C2D DATA PRIVACY POLICY

• C2D DATA PRIVACY POLICY (2021-01-26EN)
• C2D DATA PRIVACY POLICY (2023-04-01ENAPP)
• PRIVACY STATEMENT FOR VENDORS AND OTHER BUSINESS PARTNERS

C2D DATA PRIVACY POLICY (2021-01-26EN)

Effective January 26, 2021

1. GENERAL
2. WHAT INFORMATION DOES C2D COLLECT?
3. HOW DOES C2D USE YOUR INFORMATION?
4. WITH WHOM DOES C2D SHARE YOUR INFORMATION?
5. HOW DOES C2D PROTECT YOUR INFORMATION?
6. WHAT ARE YOUR DATA PROTECTION RIGHTS?
7. FURTHER INFORMATION AND CONTACT

1. GENERAL

1. C2D Payment Solutions Ltd (hereinafter, "C2D", "us", "our", "we") is committed to user privacy. This Privacy Policy provides details on how your personal information is collected, processed, shared, transferred and retained by C2D when opening and using a C2D Account through one of our Acceptance Partners.
2. This Privacy Policy must be read together with and is considered to form an integral part of our C2D Terms of Use. All terms defined in the Terms of Use shall have the same meaning in this Privacy Policy. By continuing to use the services offered via C2D after being provided with access to this Privacy Policy, you acknowledge to have read and understood the terms of this Privacy Policy and to the use of your personal information in accordance with these terms.
3. C2D's data processing activities comply with all applicable data protection legislation, including the provisions of the General Data Protection Regulation 2016/679 (hereinafter "GDPR"), and any other European or national legislation we may be subject to.
4. C2D will act as data controller in relation to the data processing activities envisaged in this Privacy Policy. The Acceptance Partner will act as data controller in its own right in relation to the processing activities it is obliged to undertake under national anti-money laundering legislation.
5. This Privacy Policy may be subject to modification from time to time, notably in the event of changes to legislation, the introduction of new laws or revision or expansion of our offering. Any changes to this Privacy Policy will be published on the C2D website www.c2dpayment.com as well as displayed in all distribution partners' shops.

2. WHAT INFORMATION DOES C2D COLLECT?

1. During our business relationship with you, we collect following personal information from you:

1. Registration information: Upon registration our Acceptance Partner shall ask you to provide the following information: your first name(s) and surname, your place and date of birth, your nationality, your residential address and the type, number and issuing authority of your identification document. Upon registration, the Acceptance Partner shall also make a copy of your identification document. If your identification document does not show your residential address, our Acceptance Partner also asks for your proof of address (e.g. a utility bill). C2D and the Acceptance Partner are required by law to collect this information, particularly to comply with legal obligations to prevent money laundering (e.g. KYC) and to combat fraud. You will also be required to provide us with either your mobile phone number or your email address. This information is used to provide you with contractual information and may further be used to safely set up your C2D Account and to allow you to make use of our services.
2. Authentication information: Following the opening of your C2D Account, we will provide you with or request you to set up your Account Access Identifiers (e.g. credentials and password), which will help us and/or our Acceptance Partners to verify your identity every time you wish to use your C2D Account.
3. Transactional information: In order to provide you with our C2D services, as well as for compliance with our legal obligations, we keep a record of all (e-money) transactions carried out via your C2D Account. This includes, without being limited to, the amounts loaded or withdrawn, the transfer orders issued, the merchants you interacted with, the history of transactions and the funding instruments used.
4. Identification verification information: For the entire duration of our business relationship C2D and the Acceptance Partner are bound by law to carry out certain due diligence checks and verification processes, amongst others to prevent money laundering. These checks may include, without being limited to, identity checks and checks on the source of wealth and source of funds. We may, at our own discretion, decide which additional information we require from you in this respect. This may include, without being limited to, following information: the information and documentation referenced in Section II.1.a) above, as well as information and/or documentation relating to your source of wealth and source of funds. We may also use third party databases to confirm such information and/or outsource the verification process to a third party Verification Provider. The results of such checks, as well as any documentation you provide to us in the respect, will be stored in our systems during the term of our business relationship and for up to ten (10) years thereafter.
5. Additional verification information: It may be in our legitimate interest to carry out certain checks, both internally or through third parties, for the purpose of assessing potential breaches of our Terms of Use and/or the Applicable Rules. We may, at our own discretion, decide which additional information we require from you in this respect, provided that your rights to the protection of your personal data are not disproportionately harmed.
6. Contact information: Where you use our C2D Website contact form or contact our Customer Service, we will process your contact details (e.g. mail address and/or mobile phone number), as well as any personal data relevant to your query, in order to respond to your query. Provided you have given us your consent thereto or we would otherwise be entitled to do so, we may use your contact details to send you electronic marketing messages and/or newsletters.

