Privacy policy

1. BASIC PROVISIONS

MONETLEY LTD is an Electronic Money Institution (EMI) authorized by the Financial Conduct Authority (the ‘FCA’) of the United Kingdom to issue electronic money (e-money) and provide payment services, FRN 900921, company registered number 10978538, registered office address is at 2nd Floor, Berkeley Square House, Berkeley Square, London, W1J 6BD (the ‘Company’ or ‘We’).
We have established and adopted this Privacy Policy (the ‘Policy’) with the aim to describe how personal data collected are processed by Us. The present Policy clearly sets out data processing basis, principles and practice.
We are bona fide personal data controller having mandatory obligation to inform Our clients how We achieve and apply appropriate safeguarding of personal data and data subject rights.
The Company has committed itself to protecting and respecting the privacy of its clients and website visitors while complying with the laws and regulations that apply to personal data processing, ensuring appropriate security and confidentiality of personal data.
For the purposes of this Policy, the client (the ‘Client’ or ‘You’) shall mean a natural person or a legal person’s representative, i.e. directors, board members, shareholders/ultimate beneficial owners, and other lawful representatives and key personnel declared and registered with Us.
For the purposes of this Policy, personal data means any information relating to identified or identifiable natural person - data subject, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Usually, You provide personal data to Us to obtain Our services. We irrevocably presume, that by submitting Your personal data to Us, You agree to such data transfer, storing and processing. We will take all steps reasonably necessary to ensure that Your data is treated securely, in accordance with the highest security and privacy standards, best market practice. We are under unconditional obligation to ensure confidentiality and adequate protection of Your personal data.
The present Policy provides detailed description of main personal data processing principles and data purposes, according to which We process personal data obtained from You, submitted by You or otherwise lawfully collected by Us, while using/providing Our services.
We assume that before using Our services and becoming Our Client, You have read this Policy and have agreed to its terms and provisions.
This is the most recent version of the Policy. We reserve the right to make amendments and/or update this Policy from time to time, including new data processing and safety practices and guidelines.
We ensure that Your personal data is processed based on main regulatory enactments and guidelines:
• United Kingdom Data Protection Act 2018 (hereinafter also referred to as the UK GDPR);
• United Kingdom Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019;
• United Kingdom Adequate Regulations and appropriate safeguarding principles;
• United Kingdom Guide to Data Protection;
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter also referred to as the EU GDPR);
• European Union and United Kingdom Standard Contractual Clauses (hereinafter referred to as the SCCs);
• European Union Rules for the protection of personal data, including data protection inside and outside EU.

2. DATA CONTROLLER. DATA PROTECTION OFFICER. SUPERVISORY AUTHORITY

MONETLEY LTD is a data controller (hereinafter also referred to as ‘the Controller’) with exclusive prerogative to determine purposes and means of Your personal data processing. The purposes and means of processing Your personal data are set below in this Policy.
We, being a Controller, are fully responsible for Your personal data collection, processing and storage. 
Our Supervisory Authority regarding personal data issues is Information Commissioner’s Office (ICO), having address at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 0303 123 1113.
You can at any time obtain information about Your personal data being at Our disposal, about how We collect, use and store Your personal data or exercise Your other rights as the data subject. 
Please do not hesitate to contact our Data Protection Officer with any questions regarding Your personal data processing and this Policy at the e-mail address dpo@monetley.com or info@monetley.com, for the attention of the Data Protection Officer.
Our Data Protection Officer, as well as any other member of Our staff involved in or responsible for personal data processing, is well-trained and highly experienced. The Data Protection Officer is responsible for ensuring communication with Clients, as well as with the supervisory authorities, regarding personal data processing.

3. GROUNDS FOR PERSONAL DATA PROCESSING

We are entitled to process Your personal data only in the following events:
(a) We have previously determined the purposes of processing of Your personal data,
(b) We have determined the minimum amount of Your personal data reasonably required to accomplish the pre-determined purpose,
(c) We have clearly defined legal basis to process Your personal data, 
(d) We have provided You with information on Your rights within the context of personal data processing, and
(e) We have obtained Your consent for data processing.
 
