Privacy policy
OBLIGATION
TO PROTECT PERSONAL DATA UNDER THE GDPR IN BLOCKENOMY
Due to the provisions of the GDPR
and AML – Blockenomy processes personal data of Customers. Accordingly, Blockenomy
is the Processor of personal data collected by Blockenomy within the meaning of
this document.
§
1 [OBLIGATION TO PROTECT PERSONAL DATA UNDER THE GDPR FOR ENTITIES WHOSE
INFRASTRUCTURE BLOCKENOMY USES]
Blockenomy uses the
infrastructure of a protected datacenter mail server Nazwa.pl, Poland and
intermediary servers of Google LLC, USA. Due to the separate provisions of the
GDPR regarding the provision of IT services in the European Union – technology companies Nazwa.pl, Poland and Google LLC, usa process data in a secure manner in
compliance with the principles of the GDPR, which means that the Customer’s
data sent by e-mail by Blockenomy in correspondence with the Customer are
protected in accordance with the GDPR.
§
2 [GDPR PLUS MINIMUM MEDIUM AML RISK SITUATIONS]
- The administrator of the customer’s personal data is Blockenomy , i.e.:
DigiLand Co.., Warsaw, Poland,
Mariusz Sperczynski
Address: 37 Mickiewicza Str. Office no. 58
City:Warsaw
Post code: 01-625
Country:Poland / EU
Tax Identification Number 957-000-84-40
- Purposes and legal bases for the processing of personal data.
- Blockenomy processes personal data (personal data of Customers) for
purposes related to the provision by Blockenomy of the services indicated
in this document. The above also includes the processing of personal data
related to communication between Blockenomy and Customers, to the extent
that it is related to the purposes referred to in the first sentence, in
particular to send customers information about the submitted order and its
execution. The above also includes the processing of personal data
related to the service process, directed by the Customer by e-mail or telephone,
as well as via the contact form of any applications. Blockenomy processes
this personal data on the basis of article 6(1)(f) of the GDPR law, i.e.
due to the fact that the processing of this data is necessary for the
purposes resulting from the legitimate interests pursued by the
Administrator, i.e. the proper performance of services provided by Blockenomy
and its agents, including communication with the Customer in connection
with the provision of services. In the scope related to handling the complaint
handling process, Blockenomy processes this personal data also
on the basis of Article 6(1)(c) of the GDPR Regulation, because the
processing of this data is necessary to fulfill the legal obligation
incumbent on the Administrator, i.e. the obligation to consider
complaints and keep documentation related to this process.
- Blockenomy processes Customers’ personal data related to the
provision of services also in order to possibly pursue claims related to
non-performance or improper performance of obligations related to the
contract for the performance of services, e.g. for the performance and/or
non-performance or improper performance of the service. Blockenomy processes
this personal data on the basis of art. 6 par. 1 lit. f) of the GDPR
Regulation, i.e. due to the fact that the processing of this data is
necessary for the purposes resulting from the legitimate interests
pursued by the Administrator related to the pursuit of claims.
- Blockenomy processes customers’ personal data related to the
provision of services by its agents to the extent necessary to prevent
fraud related to the exchange or payment services performed or the
operation of a payment system and to investigate and detect such fraud by
the competent authorities. Blockenomy processes this personal data on the basis of Article
6(1)(c), (d) and (f) of the GDPR Regulation, i.e. due to the fact that
these processing is necessary to fulfill the legal obligation incumbent
on the Administrator and is necessary to protect the interests of users
of exchange and payment services, as well as is necessary for the
purposes of the legitimate interests pursued by payment service
providers.
- Blockenomy processes Clients’ personal data related to the provision
of exchange or payment services for purposes related to the performance
of obligations arising from the provisions on counteracting money
laundering and terrorist financing, in particular to identify and assess the
risks associated with money laundering and terrorist financing, apply
security measures including, among others, identification of the Customer
and verification of his identity. Blockenomy processes this personal data on the basis of Article
6(1)(c) of the GDPR Regulation in connection with the provisions on
counteracting money laundering and terrorist financing, i.e. due to the
fact that the processing is necessary to fulfill the legal obligation
incumbent on the Administrator as an obliged institution within the
meaning of the provisions on counteracting money laundering and terrorist
financing.
- In addition, Blockenomy processes Clients’ personal data for other,
legally permissible, purposes directly or indirectly related to the
purposes referred to in paragraphs 1-4, in particular for archival and
statistical purposes, for purposes related to audits, management control,
or for purposes related to consulting. Blockenomy processes
this personal data on the basis of article 6(1)(f) of the GDPR
Regulation, i.e. in order to achieve the legally justified purposes of
the Administrator.
