1. Introduction

1.1. UAB “Glocash Payment” (hereafter referred to as “Company”) is a licensed electronic money institution under the license no. 19 and is regulated by the Bank of Lithuania. The Company is incorporated under the laws of the Republic of Lithuania with Company code 304596376 and has its registered address at Narbuto St. 5-1, Vilnius, LT-08101, Lithuania. The Company owns and operates the domain https://www.glocash.com/en/ (hereafter – the “Website”).
1.2. The Company is the data controller (hereafter also referred to as “Data Controller”) of Your personal data collected via the means described herein and any process of Your personal data is performed in accordance with this Privacy Policy (hereafter “the Policy”) and the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) as amended from time to time (hereafter – the “GDPR”).
1.3. You are an identified or identifiable natural person, whose personal data the Data Controller processes in course of conducting business, regardless of whether the personal data were obtained from You directly or from third parties (hereinafter referred to as “Data Subject”).
1.4. Any information relating to an identifiable natural person (i.e., using information and data in order to directly or indirectly identify a specific person) hereafter shall be referred to as “Personal Data”.
1.5. Any operation which is performed on the Personal Data (or on sets of Personal Data) whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction hereafter shall be referred to as “Processing”.

2. Scope and Applicability

2.1. As part of the Data Controller’s daily operations, it is necessary to collect Personal Data from existing and prospective customers to be able to provide them with the products and services of the Data Controller. This Policy describes how the Data Controller collects, processes, uses, maintains, stores and discloses the Personal Data of the Data Subjects.
2.2. Any Personal Data the Data Controller collects about the Data Subjects will only be used for the purposes the Data Controller collects it for, or as allowed under the applicable legislation, and to perform its contractual obligations concerning the products and services offered. This Policy covers the Data Controller’s official Website, all its related sub-domains that are registered and operated by the Data Controller, as well as the payment gateways and any other software solutions used by the Data Controller.
2.3. This Policy applies to the Processing of Personal Data regardless of the form/environment in which the Personal Data is provided (e.g., on paper, electronically, by phone or otherwise) and whether or not the Data Controller processes it by automated means or manually.
2.4. This Policy applies to former, existing or prospective customers, applicants, and visitors on the Website(s). The Data Controller strives to protect the privacy, confidentiality, and security of all Personal Data obtained from the Data Subjects during the business relationship and their dealings with the Data Controller, including information obtained during their visits to the Website(s).
2.5. The Data Controller treats all individual visitors that enter its Website(s), all private individuals that represent its corporate customers (i.e., authorized representatives, proxies, etc.), and all its private individual customers as Data Subjects in the sense of the GDPR.

3. Commitment to Data Subjects

3.1. The Data Controller fully understands the importance of maintaining the confidentiality and privacy of the Personal Data of Data Subjects. The Data Controller respects the privacy of Data Subjects, and to this end, is committed to taking all reasonable steps to protect and safeguard the privacy, confidentiality, security and integrity of the Personal Data of Data Subjects.