Usually, We process Your personal data according to the standard procedure based on:
(a) necessity to offer and render services and manage effectiveness and quality checks of services provided,
(b) to register the Client with the system, where accounts are opened and maintained and payment transactions are executed. Private profile is created for the Client with the system,
(c) to provide Client with information on services that Client applies for or may be interested in,
(d) to discharge contractual obligations,
(e) to keep Client informed about any changes in respect of services provided and this Policy,
(f) necessity to meet regulatory requirements mandatory applicable to Us, inter alia, but not limited to, Anti Money Laundering and Counter Terrorism Financing (the ‘AML/CTF’) regulatory requirements, including, but not limited to, Clients’ due diligence and Know Your Client (the ‘KYC’) purposes (inter alia, prospective and existing Clients’ identification and verification). These personal data processing purposes mainly are mandatory set by the United Kingdom and European Union laws and regulations,
(g) consideration of legitimate interests,
(h) Company’s overall risk assessment and management,
(i) Your consent to process personal data, also when You sign up for any news or other information using Our website.
 
We may combine different categories of data and process the combined data in accordance with this Policy for as long as data is combined.
We ensure lawfulness, fairness and transparency when processing Your personal data. All data possessed by Us shall be used to the minimum extent reasonably required to render services in due manner, meet regulatory requirements mandatory applicable to Us and to fulfil certain purpose. We are fully accountable to follow all Our data protection obligations.
While collecting and processing Your personal data, We ensure that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner, 
(b) collected for limited, specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with this purpose,
(c) minimised to the maximum extent permitted by applicable laws and regulations, is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed,
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken by Us to ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay,
(e) kept in a form which permits identification of data subject for no longer than is necessary for the purpose for which the personal data is processed,
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
 
We are entitled to determine a new purpose to use personal data previously/originally not anticipated by You, only if:
(a) the new purpose is compatible with the original purpose,
(b) We have obtained Your consent for the new purpose, or
(c) We have pointed to a clear legal provision requiring or allowing the new processing.

4. PERSONAL DATA STORAGE

We process Your personal data while the business relationship established between You and Us is in full force and effect, as well as after termination of the established business relationship.
We store Your personal data being at Our disposal at least for 5 (five) years period as from the moment of termination of business relationship, unless the laws and regulations applicable to Us set other time-limits for personal data storage.
We ensure centralized storage of personal data and data masking/deletion after expiry of the mandatory storage period. 
When assessing the personal data storage duration, We take into account the requirements of the applicable laws and regulations, contractual obligations fulfilment aspects, Your instructions (for instance, in the case of consent) as well as, Our legitimate interests. 
Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving specific mandatory purposes subject to implementation of the appropriate technical and organisational measures required by the UK and EU GDPR in order to safeguard the rights and freedoms of data subject.
If any legal grounds exist that prohibit personal data deletion after expiry of the storage period specified above, then personal data storage shall be ensured for as long as such prohibiting grounds remain in effect. Our Data Protection Officer carefully verifies legitimacy and enforceability of each ground prohibiting data deletion.
We ensure accurate data storage and keeping data up-to-date, where necessary providing prompt personal data correction or deletion of incorrect data. 
We ensure that personal data is kept in a form which permits identification of data subject for no longer than is necessary for the purpose for which the personal data is processed.
We also ensure periodic review of the data We hold, and erase or anonymize it when We no longer need it.