- Categories of personal data that are processed.
Blockenomy processes primarily personal data of Customers related to the provision of exchange or payment services, including in particular: name(s) and surname (surnames), correspondence address, e-mail address, payment account number, including bank accounts, other identifier of the payment instrument used, telephone number. In certain cases related to counteracting money laundering and terrorist financing – Blockenomy also processes additional personal data related to the identification of the Client’s person and verification of their identity, which includes, in particular, address, citizenship, PESEL number (or dates of birth – if no PESEL number has been assigned), series and number of the document confirming the Customer’s identity, address of residence. For communication purposes, Blockenomy primarily processes names, telephone numbers, email addresses. - Information about the categories of data recipients. The recipient of
the data is understood as a natural or legal person, public authority, entity
or other entity to which Blockenomy discloses the personal data of
customers, regardless of whether it is a third party. However, public
authorities which may receive personal data in the context of a specific
procedure in accordance with Union or Member State law are not considered
to be recipients. In connection with the above, Blockenomy informs about
the following categories of recipients: Blockenomy agents,
i.e. entities acting in the name and on behalf of Blockenomy (NOTE – in
the version currently in force in these Regulations, i.e. as at October
12, 2022. – Blockenomy
does not have agents obliged to comply with the rules of the GDPR on the
basis of these Regulations to the extent indicated in the previous part of
this document). as payment institutions; other payment service providers,
including the payment service provider, which makes available to the
customer the payment instrument used by the customer; the data is made
available to these recipients to the extent that the data must be provided
to them in connection with the provision of exchange or payment services
(point II.1), and to the extent that the data must be provided to them for
the purposes referred to in points II.3 and II.4, as well as in other
cases where these entities are entitled to obtain from Blockenomy information, including information
containing personal data; in particular, this includes banks and branches
of foreign banks, credit institutions, electronic money institutions,
payment institutions, credit, payment, virtual card operators; entities
providing legal services related to the activities of Blockenomy;
recipients of payments, for purposes related to the payment performed;
entities providing IT services related to Blockenomy’s activities, including hosting services; entities providing audit and other
services related to controlling Blockenomy’s activities; accountants and statutory auditors examining documents related to Blockenomy’s
activities ; entities related to Blockenomy;
other than the entities indicated above, which on the basis of legal
provisions are entitled to obtain from Blockenomy information related to Blockenomy’s
activities, which information may include personal data of Customers,
including in particular supervisory authorities towards Blockenomy .
recipients may also be other entities if the Customer’s personal data are
made available to them on the basis of the Customer’s consent indicating
such another recipient.
- Information about the intention to transfer personal data to a third
country or international organization.
Blockenomy does not intend to transfer Customers’ personal data to a third country (i.e. a country outside the European Economic Area) or to an international organization. - The period for which personal data will be stored or the criteria for
determining this period.
- Customers’ personal data processed for the purposes referred to in
point II.1 will be processed for the period of providing the payment
service and for a period of 13 months from the date of debiting the
payment account in connection with the exchange or payment service
performed or for a period of 13 months from the date on which the
exchange or payment transaction was to be performed, and after the expiry
of this period – for the period resulting from the provisions of
law, including the Payment
Services Act and tax regulations. In particular, Blockenomy explains that
AML regulations additionally require a correspondingly longer data
retention period.
- Customers’ personal data processed for the purpose referred to in
point II.2 will be processed for the period referred to in the paragraph
above, but not longer than for the period in which it is possible to
pursue claims in court, i.e. until the expiry of the limitation period
for claims. However, if the period referred to in this paragraph expires
earlier than the period referred to in the first subparagraph, Blockenomy
will cease to process personal data for the purpose and to the extent
referred to in this paragraph, but may still process Customers’ personal
data for the purposes and to the extent referred to in the first
subparagraph.
- Customers’ personal data processed for the purpose referred to in
point II.3 will be processed for the period necessary to achieve these
purposes, in particular taking into account the limitation periods for
the criminal record of such crimes.
- Customers’ personal data processed for the purpose referred to in
point II.4 will be processed for the period resulting from the provisions
of the law on counteracting money laundering and terrorist financing, in
particular information obtained as a result of applying security measures
is stored for a period of 5 years, counting from the first day of the
year following the year in which the transaction with the Customer was
carried out, and information on
transactions carried out by obliged institutions and documents relating
to transactions shall be kept for a period of 5 years from the first day
of the year following the year in which the last record relating to the
transaction was made.