4. Personal Data Collection

4.1. If a natural person has an intention to become the customer of the Data Controller, then they have to accept the terms and conditions of the Data Controller (hereinafter – “Terms and Conditions”) and the following customer due diligence process needs to be carried out. During this process, the prospective customer is requested to provide certain personal information, data and identification documents, as well as acknowledge their willingness to share this private information with the Data Controller to evaluate their request to use Data Controller’s products and services and to comply with the laws and regulations governing the provision of payment instruments, services and products offered by the Data Controller. 4.2. Apart from the Personal Data collected during the account opening process or afterwards, the Data Controller may collect Personal Data in several ways, including but not limited to the following:
4.2.1. through the provision and use of its products and services;
4.2.2. through the use of its Website(s) and mobile apps (if applicable);
4.2.3. through the completion of any forms;
4.2.4. via subscription to the Data Controller’s blogs, newsletters, and/or news updates;
4.2.5. through participation in online discussions, surveys, or promotions;
4.2.6. through participation in any offers, campaigns, or competitions of the Data Controller;
4.2.7. through any person during correspondence with the Data Controller, both online and offline;
4.2.8. during the provision of customer service or support in any form;
4.2.9. from third-parties such as the Data Controller’s business partners, agents, outsourcers, sub-contractors, service providers, intermediaries, payment service providers (i.e., Visa, Mastercard, etc.), credit reference agencies, fraud prevention agencies, banks, other financial or credit institutions, public registers and official databases, third-party authentication service providers, associations (i.e., lawyer’s association), etc. to be able to enter into a contract with the Data Subject and carry out its obligations arising from the contracts entered between the Data Subject and Data Controller;
4.2.10. from persons connected with the above-mentioned third-parties such as representatives, proxies, authorized representatives, trustors, beneficial owners, family members, spouses, partners, heirs, guarantors, etc.;
4.2.11. data from Data Controller’s e-commerce merchants regarding transactions made by their own customers in e-shops to ensure the merchants’ payment collection services for the goods sold and services rendered online;
4.2.12. through publicly available sources and social media (i.e., Registrar of Companies, Government Gazette, online directories, newspapers, social media websites, etc.), and;
4.2.13. by contacting the Data Controller for any other reason.
4.3. The Data Controller may occasionally request further information from the Data Subject to help improve its services and products under the Terms and Conditions or to comply with the applicable laws and regulations.

5. The Collected Personal Data

5.1. The following list of Personal Data that the Data Controller may collect from the Data Subject is not exhaustive, however, it specifies the main categories of Personal Data which the Data Controller collects and Processes:
5.1.1. personal details (i.e., name, surname, identification document number, date and place of birth, gender, nationality, citizenship). Personal Data may also include sensitive data like your race, ethnic origin, biometric data, etc.;
5.1.2. contact details (i.e., actual place of residence, registered place of residence, email address, mobile telephone number, landline telephone number, fax number, identifier on telecommunication systems, etc.);
5.1.3. employment history (i.e., current profession, employer’s name and address, employment history, education, skills, academics, etc.);
5.1.4. economic profile (i.e., annual income, estimated net worth, wealth, source of funds, assets, liabilities or any other necessary financial information) and whether the Data Subject is a politically exposed person;
5.1.5. identification documents necessary to (a) verify the Data Subject’s identity such as passport or national identity card and (b) to verify their permanent residence such as utility bills, bank statements, etc.;
5.1.6. image of the Data Subject in photo and/or video form derived from customer due diligence identification documents, or by uploading a photo to the customer account, or by conducting a video call with any of the employees of the Data Controller;
5.1.7. tax information (i.e., tax identification number (TIN), country of tax residence, other taxpayer information as necessary);
5.1.8. financial information (i.e., bank account and payment card details and other financial information as necessary);
5.1.9. account information (i.e., username, password, customer number, trading activity and history, charges, fees and commissions charged, etc.);
5.1.10. transactional information (i.e., in and out payments, including date, time, amount, beneficiary details, merchant details and location, internet proxy (IP) address of the sender and receiver as well as their names and registration details, messages sent and received in relation to the payment, payment methods used, device information used to facilitate the payment and payment instrument used, etc.);
5.1.11. telephone/audio recordings, email correspondence or any other form of communication with the Data Controller (i.e., live chat, blogs, post, etc.). These forms of correspondence are recorded and the recordings are retained for such periods as may be necessary or required by law;
5.1.12. technical information (i.e., internet protocol (IP) address used, unique device identifier, location, login information, browser type and version, time-zone setting, operating system and platforms, type of device or browser used, network information server logs, etc.);
5.1.13. location (tracking via the global positioning system (GPS), if location services are switched on the device used to access the customer account).
5.1.14. marketing information or any other information received as a result of visiting and using the Data Controller’s Website(s) (i.e., the full Uniform Resource Locators (URL) clickstream to, through and from the Website (including date and time), referrer URL, products and services viewed or searched for by the Data Subject, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page, any phone number used to call Data Controller’s customer service number, etc.).