5. PERSONAL DATA TRANSFER

We do not rent or sell Your personal data to anyone. In case of Your personal data transfer, We diligently consider the amount of data to be transferred and appropriate legal grounds for permitted data transfer.
We apply adequate and sufficient safeguarding measures regarding Your personal data transfer, ensuring that data transfer is legally permitted and is compliant with the United Kingdom adequacy regulations and good practice standards. We also use secure technical solutions to achieve Your personal data safety and confidentiality. Description of technical solutions used by Us is provided below hereof.   
We are entitled to transmit Your personal data to third parties only in cases directly allowed or requested to do so by the applicable laws and regulations, providing that the legal framework in data receiving country, territory, sector or international organization has been carefully assessed by Our Data Protection Officer as providing adequate protection for individual rights and freedoms regarding his/her personal data. 
We transfer Your personal data only with the aim to:
(i) duly provide services, and
(ii) meet mandatory binding regulatory requirements applicable to Us.
We transfer Your personal data to Our cooperation partners exclusively on the basis of special agreements entered by and between Us and respective partner (a third party - Data Processor/Data Sub-processor), which contain nondisclosure and secure data exchange, processing and storage provisions. Data Processors/Data Sub-processors act on behalf of and only on the instructions of data controller, which is the Company.
We ensure that agreements entered or to be entered with the Data Processors/Sub-processors contain privacy and data processing safeguarding provisions with no less effect and force as those contained herein. 
The third parties in question belong to the following categories: banking and payment operators, internet providers, companies specializing in IT and SMS services; companies that provide KYC and AML/CTF solutions, external consultants. 
We may be required to share Your personal data with external advisors and auditors, various financial and payment institutions, supervisory and/or enforcement or court authorities, including, but not limited to, with the aim to comply with AML/CTF laws and regulations, provide lawful funds transfers, prevent fraud, enforce an agreement we have with You, or to protect Our rights and legitimate interests, property or safety, or the rights, property or safety of Our employees or others.
Additionally, We are entitled to reveal Your personal data to third-parties if: 
(a) You request or authorize it,
(b) to address emergencies or acts of God, and 
(c) to address disputes, claims, or to persons demonstrating legal authority to act on Your behalf. 
Transfer of Your personal data to third countries (outside the United Kingdom, as well as, European Union (EU) and European Economic Area (EEA), and international organizations) is allowed in cases determined by: 
(a) UK GDPR,
(b) EU GDPR,
(c) United Kingdom Adequacy Regulations,
(d) decisions made by the European Commission regarding the level of protection of a third country's personal data, available here: https://ec.europa.eu/info/law/law-topic/data-protection_en,
(e) UK and EU SCCs,
(f) exceptional legal grounds.
 
We are entitled to transfer Your personal data outside the United Kingdom and EU/EEA to a country, in relation to which there has not been made any decision regarding the adequacy of its security level and which does not provide the corresponding guarantees, if:
(a) You have provided Your consent to the proposed transfer; information about the potential risks that such a transfer could pose to You may be provided upon Your request, 
(b) transfer is necessary in order to fulfil the contractual obligations established between You and Us or to implement measures after entering into business relationship, which were approved at Your request, 
(c) transfer is necessary for conclusion of the agreement between Us and another private individual or legal entity, in the interests of the person or for the fulfilment of such an agreement, 
(d) transfer is necessary if there are important reasons of public interest, 
(e) transfer is necessary in order to raise, fulfil or defend regulatory requirements, or 
(f) transfer is necessary in order to protect the vitally important interests of the Client, if Client is physically or legally incapable of giving its consent.

