processing personal data
The Payment Intermediary processes the Client’s personal data for the following purposes:
2.1. Statutory purposes:
2.1.1. Prevention of money laundering and terrorist financing;
2.1.2. Execution of inquiries from supervisory authorities and other law enforcement agencies;
2.1.3. Ensuring enforcement of international financial sanctions;
2.1.4. Ensuring safety of use of Services and mitigation of risks arising from malicious activity (minimizing fraud).
2.2. Contractual purposes:
2.2.1. Ensuring compliance with the agreements concluded between the Parties (performance of the Services) including the protection of the Payment Intermediary’s rights that have been infringed and contested
2.3. Analytical purposes:
2.3.1. Development and improvement of the quality of Service.
2.4. Marketing purposes, with the Client’s separate consent:
2.4.1. Sending marketing notifications.
3. Personal information being collected
The Payment Intermediary collects the following personal data for the Client for the purposes specified in clause 2, and in compliance with the general standards set out in the GDPR,:
3.1. First and last name;
3.2. Date of birth (day, month and year);
3.4. E-mail address;
3.5. Identity document, including nationality and residence;
3.6. Profession or field of activity;
3.7. Transaction details (data necessary for the execution of the service, eg IP address);
3.8. Data necessary for the performance of contracts entered into between the Parties;
3.9. Data on legal entities related to the Client (business area, registry code, address, taxable person’s number, right of representation, etc.);
3.10. Information about the Client’s assets and their origin;
3.11. Details of the purpose of the transaction;
3.12. Information on identity (organizations, PEP, PEP family member and/or co-worker, subject of international financial sanctions);
3.13. Data from third parties (registers and databases) collected and used for compliance with statutory diligence requirements;
3.14. Other data that the Client has deliberately or unintentionally filed.
4. Client’s rights
4.1. The Client is entitled to:
4.1.1. Request rectification of personal data if it is incorrect, incomplete or invalid;
4.1.2. Request restriction of personal data processing if the personal data are incorrect or incomplete or if processing of personal data is unlawful;
4.1.3. Receive information about the processed personal data;
4.1.4. Request the deletion of personal data collected on the Client, unless the Payment Intermediary is required to process the Client’s personal data under the relevant legislation or an agreement entered into by the Parties or if there is another legitimate basis for the continuing processing of personal data;
4.1.5. Withdraw the consent to process the Client’s personal data. It shall not affect the legitimacy of the processing of personal data that occurred before the consent was withdrawn;
4.1.6. At any time give and withdraw the consent to receive from the Payment Intermediary marketing notifications;
4.1.7. Request that the personal data provided by the Client to the Payment Intermediary which is processed with the Client’s consent is issued or forwarded to a Third Party in machine-readable electronic format;
4.1.8. Submit complaints about the processing and use of personal data to the Competent Supervisory Authority if there is reason to believe that the processing of personal data of the Client violates his or her rights.
4.2. The Client shall submit the requests referred to in clause 4.1 by e-mail to the Data Protection Officer.
5. Rights of the Payment Intermediary
5.1. The Payment Intermediary has the right to:
5.1.1. Respond to the Client’s request referred to in clause 4.2 not later than within 1 (one) month (GDPR Article 12 (3)). In case of a large number of applications and/or complexity of their nature, the Payment Intermediary has the right to respond to the request in the following 3 (three) months (GDPR Art. 12 (3));
5.1.3. Provide the Client with marketing notifications only on the basis of a specific consent, obtained separately from the Client.
6. Sharing of personal data
6.1. The Payment Intermediary may:
6.1.1. For the purposes specified in clause 2, divide the Client’s personal data with the Payment Intermediary’s subsidiaries or affiliates with Processors including:
188.8.131.52. Public authorities and other institutions and institutions to whom the Payment Intermediary is obliged or entitled to issue the Client’s personal data pursuant to the relevant legislation;
184.108.40.206. Server hosting providers;
220.127.116.11. Payment processors and payment system operators;
18.104.22.168. Identification service providers that help the Payment Intermediary to identify the Client and obtain the necessary data for it;
22.214.171.124. Communication service providers that deal with e-mails;
126.96.36.199. Other parties involved in the provision of the Service.
6.2. Upon transferring the personal data to the Processor, the Payment Intermediate shall:
6.2.1. Conclude a data processing agreement;
6.2.3. Ensure that the Client’s personal data is not transferred to countries not recognized by the European Commission as countries with a high level of data protection.
6.3. The security measures specified in clause 6.2 cannot be applied by the Payment Intermediary if the latter distributes the Client’s personal data to public authorities and institutions or institutions to whom the Payment Intermediary is required to issue Client personal data under relevant legislation.
6.4. The Client agrees that the Payment Intermediary divides the Client and related data with the Authorized processors in order for the Client to use the Service and the Payment Intermediary shall ensure that the technical, physical and organizational security measures applied to protect the Client’s personal data are implemented.
7. Preservation of personal data
7.1. The Payment Intermediary retains the Client’s personal data as follows:
7.1.1. Transaction data – 7 (seven) years after the completion of the Transaction;
7.1.2. Other information (for the identification and verification, and the data necessary for the Transaction to be performed, as well as the Notification Notices between the Parties) – 5 (five) years after the Transaction expires, except at the request of the competent authority. In the latter case, the right to retain data is additional 5 (five) years.
7.2. Upon the aforementioned deadline, the Payment Institution will delete the Client’s data.
7.3. The payment intermediary maintains the Client’s personal data at the servers located in the European Economic Area.
8. Other provisions
8.1. Sending notifications
8.1.1. Communications between the Parties shall be made by e-mail in English.
8.1.2. The message sent by e-mail is deemed to have been served on the other Party on the calendar day following its dispatch.
8.2. Dispute resolution and jurisdiction
8.2.2. All disputes will be resolved by negotiation. In the event of a failure in negotiations, disputes will be settled in the Republic of Estonia.