2. The abovementioned information may be collected by us directly or on our behalf by one of our Acceptance Partners (e.g. upon registration), who will immediately transfer such information to C2D.
3. Failure to provide any of the abovementioned information may result in C2D and/or the Acceptance Partner not being able to perform the requested services, in particular where there is a legal obligation to collect such information before being able to provide you with the C2D services. In addition, where the verification information received from you or from one of our Verification Providers does not prove to be satisfying, we may at our own discretion decide to not establish or terminate our contractual relationship with you.

3. HOW DOES C2D USE YOUR INFORMATION?

1. Your information shall be processed by C2D and/or the Acceptance Partner for the following purposes:

1. When needed to be able to perform the C2D services or any additional services you have requested, including to:
   • Set-up your C2D Account;
   • Authenticate the access to your C2D Account;
   • Process e-money transactions via your C2D Account;
   • Communicate to you in relation to your C2D Account and/or any query you address to us.
2. To comply with legal obligations (e.g. identification and verification obligation to prevent money laundering or to combat fraud);
3. When you have consented thereto (e.g. for sending electronic marketing messages); or
4. If we have determined a legitimate interest to do so that is not detrimental to your right to data protection, including to:
   • Manage our business needs, analyse and manage risks, improve our services and enhance the functionality of our C2D Website;
   • Evaluate breaches of our Terms of Use and/or the Applicable Rules;
   • Send marketing messages which do not require consent.

2. C2D and/or the Acceptance Partner shall retain your data for the length of time necessary for the intended purpose of data processing or for as long as legally required (e.g. identification verification information must be retained for at least 5 years following the end of the business relationship). We may retain data for longer if this would be in our legitimate business interest and not prohibited by law.

4. WITH WHOM DOES C2D SHARE YOUR INFORMATION?

1. Your personal information will not be forwarded to or shared with a third party unless expressly stipulated in the terms of this Privacy Policy or unless you have consented thereto.
2. C2D is a subsidiary of Tipico Group Limited, and forms part of the Tipico group of companies ("Tipico Group"). Your personal information may at all times be shared with other companies of the Tipico Group.
3. C2D will share your personal information with its Acceptance Partners and with merchants accepting e-money issued by C2D as payment method, as well as with its advisors, agents, or contractors working on behalf of C2D, provided they would have a need to know such information (e.g. to allow the Acceptance Partners to perform Authentication). C2D may also share personal information with third party service providers, including Verification Providers, with whom C2D has a contractual relationship and who provide certain services or verification processes on behalf of C2D and/or help C2D comply with any of its legal obligations or securing its legitimate interests. In addition, C2D and/or the Acceptance Partner may be required to share your personal data with authorities or other competent bodies as a result of a legal obligation to which we are subject, to detect or prevent fraud, to defend the public interest or to safeguard the interests of C2D’s personnel.
4. C2D currently works with the following Verification Providers and/or third-party service providers:
   • GB Group Plc, The Foundation, Herons Way, Chester Business Park, Chester CH4 9GB, United Kingdom
   • C2D transfers personal data collected within the scope of the instant contract related to the application for, performance or termination of this business relationship to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The legal bases for such transmission comprise Art. 6 (1) (b) and Art. 6 (1) (f) GDPR. Data may only be transmitted on the basis of Art. 6 (1) (f) GDPR to the extent necessary for the purposes safeguarding the legitimate interests pursued of C2D or third parties and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Data transmitted to SCHUFA is also used for identity verification. SCHUFA processes data and also uses such data for purposes of profile creation (Scoring) in order to provide its contractual partners domiciled in the European Economic Area and Switzerland as well third countries as applicable (to the extent an adequacy decision from the European Commission is available for such countries) information to be used to evaluate the creditworthiness of natural persons amongst other things. Additional information regarding SCHUFA’s business may be found in the SCHUFA Information Sheet pursuant to Art. 14 GDPR or online at www.schufa.de/datenschutz.

