Data Protection Policy
1. Introduction
Tompay Ltd is committed to processing personal information responsibly and securely and in compliance with applicable laws. This document describes how personal information must be collected, handled and stored to meet Tompay's data privacy standards and to comply with UK Data Privacy Laws.
2. Objectives
The objective of the policy is to ensure that Tompay Ltd (“we”, “our”, “us”, “Tompay”):
This is an internal policy and should not be shared with third parties without prior authorisation from a Tompay Data Protection Officer:
Mr. Pavel Kuryan
3. Scope
Legal entity applicability
The policy relates to all staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns engaged with Tompay in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
4. Key Definitions
Where not listed below, terms will take their meaning from the GDPR.
Automated Decision Making: a decision based solely on automated processing which produces legal effects concerning the Data Subject or similarly significantly affects him or her.
Controller: the person or organisation that determines when, why and how to process Personal Data.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data.
Data Protection Impact Assessment (DPIA): an assessment of the impact of the envisaged processing operations on the protection of Personal Data.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the GDPR.
EEA: the countries in the EU, plus Iceland, Liechtenstein and Norway.
EU & UK Data Protection and Privacy Laws: the EU's General Data Protection Regulation (EU) 2016/679 and the e-Privacy Directive 2002/58/EC as amended from time to time and their national implementing legislation (including the UK Data Protection Act 2018 and the UK implementing legislation which has been retained in the UK following the withdrawal of the United Kingdom from the European Union), and the data protection acts of the EEA countries as amended and replaced from time to time.
EU General Data Protection Regulation: the EU's General Data Protection Regulation (EU) 2016/679.
GDPR: for the purposes of this policy means EU GDPR and UK GDPR.
Personal Data (personal data): any information relating to an individual who can be identified directly or indirectly from that data. Personal Data includes Pseudonymised personal data but excludes personal data rendered anonymous such that re-identification is not possible.
Personal Data Breach: A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. A personal data breach can occur accidentally or deliberately. A personal data breach is a data incident that triggers regulatory obligations.
Processing (processing): any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person to whom the data relates cannot be identified without the use of additional information which is kept separately and secure.
Tompay Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others.
Sensitive Personal Data (or "Special Category" Data): information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
UK GDPR: EU GDPR as retained as part of UK domestic law, following the UK withdrawal from the EU. References in this policy to 'GDPR' should be read as referring to both 'GDPR' and 'UK GDPR'.
5. Policy requirements
Personal data protection principles
Tompay adheres to the principles for processing of personal data set out in the GDPR which require personal data to be:
- Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
- Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
- Accurate and where necessary kept up to date (Accuracy).
- Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data are processed (Storage Limitation).
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
Tompay is responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
Lawful Basis for Processing
Under the GDPR personal data may only be collected, processed and shared if at least one of the following lawful grounds of processing under Article 6 applies:
- the individual has given his or her consent;
- the processing is necessary for the performance of a contract with the individual;
- to meet legal obligations;
- the processing is necessary in order to protect someone's life;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
- the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests, in particular where the Data Subject is a child.
Tompay must:
- Consider the lawful basis for all processing of personal data and document it. Typically this will be achieved by updating the records of processing described at paragraph 6.10 below;
- For all new processing or material changes to processing, determine the lawful basis and purpose of the processing before beginning processing; and
- Ensure that its customer facing privacy notices include the lawful basis for processing as well as the purposes of the processing.
- Ensure that high risk processing does not commence without the lawful basis being documented in a signed Data Protection Impact Assessment, and that records of processing are updated promptly to reflect material changes to processing and the applicable lawful basis.
The bases for processing most relevant to Tompay are outlined in more detail below.
Legal Obligation
As a regulated Electronic Money Institution Tompay is subject to legal obligations that require us to process and retain certain personal data.
For example, Tompay is obligated under the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692) to retain personal data about Tompay customers and Tompay transactions for a period of six years after termination of a customer's Tompay account.
