Exhibit 2 – Privacy and Data Protection.
This Exhibit 2 “Privacy and data protection” includes Provider's terms and conditions in respect of the processing of data (hereafter "Privacy Terms"). These Privacy Terms apply to Users and to any visitor of the Website or Platform. They govern any processing of personal data in relation to the Services, Website or Platform. The processing of personal data under this Agreement is also subject to the provisions of the General Data Protection Regulation (GDPR) https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=NL.
- Entity responsible for processing User’s personal data.
Provider is, when it collects and processes User’s personal data, the controller for the processing of this data.
- Data being processed.
The following information may be collected, processed and stored by Provider:
Directly identifying information may be processed by Provider, if User has provided Provider with this information (for example by communicating with Provider). User is not obliged to provide Provider this information or to agree with the processing thereof. However, in certain cases such communication will need to take place to ensure proper service provision or to comply with applicable laws.
In this context Provider:
a1) will process information required for the performance of the contract, such as: User’s surname and first name, address, nationality, User’s email address, User’s phone number, User’s VAT number, User’s financial information.
a2) may process personal information required by law in the context of its “know your customer” obligations. In case User is a natural person: its surname, first name; date and place of birth, address; nationality; a copy of User’s identity card or passport. In case User is a legal person the following personal information may be processed: for each member of the board of directors, the above listed personal data for natural persons and for each ultimate beneficiary person(s), the above listed personal data for natural persons.
a3) may process information voluntarily provided by User and used by Provider to increase security and verify User’s identity, including for example a copy of User’s utility bills.
Provider may process certain information in the course of visits to the Website, Platform or other internet-based Services, in particular:
b1) information concerning the pages that were consulted and the activities Users have undertaken via the Website, Platform or Wallet;
b2) identification information Users have provided voluntarily (for example by registering on the Website, Platform or subscribing to newsletters);
b3) certain non-directly identifying data, such as the type of browser or operating system that is used, the IP address or the technologies used for accessing the Website or Platform.
- Purposes of the processing.
Provider can process personal data for (one of) the following purposes, based on one or more legal grounds:
To ensure the provision of the Services, User’s information will be used to create his account and his Wallet, to verify his identity and his status as contract party in the course of his use of the Wallet and Platform (in particular in case of recovery of his private key or to reset his login or pin code) or for performing our Services in the context of Transactions (and amongst others when you contact our service desk). Provider processes this data based on the legitimate interest it has in providing the Services in compliance with the agreement.
To comply with “know your customer” obligations imposed by law, the information under (A) above may be processed with a view to performing know your customer obligations imposed by law and any related reporting obligations. Provider processes this data based on the legitimate interest it has in complying with the law.
To ensure the technical and functional management of the Website and Platform and the provision of the ordered Services, the information under B) may be processed to ensure the good functioning of the Website, Platform and the Services and to enhance their use. Provider processes this data based on the legitimate interest it has in providing a good functioning Website and Services.
To inform Users about our events, about developments related to subjects that might be of interest to Users and about our services, or for direct marketing purposes, Provider processes the data under (A) and (B) based on User’s explicit consent and Provider's legitimate interest to keep its clients informed of its activities and services.
To answer User’s questions and job inquiries, Provider processes the data under (A) or (B) based on User’s explicit consent, User’s contractual relationship with us or his request to take steps prior to entering into a contract.
- Third-party access to User’s personal data.
Provider may rely on the services provided by third parties to perform certain (processing) activities.
Provider uses in the context of its Services servers that are rented from a third party and that are located at the premises of this third party. This third party has no access to the data hosted on these services.
Provider may provide User’s data as mentioned under A.2 to a subcontractor who will provide to Provider the services of performing the know-your-customer verifications based on Provider's instructions. User hereby agrees to the provision of his data mentioned under A.2 to such a subcontractor for the purpose mentioned.
Provider may, upon User’s request and with his consent, transfer User’s personal data under 4.A) to third parties in the context of the integration of User’s Wallet with other IT-applications. In this case, User will be requested via appropriate technical means to provide his consent with such transfer and User will conclude directly with such third party the required data processing agreements.
Provider does not provide any personal data to other third parties, except if required by law or by an order of a competent court or regulatory authority to do so.
- Protection and storing of User’s personal data.
Provider undertakes to implement the security measures, which can reasonably be expected in order to protect User’s personal data from destruction, loss, modification or any other unauthorized processing.
In particular, Provider will amongst others implement the following security measures:
A) Technical security measures
User data is stored on a server with no public IP address. Only specific servers are able to contact this server in a separate private network.
SSH connection to public servers can only be done from the (virtual) private network of Venly.
User passwords are always hashed (not stored in plain text). User data is stored in a database with access control and all user data (which is inside the database) is encrypted at rest.
B) Operational security measures.
Access to user data is restricted to certain team members and can be revoked at any time.
Provider will not store any of User’s personal data any longer than is necessary for the specific purposes for which it is stored, taking into account Provider's contractual and legal obligations with regard to this data and Provider's mission to correctly answer customer questions and to provide the Services in compliance with the Agreement.
- Exercise of personal rights related to User’s personal data.
User has the following rights in respect of User’s personal data being processed by Provider:
- the right to request free access to the personal data processed;
- the right to request the correction or removal of User’s data;
- the right to request a restriction of the processing;
- the right to request the portability of User’s data; and
- the right to object to the processing of User’s personal data (in the case of direct marketing without any substantiation).
In case the processing of User’s personal data is based on User’s consent, User has the right to revoke this consent at any time. However, such a revocation does not affect the lawfulness of any processing prior to this revocation.
If User intends to use any of its abovementioned rights, please do so by submitting a request with the Terms & Conditions Request Form or by letter to Provider (see address below). Provider cannot handle User’s request without proof of User’s identity and the applicable legislation may impose conditions on exercising the above rights.
Provider will request a copy of User’s identification document as proof that User is indeed concerned by the personal data and thus entitled to the rights mentioned above.
Provider will use its best efforts to respond to User’s request without undue delay after receipt of User’s request.
User should bear in mind that Provider will not always be obliged to comply with a request for access, correction, removal or transfer, taking into consideration the requirements related to the establishment, exercise or substantiation of a legal claim or the legitimate exercise of the right of freedom of expression and / or information.
User also has the right to file a complaint with the Data Protection Authority. Such a complaint can be filed either by post directed at Rue de la Presse 35, 1000 Brussels or through an e-mail to email@example.com