   C2D shall regularly update this list but cannot guarantee that this list is exhaustive at all times.

   Unless specifically provided otherwise in the respective privacy policies of the Verification Providers, the Verification Providers shall act as (separate) data controllers with respect to the personal information transferred to them by C2D. We advise you to consult the respective privacy policies for more information on the way in which these Verification Providers process your personal data.

   The information we receive from the Verification Providers may serve as a basis for our decision on whether to establish, conduct or terminate the contractual relationship with you. No automated decision-making shall take place.

5. Where we share your personal information with third parties, we shall take all reasonable precautions to ensure that these third parties respect the same privacy standards as C2D does under this Privacy Policy.
6. We have put the necessary measures in place to ensure that any transfer of your personal information to countries outside the European Economic Area are accompanied by the required additional safeguards. In this respect, we may, for example rely on contractual clauses.

5. HOW DOES C2D PROTECT YOUR INFORMATION?

1. Appropriate technical and organisational measures are used to protect your personal information from unauthorized access by third parties, disclosure, alteration, misuse, destruction or loss during its collection, processing and retention. These measures include, amongst others, data encryption, firewalls, physical and electronic access controls, etc. We also implement all necessary measures to ensure confidentiality of your personal information. This includes imposing appropriate confidentiality obligations on our employees, Acceptance Partners, advisors, agents or contractors. This level of protection can, however, not be extended to communication by email and we recommend that you send all confidential information by registered post.
2. You are responsible for the security and confidentiality of your Account Access Identifiers, your email account and your mobile phone number. In this respect, you shall only use strong passwords and update them regularly. You are also responsible for communicating any changes to your personal information to C2D immediately.

6. WHAT ARE YOUR DATA PROTECTION RIGHTS?

1. Subject to the limitations set out in the applicable data protection legislation, as a data subject, you are granted a number of rights in relation to your personal information. These rights include the right to:

1. Request access to, information on or a copy of your personal data;
2. Rectify your personal data;
3. Request erasure of your personal data;
4. Request the restriction of processing of your personal data;
5. Object to the processing of your personal data;
6. Withdraw your consent at all times;
7. Receive your personal data in a structured, commonly used and machine-readable format and/or have it transmitted to another data controller.

2. All requests, complaints or queries may be addressed to C2D to the email address mentioned in section VII. We will consider any requests, complaints or queries and provide you with a reply in a timely manner. If we are unable to provide you with a reply within the required timeframe, we will provide you with a date by when the information will be provided to you. If a request cannot be carried out for any reasons, we will inform you accordingly. You can also file a complaint with the Maltese Information and Data Protection Commissioner (idpc.info@idpc.org.mt) should you not be satisfied with the way in which we handle your personal information.

7. FURTHER INFORMATION AND CONTACT

For any privacy issues you may have, to exercise any of your rights under the GDPR, or to obtain further information on our data processing activities, please contact our Data Protection Officer at:

C2D Payment Solutions Ltd
Level 8, Portomaso Business Tower
STJ 4011 St. Julian's, Malta

Email: dpo@c2dpayment.com

Version 2021-01-26EN, © C2D Payment Solutions Ltd

C2D-Payment-Solutions--Privacy-Policy--2021-01-26EN.pdf

C2D DATA PRIVACY POLICY (2023-04-01ENAPP)

Effective April 01, 2023

1. GENERAL
2. WHAT INFORMATION DOES C2D COLLECT?
3. WHAT DOES C2D USE YOUR INFORMATION FOR?
4. WITH WHOM DOES C2D SHARE YOUR INFORMATION?
5. HOW DOES C2D PROTECT YOUR INFORMATION?
6. WHAT ARE YOUR DATA PROTECTION RIGHTS?
7. FURTHER INFORMATION AND CONTACT DETAILS OF OUR DATA PROTECTION OFFICER

