Personal data, or personal information, means any information about an individual from which that person can be identified (as stated above). It does not include data where the identity has been removed and is not relatable to an identified or identifiable person (anonymous data). In the course of customer’s relationship with us (including during the on-boarding), we may collect, use, store and transfer different kinds of personal data of customers which we have grouped together.
We collect information customers provide directly to us. For example, we collect information when customers initiate a business relationship, participate in any interactive feature of the Services, fill out a form, participate in a community or forum discussion, complete a transaction, apply for a job at Xentum, request customer support or otherwise communicate with us. The types of information we may collect include customer’s name, date of birth, email address, postal address, phone number, and, in addition any further information that is legally required, or customers choose to provide. Only personal information necessary for carrying out and performing our tasks and services, or made available by customers on a voluntary basis, is collected.
For avoidance of doubt, categories of data as indicated below are applicable to customers. We shall request this information in order to be able to initiate customer relations and on-board customers in order to be eligible for our Services.
• Identity Data includes customers’ first name, maiden name (where applicable), last name, address, username or similar identifier, marital status, title, nationality, date of birth, gender, photograph, identity card and/or passport number.
• Contact Data includes customer’s billing address, email address and contact number (telephone and/or mobile).
• Financial Data includes customers’ bank account and payment details.
• KYC/AML/CFT Data includes the following due diligence (KYC/AML/CFT) information and documentation about customers: (i) copy of valid I.D. card or passport, (ii) proof of residence (e.g. confirmation of identity; current utility bill), (iii) KYC database checks, (iv) fraud database checks and (v) any documentation or information which may, from time to time:
- be required to collect to ensure compliance with any applicable legislation (including applicable foreign laws) and global AML/KYC/CFT practices; and/or
- otherwise be mandated to collect by a financial intelligence unit or national financial market supervisory authority and/or any other competent authority or law enforcement agency (national or international).
• Marketing and Communications Data includes customers’ preferences in receiving marketing from us and our third parties and customers’ communication preferences.
• Transaction Data includes details about:
- Masked IBAN;
- Customer’s full name;
- IP-address of the requesting merchant;
- Transmitted payment data (transactional volume, amount; purpose, currencies involved);
- Transmitted payment data (TransactionsID, ShopperID, InvoiceID);
- Account to which the transferral is made;
- Name and IBAN of the end customer in plain text (will be used in case of repeated payment, use of registration);
- Name, address and email of the end customer, which are transferred to us by the merchant (will not be given to FinAPI);
- customers’ transactional history relating to the Services; and
- the payments which we receive, or otherwise, charge customers (e.g. our fees for use of our Services).
• Enhanced KYC Data applies in respect of instances mandated by our KYC/AML policy, which would include, amongst other scenarios, situations where a higher risk of money laundering and funding of terrorism has been identified.
In all cases, we collect the following information upon access to our website (http://www.xentum.ch/) and/or Services:
• Technical/Log data includes the IP-address, customers’ login data (username and password), information on internet service provider, device type, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and other technology on the devices used to access our website and Services. This also includes information about customers’ use of the Services, including the type of browser time and date of access, pages viewed, and the pages visited before navigating to our Services.
• Usage Data includes information about how our Services are used by customers.
For the duration of this information being stored, please see Section 9. In accordance with the relevant legal obligations, AML/KYC/CFT Data will be stored until ten years after the termination of the customer relationship. The storage’s purpose is based on ensuring the operability and integrity of the system, ensuring the performance of transactions, the compliance with the legal duties concerning KYC/AML/CFT and related due diligence duties as well as for statistical purposes.
Failure to provide Personal Data
Where we need to collect personal data:
• by law; or
• under the terms of, or in connection with any business relation we have; or
• as part of our legitimate (business) interests to verify the identity of our applicants and clients, mitigate against risks (such as potential or suspected fraud) and in particular, to assess and take a decision on whether we will or should enter into a relationship with contracting parties (as subject to our client acceptance criteria and policies); and this data is not provided when requested, or else provided in an incomplete or insufficient manner, we may not be able to perform or conclude contractual relations which we have or are otherwise trying to enter into.
and this data is not provided when requested, or else provided in an incomplete or insufficient manner, we may not be able to perform or conclude contractual relations which we have or are otherwise trying to enter into.
In certain instances, particularly where this relates to KYC/AML/CFT data, we may even need to exercise our prerogative to terminate our contractual relations, and thus withdraw the availability of our Services, or else, if still at application stage, we may have to decline to enter into a contractual relationship.
Sensitive Personal Data
We do not knowingly collect any information qualifying as Special Categories of Personal Data under article 9 of the GDPR (or Sensitive Personal Data). Should we receive sensitive personal data, we will only process that data where there is a legitimate reason and purpose as set down in article 9 para. 2 of the GDPR to do so and, in all circumstances, in accordance with our obligations at law and under the appropriate safeguards.
As set out below in Section 5, we collect and process KYC/AML/CFT data in order to be able to (i) comply with legal and regulatory obligations, as applicable (ii) conduct our AML and KYC checks, and other due diligence checks, (iii) verify customer’s identity or claimed identity and identify and/or verify customer’s source of funds and source of wealth, as appropriate, (iv) perform a risk assessment on the potential customer relationship, (v) take an informed decision on whether we want to enter into a customer relationship, and, if positive, to conduct initial and ongoing screening and monitoring and (vi) to comply with any legal or regulatory obligation that we may have and/or any court, regulatory or enforcement order that may be issued upon us.