- General Data Protection Regulation (2016/679) (hereinafter – GDPR);
- Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania;
- Law on Legal protection of personal data of the Republic of Lithuania and;
- other applicable legal acts.
When writing “you”, we refer to you as a potential, existing, former client of the Company, our client’s employee or other related party such as beneficial owner, authorized representatives, business partners, other associated parties or a user of our Website.
We process your personal data with the following principles:
- principle of legality, fairness and transparency – which means that the Personal Data with respect to you is processed in a lawful, honest and transparent way;
- purpose limitation principle – which means that the Personal Data is collected for specified, clearly defined and legitimate purposes and shall not be further processed in a way that is incompatible with those purposes;
- data reduction principle – which means that the Personal Data must be adequate, appropriate and is only necessary for the purposes for which it is processed;
- accuracy principle – which means that the Personal Data must be accurate and, if necessary, updated. All reasonable steps must be taken to ensure that Personal Data which is not accurate in relation to the purposes for which it is processed shall be immediately erased or corrected;
- the principle of limitation of the length of the storage – which means that the Personal Data shall be kept in such a way that your identity can be determined for no longer than is necessary for the purposes for which the Personal Data is processed;
- integrity and confidentiality principle – which means that the Personal Data shall be managed by applying appropriate technical or organizational measures in a way, which would ensure the proper security of the Personal Data, including the protection from an unauthorized processing or processing of an unauthorized data against accidental loss, destruction or damage.
If you are a potential client, or register with us as a client, we will ask you for information about yourself. The categories of personal data that we may collect about you are as follows:
|Type of information||Personal data|
|Basic Personal Data||Name, surname, job title etc.|
|Identification information and other background verification data (your or your representative’s, ultimate beneficiary owner’s of legal entities)||(your or your representative’s, ultimate beneficiary owner’s of legal entities) name, surname, personal identity code, date of birth, address, nationality, gender, passport or ID card copy, evidence of beneficial ownership or the source of funds, number of shares held, voting rights or share capital part, title, visually scanned or photographed image of your face or image that you provide through a mobile application or camera, video and audio recordings for identification, telephone conversations to comply with client due diligence/”know your client”/anti-money laundering laws and collected as part of our client acceptance and ongoing monitoring procedures.|
|Financial data||Transactional data (e.g. beneficiary details, date, time, amount and currency which was used, name/IP address of sender and receiver), accounts, amount of transactions, income, location, etc.|
|Information related to legal requirements||Data resulting from enquiries made by the authorities, data that enables us to perform anti-money laundering requirements and ensure the compliance with international sanctions, including the purpose of the business relationship and whether you are a politically exposed person and other data that is required to be processed by us in order to comply with the legal obligation to “know your client”.|
|Contact data||Registered/actual place of residence, phone number, email address etc.|
|Special category data||Biometrical data, i.e. physical, or behavioral characteristics resulting from specific technical processing used during remote identification which confirms the unique identification of a person, e.g. facial images. We do not process special category data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using services (e.g. in payments details).|
|Any other Personal Data related to you that you may provide|
Your personal data is processed in accordance with the purposes and legal basis indicated in the table below.
The definitions from the table above are understood as follows:
Legitimate Interest: The interest of ours as a business in conducting and managing our services to enable us to provide to you and offer the most secure experience.
Contract performance: Processing your Personal Data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Legal Obligation: Processing your Personal Data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Consent: Your consent shall mean any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify your agreement to the processing of personal data relating to you. We can request from you a consent for processing when we do not have another legal basis for processing of your data.
We collect information you provide directly to us. For example, when becoming a new client (if you have entered into or seek to enter into an agreement with us). The Company also collects information which you provide to us, such as messages that you have sent to us, by access and use of our website or mobile application, by setting up an account with us, when you subscribe to our electronic publications (e.g. newsletters).
Personal Data that we may collect from third parties:
- when it is provided to us by a third party which is connected to you and/or is dealing with us, for example, business partners, subcontractors, service providers, merchant etc.;
- third party sources, for example, register held by governmental agencies or where we collect information about you to assist with “know your client” check-ups as part of our client acceptance procedures;
- from publicly available sources – we may, for example, use sources to help us keep your contact details that we already possess accurate and up to date or for professional networking purposes or for providing our services;
- from other entities which we collaborate with.
In order to make your identity verification, we are using several tools/solutions provided by our partners.
“iDenfy” solution is used for comparing live photographic data or video record of yourself and your ID card/passport, to comply with legal obligations (e.g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania and other fraud and crime prevention purposes) and risk management obligations.
