Ecommbx Limited Privacy Statement
Last updated 25/09/2020
Ecommbx Ltd (referred to as ‘we’, ‘us’, ‘our’ or ‘the Company’) offers its
customers products and services relating to electronic money. During the
course of our business relationship, we collect and process personal data.
In particular the personal data which is processed by us is that of natural
persons who are our customers, contractors, business affiliates and/or
visitors to our website as well as personal data of any other individuals
including but not limited to authorised representatives, employees,
directors, beneficial owners and shareholders of our customers, contractors
and/or business affiliates, being legal entities. As a result, the Company
is committed to protecting the privacy and handling of data in an open and
For the purposes of this privacy statement,
‘personal data’ means any information relating to an identified or
identifiable natural person (“data subject”); an identifiable person is
one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person;
“processing” means any operation or set of operations which is performed on
personal data, whether or not by automated means, such as collection,
recording, storage, use, disclosure, erasure or destruction.
“business relationship” means our commercial and/or business and/or other
relationship with you including, but not limited to, provision of our
services to you or vice versa and the various transactions entered into
between us and you from time to time.
This Privacy Statement provides an overview of how the Company
processes your personal data in order to be in compliance with the
provisions of the Processing of Personal Data and for the Free Movement
of such Data of 2018 (Law 125(I)/2018) (hereinafter the “Law”) as
amended and/or replaced from time to time, the provisions of Regulation
(EU) 2016/679 (hereinafter the “EU Regulation’’) and any other legal
and/or regulatory requirements.
Purpose of this Privacy Statement:
This Statement aims to provide you with information about the processing of
your personal data when establishing a business relationship with us.
Additionally, the purpose of this Statement is to inform you inter alia, of
your data protection rights under the current legislative and regulatory
Who we are:
ECOMMBX Ltd, is an Electronic Money Institution incorporated in 2016 in the
Republic of Cyprus under the registration number HE354749. We are fully
authorised and licensed by the Central Bank of Cyprus with license No.
220.127.116.11/2018 to provide services on a professional basis within the
framework of the relevant Law (No. 86(I) of 2004) and the corresponding
Directive (2009/110/EC) of the European Parliament and of the European
Council for issuing of e-money also known as an Electronic Money
We are a data controller in respect of your personal data. This means that
we are responsible for determining the purposes and means of the processing
of such personal data.
If you have any questions or require additional details on how we use your
personal information, you can contact our Data Protection Officer at:
firstname.lastname@example.org and/or (+357 22270349)
When we process your personal data, such data is:
(i) Processed lawfully, fairly and in a transparent manner in respect to
the data subject (‘lawfulness, fairness and transparency’);
This means that we provide information to you in respect of the processing
of your personal data (transparency), the processing matches the
description given to you (fairness), and that it is based on at least one
of the lawful basis set out in the GDPR (lawfulness).
(ii) Collected for specified, explicit and legitimate purposes and not
further processed in a manner that is incompatible with those purposes;
This means that we specify exactly what personal data is collected for, the
purpose of use and limit the processing of personal data to only what is
necessary to meet the relevant purpose.
iii) Adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (‘data minimisation’);
This means that we do not process any personal data over and above what is
(iv) Accurate and, where necessary, kept up to date; every reasonable step
is taken to ensure that personal data that are inaccurate, having regard to
the purposes for which they are processed, are erased or rectified without
This means that we have in place processes for identifying and addressing
out-of-date, incorrect or unnecessary personal data.
(v) Kept in a form which permits identification of data subjects only for
the period necessary for the purposes for which their personal data are
processed (‘storage limitation’);
This means that we store personal data only for the max required period and
delete them right after in such a way that limits or prevents
identification of the data subject.
(vi) Processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorized or unlawful
processing and against accidental loss, destruction or damage, using
appropriate technical or organizational measures (‘integrity and
Personal data we process and collection of personal information:
We process personal data that we receive from you in the context of our
business relationship. We collect and process different types of personal
data received from data subjects themselves, or their representatives, or
our website, in the context of our business relationship. We may also
collect and process personal data which we lawfully obtain from other
entities of our Group, or public authorities, client introducers, or
publicly available sources (such as the Cyprus Registrar of Companies and
the media) lawfully obtained and permitted to process.