6. Data Usage and Processing

6.1. The Data Controller will only collect, use, Process, disclose, transfer and store Personal Data in accordance with the GDPR, local Lithuanian legislation on data protection and practices, and Terms and Conditions based on one or more of the following legal bases and purposes:
6.1.1. to perform its contractual obligations and to provide the Data Subjects with the services and products that they have requested, or to provide them with information regarding its products and services that may be of interest to them, or to keep them updated on the issues that are relevant to their business relationship with the Data Controller;
6.1.2. to complete the customer on-boarding and identification procedures. Personal Data is used to verify the Data Subject’s identity and residence (in order to accept them as a customer) as well as to conduct the anti-money laundering, terrorist financing and fraud prevention, sanctions, credit risk and customer due diligence checks as required by the applicable laws. It is also used to assess and confirm the Data Subject’s eligibility to use the products and services of the Data Controller. It should be noted that these checks may be conducted by the Data Controller’s third-party service providers on its behalf;
6.1.3. to set-up and operate the customer account / profile the Data Subject has with the Data Controller as well as to provide them with technical and customer support;
6.1.4. to process transactions and to send information about transactions executed;
6.1.5. to administer and improve the Data Controller’s Website(s) and payment gateways in relation to any technical issues faced, troubleshooting, errors, maintenance, support, data analysis, testing, etc.;
6.1.6. to protect the security of Data Controller’s Website(s), devices and payment gateways through detecting and preventing any type of security breaches, hacking, fraud or other malicious, illegal or criminal activities as well as to prevent any unjustified risks to its commercial operations;
6.1.7. to perform research or to conduct data analysis which will help the Data Controller to improve its products and services as well as to provide the Data Subjects with better products and services in the future and/or to suggest them products and services that may be of interest. In such a case, the Data Controller will combine the Personal Data of one Data Subject with the Personal Data of other Data Subjects on an aggregate basis and create impersonalized data. The Data Controller may provide this research or analysis to third parties solely for statistical and/or marketing purposes to the extent allowed under the Terms and Conditions. Under no circumstances shall any particular Data Subject be identifiable from this data analysis and always remain anonymous;
6.1.8. to investigate any grievances or complaints and settle any disputes;
6.1.9. to enable Data Subjects to participate in surveys, competitions, campaigns, etc. that might be of interest, where they have consented to be contacted for such purposes;
6.1.10. to send marketing communications and/or promotional material in the agreed forms (i.e., by email address, telephone number or social media accounts). Please note that the Data Controller will not disclose any Personal Data to any third parties for the purpose of allowing them to directly market to Data Subjects;
6.1.11. to notify the Data Subjects of any changes to the Data Controller’s products and services, Terms and Conditions, policies or other legal documents which form part of the business relationship between the Data Subject and the Data Controller, or to keep Data Subjects updated with the news on products and services, or to provide them with any legal notifications in relation to other important matters relating to the use of Data Controller’s services and products;
6.1.12. to comply with the applicable laws and regulations, including requests from the regulator or other competent authorities, court orders, police investigations, preparation of regulatory reporting or any other legal and regulatory requirements to which the Data Controller is subject such as anti-money laundering laws, market abuse laws, financial services laws, privacy laws and tax laws;
6.1.13. to safeguard the legitimate interests of the Data Controller, whether this is pursued by the Data Controller itself or by another third party. In such a case, the Data Controller must have a sound business or commercial reason to use Personal Data and must not go unfairly against the best interests of the Data Subject.
6.2. If it is necessary to use Personal Data and other data for any other reason which is not outlined above, then Data Subjects shall be duly informed by the Data Controller (i.e., via a pop-up message, push notification, email or otherwise) and also if there are any additional terms and conditions which will apply. Data Subjects will always be asked to confirm whether they agree to these additional terms and conditions before the Data Controller can proceed.
6.3. Data Subjects shall always have control over what and how they receive communications or information from the Data Controller. If the Data Subject wishes to withdraw from such electronic communications (including marketing and advertising communications, promotional material, market research analysis, news, updates, newsletters, etc.), then they shall express their wish by sending a freeform email to a designated email address at dpo@glocash.com to unsubscribe from future correspondence.
6.4. It should be noted that even if the Data Subject unsubscribes from marketing communications, they will still continue to receive communications from the Data Controller that are necessary for the provision of its products and services.

