Xinpay Limited is a company incorporated in the United Kingdom under the company number 13049871 (the “Company”). The Company is committed to data protection and privacy. We respect and protect the rights of individuals, particularly the right to data protection and privacy as far as the processing and use of personal data is concerned. This Data Protection Policy (“Policy”) is approved by the Board of Directors of the Company. The Data Protection Officer of the Company shall be responsible for the compliance with and enforcement of data protection and privacy.
This Policy defines the standard for the data protection compliant processing of personal data. It defines the requirements for business processes that involve personal data and assigns clear responsibilities.
The Company must ensure that all processes involving the processing of personal data are able to fulfil the requirements stated in this Policy. As an employer, the Company has responsibility for the processing of its employees’ personal data. When handling personal data in the course of their duties, all employees of the Company are required to follow the requirements of this Policy.
Personal data shall only be processed lawfully and in accordance with the principles set out below.
- Lawfulness, Fairness, and Transparency: Personal data may only be processed lawfully, fairly and in a transparent manner in relation to the data subject. This is the case when processing is legally permitted in the specific case. Among others, the laws permit all cases of data processing that:
- are necessary for the performance of contracts with the data subject (e.g. the storage and use of necessary personal data in the context of an employment- or service contract),
- are necessary to take steps at the request of the data subject prior to entering a contract (e.g. a customer requests information about product X and then purchases said product. The data necessary to send the information material and to execute the contractual relationship may be processed),
- are necessary for compliance with legal obligations, e.g. due to tax or social insurance laws,
- are necessary to protect the vital interests of the data subject or of another natural person,
- are necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (e.g. for direct marketing),
- include decision-making based on automated processing in an individual case that produces legal effects concerning the data subject, when this automated decision is legally permitted, required for the performance of a contract with the data subject, or for which the data subject has explicitly granted consent, or
- are based on the consent of the data subject (for example, when registering on a website or subscribing to a newsletter).
Personal data should be collected directly from the data subject. If this is not the case, the data subject must be notified, particularly about the types of personal data that are being collected, processed, and/or used and for which specific purposes this occurs.
- Specific Purpose: Personal data may only be collected for specific, explicit purposes. It may not be processed in a manner that is incompatible with those purposes.
The specific purpose must be defined before data collection. Processing for a purpose other than that for which the data have been collected is only permitted in exceptional cases, when a law permits processing for another purpose or if it is based on the data subject’s consent. To ascertain whether the other purposes are compatible with the agreed purposes, the reasonable expectations of the data subject towards the Company with regard to such further processing, the type of data used, the possible consequences of the intended further processing for the data subject, and measures of encryption or pseudonymization must be taken into account.
- Data Minimization: Personal data may only be collected to the extent which is absolutely necessary to fulfil the defined purpose. Processing must be adequate, relevant, and limited to what is necessary in relation to the purposes for which the data is processed.
- Accuracy: Personal data must be accurate and up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. All processes that involve the processing of personal data must provide an option for rectification and update.
- Storage Limitation (Obligation to Erase): Personal data may only be stored as long as is necessary for the purposes for which it is processed or due to other legal requirements, particularly to comply with statutory retention periods. After this point, personal data must generally be erased or anonymized. All processes for processing personal data must contain an option for erasure or blocking to the extent required by law.
- Integrity, Availability, and Confidentiality: Personal data and its processing operations must always be appropriately protected by means of technical and organizational measures. This includes, in particular, suitable measures to protect against unauthorized or unlawful processing, accidental loss, destruction or damage, accidental disclosure and unauthorized access.
- Processing of Special Categories of Personal Data: The collection, processing, and use of special categories of personal data should always be transparent for the data subject. Unless the collection and processing of such data is explicitly authorized by law, e.g. if necessary for carrying out obligations and exercising rights in the field of employment, social security or social protection, it should only be collected on the basis of explicit prior notification and consent of the data subjects.
The consent must explicitly refer to these special data categories and their processing for one or more specified purposes. Unless applicable laws stipulate otherwise, special categories of personal data may only be processed and used with the explicit consent of the data subjects. Increased protective measures must be established to protect the data (e.g. physical security measures, access restrictions and encryption).