1. GENERAL

1. C2D Payment Solutions Ltd., Level 6, Portomaso Business Tower, STJ 4011 St. Julian's, Malta (hereinafter "C2D", "us", "our", "we") is committed to user privacy. This Privacy Policy provides details on how your personal information is collected, processed, shared, transferred and retained by C2D when opening and using a C2D Account through one of our Acceptance Partners.
2. This Privacy Policy must be read together with and is considered to form an integral part of our C2D Terms of Use. All terms defined in the Terms of Use shall have the same meaning in this Privacy Policy. By continuing to use the services offered via C2D after being provided with access to this Privacy Policy, you acknowledge to have read and understood the terms of this Privacy Policy and to the use of your personal information in accordance with these terms.
3. C2D's data processing activities comply with all applicable data protection legislation, including the provisions of the General Data Protection Regulation 2016/679 (hereinafter "GDPR"), and any other European or national legislation we may be subject to.
4. C2D will act as data controller in relation to the data processing activities envisaged in this Privacy Policy. The Acceptance Partner will act as data controller in its own right in relation to the processing activities it is obliged to undertake under national anti-money laundering legislation.
5. This Privacy Policy may be subject to modification from time to time, notably in the event of changes to legislation, the introduction of new laws or revision or expansion of our offering. Any changes to this Privacy Policy will be published on the C2D website www.c2dpayment.com as well as displayed in all distribution partners' shops.

2. WHAT INFORMATION DOES C2D COLLECT?

1. During our business relationship with you, we collect following personal information from you:

1. Registration information: Upon registration you are asked to provide the following information: your first name(s) and surname, your place and date of birth, your nationality, your residential address and the type, number and issuing authority of your identification document. Upon registration, the Acceptance Partner shall also make a copy of your identification document. If your identification document does not show your residential address, our Acceptance Partner also asks for your proof of address (e.g. a utility bill). C2D and the Acceptance Partner are required by law to collect this information, particularly to comply with legal obligations to prevent money laundering (e.g. KYC) and to combat fraud. You will also be required to provide us with either your mobile phone number or your email address (or both the mobile phone number and email address, in case you use the QR-code within our app). This information is used to provide you with contractual information and may further be used to safely set up your C2D Account and to allow you to make use of our services.
2. Authentication information: During the opening of your C2D Account, we will provide you with or request you to set up your Account Access Identifiers (e.g. credentials and password), which will help us and/or our Acceptance Partners to verify your identity every time you wish to use your C2D Account.
3. Transactional information: In order to provide you with our C2D services, as well as for compliance with our legal obligations, we keep a record of all (e-money) transactions carried out via your C2D Account. This includes, without being limited to, the amounts loaded or withdrawn, the transfer orders issued, the merchants you interacted with, the history of transactions and the funding instruments used.
4. Identification verification information: For the entire duration of our business relationship C2D and the Acceptance Partner are bound by law to carry out certain due diligence checks and verification processes, amongst others to prevent money laundering. These checks may include, without being limited to, identity checks and checks on the source of wealth and source of funds. We may, at our own discretion, decide which additional information we require from you in this respect. This may include, without being limited to, following information: the information and documentation referenced in Section II.1.a) above, as well as information and/or documentation relating to your source of wealth and source of funds. We may also use third party databases to confirm such information and/or outsource the verification process to a third party Verification Provider. The results of such checks, as well as any documentation you provide to us in the respect, will be stored in our systems during the term of our business relationship and for up to ten (10) years thereafter.
5. Additional verification information: It may be in our legitimate interest to carry out certain checks, both internally or through third parties, for the purpose of assessing potential breaches of our Terms of Use and/or the Applicable Rules. We may, at our own discretion, decide which additional information we require from you in this respect, provided that your rights to the protection of your personal data are not disproportionately harmed.
6. Contact information: Where you use our C2D Website contact form or contact our Customer Service, we will process your contact details (e.g. mail address and/or mobile phone number), as well as any personal data relevant to your query, in order to respond to your query. Provided you have given us your consent thereto or we would otherwise be entitled to do so, we may use your contact details to send you electronic marketing messages and/or newsletters.