7. Communication

7.1. The Data Controller or its affiliates, business partners, associates or other agents may, from time to time, contact Data Subjects by telephone, fax, email, post or otherwise, for the purposes of offering them further information about its products and services, or to inform them of promotional offerings, or for marketing purposes or to conduct market research.
7.2. If the Data Subject wishes to opt-out of any further contact at any time and for whatever reason, they are entitled to do so by contacting the Data Controller’s backoffice department via email and requesting in writing that they wish no further contact in relation to the above reasons.

8. Disclosure and Transfer of Personal Data

8.1. Any Personal Data or other confidential information (including recordings, documents of a confidential nature, payment details and personal details) that Data Subjects provide to the Data Controller will be treated as confidential and it will not be disclosed to any third parties, except when necessary to provide the Data Subjects with the products and services of the Data Controller, fulfil its contractual obligations and conduct its business operations as described herein. Below are the cases under which the Data Controller may disclose Personal Data and why:
8.1.1. group companies: to any member of the company group of the Data Controller, meaning any branch, subsidiary company, sister company, parent and/or holding company and its respective employees in order to provide the services and products, to fulfil contractual obligations under the Terms and Conditions and to provide technical and customer support. It should be noted that all group entities and its employees are required to follow the privacy and security protocols of the Data Controller when handling Personal Data;
8.1.2. third-party service providers: including but not limited to legal advisors, professional or expert advisors, internal auditors, external auditors, service providers who have been contracted to provide the Data Controller with software and hardware systems, payment gateways, platforms, support, administrative, financial, legal, accounting, auditing, taxation, compliance, record-keeping, Website, cloud-hosting, informational technology (IT), research, marketing, advertising, email transmission or messaging services, data storage, or other services which are necessary to be able to execute transactions, instructions of Data Subjects, order or payments, or to complete contractual obligations, or to provide the products and services requested, or for purposes which are ancillary to the provision of the products and services. It should be noted that third-party providers are permitted to use Personal Data only for the provided services contracted for and may not use or otherwise share this data;
8.1.3. credit reference agencies, fraud prevention agencies, third authentication service providers, banks, payment service providers, other financial institutions: to conduct credit checking, anti-money laundering checks, identity verification checks, sanction checks, fraud and fraud prevention checks, risk assessment, payments processing or customer due diligence checks. In order to do so, these organizations will check the details supplied by Data Subjects against any details held on any database (public or otherwise) to which they have access. These organizations may store the information in order to comply with their legal and regulatory obligations. A record of the search conducted by these organizations will be retained by the Data Controller;
8.1.4. affiliates, business partners, agents, associates and business introducers: with whom the Data Controller has a mutual business relationship and they have directed Data Subjects to it;
8.1.5. police, courts, regulatory authorities, governmental agencies, public authorities and law enforcement authorities: having control or jurisdiction over the Data Controller or companies of the group, Data Subjects, associates or in whose territory the Data Controller has customers or providers, as applicable. In such a case, the Data Controller will share Personal Data only when it is required to comply with the applicable laws, rules and regulations, or to comply with a court order of a competent court, or to comply with investigations, administrative, judicial or legal proceedings and/or to respond to official requests from these authorities. This may include authorities outside the Data Subject’s country of residence or the Data Controller’s country of operations;
8.1.6. other third parties: the Data Controller may share Personal Data in the event of a merger, sale, restructure, acquisition, joint venture, assignment, transfer or other disposition of all or any portion of its business, assets or stock (including bankruptcy/liquidation proceedings or equivalent);
8.1.7. where necessary to secure the Data Controller’s legitimate business interests and to defend, protect and/or exercise its legal rights in front of any court, tribunal, arbitrator, the financial ombudsman or any other regulatory or governmental authority, as the case may be;
8.1.8. at the request or with consent of the Data Subject;
8.1.9. to any person(s) authorised by the Data Subject.
8.2. Entities and employees within the group, third-party service providers, business partners, associates, affiliates, agents and business introducers are duly informed about the confidential nature of such information and the Data Controller requires that these organizations acknowledge and commit to the confidentiality of Personal Data by means of contractual clauses, undertake to respect the right to privacy, safeguard Personal Data and to comply with all the relevant data protection laws and this Policy.

