PayRecAI is a global firm with offices located in Belfast, London and Dublin. Many of these jurisdictions have data protection laws that protect the privacy of individuals by regulating the way in which businesses process personal information. These laws require businesses to be open and transparent in their use of personal information.
PayRecAI is committed to ensuring that privacy is protected and it strictly adheres to the provisions of all relevant data protection legislation globally, including the European General Data Protection Regulation (GDPR). PayRecAi’s intention is to be fully transparent about how it collects, uses, processes and ultimately protects personal data under any applicable data protection laws, and PayRecAI has therefore updated its Privacy Policy, which sets out its global standard. The PayRecAI Privacy Policy can be viewed below.
The GDPR require businesses that contract with a data processor to ensure that their contracts or arrangements for services contains certain contractual assurances. PayRecAI will, in the provision of services to clients (with the exception of liquidation services), to the extent it processes personal data, act as “data processor” and it has therefore produced a Data Processing Addendum which provides contractual assurances to its clients. The Addendum can be viewed below.
To the extent that PayRecAI accepts applications from candidates for employment, PayRecAI acts as a controller under GDPR. To that extent it has adopted Privacy Notices, which can be accessed here.
If you have any questions about how PayRecAI holds personal information, the contents of this page, or if you would like to be removed from our database, please contact: info@PayRecAI.com
PayRecAI will endeavour to respond satisfactorily to any request, query, or complaint you may have. However, if you wish to make a formal complaint, or if you simply wish to learn more about your rights, you can contact the relevant data protection regulatory authority, as follows:
Dublin:
Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, https://www.dataprotection.ie/
United States:
No current single national authority.
Data Protection Addendum
This Data Processing Addendum (the Addendum) will apply from 30 September 2019 and will thereafter be incorporated into all arrangements, agreements and contracts (Agreement) under which members of the PayRecAI Group (each, and together PayRecAI) provide services, to the extent that in doing so they act as a ‘data processor’ (as defined in applicable Data Protection Law). Where a client of PayRecAI already has in place a signed Data Processing Agreement or Amendment Agreement to incorporate data processing provisions (DP Agreement), and there is any conflict with the terms of this Addendum, the terms of the DP Agreement will prevail.
For the purpose of this Addendum:
Data Protection Law shall mean all applicable data protection law, which may include, (i) with effect from 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) including any amendments thereto and any applicable consequential national data protection legislation and guidance and codes of practice issued by any relevant European data protection supervisory authority.
Entity means the person or entity that has entered into an Agreement with PayRecAI.
Relevant Data Protection Authority means the relevant independent public authority responsible for monitoring the application of the relevant Data Protection Law.
PayRecAI Group means all direct and indirect subsidiaries of PayRecAI.
PayRecAI acknowledges that in providing the services under the Agreement PayRecAI may process personal data on behalf of the Entity.
In such circumstances, PayRecAI acknowledges that the Entity is a data controller and PayRecAI is data processor and the parties agree that:
PayRecAI processes personal data, as may be specified in the privacy notice of the Entity, on behalf of the Entity in the context of providing the Services under the Agreement. The obligations and rights of the Entity shall be as set out in this Addendum;
PayRecAI will only process such personal data in accordance with the documented instructions of the Entity unless required to do so under applicable laws to which PayRecAI is subject. In such a case PayRecAI shall inform the Entity of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
PayRecAI shall ensure that the persons authorised by PayRecAI to process such personal data are bound by appropriate confidentiality obligations;
PayRecAI shall implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Law and to ensure the rights of the data subject;
PayRecAI shall take all measures to ensure a level of security of processing required pursuant to Data Protection Law;
PayRecAI is authorised to engage sub-processors to undertake processing on its behalf, provided that it provides the Entity with prior notice in writing containing details of the sub-processors that it engages and informs the Entity of any intended changes concerning the addition or replacement of such sub-processors and provides the Entity with a reasonable opportunity to object to such changes. In certain circumstances the Entity may engage or contract directly with agents, delegates or representatives of PayRecAI in which case such agents, delegates or representatives are not considered sub-processors of PayRecAI for the purposes of this Clause and Clause (g) below and, instead, are considered to be processors on behalf of the Entity;
