Data Privacy Notice

1. Introduction

In line with our current license standing, Andaria Financial Services Limited Malta and UK (“AFSG”, “we”, “our”, “us”, "Andaria" or “the Group”) operate individually as:

  • a payment institution/service provider, serving companies (B2B) through the issuance of payment accounts and enabling global payments to companies and individuals via the open loop network of card schemes (the “Customers”)
  • an e-money institution/EMI that issues e-money in its own right or in conjunction with other parties.

We are committed to protecting and respecting your privacy. We are pleased to provide you with our privacy notice and request you to read it carefully.

We have created this privacy notice to explain to you:

  • how we use any personal data that we receive from you or may collect about you, and
  • your privacy rights under applicable privacy laws.

Our use of your personal data is subject to your instructions, the EU General Data Protection Regulation ("EU GDPR"), other relevant Maltese and EU legislation, the UK General Data Protection Regulation ("UK GDPR") and the UK Data Protection Act (2018) (collectively the “Data Protection Laws”), and our professional duty of confidentiality.

For the purposes of the EU GDPR, the Data Controller and/or Data Processor is:

Andaria Financial Services Limited, a company registered and incorporated under the laws of Malta with Company Registration Number C 97170 and having its registered office at Phoenix Business Centre, Old Railway Track, Santa Venera, SVR 9022, Malta.

For the purposes of the GDPR, we have appointed a Data Protection Officer (DPO). Should you wish to request any clarification or additional information in relation to this Privacy Notice, or to exercise any of your rights in relation to your personal data, please send us an email at dpoeu@andaria.com or write to us via postal mail at Phoenix Business Centre, Old Railway Track, Santa Venera, SVR 9022, Malta.

For the purposes of the UK GDPR, the Data Controller and/or Data Processor is:

Andaria Financial Services UK Ltd, a company registered and incorporated under the laws of England and Wales with Company Registration Number 12840774 and having its registered office at 36-38 Cornhill, International House, London, England, EC3V 3NG.

For the purposes of the UK GDPR, we have appointed a Data Protection Officer (DPO). Should you wish to request any clarification or additional information in relation to this Privacy Notice, or to exercise any of your rights in relation to your personal data, please send us an email at dpouk@andaria.com or write to us via postal mail at 20 Little Britain, London, England, EC1A 7DH.

By using our services, you acknowledge that you have read, and agree to, the terms of this Privacy Notice and that you acknowledge that we will use your personal data for the purposes as set out in this Privacy Notice. If you do not wish to provide your personal information on the basis set out in this Privacy Notice, you should not enter the relevant information on the website or provide your personal data to us in any other way. However, you understand that if you do not provide your personal data, we will not be able to provide you with our services.

This Privacy Notice is effective as of November 5, 2021. You can request previous versions of this document by sending us an email at the abovementioned e-mail addresses. Any changes we may make to our Privacy Notice in the future will be published on the Institution’s website and will be effective from the time of their posting.

2. Key Terms

Data Controller
Data Processor: Any natural or legal person that processes personal data for and on behalf of the Data Controller.
Personal data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Sensitive Personal Data:
  • Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • Genetic and biometric data.
  • Data concerning health, sex life or sexual orientation.

3. Scope

This notice applies in all cases where we act as data controller or data processor of personal data, regardless of who created the data and where it is stored.

4. Collection and Processing of Personal Data

We are bound by data protection laws to respect and protect any personal data we collect from you and we will abide by such duty. We take all safeguards necessary to prevent unauthorised access. All data collected is processed in accordance with the Data Protection Laws.

Most of the information we process is given to us directly by you. This includes information that you input via our website (including our web application), mobile application and that you provide us with via email and/or over the telephone and/or mail.

We can only use your personal data if we have a lawful reason for doing so. In terms of the data protection laws, we may process personal data if you have given us your consent or it is necessary:

  • for our legitimate interests
  • to carry out our contractual obligations, or
  • to comply with a legal obligation.

We collect 2 types of data from you: (i) personal data like contact details to enable us to fulfil our service and (ii) behavioural data to better improve our service to you, which we will only collect if you opt in.

The below table sets out the types of personal data that we may process, for what we may use it and our legal bases, which are our reasons for processing:

When you register for our Services and/or maintain an E-Money Account with us

Personal data we may process:

Contact details that you provide to us in order to create an account.

These include:

  • Full name
  • Identification Number (ID)
  • Tax Identification Number (TIN)
  • Email address
  • Address
  • Mobile/Phone Number
  • Account details
  • Biometric data
  • The specific transaction details

Where our customer is a business, we will also collect the business’s name, VAT number, contact person’s full name, mobile/phone number and email address.