The result of the face similarity (match or mismatch) will be retained for as long as it is necessary to carry out verification and for the period required by anti-money laundering laws.
We ensure that the checks disclosed above are a process of comparing data acquired at the time of the verification, i.e. this is a one-time user authorization.
Your provided data is not created, recorded and stored. It is not possible to regenerate the raw data from retained information. These processes shall allow us to verify you more precisely and will make the process quicker and easier to execute.
Using “iDenfy” services, personal data is used for your identification since “iDenfy” verifies the identity of the person in the identity document and the person captured in the photo.
If you do not feel comfortable with these identification methods disclosed above, you may contact us by email email@example.com for alternative way to identify yourself.
You as a data subject shall have the rights in respect of Personal Data that we hold on you. You have the following rights for your Personal Data that we have about you:
- a right to get familiar with your Personal Data and how it is processed: you have the right to know about processing of your Personal Data as well as to have the access to your Personal Data and processing. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the Company’s business concept and business practices. The Company’s know-how, business secrets as well as internal assessments and material may restrict your right of access;
- a right to have your Personal Data erased: at any time you can make a request for us to erase or delete all or some of your personal data, however, in certain cases we may not be able to erase all of your Personal Data, due to the fact that we need to store your Personal Data due to a contractual relationship or law;
- a right demand rectifying incorrect or incomplete Personal Data: in cases where you find out that the Personal Data of yourself is incorrect, you always have the right to request a rectification of the Personal Data. You may do it by yourself, by logging in into your account and changing the profile settings. If your Personal Data was transferred to third-parties data processors, they will be notified of any editing or deletion of your Personal Data;
- a right to request to restrict the processing of your Personal Data: you shall always be able to demand that our processing of your Personal Data be restricted for a period of time. It may happen in situations for example when you believe that Personal Data about you is inaccurate and we need to verify it. It can also pertain to a situation where you object to processing that we base on a legitimate interest. In such case we must verify if our grounds override yours;
- a right to obtain a copy of your Personal Data: you may always be able to request us to receive a copy of your Personal Data, except in the cases when the provision of such data may affect and harm rights and freedoms of others;
- a right to your Personal Data portability: transfer your Personal Data to another data controller or provide directly to you in a convenient format (NOTE: applicable to Personal Data which is provided by you and which is processed by automated means on the basis of consent or on the basis of conclusion and performance of the contract);
- a right to object to any processing based on the legitimate interests: you may always object to the processing of your Personal Data when the processing is based on a legitimate interest.
- a right to withdraw your consent: you always are able to withdraw your consent to process your Personal Data when the Personal Data is being processed based on your consent. However, such consent withdrawal does not affect the lawfulness of processing based on consent before its withdrawal;
- a right not to be a subject to a decision based solely on automated processing;
- other rights established in GDPR and legal acts;
- a right to lodge a complaint and a right to lodge an appeal to the State Data Protection Inspectorate: In cases when you believe that the Personal Data of yourself is processed by not complying with GDPR or other applicable legal acts, you may always submit a complaint for us.
For complaints regarding the services of UAB “B4B Payments Europe”:
You can contact us via email: firstname.lastname@example.org or by personally appearing at our registered office address at Lvovo g. 105A LT-08104, Vilnius, Lithuania, or by ordinary mail sent to our registered address.
For complaints regarding the services of “B4B Payments”:
You can contact us via email: email@example.com or by personally appearing at our registered office address at Millbank Tower, 21-24 SW1P 4QP, Millbank, London, United Kingdom of Great Britain and Northern Ireland, or by ordinary mail sent to our registered address.
We ask you to clearly disclose your name, surname, contact details and the relevant information, which you should indicate why you reasonably feel that we may process your personal data by violating GDPR or other applicable legal acts.
Your requests addressed both for UAB “B4B Payments Europe” and “B4B Payments” shall be fulfilled or fulfilment of your requests shall be refused by specifying the reasons for such refusal within 30 (thirty) calendar days from the date of submission of the request meeting our internal rules and GDPR. The afore-mentioned time frame may be extended for 30 (thirty) calendar days by giving a prior notice to you if the request is related to a great scope of Personal Data or other simultaneously examined requests. A response to you will be provided in a form of your choosing as the requester. We, after examining the complaint, report the results and actions taken to satisfy your complaint, or provide relevant information on what further actions you may take if your complaint was not satisfied.
However, please be informed that if you believe that the Personal Data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation You may lodge a complaint to relevant authorities.