6. TYPES OF PERSONAL DATA BEING PROCESSED

To provide services that meet Your needs and simultaneously to ensure Our activity compliance with compulsory laws and regulations, We need to collect and process various types of personal data, including, but not limited to, identity documents, financial documents, documents proving Your professional biography, nature of business/occupation, technical information and IP addresses, etc.
In all circumstances We collect and process Your personal data only for specific, legitimate and explicit purposes.
The personal data processed by Us is grouped into main types (categories) to manage it in the most efficient way and in the manner preferable for You to be able to see the amount of personal data managed by Us.
| Personal Data Types | Short Description | Legal Basis |
|---|---|---|
| Basic (identification/verification) data | Name, surname, former name(s), identity number, date of birth, photo/copy of identity document, proof of residence (address), selfie, liveness video recording, e-mail address, phone number, etc. | Consent; Regulatory requirements; Contractual obligations execution |
| ML/TF risk assessment | For the purposes of money laundering and terrorism financing (ML/TF) risk assessment attributable to a particular Client/category of Clients and respective risk monitoring and management, the Company conducts Clients’ KYC and due diligence to assign the Client a respective risk profile. In this regard We are under mandatory obligation to consider various factors subject to the Client and its transactions – Client’s age, gender, nationality, place of birth, citizenship/residence, GCP location, aim of establishment of business relationship, information on personal/business activity, transaction volume and value, transactions geography, education/professional skills, employment history, the origin of funds, source of wealth, etc. We do not involve fully automated decision-making in personal data processing for Clients’ ML/TF risk assessment and management purposes. | Regulatory requirements; Services quality checks and improvements |
| Financial data | Information on income and assets, proposed turnover and amount/value of transactions, nature of transactions, tax information, etc. | Regulatory requirements; Legitimate interests |
| Special category data | Information on politically exposed persons and associated persons, financial sanction lists, criminal records, bankruptcy, insolvency, bailiff claims, etc. | Regulatory requirements; Legitimate interests |
| Data obtained when fulfilling regulatory requirements | Information obtained upon request of investigating authorities, supervisory and tax authorities, courts, arbitrations, bailiffs, etc. | Regulatory requirements; Legitimate interests |
| Transaction data | Account(s) statements, bank references, tax returns, information on parties to the transactions, contracts and invoices subject to the transactions conducted, transaction history, etc. | Regulatory requirements; Legitimate interests |
| Tele- and e-communication data | Phone number, e-mail, social media (LinkedIn, Twitter, Facebook), Skype, Website, etc. | Regulatory requirements; Contractual obligations execution; Legitimate interests; Services quality checks and improvements |
| Authentication details | Technical/LOG data - user name, password, login, device type, browser type, time zone settings and location, session time, PIN code, IP address (VPN), details of electronic stamp, IMEI, MAC, mobile network info, mobile operating system, type of mobile web browser used and others (device-specific information). Contact Us Data – data received when Client communicates with Us by means of our website, including email address, name, other data subject to question applied. URLs, products and services You viewed or searched for, page response times, download errors, length of visits on certain pages, page interaction information. | Consent; Contractual obligations execution; Regulatory requirements; Services quality checks and improvements |
| Protection of legitimate interests of the Company, including, but not limited to, the discovery, defense, conduct of legal rights | Any information provided by You or obtained by Us to the maximum extent permitted by applicable laws and regulations | Legitimate interests; Regulatory requirements |
The above list of personal data types is not exhaustive and may be extended at Our reasonable discretion. 
We retain the right to request, obtain, collect personal data from Client him/herself or its representative, authorized person, or from publicly available information sources, registers, data bases or other third persons authorized to provide such data and information.
We are entitled to obtain personal data from other sources and combine that with data We independently collect through Our service partners, including, but not limited to, social media platforms and publicly available sources: public court documents, the ROC and the company registers, electronic data searches, online KYC searching tools and solutions (which may be subscription or license basis), anti-fraud databases and other third party databases, sanction lists, third-party KYC providers and from general searches carried out via online search engines (e.g. Google).
We ensure confidentiality of personal data and data protection from unauthorized and unlawful access, illegal processing, disclosure, accidental change (amendments, corrections), loss or destruction by implementing organizational and technical measures in accordance with the requirements of the applicable laws and regulations.

