Privacy Policy (United Kingdom) eCOMM Merchant Solutions Limited 

Introduction 

eCOMM Merchant Solutions Limited (EMS) takes data protection very seriously.  The use of the Internet pages of EMS is not possible without the provision of  some personal data; however, if a Data Subject wishes to use certain services  via our website, processing of further personal data could become necessary. If  the processing of personal data is necessary and there is no statutory basis for  such processing, we will obtain consent from the data subject. 

Personal Data processing shall always be in line with The Data Protection Act  (DPA) which incorporates the UK GDPR and in accordance with any other Data  Protection legislation applicable to EMS. By means of this Privacy Notice, we  would like to inform the general public why we collect and process personal data  and their Data Subject rights relating to the collection and processing of their  Personal Data. 

Definitions 

The data Privacy Notice of EMS is based on the terms used by the legislator for  the adoption of The Data Protection Act incorporating the UK GDPR but for ease  of understanding the following definitions apply: 

Controller: the natural or legal person, public authority, agency or other body  which, alone or jointly with others, determines the purposes and means of the  processing of personal data; where the purposes and means of such processing  are determined by law, the controller or the specific criteria for its nomination  may be provided for by law. 

Personal Data: any information relating to an identified or identifiable natural  person (‘Data Subject’). An identifiable natural person is one who can be  identified, directly or indirectly, in particular by reference to an identifier such  as name, an identification number, location data, an online identifier or to one  or more factors specific to the physical, psychological, genetic, mental,  economic, cultural or social identity of that natural person. 

Data Subject: any identified or identifiable natural person, whose personal data  is processed by the controller responsible for the processing. Processor: a natural or legal person, public authority, agency or other body  which processes personal data on behalf of the controller.

Recipient: a natural or legal person, public authority, agency or another body,  to which the personal data are disclosed, whether a third party or not. However,  public authorities which may receive personal data in the framework of a  particular enquiry in accordance with the law shall not be regarded as recipients;  the processing of those data by those public authorities shall be in compliance  with the applicable data protection rules according to the purposes of the  processing. 

Third Party: a natural or legal person, public authority, agency or body other  than the data subject, controller, processor and persons who, under the direct  authority of the controller or processor, are authorised to process personal data. Restriction of Processing: the marking or stored personal data with the aim of  limiting their processing in the future. 

Processing: any operation or set of operations which is performed on personal  data or on sets of personal data, whether or not by automated means, such as  collection, recording, organisation, structuring, storage, adaptation, or  alteration, retrieval, consultation, use, disclosure by transmission, dissemination  or otherwise making available, alignment or combination, restriction, erasure or  destruction. 

Profiling: any form of automated processing of personal data consisting of the  use of personal data to evaluate certain personal aspects relating to a natural  person, in particular to analyse or predict aspects concerning that natural  person’s performance at work, economic situation, health, personal  preferences, interests, reliability, behaviour, location or movements. 

Consent: Consent of the Data Subject is any freely given, specific, informed and  unambiguous indication of the Data Subject’s wishes by which he or she, by a  statement or by a clear affirmative action, signifies agreement to the processing  of personal data relating to him or her. 

Name and Address of the Controller 

The Controller is:

Name and Address of the Data Protection Officer 

The Data Protection Officer of the Controller is: 

A Data Subject may contact our Data Protection Officer directly with any  enquiries relating to Data Protection. 

Name and Address of the Lead Supervisory Authority The Lead Supervisory Authority overseeing the Controller is:

Reasons/Purposes for Processing Information 

The following is a broad description of the way this organisation/ data controller  processes personal information. To understand how your own personal  information is processed you may also need to refer to any personal  communications you have received. 

We process personal information to enable us to promote our services, provide  Merchants with e-money services, administer Merchant Accounts, manage  queries, process transactions and manage complaints. We also process personal  information to meet our legal and regulatory obligations including the  prevention and detection of crime such as money laundering, the reporting of  suspicious transactions, requirements to check our records against financial  sanctions lists and meeting our legal obligations for example Consumer  Protection Code. 

From time to time, we may request feedback from our customers in order to  improve the service we offer, for example by conducting customer satisfaction  surveys. 

We may also use your personal data when we are testing enhancements to our  IT systems or websites to help ensure that the changes we make are tested in as  real an environment as possible, thereby minimising the impact on our  customers. 

For customer service and quality control purposes, we may record and monitor  calls in order to assess the quality of our staff’s customer service, to verify your  identity, to administer your policy and to improve our services to you. Your personal data (and, if applicable, that of other people you have designated)  will be gathered and processed by our staff or, where you choose to use them,  our online services. 