Such personal data may include, amongst others:
* Government issued identifiers and other Identification data, such as
passport, identification card, social insurance number, tax
* Contact information such name, surname, address (including proof of
address e.g. utility bill), telephone, fax number, e-mail address and
country of residence)
* Personal characteristics such as date of birth and country/place of
* Economic Data such as bank account number/details, data on transactions,
financial information including origin of wealth, tax income, earnings);
* Communication data such as name, surname, email, postal address
(including proof of address e.g. utility bill), telephone number, tax
number and country of residence);
* Functions and powers of relevant representative(s);
* Employment and occupation information(including but not limited to CV,
professional memberships, job title and responsibilities, professional
* Data from payment transactions and payment services; and
* Data relating to telephone communications with you, which may be recorded
in compliance with legal requirements.
We do not process, without your explicit consent (and/or where the
processing is necessary for the establishment, exercise or defence of legal
claims relevant to us), personal data revealing racial or ethnic origin,
political option, religious or philosophical beliefs, trade union
membership, genetic data, data concerning health or data concerning a
natural person’s sex life or sexual orientation, referred to as special
categories of personal data in the EU Regulation.
If during the course of our business relationship there is a change in your
personal data, you must ensure that the above details (as and where
applicable) are updated by contacting us as soon as practically possible.
Once our business relationship has ended and the period for maintaining
your personal data has lapsed (see data retention paragraph below
), the Company may proceed with the pseudonymisation, of such personal data
for the purposes of maintaining an archive for historical, statistical and
We do not provide any services to children however certain transactions may
be related to such. We may collect personal data in relation to children
who are under the age of fourteen (14) only if we have obtained the
explicit consent from their parents’ or legal guardian’s or unless
otherwise permitted by law.
Purposes of processing your personal data
We will process your personal data (as and where applicable) for the
(a) Meeting our obligations under our business relationship and/or
agreement entered into between us, including inter alia in relation to
the provision of our (financial) services;
(b) Customer acceptance and onboarding procedures, customer communication,
customer relationship purposes;
(c) Maintaining and developing our business with our customers, the
carrying out of surveys and direct marketing (including via our website);
(d) Operation, management and control of the affairs of our business and
(e) Maintaining our IT systems, including our human capital, administrative
and management systems, processes and policies;
(f) Maintaining and developing our business relationship with you;
(g) Complying with any requirement of law and/or regulation (e.g. KYC
requirements under the Prevention and Suppression of Money Laundering and
Terrorist Financing Law of 2007, as amended) and/or competent authority or
professional body (where applicable);
(h) Developing verification procedures and processes, anti-money laundering
Legal basis of processing your personal data
Your personal data are processed in compliance with the provisions of the
EU Regulation, the applicable local legislation as amended and/or replaced
from time to time as well as any other relevant legislation.
Your personal data are only used for the purpose for which we collected it,
unless there are reasonable ground for using them for any other reason
which is compatible with the original purpose. We process your personal
data for the purposes mentioned above on the following basis:
(a) Processing is necessary for compliance with a legal obligation
such as anti-money laundering or regulatory requirements for the Central
Bank of Cyprus.
Processing is necessary for entering or performance of contractual
obligations which you have entered with us
Processing is necessary for the purposes of the legitimate interests
pursued by us
. This may include preventing crimes, fraud and money laundering
activities, actions to manage our business and further develop our
services, direct marketing, risk management, initiate legal claims and
preparing a defence in the event of litigation, disclosing information to
other data recipients such as our service providers, auditors and
technology providers and/or to comply with obligations or internal policy
requirements of our business, and/or to monitor and improve our
relationships with you and/or to keep our internal records and/or to
monitor communication to/from you using our systems and/or to protect the
integrity of our IT systems.
