1 Who “we” are
DNA Payments Limited (“we”, “us”, “company” or “our”) is committed to protecting the privacy and security of your Personal Data.
This Privacy Notice applies to all personal information processing activities carried out by about you prior to, during and after your client relationship with us. It is relevant to anyone who uses our services, including customers, prospective customers, suppliers, contractors, and website users.
Our principle address is C/O Wework, 123 Buckingham Palace Road, London, England SW1W 9SH.
We may update our Privacy Notice from time to time. When we do, we will communicate any changes by publishing the updated Privacy Notice on our website. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it.
2 Information collected from others
Where we have collected information directly from you it will usually be obvious what this is, as you will have given it to us. This might not be the case where we have used cookies to collect information from your computer or portable devices. Please see our Cookies Policy for more information.
3 What Personal Data do we collect?
We respect individuals’ rights to privacy and to the protection of personal information. The purpose of the Privacy Notice is to explain how we the data controller collect and use personal data in connection with our business. “Personal Data” means information about a living individual who can be identified from that information (either by itself or when combined with other information). We will collect and process various categories of personal data at the start of and for the duration of, your relationship with us. We will limit the collection and processing of information to information necessary to achieve one or more legitimate purposes as identified in this notice. Personal data may include:
The majority of the Personal Data provided by you is mandatory in order for us to administer the client relationship and perform our obligations under our contract(s) with you and/or comply with statutory requirements relating to making or receiving payments, sanctions, immigration or taxation. Failure to provide mandatory Personal Data may affect our ability to accomplish the purposes stated in this privacy notice and potentially affect your ongoing client relationship with us.
Where permitted by law, we may process information about criminal convictions or offences and alleged offences for specific and limited activities and purposes, such as to perform checks to prevent and detect crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. It may involve investigating and gathering intelligence on suspected financial crimes, fraud and threats and sharing data between DNA Payments Limited and with law enforcement and regulatory bodies.
The list set out above is not exhaustive, and there may be other Personal Data which we DNA Payments Limited collects, stores and uses in the context of the client relationship.
4 How we obtain information
The majority of the Personal Data which we process will be collected directly from you. Your information is made up of all the financial and personal information we collect and hold about you/your business and the proprietors, officers and beneficial owners of that business and your transactions. It includes:
5 Credit reference and fraud prevention agencies
Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
5.2 Automated Decisions
As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details above.
5.3 Consequences of Processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
5.4 Data Transfers
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
6 How Do We Use Your Personal Data?
DNA Payments Limited uses your Personal Data for a variety of purposes in order to perform its obligations under the contracts between you and us to comply with legal obligations or otherwise in pursuit of its legitimate business interests.
7 Schedule of Purposes of Processing
We will only use and share your information where it is necessary for us to carry out our lawful business activities. We want to ensure that you fully understand how your information may be used. We have described the purposes for which your information may be used in detail below:
7.1 Contractual necessity
We may process your information where it is necessary to enter into a contract with you for the provision of our products or services or to perform our obligations under that contract. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:
7.2 Legal obligation
When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:
7.3 Legitimate interests
We may process your information where it is in our legitimate interests do so as an organisation and without prejudicing your interests or fundamental rights and freedoms.
a) We may process your information in the day-to-day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. This may include processing your information to:
b) It is in our interest as a business to ensure that we provide you with the most appropriate products and services and that we continually develop and improve as an organisation. This may require processing your information to enable us to:
c) We may perform data analysis, data matching and profiling to support decision-making with regards to the activities mentioned above. It may also involve sharing information with third parties who provide a service to us.
d) It is in our interest as a business to manage our risk and to determine what products and services we can offer and the terms of those products and services. It is also in our interest to protect our business by preventing financial crime. This may include processing your information to:
Application decisions may be taken based on solely automated checks of information from credit reference agencies and internal records. For more information on how we access and use information from credit reference and fraud prevention agencies see Credit reference and fraud prevention agencies in this document.
Again, these lists are not exhaustive, and we may undertake additional processing of Personal Data in line with the purposes set out above.