2. The abovementioned information may be collected by us directly or on our behalf by one of our Acceptance Partners (e.g. upon registration), who will immediately transfer such information to C2D.
3. Failure to provide any of the abovementioned information may result in C2D and/or the Acceptance Partner not being able to perform the requested services, in particular where there is a legal obligation to collect such information before being able to provide you with the C2D services. In addition, where the verification information received from you or from one of our Verification Providers does not prove to be satisfying, we may at our own discretion decide to not establish or terminate our contractual relationship with you.

3. WHAT DOES C2D USE YOUR INFORMATION FOR?

1. Your information shall be processed by C2D and/or the Acceptance Partner for the following purposes:

1. When needed to be able to perform the C2D services or any additional services you have requested (Art 6 para 1 (b) GDPR), including to:
   • Set-up your C2D Account;
   • Authenticate the access to your C2D Account;
   • Process e-money transactions via your C2D Account;
   • Communicate to you in relation to your C2D Account and/or any query you address to us.
2. To comply with legal obligations (Art 6 para 1 (c) GDPR, e.g. identification and verification obligation to prevent money laundering or to combat fraud);
3. When you have consented thereto (Art 6 para 1 (a) GDPR), e.g. for sending electronic marketing messages); or
4. If we have determined a legitimate interest (Art 6 para 1 (f) GDPR) to do so that is not detrimental to your right to data protection, including to:
   • Manage our business needs, analyse and manage risks, improve our services and enhance the functionality of our C2D Website;
   • Evaluate breaches of our Terms of Use and/or the Applicable Rules;
   • Send marketing messages which do not require consent.

2. C2D and/or the Acceptance Partner shall retain your data for the length of time necessary for the intended purpose of data processing or for as long as legally required (e.g. identification verification information must be retained for at least 5 years following the end of the business relationship). We may retain data for longer if this would be in our legitimate business interest or necessary for the establishment, exercise or defence of legal claims and not prohibited by law.

4. WITH WHOM DOES C2D SHARE YOUR INFORMATION?

1. Your personal information will not be forwarded to or shared with a third party unless expressly stipulated in the terms of this Privacy Policy or unless you have consented thereto.
2. C2D is a subsidiary of Tipico Group Limited, and forms part of the Tipico group of companies ("Tipico Group"). Your personal information may at all times be shared with other companies of the Tipico Group.
3. C2D will share your personal information with its Acceptance Partners and with merchants accepting e-money issued by C2D as payment method, as well as with its advisors, agents, or contractors working on behalf of C2D, provided they would have a need to know such information (e.g. to allow the Acceptance Partners to perform Authentication). C2D may also share personal information with third party service providers, including Verification Providers, with whom C2D has a contractual relationship and who provide certain services or verification processes on behalf of C2D and/or help C2D comply with any of its legal obligations or securing its legitimate interests. In addition, C2D and/or the Acceptance Partner may be required to share your personal data with authorities or other competent bodies as a result of a legal obligation to which we are subject, to detect or prevent fraud, to defend the public interest or to safeguard the interests of C2D’s personnel.
4. C2D currently works with the following Verification Providers and/or third-party service providers:
   • GB Group Plc, The Foundation, Herons Way, Chester Business Park, Chester CH4 9GB, United Kingdom
   • C2D transfers personal data collected within the scope of the instant contract related to the application for, performance or termination of this business relationship to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The legal bases for such transmission comprise Art. 6 (1) (b) and Art. 6 (1) (f) GDPR. Data may only be transmitted on the basis of Art. 6 (1) (f) GDPR to the extent necessary for the purposes safeguarding the legitimate interests pursued of C2D or third parties and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Data transmitted to SCHUFA is also used for identity verification. SCHUFA processes data and also uses such data for purposes of profile creation (Scoring) in order to provide its contractual partners domiciled in the European Economic Area and Switzerland as well third countries as applicable (to the extent an adequacy decision from the European Commission is available for such countries) information to be used to evaluate the creditworthiness of natural persons amongst other things. Additional information regarding SCHUFA’s business may be found in the SCHUFA Information Sheet pursuant to Art. 14 GDPR or online at www.schufa.de/datenschutz.