(d) Based on your consent. Insofar as you have granted us specific
consent for processing (other than for the reasons out hereinabove), then
the lawfulness of processing is based on your consent. In case consent is
relied solely upon to achieve a lawful basis of processing of your personal
data, you have the right to revoke your consent at any time by contacting
The Company retains personal data for as long as there is a business
relationship with customers. Once the business relationship is ended,
personal data are kept up to ten (10) years or as required under applicable
law. Your personal data may be retained for longer periods for the purposes
of our legitimate interests in case of any legal process commencing prior
to the completion of the 10-year period.
For prospective business relationships the Company shall keep personal data
for six (6) months from the date of notification of the rejection or from
the date of withdrawal of the customers application. Such data may be kept
in an identifiable form for the purposes of re-assessing the (acceptance of
the) business relationship or in an anonymized form for the
Who we disclose your personal data to:
Your personal data may be shared with organisations and bodies including
but not limited to:
(a) Independent advisors, auditors and accountants, lawyers, tax advisors,
valuators, consultants, credit reference and fraud prevention agencies and
other professional advisors (as shall be engaged from time to time).
(b) Public and/or regulatory and/or supervisory authorities such as Central
Bank of Cyprus, Tax authorities, law enforcement authorities, courts and
(c) Our IT service providers and other companies who assist us with the
effective operation of our business by providing technological expertise,
file storage and record management, logistic services and solutions and
(d) Companies or individuals you ask us to share your personal data with.
(e) Persons acting on behalf of beneficial owners/shareholders of our
clients/contractors being legal entities, including and not limited to
payment recipients, beneficiaries, account nominees, intermediary,
correspondent and agent banks.
(f) Legal or natural persons with which we have contracted for the
provision of services, who are bound by confidentiality and data protection
obligations according to the applicable data protection framework.
(g) Other member companies and/or entities of the group of companies which
we belong to.
(h) Regulatory and public authorities.
(i) Banks and/or other licensed financial institutions based in Cyprus or
abroad for facilitating the execution of transactions and any other
services you request.
Your information may also be shared in case the Company’s structure alters
or if we choose to transfer, sell part of our business or seek to merge
with other companies.
Data transfer to Third Countries or International Organisations
Your data may be transferred in countries outside the European Economic
Area to a recipient (i) who is in a country which provides an adequate
level of protection for personal data or (ii) under appropriate safeguards
pursuant to the provisions of applicable data protection laws (e.g. under
an agreement in the form of standard data protection clauses adopted by the
European Commission), the form of which is available at
. In some (occasional) cases we may carry out such transfers where (a) we
have obtained the explicit consent from the relevant data subject in
respect of the proposed transfer, provided that the data subject has been
informed of the possible risks of such transfer (due to the absence of an
adequacy decision and appropriate safeguards); (b) the transfer is
necessary for the performance of a contract between the data subject and
us, or (c) the transfer is necessary for the performance of a contract
concluded in the interest of the data subject between us and another person
or (d) the transfer is necessary for the establishment exercise or defence
of legal claims.
Automated decision-making, including profiling
We do not take decisions solely on the basis of automated processing.
However, some of your personal data may be processed by automatic means in
order to evaluate certain of your personal aspects, in the following cases:
* Carrying out data evaluations, which may include payment transactions, in
the context of anti-money laundering and anti-terrorism financing measures.
These evaluations are carried out to protect you.
* Marketing of services and products of the Company, as long as you have
Your personal data will be used for direct marketing purposes where you
have explicitly consented to do so, or when such processing is necessary
for the purposes of the legitimate interests pursued by us. Where we rely
on such legitimate interest, you have the right to object at any time to
such processing of data. In such a case we shall no longer process such
data for direct marketing purposes.
Your Personal Data Rights
The following are the rights you have pursuant to the provisions of the EU
Regulation and any other relevant legislation:
(a) Right to access - you have the right to request a copy
of the information that we hold about you.
You have the right to confirmation as to whether or not we process your
personal data and, where we do, access to the personal data, together with
certain additional information. Such additional information includes
inter-alia, details of the purposes of the processing, the categories of
personal data concerned and the categories of recipients of the personal
data. The right to obtain a copy of your data shall not adversely affect
the rights and freedoms of others.
(b) Right to rectification. You have the right to request
rectification of inaccurate or incomplete personal data concerning you.