We collect information relating to the above reasons / purposes from the  following sources: 

• The data subject directly i.e. when you complete an online  application form; 
• The data subject indirectly i.e. when you complete an application  form with an Introducer or reseller (or other representative); • Publicly available registers i.e. the electoral roll; 
• Social Media; 
• Credit searches internally or with one or more credit checking or  credit reference agencies; 
• refer your information to the relevant law enforcement agencies; • Screening agencies; 
• Government Agencies and Bodies.

We process information relating to the above reasons/ purposes. This  information may include: 

• Personal details such as Full name, date of birth, nationality, email  address, home address and phone number; 
• Business activities of the person whose personal information we are  processing; 
• Goods and services provided; 
• Financial details such as bank account details; 
• Professional Body membership. 

We also process sensitive classes of information that may include: • Offences and alleged offences. 

We process personal information about our: 

• Customers (merchants); 
• Complainants and enquirers; 
• Suppliers; 
• Advisers and other professional experts; 
• Employees. 

We sometimes need to share the personal information we process with the  individuals themselves and also with other organisations. Where this is  necessary, we are required to comply with all aspects of The Data Protection Act  (DPA) as it applies – including the UK GDPR and the Privacy and Electronic  Communications Regulation (PECR). What follows is a description of the types  of organisations we may need to share some of the personal information we  process with for one or more reasons. 

Where necessary or required we share information with: 

• HMRC; 
• Regulators; 
• Card Schemes; 
• Service Providers; 
• Professional Advisors; 
• Courts and those involved in legal proceedings; 
• Anyone in the future who may buy or merge with our business. 

Online services 

When you use our online services, we gather certain information automatically  and store it in files. This information includes IP addresses, browser type,  internet service provider, referring/exit pages, date timestamp and click stream  path. This data does not contain any personal identifiable information and is  used to analyse trends, to administer the site and to track users’ movements  around the website during a particular session and to gather demographic data.

Cookies 

Cookies are small text files stored by your browser. They are created when your  browser loads our website. Every time you visit our website, the browser you  are using e.g. Internet Explorer, Firefox etc. retrieves and sends the file to our  server. They help us to track information on our systems and identify categories  of visitors by using information such as your IP address, domain, browser type  and pages visited. If you require further information, please see our cookies  policy. 

Rights of the Data Subject 

UK GDPR affords Data Subjects with rights. These rights are summarised below.  In order to assert any of these rights, the Data Subject may contact the Data  Protection Officer designated by eCOMM Merchant Solutions Limited or  another employee at any time. 

The right of Confirmation: Each data subject shall have the right to obtain from  the controller the confirmation as to whether or not personal data concerning  him or her are being processed. 

The right of Access: Each data subject shall have the right to obtain from the  Controller, free information about his or her personal data stored at any time  and a copy of this information. Furthermore, the data subject shall have a right  to obtain information as to whether personal data are transferred to a third  country or to an international organisation. Where this is the case, the data  subject shall have the right to be informed of the appropriate safeguards relating  to the transfer. 

Right of Rectification: Each data subject shall have the right granted by the  legislator to obtain from the controller without undue delay the rectification of  inaccurate personal data concerning him or her. Taking into account the  purposes of the processing, the data subject shall have the right to have  incomplete personal data completed, including by means of providing a  supplementary statement. 

Right of Erasure (Right to be forgotten): Each data subject shall have the right  to obtain from the controller the erasure of personal data concerning him or her  without undue delay, and the controller shall have an obligation to erase  personal data without undue delay where one of the statutory grounds applies,  as long as the processing is not necessary. 

Right of Restriction of Processing: Each data subject shall have the right granted  by the legislator to obtain from the controller restriction of processing where  statutory reasons apply.

Right to Object: Each data subject shall have the right to object, on grounds  relating to his or her particular situation, at any time, to the processing of  personal data concerning him or her. 

Automated individual decision-making, including profiling: Each data subject  shall have the right not to be subject to a decision based solely on automated  processing, including profiling. 

Right to Withdraw Consent: Where consent forms the basis for processing, Data  Subjects shall have the right to withdraw his or her consent to the processing of  his or her personal data at any time. The Data Subjects can contact the Data  Protection Officer or any other employee to withdraw consent. 

Right to Complain to the Supervisory Authority: Where consent forms the basis  for processing, Data Subjects shall have the right to withdraw his or her consent  to the processing of his or her personal data at any time. The details of the  Supervisory Authority are contained at the top of this Privacy Notice. 