- Personal data of customers processed for the purpose referred to in
point II.5 will be processed for the period appropriate to the original
purpose for which they were collected. However, if other data were
collected as part of this purpose than as a result of the implementation
of the purposes referred to in points II.1-II.4, these data will be
processed for the period of providing the payment service and 10 years
from its completion, but not longer than until the date of objection to
such processing, if it is justified.
- Information on the obligatory or optionality of providing personal
data. Providing the data referred to in point II.1 is a contractual, as
well as statutory requirement and in the scope of the so-called AML
financial security procedures, the Customer is obliged to provide them. In
the case of financial security procedure, if not provided, Blockenomy will
not be able to accept the order or payment and provide services. Providing
the data referred to in point II.2 is a contractual requirement in cases
to ensure financial security and the Customer is obliged to provide them.
Therefore, if they are not provided, Blockenomy will not accept an
exchange or payment order and will not provide the service. Providing the
data referred to in points II.3 and II.4 is a statutory requirement in
cases of ensuring financial security and the Customer is then obliged to
provide them. Therefore, if they are not provided, Blockenomy will not
accept an exchange or payment order and will not provide the service.
- Information about the rights of Customers.
- The Customer has the right to request from the Administrator access
to their personal data, including to obtain a copy of the personal data
subject to processing. The first copy is free of charge. For any
subsequent copies requested by the Customer, the Administrator may charge
a reasonable fee resulting from administrative costs.
- The Customer has the right to request the Administrator to rectify
their personal data that are incorrect, in particular because they were
collected with errors or because they have changed after collection. The
above right also includes the completion of missing data.
- The Customer has the right to request the Administrator to delete
their personal data, with the proviso that this right may be exercised in
the cases specified in the Regulation, i.e. when one of the following
circumstances occurs:
- personal data are no longer necessary for the purposes for which
they were collected or otherwise processed, in particular if the period
in which the Administrator planned or was obliged to process your data
has already expired;
- the consent on which the data processing is based has been
withdrawn, unless the Administrator has another legal basis for the
processing;
- an objection to the processing has been lodged and there are no
overriding legitimate grounds for the processing;
- if the personal data have been processed unlawfully;
- where the personal data must be erased in order to comply with a
legal obligation under Union or Member State law to which the Controller
is subject.
Blockenomy may refuse to comply with a reasoned request for deletion
referred to above in the cases provided for by law, in particular where further
processing is necessary to comply with a legal obligation requiring processing
under Union or Member State law, to establish, exercise or defend legal claims.
- The Customer has the right to request the Administrator to limit the
processing of their personal data, under the conditions set out in the
Regulation, i.e. when:
- The Customer disputes the correctness of personal data – for a
period allowing the Administrator to check the correctness of these
data;
- the processing is unlawful and the Customer objects to the deletion
of the personal data, requesting instead the restriction of their use;
- The controller no longer needs the personal data for the purposes of
the processing, but they are needed by the customer to establish,
exercise or defend claims;
- The Customer has objected to the processing – until it is determined
whether the legitimate grounds on the part of the Administrator override
the grounds for the Customer’s objection.
- The Customer has the right to object to the processing of their
personal data by the Administrator in accordance with Article 21(1) of
the Regulation, i.e. to object – for reasons related to a special
situation – to the processing of their data based on Article 6(1)(e) or
(f) of the Regulation, including profiling on the basis of these
provisions. In the case of the Administrator, the above right to object
applies to personal data processed for the purposes referred to in points
II.2, II.3, II.5.. In the event of an objection, the Controller may no
longer process this personal data, unless he demonstrates the existence
of compelling legitimate grounds for processing overriding the interests,
rights and freedoms of the data subject or grounds for establishing,
pursuing or defending claims. In particular, further processing of
personal data despite the objection may result from the purposes referred
to in points II.2 and II.3.
- The Customer has the right to object to the processing of their data
by the Administrator in accordance with Article 21(2) of the Regulation,
i.e. to object to the processing of their data for the purposes of such
direct marketing, including profiling, to the extent that the processing
is related to such direct marketing. In the event of exercising this
right, the Administrator may no longer process the Customer’s data for
the purposes of such direct marketing.
- The customer has the right to data portability. Therefore, the
Customer has the right to receive in a structured, commonly used and
machine-readable format his personal data that he has provided to the
Administrator, and has the right to send this personal data to another
administrator without hindrance from the Administrator. However, this
right is vested in the Customer only in the scope of personal data that
are processed on the basis of the Customer’s consent or on the basis of a
contract, and in the scope of data the processing of which is carried out
in an automated manner (in accordance with point IX. Blockenomy does not
process data in an automated manner). In exercising this right, the
Customer may also request that his personal data be sent by the
Administrator directly to another administrator, if it is technically
possible.