For what reasons we may use your personal data:

  • To provide you with our service.
  • To improve your user experience.
  • To communicate with you in relation to any product or service which we may deem of interest to you, or such entity as may be required.
  • To update you on any developments in relation to activities or services and to issue statement and other relevant material thereof.
  • Contacting you and responding to your communications with us.
  • Updating and enhancing our client database.

Our legal bases:

  • Performance of a contract: Enabling us to perform the contract with you and provide you with our services.
  • For our legitimate interests: Responding to your communications with us. Processing is necessary for us to conduct our business, as long as our interests are not overridden by your interests or rights.
  • Performance of a legal obligation: In satisfaction of any obligation imposed on us by law.

When requesting a quote for our Services

Personal data we may process:

General information required for the processing of your request, being:

  • Full name
  • Email address
  • Address
  • Mobile/Phone number
  • Any additional personal data you may provide us with.

Where our customer is a business, we will also collect the business’s name, VAT number, contact person’s full name, mobile/phone number and email address.

For what reasons we may use your personal data:

  • To provide you with our service.
  • Contacting you and responding to your communications with us.

Our legal bases:

  • For our legitimate interests: Responding to your communications with us. Processing is necessary for us to conduct our business, as long as our interests are not overridden by your interests or rights.
  • Performance of a legal obligation: In satisfaction of any obligation imposed on us by law.

When you visit our website

Personal data we may process:

We may automatically collect technical information, including:

  • Your IP Address;
  • Cookies;
  • Date and time when you accessed the website;
  • Details of the webpage requested and/or downloaded;
  • Whether your request was successful or not;
  • Biometric data;
  • Website usage patterns (e.g. navigation).

For what reasons we may use your personal data:

  • To improve the content and functionality of our website.
  • To better understand the categories of visitors to our website.
  • To improve our services.
  • For system administration, bug tracking and producing usage statistics. This information may be kept indefinitely and will not be disclosed to third parties.

Our legal bases:

  • For our legitimate interests: To understand the category of visitors of our website and to ensure that the visitors have the best possible experience when visiting the website.
  • Consent: On the basis of the consent that you have provided us, where this is required.

Making use of our website when you make a general enquiry or complaint

Personal data we may process:

Contact details that you provide to us when you request information through our “Contact Us” form and/or our online chat system on our website.

These include your full name, email address and other personal data that you may provide us in your message, including but not limited to your mobile number.

For what reasons we may use your personal data:

  • To be able to trace the computer used in cases of any kind of misuse of our website.
  • Responding to your communications with us.
  • Updating and enhancing our contacts/client base.

Our legal bases:

  • For our legitimate interests: Managing business communications.
  • Responding to your communications with us.
  • Resolving any enquiry, complaint or claim raised.

Communicating with us whether by email, call, or online (via the website, web application or mobile application)

Personal data we may process:

Any data you may provide us during our discussions.

For what reasons we may use your personal data:

  • To provide you with our service.
  • To improve your experience.
  • Contacting you and responding to your communications with us.

Our legal bases:

  • Performance of a contract: Enabling us to perform the contract with you and provide you with our services.
  • For our legitimate interests: Responding to your communications with us.

Concluding digital contracts (e-signs)

Personal data we may process:

General information required for the concluding of the contract, including:

  • Full name
  • Email address
  • Address
  • Mobile/Phone number
  • Any additional personal data relevant to the contract.

Where our customer is a business, we will also collect the business’s name, VAT number, contact person’s full name, mobile/phone number and email address.

For what reasons we may use your personal data:

  • To provide you with our service.
  • Contacting you and responding to your communications with us.

Our legal bases:

  • Performance of a contract: Enabling us to perform the contract with you and provide you with our services.
  • For our legitimate interests: Responding to your communications with us. Processing is necessary for us to conduct our business, as long as our interests are not overridden by your interests or rights.
  • Performance of a legal obligation: In satisfaction of any obligation imposed on us by law.

You shall take full responsibility for the integrity and the accuracy of the data provided. All personal data provided to us shall be in all respects true, accurate and up to date and is not, in any respect, misleading, deceptive or inaccurate or likely to mislead or deceive.

We typically do not carry out profiling of our customers and their activities using automated processes. Should this happen, any decisions taken based on these profiles and information will be taken by natural persons.

5. Cookies and Data Tracking

AFSG uses cookies to optimise the functionality of our website. Cookies are small text files that contain certain data, such as the site’s name and a unique user ID, and are downloaded to and stored on your device when you visit a website. We use cookies to help identify your computer so we can tailor your user experience. These cookies may obtain information about you, your device and your use of our website.