Legal Basis for the Processing 

We will only collect, use and share your information where we have a valid  reason to do so under data protection legislation. We have three main reasons  for collecting and using your information which are set out below. Often, we will  need your information for more than one reason, for example, in order to  perform our contractual and legal obligations. 

1. Contractual obligations – We need to process your personal details as  part of the application process. Once the contract is in place, the  processing of your personal information is necessary for the performance  of this contract including but not limited to: 

• using your bank account details to process payments; 
• verifying the accuracy of the personal information that we receive  from you and for verifying your identity; 
• underwriting your Merchant Account; 
• administering and processing your Merchant Account; 
• Managing complaints; 
• maintaining and storing records on our systems. 

If you do not provide us with your personal data for the above purposes,  we may not be able to provide services to you. 

2. Legal obligations – we may need certain information from you in order to  meet our legal obligations; for example, we require proof of identity (e.g.  certified copy of a passport or driving licence) to meet our anti-money laundering obligations. We may also need to use your personal data for  reporting to supervisory authorities.
3. Our legitimate business interests – we strive continually to improve how  we do business with you and how to develop our service to you; for  example, we may undertake a survey of our Merchants to determine how  we can improve our relationship with you. Furthermore, we may process  your personal data for preventing fraud, for internal administrative  purposes and for reporting potential criminal acts to a competent  authority. 

Before using your personal data to pursue our legitimate interests, the  impact of our processing activities is carefully considered against the  fundamental rights and freedoms of individuals. 

Security of Processing 

As the Controller, eCOMM Merchant Solutions Limited has implemented  technical and organisational measures to ensure personal data processed  remains secure however absolute security cannot be guaranteed. Should a Data  Subject have a particular concern about a particular method of data  transmission, we will take reasonable steps to provide an alternative method. 

Transfers 

It may sometimes be necessary to transfer personal information overseas. When  transfers are needed, information may be transferred to countries or territories  around the world. Any transfers made will be in full compliance with all aspects  of the UK GDPR and in accordance with the country-specific legislation  applicable to eCOMM Merchant Solutions Limited. 

Personal Data Retention Periods 

The criteria used to determine the retention period of personal data is the  respective statutory retention periods within the State. After the expiration of  that period, personal data shall be securely deleted, as long as it is no longer  necessary for the fulfilment of the contract, the initiation of a contract, or in  relation to other legal proceedings. 

Contractual obligations of the data subject to provide the personal  data and the possible consequences of failure to provide such data For clarity, the provision of personal data is partly required by law (e.g. tax  regulations) or can also result from contractual provisions. Sometimes it may be  necessary for the data subject to provide us with personal data which must 

subsequently be processed by us. The data subject is, for example, obliged to  provide us with personal data when eCOMM Merchant Solutions Limited signs  a contract with him or her. The non-provision of the personal data would have  the consequence that eCOMM Merchant Solutions Limited would be unable to  conclude the contract with the Data Subject. 

Automated Decision-Making & Profiling 

eCOMM Merchant Solutions Limited do not process personal data for automatic  decision-making or profiling. 

Data protection for Employment & Recruitment Procedures The data controller shall collect and process, the personal data of applicants for  the purpose of the processing of the application procedure. The processing may  also be carried out electronically, this is the case if an applicant submits  corresponding application documents by email to the controller. If the data  controller concludes an employment contract with an applicant. The submitted  data will be stored for the purpose of processing the employment relationship  in compliance with legal requirements. If no employment contract is concluded  with the applicant by the Controller, the application documents shall be  automatically erased two months after notification of the refusal decision,  provided that no other legitimate interests of the Controller are opposed to the  erasure. Other legitimate interests could be complying with the country specific  legislation. 

General 

You may not transfer any of your rights under this privacy notice to any other  person. We may transfer our rights under this privacy notice where we  reasonably believe your rights will not be affected. 

If any court or competent authority finds that any provision of this privacy notice  (or part of any provision) is invalid, illegal or unenforceable, that provision or  part-provision will, to the extent required, be deemed to be deleted, and the  validity and enforceability of the other provisions of this privacy notice will not  be affected. 

Unless otherwise agreed, no delay, act or omission by a party in exercising any  rights or remedy will be deemed a waiver of that, or any other, right or remedy.

This notice will be governed by and interpreted according to the laws of England  and Wales. All disputes arising under the notice will be subject to the exclusive  jurisdiction of the English and Welsh courts. 

Changes to this Notice 

This notice was last updated on the 1st of January 2025. We may change this  policy to reflect changes in the law or our privacy practices. However, we will  not use your personal data in any new ways without your consent.