PERSONAL DATA PROCESSING POLICY
1. About this Policy

1.1. This Data Processing Policy applies to data that SIA «CLOUD PAYMENTS INTERNATIONAL» (hereinafter referred to as SIA «CLOUD PAYMENTS INTERNATIONAL», «we», «us» or «our») (registration number 50103762261 from February 24, 2014; Latvia, Jurmala, Engures Street 5A-4, LV-2016, owner contact email: sales@cloudpayments.eu) can obtain through the use of a website located on the Internet on a domain name: https://cloudpayments.eu. SIA «CLOUD PAYMENTS INTERNATIONAL» takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. This policy sets out how the SIA «CLOUD PAYMENTS INTERNATIONAL» manages those responsibilities. This Policy can be extended to countries outside the EU. In countries where the data of legal entities is protected in the same manner as personal data, this Policy also applies in the same manner to the data of legal entities.

1.2.This Policy and any other documents referred to in it sets out the basis on which we will process any Personal Data we collect from Data Subjects, or that is provided to us by Data Subjects or other sources. Data Users are obliged to comply with this policy when Processing Personal Data on our behalf. Any breach of this policy may result in disciplinary action and statutory responsibility. This policy focuses on our obligations as a Data Controller and we may be under different or additional obligations in respect of any Processing which we carry out as a Data Processor.

1.3. The User's use of the website means that they agree to the Privacy Policy and the terms of data processing. In case of disagreement with the terms of the Privacy Policy, the User must stop using the website.

1.4. This Policy is intended to ensure proper protection of information about Users, including their Personal data, from unauthorized access and disclosure.


2. Definitions

2.1. Data Subjects means all living identifiable individuals about whom we hold Personal Data. All Data Subjects have legal rights in relation to their personal information.

2.2. Personal Data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

2.3. Data Controllers are the people who, or organizations which, determine the purposes for which, and the manner in which, any Personal Data is processed. They are responsible for establishing practices and policies. Data Users are those of our employees, agents, partners and contractors whose work involves Processing Personal Data. Data Users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.

2.4. Data Processors include any person or organization that processes Personal Data on our behalf and on our instructions. Employees of Data Controllers are excluded from this definition, but it could include suppliers that handle Personal Data on our behalf.

2.5. Website means our website at https://cloudpayments.eu.

2.6. Processing is any activity or set of activities which is performed on Personal Data or sets of Personal Data, whether or not by automated means. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties.

2.7. Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

2.8. Personal Data Processing Policy is the most recent version of our policy, available via the Website, relating to the collection, storage and use of Personal Data (as amended from time to time).

2.9. Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

2.10. Sensitive Personal Data includes information about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. The DPA includes biometric data and genetic data as Sensitive Personal Data. Sensitive Personal Data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned, if applicable laws do not state otherwise.

2.11. Services means:

· access to the relevant SIA «CLOUD PAYMENTS INTERNATIONAL» solutions provided via Customer's login link at the SIA «CLOUD PAYMENTS INTERNATIONAL» website or another designated web site or IP address;

· and/or ancillary online or offline products and services provided or licensed to Customer by SIA «CLOUD PAYMENTS INTERNATIONAL».


3. Data Protection Principles

Anyone Processing Personal Data must comply with principles of good practice. These provide that Personal Data must be:

· Processed fairly, lawfully and in a transparent manner in relation to individuals.

· Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

· Adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.

· Accurate and where necessary, kept up to date. Where Personal Data is inaccurate with regards to the purpose for which it is processed, every reasonable step must be taken to either erase or rectified it without delay.

· Not kept longer than necessary for the purpose for which the Personal Data is processed.

· Processed in line with Data Subjects' rights.

· Processed in a manner that ensures appropriate security of the Data Subject, including protection against unauthorized Processing and accidental loss, destruction or damage.

· Not transferred to people or organizations situated in countries without adequate protection without putting in place appropriate safeguards.


4. Accountability

4.1 The DPA accountability principle requires organizations to be able to demonstrate compliance with data protection requirements. We need to ensure data protection compliance is integrated into any new technology planning or new Processing activities.

4.2 The Data Protection Officer ("DPO" hereinafter) is responsible for ensuring compliance with the DPA and with this policy.