- The Customer has the right to withdraw the consent referred to in
point II.5 at any time. However, the withdrawal of consent does not
affect the lawfulness of the processing that was carried out on the basis
of consent before its withdrawal. In the event of withdrawal of consent,
the Administrator ceases to process the customer’s personal data, which
he processes only on the basis of consent. If the customer’s personal
data are also processed on a basis other than this consent, the
Administrator may continue to process them on this other basis – as long
as it occurs.
- The customer has the right to lodge a complaint with the supervisory
authority, i.e. one of the bodies established by individual EU Member
States, whose task is to monitor the application of the Regulation. The
supervisory authority competent for the territory of the Republic of
Poland is the President of the Office for Personal Data Protection.
- Information about automated decision-making, including profiling. The
Customer’s data will not be processed in an automated manner, including in
the form of profiling.
- Processing of data for a purpose other than the purpose for which they
were collected. Subject to point II.5 , Blockenomy does not plan to
further process Customers’ personal data for a purpose other than the
purpose for which the personal data was collected.
- Sources of data origin. The Administrator obtains Customer data from Customers.
* Processing of personal data
means an operation or set of operations which is performed on personal data or
on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, restriction, erasure
or destruction.** Personal data means
information about an identified or identifiable natural person (data subject);
an identifiable natural person is a person who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural
or social identity of a natural person.*** The payer is the person who intends
to pay, as well as the person who has already paid, through a payment agent cooperating with Blockenomy
– a specific monetary amount for the benefit of the payment recipient. In order
to make this payment, the payer uses a payment instrument such as, for example,
electronic banking or the payer’s card.**** The Merchant is the recipient of
the payment from the Payer, for whom payment services are provided by the Blockenomy
agent using the Blockenomy service.***** The
GDPR Regulation (“Regulation”) is Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons in in relation to the
processing of personal data and on the free movement of such data and repealing
Directive 95/46/EC****** Third party means a natural or legal person, public
authority, agency or body other than the data subject, controller, processor or
persons who, under the authority of the controller or processor, may process
personal data. Processor, on the other hand, means a natural or legal person,
public authority, agency or other entity that processes personal data on behalf
of the controller.
§
3 [AML PROCEDURES
Blockenomy has introduced and
applies internal procedures in the field of counteracting money laundering and
terrorist financing in accordance with Article 50 of the Act of 01.03.2018 on
counteracting money laundering. The person responsible for ensuring the compliance
of the activities of Blockenomy and other persons performing activities for Blockenomy
with the provisions on counteracting money laundering and terrorist financing
pursuant to Article 8 of the above-mentioned Act is the owner of Blockenomy. Blockenomy has
introduced and applies internal procedures for anonymous reporting by employees
or other persons performing activities for Blockenomy of actual or potential
violations of anti-money laundering and terrorist financing regulations in
accordance with Article 53 of the above-mentioned Act.
Blockenomy has introduced and applies instructions for managing the risks
associated with money laundering and terrorist financing in accordance with
Article 27 of the aforementioned Act.
Blockenomy has introduced and applies mandatory participation of persons
performing duties related to counteracting money laundering and terrorist
financing in training in accordance with Article 52 of the above-mentioned Act.
§4
[RELATED TRANSACTIONS]
Blockenomy has introduced and
applies a procedure for identifying related transactions referred to in Article
35(1)(2)(a) in conjunction with Article 50(2)(4) of the Anti-Money Laundering
Act of 01.03.2018.
Blockenomy has introduced and applies financial security measures when carrying
out an occasional transaction also when it is carried out as several operations
that appear to be related to each other. Blockenomy considers
transactions to be related transactions when:
- in several transactions (within one day) the same bank account address
appears for withdrawal both when the Customer is one or several people;
- the same Client who makes several transactions below the threshold
amount (EUR 1,000), in short intervals (within one day) to different bank
accounts or different telephone numbers.
In the case of suspicion of
related transactions, pursuant to Article 34(1) and (4)(w) of the Act,
financial security measures are implemented consisting in the identification of
the customer and verification of his identity (personal data). In such a case,
Blockenomy sums up the value of the transaction and if it exceeds EUR 15,000,
it provides such information to the person designated pursuant to Article 8 of
the Act in order to fulfill the reporting obligation referred to in Article
72(1)(1) of the aforementioned Act.
Blockenomy in the course of customer service may apply additional financial
security measures consisting in questioning, monitoring, requesting a statement
under Article 46 of the Act (a person in a politically exposed position), etc.
and on this basis assess transactions also from the point of view of their
connection.