Most, but not all, of the cookies we use are automatically deleted from your computer when you leave our website and close the browser session, or shortly afterwards. You can disable any cookies already stored on your computer, but this may stop our website from functioning properly.

Third party vendors, including Google, may show adverts for AFSG on the internet. These vendors may use cookies to serve ads based on a user’s visits to AFSG. Users can opt out of Google’s use of cookies by visiting the respective advertising opt-out page.

Opting Out:

You can set your browser to not accept cookies, but this may limit your ability to use the services.

For more information about our use of cookies and how you can change your settings to suit you, please refer to our Cookie Policy.

6. With whom we share your data

For us to be able to provide you with our service, data needs to be transferred both internally and externally.

Internal transfer of data is required for the provision of our Services to you, including for our communications with you. Internal sharing of data is limited to employees and authorised representatives who require the personal data and have been provided with the relevant permission to access it.

We do not share your data with third parties, except with the following persons and in the indicated circumstances:

  1. Affiliates – we may need to transfer your personal data to our affiliated companies within our group.
  2. Business partners and service providers - we may disclose your personal data to third party service providers that provide us with services. These include credit institutions, payment service providers, payment initiators, acquiring and issuing entities, and also administrative services, cloud storage providers, website hosting providers, consultants and our legal service providers.
  3. Other third parties - where necessary and as required.

We may also disclose your personal data in response to any requests made by law enforcement agencies, government entities or public authorities, to comply with court orders, to obtain legal remedies and/or limit our damages, to protect your rights as well as our rights and the rights of our employees and where we deem necessary or appropriate under applicable laws and regulations. Furthermore, we may also use your personal data in connection with the exercise or potential exercise of our legal rights, including sharing with debt collection agencies in cases of default on any payment contractually or legally owed to us. We may need to use such information if we are involved in a dispute with you or a third party, for example, either to resolve the dispute or as part of any mediation, arbitration or court resolution or similar (i.e. for the assertion, exercise and/or defence of any legal claims and disputes). A list of our third-party suppliers with which we share personal data can be provided upon request.

We will also be required by law to provide reports containing personal data to regulatory bodies within the EU/EEA, UK as well as within other jurisdictions for tax and other regulatory and compliance matters.

We may also share your personal data with other parties in the event of a corporate reorganisation and/or disposition of our business, such as potential buyers of all or part of our business. In such case and where allowable by Law, we will attempt to inform you of it, as well as of the identity of the new Data Controller either by directly contacting you, by placing public notices on our website or by using other appropriate media.

7. Where your personal data is held

We hold your personal data on our Microsoft Azure Infrastructure and servers of our third-party service providers as described in clause 6 above. Some of these service providers may be located either in the EU/European Economic Area (‘EEA’) or outside the EEA. Any such transfers will be processed in accordance with specific EU, Maltese and UK data protection laws as also provided in clause 8 below.

8. Transfers of your personal data outside the EEA

In the event that personal data is stored or transferred outside the EEA/UK, the transfers shall be subject to specific EU, Maltese and UK data protection laws. Where such storage is provided or otherwise made available outside the European Union / Economic Area / United Kingdom, AFSG will endeavour to ensure that such data is available on a principle of least privilege, is made secure (using the appropriate technological solution/s) and placed in a jurisdiction that is or has an adequacy status recognised to be in line with that of the EU/EEA/UK. AFSG also ensures that when it engages third party providers, the necessary contractual arrangements are in place, in line with the EU Commission’s Standard Contractual Clauses (SCCs)[1], as amended from time to time, and any additional measures as may be required. Additional information on the transfer mechanisms used can be provided upon request.

9. Personal Data retention period

Subject to your rights in Clause 10 hereunder, we retain your personal data included on your profile for as long as this is necessary to provide you with our services and for as long as it is necessary for us to comply with our record-keeping requirements in terms of the law and to be able to respond to any questions, complaints or claims made by you or on your behalf. Hence, we will retain your personal data even after the completion of our services to you.

We will not collect more data than we require or retain your data for longer than necessary to fulfil the purposes outlined in this notice.

We will also keep personal data for the purpose of presenting and processing in case of a litigation or a legal process which you, the relevant authorities or we may be party to, due to our provision of services to you.

Should you require information about how long we hold your personal data, please do not hesitate to contact us so that we can assist you with any information or clarifications you may require.