Contract
This basis for processing applies where the processing is necessary for the performance of a contract to which the individual is a party or to take steps at the request of the individual prior to entering into a contract.
For example, when customers enter into our terms and conditions and wish to receive payment card related services, to perform our contract with our customers we must transfer their data to our partners, such as a BIN Sponsor.
Legitimate Interests
An example of our reliance on this basis of processing is the sending of electronic marketing communications promoting our own products to existing customers. The UK Data Protection and Privacy Laws acknowledge that companies may have a legitimate interest in direct marketing activities such as promoting special offers to existing customers.
Where a Tompay entity promotes its own products to existing customers there is relatively little intrusion into customers' privacy or other disproportionate impact. We may therefore rely on the legitimate interests basis of processing so long as the customer has not indicated they do not wish to receive marketing materials.
For electronic marketing the legitimate interest basis of processing is applicable only in these narrow circumstances. Otherwise consent is required as further described at paragraph 6.15 below.
Consent
It is only when no other lawful basis exists that Tompay relies on consent to process or share data.
Consent requires affirmative action. Silence, pre-ticked boxes or inactivity are insufficient.
If consent is given in a document which deals with other matters, then the consent must be kept separate from those other matters. In addition, valid consent must be “freely given”.
The individual must be free to withhold their consent for that data processing activity without being penalised in some way, such as by being refused access to a service.
Consent must also be “specific, informed and unambiguous”. The individual must be told in very clear terms, at the time that consent is requested, what they are being asked to consent to.
Unless Tompay can rely on another legal basis of processing, consent from the individual is usually required in each of the situations outlined below:
One (or more) of the following types of personal data is collected:
- location data via a mobile application
- biometrics including facial images, fingerprints, retinal scans, keystroke speed, and mouse movements
- other sensitive data such as racial or ethnic origin, political opinions, health data, religious beliefs
- device information and user behaviour through the use of cookies and other technologies; or
Personal data is processed for one or more of the following purposes:
- to send electronic marketing communications relating to third party products or services
- to share personal data with third parties (other than service providers who process only under our instruction)
- to conduct account level analytics for the purpose of targeted offerings to individuals for Automated Decision Making.
Where we rely on consent Tompay must:
- Evidence consent captured and keep records of all consents so that Tompay can demonstrate compliance with consent requirements.
- Ensure individuals are easily able to withdraw consent to processing at any time and promptly honour any withdrawal of consent.
Purpose limitation
Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
Tompay must not use personal data for new, different or incompatible purposes from that disclosed when it was first obtained unless it has informed the individual of the new purposes and they have consented where necessary.
An example of this would be sending Tompay customer personal data to a third party in order to send them targeted marketing communications for products that are unrelated to Tompay products. This may only be done when we have obtained the individual's GDPR-compliant consent.
Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Tompay Personnel may only process personal data when performing their job duties requires it. Personal data must not be processed for any reason unrelated to job duties.
Tompay Personnel may only collect personal data required for their job duties and must not collect excessive data. Tompay Personnel must ensure any personal data collected is relevant and necessary for the intended purposes.
Tompay Personnel must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with Tompay's data retention policies.
Accuracy
Personal data must be factually accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
Tompay Personnel must ensure that the personal data they use and hold is accurate, complete, kept up to date and relevant to the purpose for which it was collected.
Tompay must check the accuracy of personal data at the point of collection and reasonable steps must be taken to destroy or amend inaccurate or out-of-date personal data.
Storage limitation
Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
Personal Data must not be kept in a form which permits the identification of the individual for longer than needed for the legitimate business purpose or purposes for which it was originally collected including for the purpose of satisfying any legal, accounting or reporting requirements.
Tompay maintains retention policies and procedures to ensure Personal Data is deleted when no longer needed for the purpose for which it was being held unless a law requires such data to be kept for a minimum time.