9. Personal Data Safeguarding Measures

9.1. The Data Controller has implemented physical, technical and organizational measures to secure and protect Personal Data from unauthorized access, use or disclosure, unlawful breach or from accidental destruction, loss or damage. The Personal Data provided to the Data Controller is protected in many ways as follows:
9.1.1. Personal Data is stored in secure servers and back-up servers;
9.1.2. access to the Personal Data is limited only to those employees or partners that need to know the information in order to enable the carrying out of the Terms and Conditions and have access via a username and password;
9.1.3. the Data Controller uses encryption, tokenization and takes all reasonable technical security measures to prevent unauthorized parties from viewing, using or processing any such information. This information is accessible only to authorized personnel;
9.1.4. payment card environment is Payment Card Industry Data Security Standard (PCI DSS) compliant by the external assessor;
9.1.5. the Data Controller trains its employees regularly regarding the importance of maintaining, safeguarding and respecting Personal Data and security;
9.1.6. potential breaches of individuals’ privacy are taken very seriously. The Data Controller will impose appropriate disciplinary measures to its employees and it could even involve a dismissal from employment in case the potential or an actual breach took place due to the employee’s neglect;
9.1.7. business partners, affiliates, agents, associates, service providers and employees sign a confidentiality and non-disclosure agreement in order to maintain the confidentiality of the Personal Data;
9.1.8. the Data Controller tests and monitors the effectiveness of security measures frequently;
9.1.9. the Data Controller has appointed a Data Protection Officer (DPO) to ensure that it obtains, manages, processes and discloses Personal Data in accordance with this Policy and the applicable legislative and regulatory framework;
9.1.10. in the unlikely event of a data breach, as soon as the Data Controller becomes aware of a breach of Personal Data protection, and without undue delay, it notifies the regulatory body in accordance with the provisions of the GDPR. In case that a breach of Personal Data protection could pose a high risk to the rights and liberties of persons, without undue delay, the Data Controller will notify the affected person about the Personal Data breach as well.
9.2. While the Data Controller shall use all reasonable efforts to safeguard Personal Data entrusted with it, Data Subjects must acknowledge that the transmission of information via the internet is not entirely secure and for this reason the Data Controller cannot ensure or guarantee the confidentiality, security or integrity of any Personal Data transferred from the Data Subject to the Data Controller or vice versa via the internet.
9.3. This Data Controller shall not be responsible or liable (whether in civil, criminal or otherwise) under any circumstances for any amount or kind of loss or damage (including without limitation, any direct, indirect, punitive or consequential loss or damages, or any anticipated loss of profit, loss of profit, loss of opportunity, loss of data, costs and fines and/or any special or incidental damages of any kind) that may result to Data Subjects or arising from or connected in any way to cyberattacks, computer viruses, system failures or malfunctions which may occur in connection with the use of the Data Controller’s products, services, websites, devices, mobile applications, payment channels or any other method.

10. Personal Data Storage and Retention Period

10.1. Under the applicable laws and regulations (including anti-money laundering laws), the Data Controller is required to retain all types of records containing Personal Data for at least 5 (five) years after the termination of the business relationship as long as one of the following criteria is valid:
10.1.1. until the contract concluded with the Data Subject is in force;
10.1.2. as long as according to the legislation and regulations, the Data Controller and the Data Subject can realize their legal (legitimate) interests;
10.1.3. as long as the Data Subject’s consent is in force for the appropriate processing of their Personal Data, if there is no other legal basis for processing the data.
10.2. It should be noted that the Data Controller may keep Data Subject’s Personal Data for longer than five (5) years in case, for example, a dispute arises between both parties, or due to legal and/or regulatory reasons requiring the Data Controller to do so. In any case, the Data Controller shall not keep the Data Subject’s personal information for any longer than is required. As soon as the purpose has been fulfilled, the Data Controller erases the data or destroys the information carriers on which the data is recorded (e.g., documents in paper format).
10.3. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time. When Personal Data is no longer necessary for the purpose for which it was collected, we will securely destroy the records.