where any sub-processor of PayRecAI will be processing such personal data on behalf of the Entity, PayRecAI shall ensure that a written contract exists between PayRecAI and the sub-processor containing clauses equivalent to those imposed on PayRecAI in this clause. In the event that any sub-processor fails to meet its data protection obligations, PayRecAI shall remain fully liable to the Entity for the performance of the sub-processor’s obligations;
PayRecAI shall inform the Entity without undue delay in the event of receiving a request from a data subject to exercise their rights under Data Protection Law and provide such co-operation and assistance as may be required to enable the Entity to deal with such request in accordance with the provisions of Data Protection Law;
taking into account the nature of the processing, PayRecAI shall assist the Entity by appropriate technical and organisational measures, insofar as this is possible, to allow the Entity to comply with requests from data subjects to exercise their rights under Data Protection Law;
PayRecAI shall assist the Entity in ensuring compliance with obligations in respect of security of personal data, data protection impact assessments and prior consultation requirements under Data Protection Law, taking into account the nature of the processing and information available to PayRecAI;
when PayRecAI ceases to provide services relating to data processing PayRecAI shall: (i) at the choice of the Entity, delete or return all such personal data to the Entity; and (ii) delete all existing copies of such personal data unless relevant law requires or permits storage of the personal data;
PayRecAI shall: (i) make available to the Entity all information requested that is necessary to demonstrate compliance with the obligations laid down in this clause; and (ii) allow for and contribute to audits, including inspections, conducted by the Entity or another auditor mandated by the Entity, provided however that the Entity shall be entitled, at its discretion, to accept adherence by PayRecAI to an approved code of conduct or an approved certification mechanism to aid demonstration by PayRecAI that they are compliant with the provisions of this clause;
PayRecAI shall inform the Entity without undue delay if, in its opinion, it receives an instruction from the Entity which infringes Data Protection Law;
PayRecAI shall notify the Entity without undue delay after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and provide the Entity with such co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach; and
Personal data may be transferred by the Processor outside the relevant jurisdiction, including to a jurisdiction which is not recognised by the Relevant Data Protection Authority as providing for an equivalent level of protection for personal data as is provided for in the relevant jurisdiction. These jurisdictions may include the United States of America, the United Kingdom and Asia. If and to the extent that the Processor does so, it will ensure that appropriate measures are in place to protect the privacy and integrity of such personal data and in particular will comply with its obligations under any Data Protection Law governing such transfers, which may, as applicable, include: (a) entering into a contract governing the transfer which contains the “standard contractual clauses” approved for this purpose by the Relevant Data Protection Authority; (b) transferring your personal data pursuant to binding corporate rules; or (c) a transfer where the Relevant Data Protection Authority has decided that the recipient ensures an adequate level of protection.
The Entity warrants that any personal data received by PayRecAI has been collected and then transferred to PayRecAI in accordance with Data Protection Law.
Content
Introduction
Definitions
Data Protection Principles
Personal Data
Consent
Legitimate Interests
Transfers to Third Parties/Service Providers
Disclosure of Data
Transferring Personal Data outside of the European Economic Area
Profiling & Automated Decision-Making
Data Protection by Design
Data Security, Data Retention and Disposal
Data Subject Rights
Law Enforcement Requests & Disclosures
Notification Process
Logging Issues and Breaches
Data Protection Training
APPENDIX I: PRIVACY STATEMENT
Introduction
1.1 Context
This Policy applies to any PayRecAI entity in the PayRecAI group of companies (each a “PayRecAI Entity” and together “PayRecAI”, the “PayRecAI Group” or the “PayRecAI Entities”). PayRecAI must comply with all applicable laws and regulations relating to the Processing of Personal Data and privacy, including the Data Protection Act 1998-2018 (as may be amended or supplemented from time to time), from 25 May 2018, the EU’s General Data Protection Regulation 2016/679 (the “GDPR”).
Under Data Protection Legislation, PayRecAI is required to implement an appropriate data protection policy as part of the organisational and technical measures it puts in place to demonstrate compliance with applicable Data Protection Legislation.
This Policy describes how Personal Data must be collected, handled, stored, disclosed and otherwise “Processed” to meet the PayRecAI’s data protection standards and to comply with Data Protection Legislation.