   C2D shall regularly update this list but cannot guarantee that this list is exhaustive at all times.

   Unless specifically provided otherwise in the respective privacy policies of the Verification Providers, the Verification Providers shall act as (separate) data controllers with respect to the personal information transferred to them by C2D. We advise you to consult the respective privacy policies for more information on the way in which these Verification Providers process your personal data.

   The information we receive from the Verification Providers may serve as a basis for our decision on whether to establish, conduct or terminate the contractual relationship with you. No automated decision-making shall take place.

5. Where we share your personal information with third parties, we shall take all reasonable precautions to ensure that these third parties respect the same privacy standards as C2D does under this Privacy Policy.
6. We have put the necessary measures in place to ensure that any transfer of your personal information to countries outside the European Economic Area are accompanied by the required additional safeguards. In this respect, we may, for example rely on an adequacy decision of the European Commission or, in case such a decision is missing for the relevant jurisdiction, on Standard Contractual Clauses. These are accessible upon request.

5. HOW DOES C2D PROTECT YOUR INFORMATION?

1. Appropriate technical and organisational measures are used to protect your personal information from unauthorized access by third parties, disclosure, alteration, misuse, destruction or loss during its collection, processing and retention. These measures include, amongst others, data encryption, firewalls, physical and electronic access controls, etc. We also implement all necessary measures to ensure confidentiality of your personal information. This includes imposing appropriate confidentiality obligations on our employees, Acceptance Partners, advisors, agents or contractors. This level of protection can, however, not be extended to communication by email and we recommend that you send all confidential information by registered post.
2. You are responsible for the security and confidentiality of your Account Access Identifiers, your email account and your mobile phone number. In this respect, you shall only use strong passwords and update them regularly. You are also responsible for communicating any changes to your personal information to C2D immediately.

6. WHAT ARE YOUR DATA PROTECTION RIGHTS?

1. Subject to the limitations set out in the applicable data protection legislation, as a data subject, you are granted a number of rights in relation to your personal information. These rights include the right to:

1. Request access to, information on or a copy of your personal data;
2. Rectify your personal data;
3. Request erasure of your personal data;
4. Request the restriction of processing of your personal data;
5. Object to the processing of your personal data;
6. Withdraw your consent at all times;
7. Receive your personal data in a structured, commonly used and machine-readable format and/or have it transmitted to another data controller (data portability);
8. Lodge a complaint with the competent supervisory authority (see below VI.2.).

2. All requests, complaints or queries may be addressed to C2D to the email address mentioned in section VII. We will consider any requests, complaints or queries and provide you with a reply in a timely manner. If we are unable to provide you with a reply within the required timeframe, we will provide you with a date by when the information will be provided to you. If a request cannot be carried out for any reasons, we will inform you accordingly. You can also file a complaint with the Maltese Information and Data Protection Commissioner (idpc.info@idpc.org.mt) should you not be satisfied with the way in which we handle your personal information.

7. FURTHER INFORMATION AND CONTACT DETAILS OF OUR DATA PROTECTION OFFICER

For any privacy issues you may have, to exercise any of your rights under the GDPR, or to obtain further information on our data processing activities, please contact our Data Protection Officer at:

C2D Payment Solutions Ltd
Level 8, Portomaso Business Tower
STJ 4011 St. Julian's, Malta