4.3 The DPO will be an independent officer, appointed to carry out the following tasks on behalf

· Inform and advise us or our Data Processors who carry out Processing activities of their

· obligations under the DPA or particular jurisdiction data protection provisions.

· Monitor our compliance with the DPA, or relevant data protection legislation which may apply to us and monitor our compliance with our policies or the policies of the Data Processor's.

· Provide advice where requested with regards to the data protection impact assessment and monitor its performance.

· To cooperate with the supervisory authority and act as a contact point for the supervisory authority on issues relating to Processing.

4.4 Data Subjects may contact the DPO with regards to all issues related to Processing of their Personal Data and in respect of their rights under the DPA.

4.5 All SIA «CLOUD PAYMENTS INTERNATIONAL» employees have a responsibility to comply with the DPA and are required to complete appropriate training to ensure compliance with this policy. To ensure the DPO has the necessary support in carrying out their obligations, this position reports to SIA «CLOUD PAYMENTS INTERNATIONAL» Executive Management team.


5. Fair and Lawful Processing

5.1 The DPA is not intended to prevent the Processing of Personal Data, but to ensure that it is done fairly, transparently and without adversely affecting the rights of the Data Subject. The specific purposes for which Personal Data is being processed should be explicitly and legitimately communicated to the Data Subject's and should be determined at the time of the collection of the Personal Data.

5.2 For Personal Data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the DPA. These include, among other things, the Data Subject's consent to the Processing, or that the Processing is necessary for the performance of a contract with the Data Subject, for the compliance with a legal obligation to which the Data Controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When Sensitive Personal Data is being processed, additional conditions must be met. When Processing Personal Data as Data Controllers in the course of our business, we will ensure that those requirements are met.


6. Processing for limited purposes

6.1 In the course of our business, we may collect and Process Personal Data. This may include data we receive directly from a Data Subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise).

6.2. We will only Process Personal Data for the specific purposes set out in our Personal Data Processing Policy or for any other purposes specifically permitted by the DPA. We will notify those purposes to the Data Subject when we first collect the data. We will continually review our notices to ensure that they accurately reflect our Processing activities and where we Process the data for a new purpose which was not indicated in the initial notification, then we will provide a new notice to cover this.


7. Categories of Data Subjects

7.1 SIA «CLOUD PAYMENTS INTERNATIONAL» collects and processes a range of information about you. This includes:

· how to contact you

· contact details of the organization - email address and phone number;

· other information and data about you, depending on our mutual relationship or any other personal data processed by SIA "CLOUD PAYMENTS INTERNATIONAL" in accordance with the law, other local laws or international laws/regulations.

7.2. SIA «CLOUD PAYMENTS INTERNATIONAL» collects this information in a variety of ways. For example, data is collected through application forms; from forms completed by you at the start of or during employment; from correspondence with you or other assessments.


8. Adequate, Relevant and Non- Excessive Processing

8.1. If we collect Personal Data directly from Data Subjects, it will only be:

· Used for the purpose or purposes as set out in our Personal Data Processing Policy or as permitted by the DPA;

· Processed as set out in our Personal Data Processing Policy or as permitted by the DPA;

· Disclosed to the third parties set out in our Personal Data Processing Policy or as permitted by the DPA.

8.2. If we receive Personal Data about a Data Subject from other sources, we will provide the Data Subject with this information as soon as possible thereafter.

8.3. SIA «CLOUD PAYMENTS INTERNATIONAL» needs to process data to enter into an customer contract with you and to meet its obligations under your customer contract.

8.4. In some cases, SIA «CLOUD PAYMENTS INTERNATIONAL» needs to process data to ensure that it is complying with its legal obligations. For example, Anti-Money Laundering laws.


9. Retention period

9.1. We will not keep Personal Data longer than is necessary for the use or provision of the Services and/or the purpose or purposes for which they were collected.

9.2. Personal Data will only be retained for the period reasonably necessary to perform the Services and to fulfil the purposes as set out in our Personal Data Processing Policy.


10. Data protection impact assessment

10.1. In the event new Processing activities are introduced or we develop new technologies into our business, an assessment of the impact of the change in operations on the protection of such Personal Data shall be carried out in order to address any Processing operations that present a high risk to the rights and freedoms of the Data Subjects or risk non-compliance with the DPA.