For complaints regarding UAB “B4B Payments Europe” services: you may address the State Data Protection Inspectorate with a claim regarding the processing of your Personal Data if you believe that the Personal Data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. You may apply in accordance with the procedures for handling complaints that are established by the State Data Protection Inspectorate and which may be found by this link: https://www.ada.lt/go.php/lit/Asmens-skundu-nagrinejimas-del-duomenu-valdytojo-veiksmu-neveikimo/4/1
For complaints regarding “B4B Payments” services: you may address the UK data protection regulator, the Information Commissioner’s Office (ICO) which may be found by this link: https://ico.org.uk/make-a-complaint/
We may use your data for as long as reasonably necessary for the limited purpose of providing our services to you.
- we retain your personal data as long as your consent remains in force, if there are no other legal requirements which shall be fulfilled concerning personal data’s processing;
- in case of the conclusion and execution of contracts – we retain your personal data until the contract concluded between you and us remains in force and up to 10 (ten) years after the contractual relationship between you and us has ended;
- the data of our registers shall be stored for at least 8 (eight) years from the day of termination of transactions or other business relationship with you. The storage period may be extended additionally upon a reasoned instruction of a competent institution, nevertheless the extension cannot last longer than 2 (two) years;
- documents confirming monetary operation or transaction or other documents having legal force related to the performance of the monetary operations or conclusion of the transactions shall be stored for 8 (eight) years from the day of the performance of the monetary operation or conclusion of the transaction. The storage period may be extended additionally upon a reasoned instruction of a competent institution, nevertheless the extension cannot last longer than 2 (two) years;
- copies of the documents proving your identity, invoices and/or contractual documentation (original documents) shall be stored for 8 (eight) years from the day of termination of the transactions or business relationship with you. The storage period may be extended additionally upon a reasoned instruction of a competent institution, nevertheless the extension cannot last longer than 2 (two) years;
- written or electronic correspondence relating to the business relationship with you shall be stored for 5 (five) years from the day of the termination of the transactions or business relationship with you. The storage period may be extended additionally upon a reasoned instruction of a competent institution, nevertheless the extension cannot last longer than 2 (two) years;
- results of investigations of complex or unusually large transactions and unusual transaction structures are stored for 5 (five) years in paper format or on an electronic medium. The storage period may be extended additionally upon a reasoned instruction of a competent institution, nevertheless the extension cannot last longer than 2 (two) years;
- your personal data which has been submitted by you through our website is kept for a period which is necessary for the fulfilment of your request and to maintain further cooperation, but no longer than 6 (six) months after the last day of the communication, in case there are no legal requirements to keep them longer.
In the cases when the terms of data keeping are indicated in the legislative regulations, the legislative regulations are applied.
Your Personal Data might be stored longer if:
- it is necessary in order for us to defend ourselves against claims, demands or action and exercise our rights;
- there is a reasonable suspicion of an unlawful act that is being investigated;
- your Personal Data is necessary for the proper resolution of a dispute/ complaint;
- under other statutory grounds.
In some cases, we may use automated decision-making which refers to a decision taken solely on the basis of automated processing of your Personal Data.
Automated decision-making refers to the processing using, for example, a software code or an algorithm, which does not require human intervention.
We may use forms of automated decision making on processing your Personal Data for some services and products. You can request a manual review of the accuracy of an automated decision in case you are not satisfied with it.
We may transfer your Personal Data in accordance with the principles of confidentiality to the following categories of recipients:
– between the companies belonging to B4B companies’ group;
– our business partners, agents or intermediaries who are a necessary part of the provision of our products and services, as well as, card organizations (such as VISA or MasterCard) – in connection with our payment services;
– governmental bodies and/or supervisory authorities (in accordance with the requirements and obligations under the provisions of legal acts concerning anti-money laundering, fraud prevention, counter terrorist financing), credit, financial, payment and/or other electronic money institutions;
– pre-trial investigation institutions, the State Tax Inspectorate, ICO;
– lawyers, bailiffs, auditors etc.;
– service providers, who make your identity verification by using their IT solutions;
– companies providing services for money laundering, politically exposed persons and terrorist financing check-up and other fraud and crime prevention purposes and/ or companies providing similar services;
– external service providers (that provide such services as, for example, system development and/or improvement, audit services);
– beneficiaries of transaction funds receiving the information in payment statements together with the funds of the transaction;
– other entities that have a legitimate interest or the Personal Data may be shared with them under the contract which is concluded between you and us;
– other entities under an agreement with us.