Email: dpo@c2dpayment.com

Version 2023-04-01ENAPP, © C2D Payment Solutions Ltd

C2D-Payment-Solutions--Privacy-Policy--2023-04-01ENAPP.pdf

PRIVACY STATEMENT FOR VENDORS AND OTHER BUSINESS PARTNERS

Effective October 9, 2020

I.General
 C2D Payment Solutions Ltd. of Portomaso Business Tower, St Julian's, STJ 4011, MALTA (hereinafter "C2D") is committed to the protection of personal data of customers, suppliers and other partners. This privacy statement applies to the processing of personal data of suppliers and other business partners (including Acceptance Partners).
 Personal data refers to data concerning the personal or material circumstances of an identified or identifiable individual. This may include amongst others a person's name, address, telephone number and date of birth, but also a copy of your ID card or financial data. For the purposes of this Privacy Statement, when we refer to your personal data, this includes all personal data, including employee data, shareholder data, data of subcontractors and their employees, or any other data of a personal nature which you transfer to us.
 This Privacy Statement provides details on whether your personal data is collected, processed and retained by C2D and how this is done. Whenever C2D collects, processes and retains your personal data, C2D will act as data controller, unless otherwise indicated at the time of data collection or processing. Our data protection practices comply with all applicable data protection legislation, including the provisions of the European General Data Protection Regulation, and any other European or national legislation we may be subject to. This Privacy Statement may be subject to modification from time to time, notably in the event of changes to legislation, the introduction of new laws or revision or expansion of our services. Any changes will be published on our website and notified to you as soon as possible.

II.How C2D uses and retains your data
 We shall only collect and use your personal data to comply with a legal obligation which we are subject to (e.g. verification obligation), if we obtain your consent to do so, or if we feel we have a legitimate interest to process the data that is not detrimental to your right to privacy as a data subject.
 Your personal data will be treated as strictly confidential. We shall only retain your personal data for the length of time necessary for the intended purpose of data collection, or for as long as legally required.

III.To whom C2D may transfer your data
 Your personal data will not be forwarded to a third party unless expressly stipulated in the terms of this Privacy Statement.
 Your personal data may be shared with other companies within the same group of companies which C2D forms part of. We may also share personal data with third party service providers with whom C2D has a contractual relationship and who provide part of the services requested by you on behalf of C2D ("Data Processors"). In addition, we may also be required to share your personal data with authorities or other competent bodies as a result of a legal obligation to which we are subject, to detect or prevent fraud or to safeguard the interests of C2D’s personnel.
 Where we share your personal data with third parties, we shall take all reasonable precautions to ensure that these third parties respect the same privacy standards as C2D.
 We only transfer data to states outside the European Economic Area provided the recipient guarantees a standard of data protection comparable to that in place in Europe, or where adequate safeguards are put in place.

IV.KYC and credit score checks
 If we are legally obliged to do so or have a legitimate interest, we request Due Diligence or KYC documents from you and process them.
 C2D also reserves the right to consult due diligence risk information service providers.  Such companies can save the request themselves and save the circumstance of the request and process it for their own purposes as separate data controllers. C2D will only consult such providers who guarantee an appropriate level of data protection. Further details can be obtained from the respective providers. The data C2D receives from them will serve as a basis for our decision on whether to establish, conduct or terminate the contractual relationship. C2D does not currently use any such providers, however this section of the Privacy Statement shall be updated accordingly should this change in the future.

V.Your rights
 Any data subject has the right to:
•request a copy of their personal data;
•rectify their personal data;
•request erasure of their personal data;
•request the restriction of processing of their personal data;
•object to the processing of their personal data;
•withdraw their consent at any times;
•receive their personal data in a structured, commonly used and machine-readable format and/or have it transmitted to another data controller.
 All requests, complaints or queries may be addressed to C2D to the email-address mentioned in section VII. We will consider any requests, complaints or queries and provide you with a reply in a timely manner. You can also file a complaint with the competent Data Protection Authority should you not be satisfied with the way in which we handle your personal data.

VI.Data security
 Technical and organisational measures are used to protect your personal data from unauthorized access by third parties, disclosure, alteration, destruction or loss during its collection, processing and retention. This level of protection cannot, however, be extended to communication by email and we recommend that you send all confidential data by registered post.

VII.Contact for matters of data protection
 For any privacy issues you may have or to obtain further data on our data processing activities, please contact our Data Protection Officer at:

C2D Payment Solutions Ltd.
Portomaso Business Tower
STJ 4011, St. Julian's, Malta
Email: dpo@c2dpayment.com

Version 1.0, 2020-10-09, © C2D

C2D-Payment-Solutions--Privacy-Policy--Vendor-and-AP--2020-10-09EN.pdf