Security
Keeping Personal Data Secure
Personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
Tompay Personnel must follow all procedures in place to maintain the security of personal data from the point of collection to the point of destruction and maintain data security by protecting the confidentiality, integrity and availability of personal data, defined as follows:
- Confidentiality means that only people who have a need to know and are authorized to use the Personal Data can access it.
- Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes or in order to assist data subjects with their rights.
Tompay Personnel must comply with and not attempt to circumvent the administrative, physical and technical safeguards put in place by Tompay to protect personal data as further set out in Tompay's Security Policy.
Reporting a Personal Data Breach
The GDPR requires data controllers to notify any Personal Data Breach to the applicable regulator and, in certain instances, the individual. For example, any of the following could result in a personal data breach for Tompay:
- suffering a computer system hack or phishing attack;
- emailing personal information to the wrong recipient; or
- the loss or theft of a device or records containing personal data.
Tompay has put in place a Data Breach Policy setting out how it complies with its legal obligations in the event of a Personal Data Breach.
A member of Tompay Personnel who knows or suspects that a Personal Data Breach has occurred must immediately report the matter through the Risk Incident Reporting process on Backoffice as referred to in the Data Breach Policy.
International Data Transfers
The UK GDPR restricts transfers of personal data to countries outside the UK to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined.
Personal data originating in one country is transferred when it is transmitted or sent to another country or viewed or accessed from another country.
Tompay Personnel must engage with the legal department prior to any transfer of personal data to a country outside the UK.
Transfers outside the UK are compliant with UK Privacy laws only if:
- the European Commission has issued a decision confirming that the country to which the transfer is made ensures an adequate level of protection for the individual's rights and freedoms;
- appropriate safeguards are in place such as standard contractual clauses approved by the European Commission; or
- one of the other conditions for lawful transfers under Chapter 5 of EU GDPR is met.
Similar requirements must be complied with in respect of transfers from the UK to third countries.
Data Subject's rights and requests
The GDPR provides individuals with certain rights in respect of their Personal Data (GDPR, Chapter 3). A summary of these rights and Tompay's approach to them is set out in the table below.
Data Subject Rights Requests (DSRRs)
A response must be provided to the individual without delay and in any event within one calendar month of receiving the request.
This period may be extended by a further two months where requests are complex or numerous. However, the individual must be informed of an extension within one month of the request and provided with an explanation of why it is necessary.
Standard DSRRs may be handled by customer support and non-standard DSRRs are handled by the DPO as further described in the Privacy Inquiries and Complaints.
Records of Processing
The GDPR contains explicit obligations about documenting data processing activities. To comply with those requirements Tompay must maintain clear descriptions of its processing including the personal data types, processing activities, processing purposes, data sharing, data storage locations, transfers outside the UK and/or the EEA and data retention periods. Tompay records of processing must be created and updated by product owners or service owners to reflect material new or changed processing activity, as further described in the applicable documentation.
Sharing Personal Data with Service Providers and Third Parties
In order to comply with GDPR personal data must not be shared with Tompay service providers (Data Processors) or other third parties unless certain safeguards and contractual arrangements have been put in place, and unless the individual has been made aware of this sharing in advance, in particular through our privacy notice.
Tompay Personnel must only share personal data with third parties, such as our service providers, if:
- they have a need to know the information for the purposes of providing the contracted services;
- sharing the personal data is consistent with our customer facing privacy notice and, if required, the individual's consent has been obtained;
- the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- the transfer complies with any applicable cross border transfer restrictions; and
- a fully executed written contract that contains GDPR approved third party clauses has been obtained (for Processing relationships only).
Tompay is responsible under GDPR for the processing undertaken by its Data Processors. GDPR requires that a contract is in place with each Processor including specific provisions for the protection of personal data.
The Tompay legal team can provide template data processing provisions for personal data processing and data sharing upon request.
Tompay Personnel must liaise with the legal team before agreeing to any such measures or sharing any personal data with third parties.
The principles above apply to all data sharing including data sharing between Tompay or associated companies (if applicable).