10.2 Such assessment will be carried out with the advice of the Data Protection Officer.


11. Processing in Line with Data Subject's Rights

11.1 We will Process all Personal Data in line with Data Subjects' rights, in particular their right, in certain circumstances, to:

· Request access to any data held about them by a Data Controller in a commonly used and machine-readable format.

· Transmit their data to another Data Controller, where such Personal Data is Processed on the basis of consent or contractual performance, unless in doing so, it would adversely affect the rights or freedoms of other Data Subject's or others e.g. including trade secrets or intellectual property.

· Prevent the Processing of their data or withdraw their consent at any time in certain circumstances.

· Ask to have inaccurate data amended.

· Erasure of their Personal Data where data is no longer required for the original purpose or where the Data Subject has withdrawn their consent and no other lawful Processing

· grounds apply.

· Object to the Processing of their Personal Data in certain circumstances.

· Be notified where their Personal Data is subject to automated decision making i.e. Profiling, including the logic involved, as well as the significance and the envisaged consequence of such Processing for the Data Subject and object to such Profiling in certain circumstances.

11.2. Where we stop Processing Personal Data or delete a Data Subject's Personal Data, it will possibly mean that that particular Data Subject is unable to continue using or contributing to the provision of some of our Services, and they shall be notified accordingly.

11.3. Where a Data Subject requests to rectify or erase (except data required by any legal obligations) their Personal Data or restrict any Processing of such Personal Data, we may be required to notify, certain third parties to whom such Personal Data has been disclosed of such request.


12. Data Security

12.1. This policy describes how SIA «CLOUD PAYMENTS INTERNATIONAL» handles personal data within its organization and the key data privacy principles which it complies with.

12.2. SIA «CLOUD PAYMENTS INTERNATIONAL» takes the security of your data seriously. SIA «CLOUD PAYMENTS INTERNATIONAL» has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. But remember that no method of transmission over the Internet, and no method of electronic storage, is 100% secure and reliable, and we cannot guarantee its absolute security.

12.3. Where SIA «CLOUD PAYMENTS INTERNATIONAL» engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and Company measures to ensure the security of data.

12.4. We will maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

· Confidentiality means that only people who are authorized to use the data can access it.

· Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed.

· Availability means that authorized users should be able to access the data if they need it for authorized purposes.


13. Reporting Breaches

13.1 Where there has been a Personal Data breach and the breach is likely to result in a high risk to the rights and freedoms of the Data Subject we will report the breach to the Data Subject without undue delay. The communication to the Data Subject will describe the nature of the Personal Data breach as well as recommendations for the Data Subject concerned to mitigate potential adverse effects. Such communications to Data Subjects will be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities.


14. Data transfers to third countries and international organizations 14.1. SIA «CLOUD PAYMENTS INTERNATIONAL» may transfer the data of the Data Subject to third country providing safeguards and security measures, so the level of нour data protection is not undermined. Such transfers might take place in cases, if:

· we have to perform an agreement concluded between the Data Subject and SIA «CLOUD PAYMENTS INTERNATIONAL»

· we have to carry out pre-contractual measures in order to prepare a contract;

· he Data Subject to the proposed transfer;

· transfer is based on an international agreement, such as a mutual legal assistance treaty in force between the requesting third country and Latvia;

· transfer is based on standard data protection clauses adopted by the relevant authority;

· other cases may be applicable (the Data Subject must be informed prior to any such transfer).


15. Amendments and effective date

SIA "CLOUD PAYMENTS INTERNATIONAL" may make minor changes to this Privacy Policy which shall not have a negative impact on the privacy of the Data Subject, except if laws set otherwise.

In case of material changes SIA CLOUD PAYMENTS INTERNATIONAL will definitely publish such amendments and amended policy on our websites and, as far as possible, notify the Data Subject by email or by pop-up windows when the Data Subject next visits our websites.

Actual version of the Privacy Policy is published on our websites.


Contact details

If the Data Subject wishes to receive further information from us on privacy matters, please contact us at:

SIA «CLOUD PAYMENTS INTERNATIONAL»

Address: Latvia, Jurmala, Engures Street 5A-4, LV-2016

e-mail: sales@cloudpayments.eu