- Right to be Informed: Data subjects have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. The Company must provide the data subjects with information including: our purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with.
- Right of Access and Data Portability: Data subjects have the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed. In such a case, the Company shall provide access as required by law. The information is provided in writing, unless the data subject submitted the request for information electronically. The information to be provided to the data subjects must include the purpose of storage, the recipients of the data, and all other legally required information pursuant to Article 15 of the GDPR. The data subject must be provided with a copy of the personal data that are undergoing processing. Upon request by the data subject, the data that he or she has provided to the controller must be made available in a structured, commonly used and machine-readable format.
- Right to Rectification, Restriction, and Erasure: When personal data prove to be incorrect, incomplete, or out of date, each data subject has the right to rectification of his or her personal data. This can be the case, for example, if the data subject has changed his or her name due to marriage.
Data subjects also have the right to obtain restriction of processing of their personal data when one of the following applies:
- The data subject contests the accuracy of the personal data and verification of the accuracy of the personal data takes some time. In this case, the data subject can demand restriction for the period of the verification of the accuracy.
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims. Should it become apparent that certain information is of particular value to the data subject, the data subject must be notified of the pending erasure with reasonable notice.
- The data subject has objected to processing for the duration of the clarification as to whether the legitimate interests for processing outweigh those of the data subject.
Within the restriction process, the stored personal data of the data subject must be marked with the aim to restrict access and limit their further processing. In addition, data subjects have the right to the erasure of their personal data in the following cases:
- The purpose of the data processing no longer applies.
- The data subject withdraws his or her consent for a specific purpose of processing.
- Address data is used for direct marketing purposes and the data subject objects to such use.
- The data is processed unlawfully.
- Erasure is required to meet legal obligations.
All processes in which personal data is collected, processed, or used must include a concept for the regular retention and deletion of personal data. This concept must ensure that personal data is erased in a timely manner after the fulfilment of the specified purpose or the lapse of the authorization for storage, particularly statutory retention terms. Instead of erasure, personal data may also be anonymized. If there is an obligation to erase personal data and said data has already been made public, other controllers shall be notified of the data subject’s request to erase his or her data, including all links to this data.
- Right to Object: Data subjects have the right to object to data processing when the Company processes personal data based on a decision in favour of its legitimate interests. In this case, the data subject must claim his or her own rights or interests on grounds relating to his or her particular situation, which outweigh the Company’s legitimate interest to process the data. Data subjects can object to the processing of their personal data for the purpose of direct marketing, including profiling if such is related to direct marketing, at any time and without giving reasons. If an objection is raised, the Company will not process this data further for these purposes. This does not apply where the processing cannot be ceased due to compelling legitimate grounds for the processing, particularly the establishment, exercise, or defence of legal claims.
- Right to Complain: If a data subject wishes to file a complaint with regard to the processing of his or her personal data, they can do so directly by e-mail to the data protection officer: privacy@xinpay.org.
The data subject must be notified about all measures taken based on his or her request within one month at the latest.
Responsibility for compliance with data protection requirements rests with the board of directors of the Company that processes the personal data for its business purposes. Executive management may delegate the task of fulfilling this responsibility to managers at different levels within the organizational framework and the associated business processes.
If personal data is to be transferred to an associated company, a review must first take place as to whether contractual agreements regarding data protection and privacy are needed. Such a review is required only when an associated company or external service provider is to process personal data on behalf of the Company (referred to as “transfer for processing purposes”). If personal data is to be transferred to a country outside the EEA, it must be ensured beforehand that an appropriate level of protection is guaranteed, pursuant to Article 44 of the GDPR.
In addition, the following rules apply to the transfer of personal data:
- Transfer for commissioned processing: If the Company commissions an associated entity or an external company with the processing of personal data, it remains responsible for compliance with data protection and privacy requirements.
- Transfer for the recipients’ own purposes: The Company may transfer personal data to an associated company or an external company for their own purposes only if this is legally permitted or required, or if the data subjects have first given consent.
The Company processes personal data of customers and on behalf of customers. The use and, if relevant, transfer of such customer data must be in accordance with the applicable laws.
Xinpay
Mar 2020