PayRecAI is responsible for and shall be in a position to demonstrate compliance with this Policy. This includes ensuring that Third Parties and Service Providers who Process Personal Data on its behalf are acting in accordance with Data Protection Legislation.
1.2 Scope
This Policy applies to PayRecAI Entities where they act as a Controller of Personal Data and PayRecAI Entities acting as a Processor of Personal Data in the following scenarios:
in the context of the business activities of PayRecAI Entities;
for the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by a PayRecAI Entity; and
in the context of Human Resources where a PayRecAI Entity has Employee Personal Data.
This Policy applies to all Processing of Personal Data. Personal Data can be in electronic form (including electronic mail and documents created with word Processing software) or manual files that are structured in a way that allows ready access to information about individuals.
This Policy has been designed to demonstrate the minimum standard for the Processing and protection of Personal Data by all PayRecAI Entities. Where a national law imposes a requirement, which is stricter than imposed by this Policy, the requirements in national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this Policy, the relevant national law must be adhered to by the relevant PayRecAI Entity through operational procedures.
1.3 Data Protection Contact
To demonstrate PayRecAI’ commitment to Data Protection, and to enhance the effectiveness of its compliance efforts, PayRecAI Regional Compliance Teams (“Compliance Team”) will support the business in Data Protection Legislation compliance.
The Compliance Team reports has direct access to the PayRecAI Entities’ senior management teams and boards of directors (the “PayRecAI Entities Boards”) and its duties in this role will include:
mediation with the relevant Data Protection Authority;
review of the PayRecAI Data Protection Policies on an annual basis for compliance with relevant legislation;
produce Annual Board Report on the PayRecAI Data Protection Framework;
annual review and ongoing oversight of the Processors of the PayRecAI Group ensuring compliance with relevant legislation;
report and escalate directly to the respective PayRecAI Entity Boards on data protection related matters;
act as the point of contact for individuals whose Personal Data is Processed by PayRecAI;
facilitation of data protection training and tracking of same;
ensure that PayRecAI maintains a record of all Personal Data Processing activities;
ensure PayRecAI Service Providers apply appropriate technical and organisational measures when protecting Personal Data;
ensure PayRecAI Service Providers apply appropriate security measures to ensure against all unlawful forms of Processing;
report to the PayRecAI Entity Boards on measures and Processes to demonstrate that privacy has been factored into new business line processes;
report to the PayRecAI Entity Boards on oversight of PayRecAI Service Providers;
verify that individuals have given Consent to receive marketing information from a PayRecAI Entity; and
verify that Personal Data has been deleted where an individual has withdrawn Consent for direct marketing purposes.
1.4 Board Approval
This Policy shall be approved by the PayRecAI Entity Boards.
1.5 Governance, Policy Review and Ownership
This Policy will be reviewed at least annually by the Compliance Team to ensure appropriateness. Additional updates and ad-hoc reviews may be performed as and when required to ensure that any changes to the PayRecAI organisational structures/business practices are properly reflected in this Policy.
All amendments to this Policy will be co-ordinated by the Compliance Team to ensure consistency across the PayRecAI Group. All new PayRecAI Entities must adopt and adhere to this Policy.
The management team of each PayRecAI Entity must ensure that each of that PayRecAI Entity’s Employees who are responsible for the Processing of Personal Data are aware of and comply with the contents of this Policy.
In addition, each PayRecAI Entity will make sure all Third Parties engaged to Process Personal Data on their behalf (i.e. their Data Processors) are aware of and comply with the contents of this Policy. Assurance of such compliance, usually through the terms and conditions of their appointment, must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by PayRecAI.
1.6 Responsibility and Escalation
Considering the circumstances in which a Controller must appoint a Data Protection Officer (“DPO”) the PayRecAI Board has determined that it is not currently necessary to appoint a DPO. The PayRecAI Board shall keep this matter under review and should guidance emerge which indicates that any PayRecAI Entity, should appoint a DPO, the PayRecAI Board will re-consider the need to appoint a DPO.
This Policy is therefore owned by the PayRecAI Board, with the Compliance Team being responsible for escalation to the relevant PayRecAI Entity Boards of any data protection related matters. Where data protection issues arise, these are investigated by the European Head of Compliance and where necessary, input from the relevant PayRecAI Entity Board may be sought.