7. YOUR RIGHTS SUBJECT TO YOUR PERSONAL DATA PROCESSING

We irrevocably accept that the Client is entitled:
(a) to access his/her personal data:
(i) to obtain additional information about the processing of Your personal data being at Our disposal, irrespective of what type of information You already have,
(ii) to receive an electronic copy of Your personal data processed by Us,
(b) to amend or delete Your personal data:
(i) You are entitled to amend Your personal data if it has changed or You have grounds to believe that Your personal data processed by Us is not accurate. Furthermore, under cooperation provisions for services provided, the Client is obliged to inform Us without undue delay of any changes in his/her personal data and contact information or any information which may prove to be inaccurate or out of date,
(c) to request Company to delete personal data, if:
(i) data deletion is not prohibited by applicable laws and regulations and does not contradict Our legitimate interests,
(ii) there are sufficient legal grounds for data deletion, and 
(iii) data storage term has not yet expired,
(d) to limit processing of Your personal data:
(i) You are entitled to request Company to limit processing of Your personal data (or certain processing activities),
(ii) You are entitled to limit the processing of Your personal data in cases when:
a. data is not accurate or updated,
b. data is being processed unlawfully but You do not intend/wish to delete the data,
c. data processing is not required anymore but You want to establish, exercise or defend your legal claims,
d. You have already exercised Your right to object to the processing of Your personal data but You are waiting for Our assessment whether We are entitled to further processing of Your personal data based on Our or third party’s legitimate interests,
(e) to object to processing of Your personal data:
(i) You are entitled to object to processing of Your personal data if the objection is based on Your legitimate interests, and Your rights, interests and freedoms are more important than Ours or third parties’,
(f) to be informed in advance about new purpose of data processing:
(i) You are entitled to receive information on whether processing of personal data is related to the law or an agreement, whether processing of personal data is a precondition for the conclusion of agreement, as well as, information on reasons why personal data is required and consequences if data is not provided,
(g) in relation to the automated individual decisions, including profiling:
(i) You are entitled to make Our specialist participate in taking such decisions or request that We do not take a decision based on an automated calculation only. We do not involve fully automated decision-making in personal data processing,
(h) to lodge a complaint with the appropriate data protection authority if You have concerns about how We process Your personal data,
(k) to revoke Your consent to personal data processing,
(j) to data portability, e.g. to receive personal data provided in a structured, commonly used and machine-readable format, also the right to request that We transmit the data directly to another controller.
Regarding Your access to personal data, please note, that reasonable access to personal data will be provided at no cost upon request made at e-mail address dpo@monetley.com or info@monetley.com for attention of Data Protection Officer. 
If access cannot be provided within a reasonable time period, We will provide You with a certain date when the information will be provided. If for some reason access is denied, We will provide a reasonable explanation why access has been denied.

8. PERSONAL DATA RECIPIENTS

We are entitled to disclose Your personal data to the following recipients: 
(a) members of management bodies, employees, representatives, authorised persons of the Company,
(b) public institutions, public officials, investigatory authorities, courts, prosecutor's office, subjects of operational activities, orphans' courts, notaries, law enforcement officials, judicial and investigatory authorities of other member states and foreign countries, tax authorities, arbitration courts, out-of-court dispute resolution bodies — financial market participants (correspondent banks, insurance companies, payment systems, credit registers, securities registers, agency companies, stock exchanges, depositories, business partners of the Company or customers, financial service intermediaries etc.),
(c) the Company’s cooperation partners, agents, suppliers and service providers, auditors, advisors.
 
We strictly ensure that all persons entitled to get access to Your personal data are appropriately instructed subject to personal data processing principles and legal requirements. We bear full responsibility for any actions on the part of such third parties. We apply an accurate and precautionary approach when choosing Our cooperation partners; We apply strict KYC to our partners both before establishment of cooperation and within the cooperation lifetime.

9. WEBSITE AND COOKIES

Our website is: www.monetley.com 
The purpose of our Website is to keep visitors informed about Company’s business, services provided.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about You.
We do not maintain joint controller relationship with any third party.
We do not control these third-party websites and We are not responsible for their privacy notices, statements or policies. We encourage You to read in advance the respective privacy documents of every website You visit.
None of the links to third parties and respective websites on Our website should be deemed to imply that We endorse or have any affiliation with these third parties.
Our website is not intended for infants (under 18 years old) and We do not knowingly collect and process infants’ personal data. In case We recognize that We have collected personal data from an infant, We shall inform our Data Protection Officer and delete that information as quickly as possible. If You suppose that a child under 18 may have provided Us with personal data, please contact Us at dpo@monetley.com or info@monetley.com, for the attention of the Data Protection Officer.
We use cookies on the website. Cookies are small files that a site or its service provider transfers to Your computers/devices through the web browser (if You allow), that enable websites or service providers’ systems to recognize Your browser, capture and remember certain information. 
We use the following cookies:
(a) session cookies (functional) – are necessary for ensuring the security and technical functionality. Cookies are not stored and are processed only during the actual website visiting time,
(b) persistent cookies (analytics) – remember information about the visitor's actions, such as language settings, login information or the statistics information about routing of the website visitors,
(c) third party cookies (advertising) – analytical software such as Google Analytics or Yandex Metrika cookies, which by analysing the data allow to track the visitors between two or more websites, and offers more appropriate website connections. 
Any information gathered by cookies is stored only until cookies expiration date and is not used for any purposes other than those specifically mentioned.
Each time You visit Our website from a new IP address, You have the right to accept or reject the processing of cookies. 
We are entitled to pass available technical data about the website visitors to the agencies and officials in cases and according to the order, established by the applicable laws and regulations.
You can choose to have Your computer/device warn You each time cookies are being sent, or You can choose to turn off all cookies. You can do this through Your browser (like Internet Explorer) settings. Information on settings You may find here http://www.allaboutcookies.org/manage-cookies/. 
If You disable cookies, some features will be disabled. It will turn off some of the features that make Your site experience more efficient and some of Our services may not function properly.
Please be advised, that cookies cannot contain computer viruses, and with the assistance of cookies, it is not possible to install spyware or malware on Your computer. Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make Your visit to Our site as safe as possible.
We respect the privacy of website visitors and do not perform cookies processing without Your permission. Furthermore, We do not try to identify You when simply visiting Our website.
 