We will update this privacy notice from time to time to reflect any notable changes in the purposes for which it processes your Personal Data.
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
8 Marketing information
Unless you have told us that you do not want to hear from us, we will send you relevant marketing information (including details of other products or services provided by us, companies which we believe may be of interest to you), by mail, phone, email, text and other forms of electronic communication. If you change your mind about how you would like us to contact you or you no longer wish to receive this information, you can tell us at any time by contacting us in in writing at DNA Payments Limited C/O Wework, 123 Buckingham Palace Road, London, England, England SW1W 9SH or by telephone on 0203 633 8655.
9 Transferring information overseas
We will share client Personal Data with third parties located outside of the EEA from time to time for the purposes set out in this Privacy Notice. We may transfer your information to organisations in other countries on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.
In the event that we transfer information to countries outside of the European Economic Area (which includes countries in the European Union as well as Iceland, Liechtenstein and Norway), we will only do so where:
10 What Special Categories of Personal Data Do We Process?
Certain categories of data are considered “special categories” of Personal Data” and are subject to additional safeguards. We do not need your consent if we use special categories of your Personal Data in accordance with our written policy to carry out our legal obligations or exercise specific legal rights. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
11 When Do We Share Client Personal Data?
We will share client Personal Data with other parties only in limited circumstances and where this is necessary for the performance of the contract or to comply with a legal obligation, or otherwise in pursuit of its legitimate business interests as follows:
In all cases, the client Personal Data is shared under the terms of a written agreement between us and the third party which includes appropriate security measures to protect the Personal Data in line with this privacy notice and our obligations. The third parties are permitted to use the Personal Data only for the purposes which we have identified, and not for their own purposes, and they are not permitted to further share the data without our express permission.
12 How Long Will My Personal Data Be Retained?
By providing you with products or services, we create records that contain your information. Records can be held on a variety of media (physical or electronic) and formats.
We manage our records to help us to serve our customers well (for example for operational reasons, such as dealing with any queries relating to your account) and to comply with legal and regulatory requirements. Records help us demonstrate that we are meeting our responsibilities and to keep as evidence of our business activities.
Retention periods for records are determined based on the type of record, the nature of the activity, product or service, the country in which the relevant company is located and the applicable local legal or regulatory requirements.
We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that we will be able to produce records as evidence, if they are needed.
Under some circumstances we may anonymise your Personal Data so that it can no longer be associated with you. We reserve the right to retain and use such anonymous data for any legitimate business purpose without further notice to you.
During the course of your client relationship with us we will review the Personal Data we hold in relation to you approximately every 12 months and any Personal Data which is no longer needed will be deleted. Following the termination of your client relationship with us we will typically retain data for the periods set out below:
Retention periods may be changed from time to time based on business or legal and regulatory requirements.
13 How is my Personal Data secured?
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, altered, disclosed, used or accessed in an unauthorised way. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. Details of these measures may be obtained from Data Protection Officer (the “DPO”) by wring to us at: DNA Payments Limited C/O Wework, 123 Buckingham Palace Road, London, England, England SW1W 9SH.
Third parties will only process your Personal Data on our instructions and where they have agreed to treat the data confidentially and to keep it secure.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
14 Your rights
We want to make sure that you are aware of your rights in relation to the personal data we process about you. We have described those rights and the circumstances in which they apply in the table below.
If you have any questions about these rights or you wish to exercise your rights of access you should set out your request to the DPO in writing to DNA Payments Limited C/O Wework, 123 Buckingham Palace Road, London, England, England SW1W 9SH.
15 No fee usually required
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
16 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
17 Where Can I get Further Information?
We have appointed the DPO to oversee compliance with this Notice. If you have any questions about this privacy notice or how we handle your Personal Data, please contact the DPO in writing to DNA Payments Limited C/O Wework, 123 Buckingham Palace Road, London, England, England SW1W 9SH.
Finally, you have the right to raise any concerns about how your Personal Data is being processed with the Information Commissioner’s Office (ICO) by going to the ICO’s website: https://ico.org.uk/concerns/ or contacting the ICO on 0303 123 1113 or email@example.com.