11. Personal Data Transfer Outside the EEA

11.1. Data protection rules of the European Union apply to the whole European Economic Area (hereinafter – “EEA”) which includes all of member states of the European Union and other countries, such as Iceland, Liechtenstein and Norway. If necessary, the Data Controller may transfer Personal Data to a country outside the EEA, for storage and/or for processing by staff operating outside the EEA who work for the Data Controller and/or to its suppliers, business partners, associates, affiliates, agents, business introducers or service providers who are engaged on its behalf to fulfil contractual obligations under the Terms and Conditions. Moreover, the collected Personal Data may be stored or processed in a jurisdiction that is different to the country in which the specific entity of the group is registered and established. Therefore, by entering into the business relationship with the Data Controller and submitting Personal Data, Data Subjects agree to the transmittal, storing and processing of their Personal Data outside the EEA.
11.2. When Personal Data is transferred outside the EEA, the Data Controller will take all steps reasonably necessary to ensure that the transfer is lawful, that the organization to whom the data is sent provides data protection at an adequate level, or, provided that receiving, the Data Controller undertakes sufficient guarantees in accordance with the provisions of the GDPR to ensure that Personal Data is treated securely.
11.3. Where this is not possible to do so and the Data Controller is required to disclose Personal Data (i.e., because it is required by law or by virtue of a court order in place), the Data Controller will do this as per the applicable legal and regulatory obligations.
11.4. The Data Controller will only send Personal Data outside the EEA to a country, in relation to which the European Commission has not made a decision regarding the adequacy of its security level and which does not provide the corresponding guarantees, if:
11.4.1. the Data Subject has clearly agreed to the proposed transfer, having received information from the Data Controller about the potential risks that such a transfer could pose to them;
11.4.2. transfer is necessary in order to fulfil the contract between the Data Subject and the Data Controller or to implement measures after the conclusion of the contract, which were approved at the Data Subject’s request;
11.4.3. transfer is necessary for conclusion of an agreement between the Data Controller and another private individual or legal entity, in the interests of the Data Subject or for the fulfilment of such a contract;
11.4.4. transfer is necessary, if there are important reasons of public interest;
11.4.5. transfer is necessary in order to raise, fulfil or defend legal requirements, or;
11.4.6. transfer is necessary in order to protect the vitally important interests of persons if the Data Subject is physically or legally incapable of giving their own consent.

12. Cookies and Links

12.1. The Data Controller’s data collection procedures include the placement of cookies for the purpose of gathering information and data about the manner in which its customers interact with the Website(s) in order to provide them with a better experience and present its product and services according to their needs and preferences. Cookies are small pieces of data files sent from the Website(s) to the Data Subject’s browser that is stored on their computer when using the Website(s) and may include a unique identification number. A cookie in no way gives the Data Controller access to the Data Subject’s computer or any other information about them, other than the information they choose to share with the Data Controller.
12.2. The Data Controller uses cookies on its Website(s). It does not link the information that it stores in cookies to any personally identifiable information that the person submits while on the Website(s). The individual can choose if and how a cookie will be accepted by changing their preferences and options in the browser. If the person chooses to disable the cookies, they may still use the Website(s), but they may not be able to access some parts of it or fully use all of the features within it. Data Subjects are strongly advised to read the Data Controller’s Cookies Policy in order to fully understand how it uses cookies and other web tracking technology via the Website(s).
12.3. It should be noted that some of the Data Controller’s business partners, agents, associates, business introducers or affiliates may also use cookies on the Website(s). The Data Controller has no access to, or control over these cookies and, therefore, it will not be liable for misuse of loss of Personal Data resulting from these cookies. When the Data Subject uses the Website(s), they may be able to link to other websites. This Policy does not apply to those other sites. The Data Controller encourages Data Subjects to read and understand the privacy policies on all of these other sites.

13. Monitoring and Recordings

13.1. The Data Controller will, as required by law, monitor and record any form of communication between it and the Data Subject, including but not limited to electronic correspondence (i.e., chats/emails), video calls, fax, postage, telephone conversations, in person or otherwise, in relation to the provision of its products and services and the business relationship established between the Data Controller and the Data Subject. The Data Subject accepts such recordings as conclusive evidence of the orders, instructions, requests or conversations so recorded.
13.2. The Data Controller has security measures in place both for the whole building and at its offices, including closed circuit television (hereinafter – “CCTV”) and building access controls. There are signs notifying everyone that CCTV is in operation. Accordingly, if the Data Subject visits the Data Controller’s premises for any reason, the Data Controller may have CCTV footage which will record the Data Subject’s image. These images are to be securely stored and only accessed by authorized personnel on a need-to-know basis (i.e., to look into an incident). CCTV recordings are typically erased after a short period of time unless an issue arises which requires the Data Controller to maintain the recording for a longer period of time (i.e., to investigate a case of theft).
13.3. In addition, visitors to offices may be requested to sign in at reception and the Data Controller shall keep a record of visitors for a short period of time. Visitor records are to be securely stored and are accessible only on a need-to-know basis. All the above-mentioned types of recordings will be the sole property of the Data Controller and will constitute evidence of the communications between it and Data Subjects, any business dealings and agreements made. The Data Controller reserves the right to use these recordings in a court of law in case of a dispute or otherwise.

14. The Rights of Data Subjects

14.1. In line with the provisions and requirements of the GDPR on the protection of Personal Data, Data Subjects have the following rights in relation to their Personal Data:
14.1.1. access to their Personal Data. Data Subjects have the right to access their Personal Data, to review all the Personal Data that is related to them and which was collected for the duration of the business relationship, update their file (information) and to check the accuracy of their Personal Data at any time, which is related to the Data Subject individually;
14.1.2. rectification. If the Personal Data the Data Controller holds about the Data Subject is inaccurate or incomplete, the Data Subject is entitled to make rectifications, amendments and update it with their current personal circumstances. In such a case, the Data Controller may request supporting documents or evidence to justify the correction of the data;
14.1.3. changes. Data Subjects may inform the Data Controller at any time regarding any changes to their Personal Data by sending an email to a designated mailbox at dpo@glocash.com. The Data Controller will change the Data Subject’s Personal Data according to their instructions. The Data Controller may require supporting documents from Data Subjects as proof in order to proceed with such requests;
14.1.4. deletion. Data Subjects have the right to request the Data Controller to delete their Personal Data (partly or wholly) when there is no good reason for it to continue processing it, except to the extent that the Data Controller is required to hold it for legal or regulatory purposes as well as to maintain adequate records in accordance with anti-money laundering requirements. The request to delete the Data Subject’s Personal Data will lead to the automatic end of the business relationship.
14.1.5. information on use and processing. Data Subjects have the right to obtain information on the use and purpose of processing their Personal Data as well as inform them what information the Data Controller processes and they have the right to request a copy of the Personal Data the Data Controller holds about them (except documents) within 30 (thirty) days from the date of the request free of charge. Taking into account the complexity or number of requests, the Data Controller may extend the response time to 2 (two) months. If additional copies are required, the Data Controller may charge a reasonable administrative fee based on actual costs incurred. The Data Controller has a right to decline the Data Subject’s request if it is clearly unjustified or excessive, particularly because of their repetition on a regular basis;
14.1.6. Processing restrictions. Data Subjects have the right to request the Data Controller to limit the Processing or to stop the Processing altogether of their Personal Data for one of the following reasons. It should be noted that this will not stop the Data Controller from storing the Data Subject’s Personal Data and may have an effect on the provision of its products and services rendered to the Data Subject:
14.1.6.1. the Data Subject disputes the accuracy of the data. In this case, the duration of the restriction cannot be longer than the period during which the Data Controller is checking the accuracy of the data;
14.1.6.2. data Processing is unlawful, and the Data Subject objects to the erasure of data, requesting the restriction of the use of data instead. In this case, the Processing of Personal Data will be restricted for the period that the person has requested;
14.1.6.3. the Data Controller no longer requires the data for Processing, but it is required by the Data Subject concerned, in order to raise, fulfil or defend lawful requirements. In this case, the restriction will be set for the period that the person has requested and justified;
14.1.6.4. the Data Subject has objected to the Processing that is justified by the Data Controller’s legitimate interests. In this case, the duration of restriction will be set for the period during which a check is conducted as to whether the Data Controller’s legitimate interest is more important than the person’s legitimate interest.
14.1.7. choice to opt-out. Data Subjects may opt-out from receiving commercial, non-commercial newsletters and notifications from the Data Controller by notifying its DPO via sending an email to a designated mailbox at dpo@glocash.com;
14.1.8. portability. Data Subjects have the right, under certain circumstances, to receive and retain their Personal Data in order to save it or to re-use it elsewhere, or to ask the Data Controller to transfer it to another data controller or third-party nominated by them. After the fulfilment of the data transfer application, the Data Controller would no longer be responsible for its subsequent Processing by the third-party. The data transfer is free of charge;
14.1.9. withdrawal. Data Subjects may withdraw their previously given explicit consent with regards to the collection, use and Processing of their Personal Data at any time by contacting its DPO via a designated mailbox at dpo@glocash.com. In that case, subsequent data Processing will no longer be carried out, however, Personal Data Processing carried out before the withdrawal will remain valid. Withdrawal of consent cannot result in the suspension of Personal Data Processing which is carried out on legal grounds.
14.2. Data Subjects can submit their request to make use of the above-mentioned rights to their Personal Data by contacting its DPO via a designated mailbox at dpo@glocash.com.