10. SECURITY MEASURES AND TECHNICAL SOLUTIONS

We ensure security of Your personal data. For these purposes We use safe technical solutions, providing use of such solutions also from third parties engaged by Us in data processing and lawful data recipients as stipulated hereof. We use reliable internal data protection mechanisms combined with a robust security system.
In order to prevent unauthorized access or disclosure of personal data possessed by Us, We have put in place suitable physical, electronic and managerial procedures to safeguard and secure personal data.
We use secure servers within the United Kingdom, EU/EEA, having adequate data protection legal frame and appropriate safeguarding methods.
The security measures We put in place seek to ensure that:
(a) Your personal data can be accessed, altered, disclosed or deleted only by those We have authorized to do so (and that those persons only act within the scope of the authority We give them),
(b) the data We hold is accurate and complete in relation to why We are processing it, and
(c) the data remains accessible and usable, i.e., if personal data is accidentally lost, altered or destroyed, We are always able to recover it and therefore prevent any damage or distress to the data subject concerned.
We also use adequate and sufficient measures to ensure physical security of Your personal data, inter alia, but not limited to:
(a) the quality of doors and locks, and the protection of the premises by such means as alarms, security lighting or CCTV,
(b) We control access to the premises, and all visitors are supervised;
(c) We keep IT equipment, particularly mobile devices, secure.
When considering IT (cyber) security, We mean security measures in respect of:
(a) system security – the security of Our network and information systems, including those which process personal data,
(b) data security – the security of the data We hold within Our systems, e.g. ensuring appropriate access controls are in place and that data is held securely,
(c) online security – e.g., the security of Our website and any other online service or application that You use.
We will do Our best to protect Your personal data, but We cannot guarantee the security of Your information transmitted via the internet, any transmission is at Your own risk only. It is Your responsibility to choose secure websites and devices and keep safe website login and password credentials granted to You, and other authentication means confidential and not to share them with anybody. 
Once We have received Your data, We will use encryption (using SSL technology) and other security technologies to protect data from unauthorized access. 
We ensure that personal data is properly backed up and that arrangements for recovery processes are in place. 
We ensure regular updates of the technical solutions used by Us and ongoing safety monitoring over technical support and safety effectiveness. Once any deficiency is discovered, We act immediately, ensuring a high level of security and technical backup.
 

11. MANAGEMENT AND CONTROL

Our Data Protection Officer ensures daily control over personal data processing within the Company and ensures compliance with all data protection laws and regulations, principles, standards and guidelines. Senior Management of the Company provides overall control of personal data processing compliance with applicable regulatory requirements and of the observance of the respective requirements by the Data Protection Officer and the Company’s employees responsible for personal data processing, as well as by the cooperation partners and data processors/sub-processors engaged. Senior Management of the Company exercises overall control over the purposes and means of the processing of personal data. Senior Management of the Company applies sufficient organizational arrangements for effective management of risks which may arise through negligence or poor administration, as well as fraud and misuse. Senior Management of the Company ensures continuous supervision of the regular review of the Policy by the Data Protection Officer. This Policy is to be updated as and when necessary, and must be reviewed at least once a year, considering regulatory changes, as well as changes in the Company’s business strategy, operation or external circumstances affecting the services.