10. Your rights with respect to your Personal Data

You have the following rights if you reside in the EU or in the United Kingdom:

Right to be informed
Right of access: The right to access and be provided with a copy of your personal data.
Right to rectification: The right to require us to correct any inaccurate personal data about you.
Right to be forgotten: The right to require us to delete your personal data in certain circumstances.
Right to restriction of processing: The right to require us to restrict processing your personal data in certain circumstances.
Right to data portability: The right to receive your personal data which you provided to us, in a structured, commonly used and machine-readable format and the right to transmit that data to another data controller in certain circumstances.
Right to object: The right to object to the processing of your personal data in certain circumstances which include continued processing of your data carried out for the purpose of our legitimate interests.
Right not to be subject to automated processing: The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or significantly affects you.

Should you require any further information on each of the above rights or would like to exercise any of them, please contact us on andaria.com or by e-mail on:

  • dpouk@andaria.com should you be domiciled in the United Kingdom;
  • dpoeu@andaria.com should you be domiciled outside the United Kingdom.

Where you request access to your personal data, we are required by law to use all reasonable measures to verify your identity before doing so; this is done to ensure that the request is legitimate and that there is no case of identity theft or equivalent. These measures are designed to protect you and reduce the risk of identity fraud, identity theft or general unauthorised access to your personal data. Where we possess appropriate personal data about you on file, we will attempt to verify your identity using that personal data. In default, we may require original or certified copies of certain documentation to verify your identity before we are able to provide you with access. Your rights may be exercised in accordance with the Law, which might include restrictions on when you can exercise these rights.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

11. Third Party Websites

Our website may contain links to other websites. Please note third party links are not associated with AFSG and we do not have control over how your personal data is collected, stored or used by other websites. Hence, you are advised to refer to their privacy policies prior to providing your data.

12. Protecting your personal data

We are committed to taking all appropriate measures to protect the confidentiality and security of the data you provide to us. AFSG has implemented security measures to protect your personal data that we collect from being used or accessed unlawfully or accidentally lost. We only grant access to your personal data to those persons who have a genuine need to access it.

All our members, staff and data processors (including specific subcontractors, including cloud service providers established within the European Union), who may have access to and are associated with the processing of Personal Data, are further obliged (under contract) to respect the confidentiality of your Personal Data as well as other obligations as imposed by the Data Protection Laws.

We take appropriate organisational and technical measures to secure your personal data and to protect it against unauthorised or unlawful use and accidental loss or destruction, including:

  • only sharing and providing access to the minimum extent necessary, subject to confidentiality restrictions where appropriate, and on an anonymised basis where possible;
  • using secure servers to store your data;
  • verifying the identity of any individual who requests access to information prior to granting them access to information;
  • using Secure Sockets Layer (SSL) protocol (or other similar encryption technologies as may be required from time to time) to encrypt communication to / from our servers; and
  • whenever and to the extent possible, we anonymise or pseudonymise the personal data which we hold about you when it is no longer necessary to identify you from such data.

In the event of a Personal Data breach, that is, a breach (of security) leading to the accidental, unauthorised and/or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, or any other threatening enforcement proceeding against us pertaining to the processing of Personal Data, we will notify you about this without undue delay, except and unless:

  • we have implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • we have taken subsequent measures which ensure that risks to your rights and freedoms are not likely to materialise; or
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

13. Complaints

We would like to resolve any concern that you may have about the processing of your personal data directly with you. However, you have the right to lodge a complaint with a supervisory authority, in the EU state in which you work, reside or where the alleged infringement of data protection laws took place. The supervisory authority in Malta is the Office of the Information and Data Protection Commissioner which may be contacted at:

Information and Data Protection Commissioner
Floor 2, Airways House, High Street, Sliema, SLM 1549. MALTA.
Telephone: (+356) 2328 7100
Email: idpc.info@gov.mt
Website: idpc.org.mt/en/Pages/contact/complaints.aspx

The supervisory authority in the United Kingdom is the Information Commissioner’s Office which may be contacted at:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Telephone: 03031231113
Email: casework@ico.org.uk
Website: www.ico.org.uk/make-a-complaint

Last updated on September 12, 2022

Version 1.4

[1] The New SCCs combine general clauses with a modular approach, to cater for various transfer scenarios and the complexity of modern data-processing chains. The EU Commission requires both Data Controllers and Data Processors to use the general clauses and, in addition, select the modules applicable to their situations. (The modules vary based on the transfer scenario and designation of the parties under the GDPR and distinguish (1) controller-to-controller transfers; (2) controller-to-processor transfers; (3) processor-to-processor transfers; and (4) processor-to-controller transfers.)

ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries