We are the Best money transfer company in london ABDALI XCHANGE

02085588885
168 HOE STREET, WALTHAMSTOW, LONDON E17 4QH
info@abdalixchange.co.uk

GDPR Policy

ABDALI XCHANGE

What is data protection?

It is the fair and proper use of information collected from people in the course of business. We are required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Payment Services Regulations 2017 to collect customer data. While collecting data we must ensure that we comply with the UK regulations which set standards and obligations for collecting, processing and storing data.

The Data Protection Act 2018 sets out the framework for data protection law in the UK. It replaces the Data Protection Act 1998 and came into effect on 25 May 2018. It sits alongside and supplements the UK GDPR.
The UK GDPR is the UK General Data Protection Regulation, which came into effect on 01 January 2021. It is based on the EU GDPR, which applied in the UK before January 2021. Abdali Xchange is only required to comply with the UK GDPR as we only operate in the UK.

‘Personal data’ means information about a particular individual. This might be our customer, employee, business partner or business contact. Personal data includes information that is public or provided to us while performing our duty.
‘Processing’ includes collecting, recording, storing, using, analysing, disclosing or deleting personal data.
A controller is the main decision-maker who exercises overall control over the purposes and means of the processing of personal data.
A processor is a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller.
The data subject is the individual who is the subject of the relevant personal data.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. The GDPR refers to sensitive personal data as special categories of personal data that we collect during the course of business.

Abdali Xchange Ltd takes the security and privacy of data seriously. We need to gather and use information or ‘data’ about our customers, employees and partners as part of our business. We intend to comply with our legal obligations under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR 2021) in respect of data privacy and security. We have a duty to notify customers and other interested parties of the information contained in this policy.
This policy applies to our customers, employees, and all partners. If you fall into one of these categories, then you are a ‘data subject’ for the purposes of this policy. You should read this policy and any other notice we may issue from time to time in relation to your data.
The Company has separate policies and privacy notices in place in respect of the remittance services we provide. A copy of these can be obtained by request to the director of the Company.
The Company is a data controller for the purposes of your personal data. This means that we determine the purpose and means of processing your personal data.
This policy explains how the Company will hold and process your information. It explains your rights as a data subject. It also explains our obligations when obtaining, handling, processing or storing personal data in the course of the business.
This policy does not form part of your contract for services and can be amended by the Company at any time. It is intended that this policy is fully compliant with the DPA 2018 and the UK GDPR 2021. If any conflict arises between those laws and this policy, the Company intends to comply with the DPA and the UK GDPR.
The objective of this policy is to ensure everyone in the Company understands their obligations under the UK GDPR to:

  • Assure the data privacy and protection of customers, staff, advisors, and other individuals who interact with our Company
  • Mitigate risks arising from non-compliance
  • Ensure that the Company has necessary safeguards in place as required by UK GDPR

This Policy applies to all processing of personal data by Abdali Xchange Ltd and its employees and any third-party suppliers of services to Abdali Xchange Ltd, where ‘processing’ includes any operation undertaken on the data, including receipt, use, storage and disposal.
Employees are defined as permanent and fixed-term contract employees engaged under a contract of employment who provide services on behalf of Abdali Xchange Ltd. The Policy applies to data held in any format (electronic or hard copy/paper) or system or processed by any means.

Under the UK GDPR, the data protection principles set out the main responsibilities for organisations. The principles are similar to those in the Data Protection Act, with added detail at certain points and a new accountability requirement. Article 5(1) of the GDPR requires that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) adds that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

The accountability principle requires organisations to show how they comply with the principles of UK GDPR, which can be done by:

  • Maintaining relevant documentation on processing activities
  • Implementing appropriate technical and organisational measures that ensure and demonstrate compliance
  • Implementing internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal policies
  • Implementing measures that meet the principles of data protection by design and data protection by default

Penalties

We are accountable for these principles and must be able to show that we are compliant. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of total worldwide annual turnover, whichever is higher.
Under Recital 87 of the UK GDPR, when a security incident takes place we will establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO within 72 hours if required.
Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of global turnover.

The special categories of personal data (sensitive personal data) are:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic or biometric data;
  • health;
  • sex life and sexual orientation; and
  • criminal convictions and offences.

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever personal data is processed. These are set out below:
(a) Consent: the individual has given clear consent to process their personal data for a specific purpose.
(b) Contract: processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
(c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
(d) Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
(e) Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

  • Our lawful basis for collecting and processing personal data of customers is that processing is necessary to perform or enter into a contract in order for them to use our services.
  • Our lawful basis for processing the personal data of employees is that processing is necessary to perform or enter into the employment contract we have with them.
  • Our lawful basis for processing the personal data of employees in relation to PAYE, pension contributions and other personal data shared with HMRC is that processing is necessary for compliance with the law.
  • We will only contact our customers for marketing purposes, such as sending the daily currency rates, if they have given us their consent.
  • We are under a legal obligation to hold records, including transactional data, for 5 years from the date a one-off transaction has been carried out or from the date the business relationship ends; in all cases this should be in line with the requirements set by the PSR 2017 and the HMRC Regulations 2017.
  • We will not hold and use any of these special categories of your personal data as this is not required for remittance purposes.

For services provided by Abdali Xchange Ltd where we collect and process personal data on behalf of our clients, we act as a data controller and processor, and therefore we must comply with the obligations placed on us by the UK GDPR, which include:

  • As a data processor we must have adequate security measures in place for processing personal data
  • We must make sure that the people processing data on our behalf are subject to a duty of confidence
  • We will only share personal data with third parties if they fall under UK GDPR and we have a written agreement with them to process such data
  • All staff must contact the data controller if they become aware of any data breach
  • Staff must assist the controller in providing data subject access and allowing data subjects to exercise their rights under the UK GDPR

The company processes personal information about customers and employees.
The information we collect may include:

  • Personal details such as name, address, ID etc.
  • Financial details
  • Employment details
  • Bank details in the case of electronic transfer
  • Your images (whether captured on CCTV or photograph)

Our processing activities do not involve automated decision making or profiling.
The Company may need to share the personal information it processes with the individual themselves and also with other organisations. Where necessary we may share data collected with banks, FX brokers, service providers, credit referencing agencies, HMRC, advisors and other authorities.
It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the UK GDPR.

In line with the UK GDPR requirements the Company has appointed a data protection officer (DPO), Mr. Said Aqib Habibi, who is responsible for the firm’s data collected, stored and processed.
He can be contacted on sayed.aqib.habibi@gmail.com and telephone No. +44 7404765514. The Company’s Data Protection Officer [Mr. Said Aqib Habibi] is responsible for reviewing this policy and updating the Company’s data protection responsibilities and any risks in relation to the processing of data. Staff should direct any questions in relation to this policy or data protection to him using the contact details above.

The UK GDPR provides the following rights for individuals:

Right to be informed

Individuals have the right to be informed about the collection and use of their personal data. We are obliged to provide ‘fair processing information’, typically through a privacy notice or policy document. This should include:

  • Identity and contact details of the data controller
  • Purpose of the processing and the lawful basis for the processing
  • The legitimate interests of the controller
  • The rights of the data subjects

If the data is obtained directly from the data subject, the information should be provided at the time the data is obtained.

Right of access

Individuals have the right to access their personal data. Individuals can access their data through a data request form or by emailing the DPO directly.
Information must be provided without delay and at the latest within 30 days of receiving the request. The company must verify the identity of the person making the request, using ‘reasonable means’.
If the company refuses to respond to a request, it must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

Right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. A request for rectification must be responded to within 30 days. All such requests should be made to Abdali Xchange Ltd.

Right to erasure / Right to be forgotten

The right to erasure enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. We are required to keep records of all data for 5 years from the day the relationship has ended.
The right to erasure applies in the following circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data has to be erased in order to comply with a legal obligation

Right to restrict processing

Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, the company is permitted to store the personal data, but not further process it.
The Company will be required to restrict the processing of personal data in the following circumstances:

  • Where an individual contests the accuracy of the personal data, the Company should restrict the processing until it has verified the accuracy of the personal data
  • If the Company no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim

Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The Company must provide the personal data in a structured, commonly used and machine-readable form. This should enable other data controllers to use the data.
The information must be provided free of charge. It is very unlikely that we will receive such a request but, in any case, the company must respond to such requests without undue delay, and within 30 days.

Right to object

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • Direct marketing (including profiling); and
  • Processing for purposes of scientific/historical research and statistics

The company must stop processing the personal data unless:

  • It can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • The processing is for the establishment, exercise or defence of legal claims.

The company must inform individuals of their right to object “at the point of first communication” and in their privacy notice. The company must stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse.

Rights in relation to automated decision making and profiling

The GDPR has provisions on automated decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).
Abdali Xchange Ltd’s processing does not involve automated decision making or profiling.

Everyone who works for or with Abdali Xchange Ltd has some degree of responsibility for ensuring data is collected, stored and handled appropriately. All staff who handle personal data must ensure that it is handled and processed in line with this policy and the data protection principles. The DPO (Mr. Said Aqib Habibi) is ultimately responsible for ensuring that Abdali Xchange Ltd meets its legal obligations.
Area of responsibility:

  • The Company must be kept updated about UK GDPR responsibilities, risks and issues
  • The company must demonstrate compliance with the data protection principles and UK GDPR
  • The Company should implement appropriate technical and organisational measures to ensure and to demonstrate that processing activities are compliant with the UK GDPR
  • All data protection procedures and related policies will be reviewed every year
  • Training and advice on data protection should be arranged for the staff
  • The DPO (Mr. Said Aqib Habibi) should handle data protection questions from staff and anyone else covered by this policy
  • The Company should deal with requests from individuals such as right of access or right to be forgotten
  • Any third party services the Company is considering using to store or process data should be evaluated
  • Contracts with third parties and processors that may handle the Company’s sensitive data should be checked and reviewed
  • All systems, services and equipment used for storing data must meet acceptable security standards
  • Regular checks and scans should be performed to ensure security hardware and software is functioning properly
  • Marketing initiatives should abide by UK GDPR principles
  • Adequate data protection procedures should be in place for when an employee leaves
  • Data breaches should be recorded, serious data breaches should be reported to the ICO and high risk breaches should be reported to the affected data subjects
  • Following any breaches, the company should review the adequacy of its security measures
  • The company should make sure individuals are aware that their data is being processed, how the data is being used and how to exercise their rights
  • The Company should make sure this policy document is made available to potential and existing clients and employees
  • The Company must ensure they continue to be registered as a data controller with the ICO
  • Our service providers request data for all customers when we trade funds. Staff should ensure that no data is emailed without password protection
  • All customer data should be uploaded to a secure system provided by our service providers
  • When sending ID documents, staff should ensure that this is emailed in a secure manner, protected by password
  • Staff should never email passwords in the same email
  • Always ask customers to provide KYC documents when they visit our office. If customers wish to email their documents, ask them to encrypt or secure it with password where possible
  • Sometimes we might share your personal data with FX Brokers, Banks or our contractors/IPSP to carry out our obligations under our contract with them for the services they provide us.
  • We require those companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with the services they provide us.
  • The services these companies provide us, include cash and electronic payment collection, processing, and wire payment services. These companies will require data of all our customers to meet their legal obligations.
  • We do not send your personal data outside the European Economic Area. If this changes you will be notified of this and the protections which are in place to protect the security of your data will be explained.

We have to process your personal data in various situations, for example during ID verification or onward payment to your recipient. We do not need your consent to process your personal data for the following purposes:

  • when we are processing your funds to your beneficiary
  • when funds are processed by our banks/FX brokers and they request us to provide details of the originators of the funds
  • when the regulators (HMRC and FCA) request the same information from us
  • when other authorities request data from us

Data subjects can make a ‘subject access request’ (‘SAR’) to find out what information we hold about them. This request must be made in writing. All such requests should be emailed to the Data Protection Officer, who will coordinate a response.

  • If the data subject would like to make a SAR in relation to their own personal data, they should make this in writing to the DPO [Mr. Said Aqib Habibi]. A response will be given within 15 days unless the request is complex or numerous, in which case we must respond within 30 days.
  • There is no fee for making a SAR. However, if the request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to respond to the request.

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach occur (whether in respect of staff or customers), we must make a record of the breach and keep evidence of it.
If staff become aware of a data breach, they must contact the DPO immediately and keep any evidence in relation to the breach.
Each case must be considered on its own merits. Breaches that are considered by the company to be ‘serious’ should be reported to the Information Commissioner’s Office (ICO). The seriousness of a breach will depend on:

  • the potential detriment to data subjects
  • the volume of personal data lost / released / corrupted
  • the sensitivity of the data lost / released / corrupted

There is no need to report a breach if it is “unlikely to result in a risk to the rights and freedoms of natural persons”.
The company has 72 hours from the time it becomes aware of a reportable breach within which to report it. Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113. To report the breach in writing, use the DPA security breach notification form found on the ICO website (https://ico.org.uk/for-organisations/report-a-breach/).
The Company has agreed that serious breaches will be reported to the ICO by Said Aqib Habibi.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the breach must also be reported to the affected individual(s) without undue delay. The Company has agreed that Mr. Said Aqib Habibi will notify the affected individuals of all such breaches.