You have the right to have any inaccurate personal data about you rectified
and, taking into account the purposes of the processing, to have any
incomplete personal data about you completed.
(c) Right to erasure (‘’right to be forgotten’’). You have
the right to request erasure of personal data, where one of the following
* Personal data are no longer necessary in relation to the purposes for
which they were collected or otherwise processed;
* You withdraw your consent on which the processing is based and where
there is no other legal ground for the processing;
* You object to the processing and there are no overriding legitimate
grounds for the processing, or you object to processing for direct
* Personal data have been unlawfully processed;
* Personal data have to be erased for compliance with a legal obligation.
The above shall not apply where processing is necessary (i) for exercising
the right of freedom of expression and information; (ii) for compliance
with a legal obligation which requires processing by a law to which we are
subject; and (iii) for reasons of public interest; or for the
establishment, exercise or defense of legal claims.
(d) Right to restriction of processing. You have the right
to obtain restriction of processing where one of the following applies:
* The accuracy of the personal data is contested for a period enabling us
to verify the accuracy of the personal data.
* The processing is unlawful, and you oppose the erasure of such data and
you request the restriction of their use instead.
* We no longer need the personal data for the purposes of processing, but
you require their retention for the establishment, exercise or defence of
* You have objected to processing on the grounds of our legitimate
interests, until we verify whether the grounds on which we process your
information override your rights and freedoms.
Where processing has been restricted on the basis of the above, we will
continue to store your personal data. However, we will only otherwise
process it (i) with your consent; (ii) for the establishment, exercise or
defense of legal claims; (iii) for the protection of the rights of another
natural or legal person; or (iv) for reasons of important public interest.
(e) Right to portability. You have the right to receive
the personal data that you have provided us in a structured, commonly used
and machine-readable format and you have the right to transmit those data
to another organization and/or request that we do it for you, provided
* The processing is based on your consent, or for the performance of our
contractual obligations, or at you’re your request for the purposes of
entering in a contractual relationship with us.
* Processing is carried out by automated means.
(f) Right to object. You have the right to object to the
processing of your personal data, at any time and for reasons related to
your particular situation where the legal basis on which the processing
activity is based on our legitimate interests. Should you exercise this
right, we will no longer process the personal data unless we can
demonstrate compelling legitimate grounds for the processing which override
your interests, rights and freedoms or for the establishment, exercise or
defence of legal claims. Where you have objected to processing for direct
marketing purposes we shall no longer process your personal data for such
(g) Right to withdraw consent. Where the processing is
based on your written consent you have the right to withdraw consent at any
To the extent that the legal basis for our processing of your personal data
is consent (as and where applicable), you have the right to withdraw that
consent at any time such withdrawal will not affect the lawfulness of
processing before the withdrawal.
(h) Right to lodge a complaint. You can contact us for any
personal data related matters in the details mentioned above. In case you
are not satisfied or still have concerns you may file a complaint with the
Office of the Commissioner for Personal Data Protection. You can find out
on their website how to submit a complaint.
We process personal data which is adequate, relevant and limited to what is
necessary in relation to purposes mentioned above and we have taken
adequate organizational, technical and administrative measures in order to
safeguard and reasonably protect your personal data against loss, misuse
disclosure, alteration and unauthorized access. Such measures include
firewalls, encryption, access restriction and authorization controls. We
are devoted in protecting your personal data; however, security cannot be
absolutely guaranteed against threats. As soon as we become aware of any
data breach that may cause a disadvantage to you, you will be notified
without undue delay.
Further information and/or queries and/or requests regarding the processing
of your personal data and any of your rights (where applicable) in respect
of your personal data, can be requested by contacting us in writing as
27 Pindarou Street, Alpha Business Centre, 3rd floor, 301 Office Block A,
1060, Nicosia, Cyprus
Changes to this Privacy Statement
This Privacy Statement may be modified from time to time so as to be in
compliance with legal regulations. You will be notified appropriately when
any changes are made (as and where applicable). The revised Privacy
Statement will be available on our website and we highly recommend that you
review this Privacy Statement to be informed on the way we protect and
process your personal data.