Tompay intends to comply with the Data Management standards of good practice in relation to open banking available at https://standards.openbanking.org.uk/good-practice/data-mgmt/latest/
Cookie Requirements
EU and UK Cookie consent rules require obtaining the user's express consent indicated by positive action before placing cookies and similar technologies on the user's device, except where cookies are necessary for the provision of a service.
All Tompay websites and mobile apps must have clear, conspicuous and comprehensive information to users about the use of cookies or similar technologies before any cookies are dropped on the user's device.
Users must consent to all cookies that are not strictly necessary for the operation of the site or mobile application, specifically advertising/media and analytics cookies.
Users must have the ability to withdraw consent for the use of non-essential cookies at any time.
Tompay Personnel must comply with internal guidelines on the placing of cookies and the maintenance of an auditable consent record.
Direct Marketing
Where Tompay has an existing relationship with a customer it may rely on a legitimate interests basis to send electronic marketing communications to customers.
Where Tompay does not have an existing relationship with a customer and where it promotes the products of third parties to existing customers it cannot rely on legitimate interests and needs opt-in consent to send electronic marketing communications.
For all direct marketing customers must be given a clear means to opt-out. Tompay provides the means of opt out via its mobile application.
Tompay Personnel must:
- ensure that all direct marketing activity complies with EU and UK Data Privacy Laws;
- comply with internal guidelines and consult with legal as necessary before engaging in any new direct marketing activity;
- maintain an auditable record of all consents and opt-outs and ensure that customer preferences are adhered to.
6. Governance
Roles and responsibilities
Whole Business
All departments are responsible for:
- Ensuring Tompay Personnel comply with this policy; and
- Implementing and adhering to appropriate practices, processes, controls and training to ensure compliance.
Data Protection Officer Responsibilities
The Data Protection Officer ("DPO") is responsible for:
- Ensuring the business and Tompay Personnel involved in processing personal data are aware of their obligations under UK Data Privacy Law, including ensuring that adequate training is provided;
- Monitoring compliance with this policy and UK Data Privacy Law;
- Supporting the DPIA process and monitoring its performance, including ensuring that DPIAs are undertaken in accordance with GDPR requirements;
- Acting as the first point of contact for supervisory authorities and for individuals whose data is processed;
- Notification of Data Breaches to the supervisory authorities in accordance with GDPR requirements, as further set out in the Data Breach Policy.
The DPO must perform their duties in an independent manner and shall not receive any instructions from the business regarding the exercise of those duties.
Senior Management Support of DPO Function and DPO Reporting
The Board, Head of Risk and Head of Compliance will actively support the DPO function, including providing adequate support in terms of financial resources and staff.
Legal Team
The Legal Team provides privacy support to the business on product assessments, privacy aspects of contracts with suppliers, partners and third parties and the updating of customer facing and employee privacy policies. The Head of Legal is the lead legal contact for privacy.
Tompay Personnel must contact the DPO in the following circumstances:
- if they are unsure of the lawful basis for processing Personal Data;
- if they need to rely on consent;
- if they need to draft privacy notices;
- if they are unsure on what basis to transfer personal data outside the UK and/or EEA;
- if they need any assistance dealing with any rights invoked by an individual;
- when engaging in a significant new, or change in, processing activity which is likely to require a DPIA or planning to use personal data for purposes other than that for which it was collected;
- if planning to undertake any activities involving Automated Decision Making;
- if help is needed to comply with applicable law when carrying out direct marketing activities;
- if help is needed to comply with applicable laws relating to cookies;
- before undertaking any new data analytics internally or with third parties; or
- if help is needed with any contracts or other areas in relation to sharing personal data with third parties.
Policy review
This policy is reviewed annually, as well as any off-cycle review as needed, per the Tompay Policy Framework.
Policy approval
This policy has been approved as per the policy approval process explained in the Tompay Policy Framework.
7. Complying with the policy
Training
All Tompay Personnel are required to complete mandatory data protection training at onboarding and refresher training annually.
The training programme also includes focused training to specific groups such as product teams and customer support.