15. Legal Disclaimer

15.1. The Data Controller is not liable for the use, misuse or loss of Personal Data (or otherwise) on the Website(s) or from the content of websites to which the Website(s) links to and the Data Controller has no access or control over the use or protection of information provided by Data Subjects or collected by those sites. Whenever a Data Subject elects to link to a co-branded website or to a linked website, they may be asked to provide registration or other Personal Data. Such information is collected by the third-party and will be governed by the privacy policy of that particular third-party.
15.2. The Data Subject is responsible for keeping their login credential confidential and not to disclose them to any unauthorized third-party. If any person gains access to the Data Subject’s account and/or Personal Data, the Data Controller will not be held responsible or liable for any damages that occur, or any unlawful or unauthorized use of Personal Data due to misuse or misplacement of login credentials, negligent or malicious intervention (or otherwise) by the Data Subject or due to their acts or omissions or by a person authorized by the Data Subject (whether or not that authorization is permitted in the terms of the legal relationship between the Data Controller and the Data Subject).

16. Consent

16.1. The collection, use and storage of Personal Data is based on the Data Subject’s consent. By entering into an agreement with the Data Controller and accessing its Website(s), portals or payment gateways, the Data Subjects agrees and consents to the collection, use and storage (for at least 5 (five) years from the end of the business relationship) of all Personal Data that they supply to the Data Controller with by the means described herein. In addition, downloading the Data Controller’s platform(s) and allowing cookie settings in a web browser also constitutes consent of this Policy. Data Subjects may revoke their consent at any time, however, any Personal Data Processed before the receipt of the revocation will not be affected.

17. Data Protection Officer

17.1. Should the Data Subjects have any questions regarding this Policy, wish to make a complaint or exercise any of their rights in relation to their Personal Data, they may contact the Data Controller’s DPO as follows:
17.1.1. via designated email at dpo@glocash.com, or;
17.1.2. via registered post at: T. Narbuto St. 5-1, Vilnius, LT-08101, Lithuania.
17.2. If the Data Controller is unable to satisfy the Data Subject or in case the Data Subject is unhappy with the outcome of the complaint, they have the right to lodge a complaint to the supervisory authority/regulator for Personal Data protection matters Data Protection Commissioner of the Republic of Lithuania by visiting this page https://vdai.lrv.lt/en/.

18. Amendments to the Policy

18.1. The Data Controller will review this Policy at least once annually, or whenever a material change occurs in the law, or in its internal procedures/arrangements, or whenever the Data Controller deems it necessary for any reason, and will duly notify its customers of such changes by posting an updated version of this Policy on its Website(s). If, however, the Data Controller makes material or significant changes, it shall notify its customers promptly by other means.
18.2. The Data Subject hereby accepts that the posting of an updated Policy on the Website will serve as the actual notice of the Data Controller to the Data Subjects. The Data Controller encourages Data Subjects to periodically review this Policy so that they are always aware of what information the Data Controller collects, how it uses it and to whom it may disclose it, in accordance with the provisions of this Policy.