For the purpose to provide you our services we can engage third-party service providers outside the European Economic Area (hereinafter – EEA). The transfer of Personal Data may be considered as needed in such situations as, e.g.:
– in order to conclude the contract between you and us and/or to fulfill the obligations under such contract;
– in cases indicated in laws and regulations for protection of our lawful interests, e.g. in order to bring proceedings in court/other governmental bodies;
– in order to fulfill legal requirements or in order to realize public interest.
– the country to which we send the Personal Data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection;
– the recipient has signed standard data protection clauses which are approved by the European Commission;
– special permission has been obtained from a supervisory authority.
We may transfer Personal Data to a third country by taking other measures if it ensures appropriate safeguards as indicated in the GDPR.
From time to time we may offer to distribute news and other marketing content to individuals who have asked us to do so. We will do this via mailing lists.
You always have the chance to withdraw your consent once you give your consent for us, even before receiving your first email with our news or other marketing content. In cases when you do not object to the use of your e-mail for the marketing of our similar goods and services you are granted with clear, free of charge and easily realizable unsubscribe link in all emails from our mailing lists, so that you can remove your contact information at any time. We shall state in each notification sent by email that you are entitled to object to the processing of the personal data or refuse to receive notifications from us.
We will only contact you via your email address in the way which you have given your consent and we will only send you emails on topics as described during the mailing list signup, for instance, news about our products.
We will not share our mailing list subscribers with any other third party, other than as required for us to send emails to the mailing list.
We will only store email addresses in our mailing list.
In case you do not agree to receive these marketing emails offered by us, our business partners or third parties, this will not have any impact on the provision of services to you as the client.
The Company will take reasonable precautions to prevent the loss, misuse, accidental or unlawful destruction, modification, disclosure, unauthorized access alteration or any other unlawful handling of information you give us. Agents or contractors of us who have access to information which you give us in the course of providing services to B4B Payments are required to keep that information confidential and are not permitted to use it for any purpose other than to carry out the services which they are performing for B4B Payments.
The Company and any third-party service providers that may engage in the processing of Personal Data on our behalf (for the purposes indicated above) are also contractually obligated to respect the confidentiality of the Personal Data.
B4B Payments will maintain all applicable PCI DSS requirements to the extent proportionate to the cardholder data processed or transmitted on behalf of you, or to the extent that B4B Payments could impact the security of your cardholder data environment.
Privacy Notice for Job Applicants
In accordance with the General Data Protection Regulation (GDPR), we have implemented this privacy notice to inform you, as prospective employees of our Company, of the types of data we process about you when you apply for the job.
We follow these principles, to ensure that:
- data processing is fair, lawful and transparent
- data is collected for specific, explicit, and legitimate purposes
- data collected is adequate, relevant and limited to what is necessary for the purposes of processing
- data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- data is not kept for longer than is necessary for its given purpose
- data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
- we comply with the relevant GDPR procedures for international transferring of personal data
- We keep several categories of personal data on our prospective employees in order to carry out effective and efficient processes. We keep this data in recruitment files relating to each vacancy and we also hold the data within our computer systems, for example, recruitment logs.
Specifically, we hold the following types of data:
- personal details such as name, address, phone numbers;
- information of any disability you have or other medical information relevant;
- right to work documentation;
- information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter;
- references from former employers (Not applicable to Lithuanian office);
- criminal background information (Not applicable to Lithuanian office);
- social background information for some staff (Not applicable to Lithuanian office);
- Passport or photo ID copy;
- proof of address (Not applicable to Lithuanian office).
You provide several pieces of data to us directly during the recruitment exercise.
In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.
Should you be successful in your job application, we will gather further information from you, for example, your bank details and next of kin details, once your employment begins.
This data is collected on this lawful basis. (1) legal obligations under Lithuanian and UK law, (2) your consent and (3) legitimate interests of B4B such as making decisions on employment, salary, benefits as well as other motivation, determining your suitability for the position, skill level and assessing your training needs, preventing fraud, dealing with legal claims against B4B.
Some of this data is a special category of data, which is collected for the purposes of equal opportunities monitoring, meeting your specific needs for the work environment, and your eligibility for certain positions following PCI DSS requirements (criminal conviction data based on our legitimate interests).
EU and UK job applicant data is not shared outside the EU and UK. US job applicant data is not shared outside the US and UK.
You may contact us by writing to us at firstname.lastname@example.org or post us at our relevant registered office address.
Our data protection officer (hereinafter – DPO) continuously monitors our privacy compliance and communicates with us on data protection matters relevant to the provision of our services. You may contact our DPO regarding all issues relating to our company’s processing of your personal data and the exercise of your data protection rights by sending an e-mail to the address: email@example.com