Definitions:
PayRecAI Board
The Boards of Directors for PayRecAI
Employee
An individual who works part-time or full-time for PayRecAI under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary employees and independent contractors.
Third Party/Service Providers
An external organisation with which PayRecAI conducts business and is also authorised, under the direct authority of PayRecAI, to Process the Personal Data provided by a PayRecAI Entity.
Personal Data
Any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person.
Identifiable Natural Person
Anyone living who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
PayRecAI Entity
A PayRecAI establishment, including subsidiaries and joint ventures over which PayRecAI exercise management control.
Data Subject
A natural person to whom Personal Data refers.
Process, Processed, Processing
Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection
The Process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.
Data Protection Authority or DPA
An independent public authority responsible for monitoring the application of the relevant Data Protection regulation set forth in national law.
Data Processors
A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of a Data Controller.
Consent
Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
Special Categories of Data
Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
Third Country
Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Profiling
Any form of automated Processing of Personal Data Where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person. In particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Legitimate Interests
Processing necessary for the purposes of the legitimate interests pursued by a Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
Data Protection Principles
When Processing Personal Data, PayRecAI must comply with the following core Data Protection principles.
A. Lawfulness, fairness and transparency
Personal Data must be Processed fairly, transparently and lawfully. An individual’s Personal Data must not be Processed unless there are lawful grounds for doing so and the Data Subject must be informed as to how and why their Personal Data is being Processed either upon or before collecting it.
B. Purpose Limitation
Personal Data must be Processed only for specified and lawful purposes. Personal Data must not be Processed in any manner which is incompatible with the specified and lawful purpose.
C. Data Minimisation
Personal Data that is Processed must be adequate, relevant and limited to the minimum data necessary for the lawful purposes for which it is Processed.
D. Accuracy
Personal Data must be accurate and, where appropriate, kept up-to-date. Any Personal Data which is incorrect must be rectified as soon as possible
E. Data Retention
Personal Data must be kept for no longer than is necessary considering the lawful purpose(s) for which it is Processed.
F. Security
Personal Data must be protected against unauthorised or unlawful Processing, including transmission, accidental loss, destruction or damage through appropriate technical and organisational measures.
Personal Data
4.1 Definition of Personal Data
“Personal Data” includes any data which relates to a living individual who can be identified:
from that data; or
from that data and other piece of information which is in the possession of PayRecAI.
Certain categories of Personal Data are particularly sensitive (“Sensitive Personal Data”) and cannot be Processed unless certain conditions are met.
It is PayRecAI policy to only hold Personal Data of a given Data Subject where we are legally or contractually required or permitted. All Personal Data will be held and Processed in accordance with the Data Protection Legislation and this Policy.
4.2 Processing Personal Data
Processing Personal Data includes any operation that is carried out in respect of Personal Data, including, but not limited to, collecting, storing, using, recording, disclosing, transferring or deleting Personal Data.
Personal Data collected by PayRecAI is generally collected for the purposes set out in its Privacy Notices including, but not limited to, the following:
to comply with legal, tax or regulatory obligations imposed on PayRecAI under applicable law;
to efficiently manage its directors and its relationship with its Service Providers;
to carry out statistical analysis and market research;
to transfer Personal Data to third parties such as auditors, regulatory or tax authorities and technology providers in the context of the day to day operations of PayRecAI in the conduct of its services provided globally; and
for the purposes outlined in the Employee Privacy Notice.
4.3 Grounds for Processing Personal Data
Personal Data must only be Processed if the purpose of the Processing satisfies one of the legal bases permitted under the Data Protection Legislation.
The below details the legal bases for Processing which are most commonly relevant to PayRecAI Processing activities.
4.3.1 Legal Grounds for Processing Personal Data
The legal grounds for Processing Personal Data include:
where the Processing is in PayRecAI’s Legitimate Interests or the Legitimate Interests of a third party and the proposed Processing does not cause unwarranted infringement on the Data Subject’s rights;
where the Processing is necessary for the performance of a contract to which the Data Subject is a party, or for the taking of steps with a view to entering into or exiting a contract at the request of the Data Subject;
where the Processing is required by law or other regulation to which the PayRecAI is subject to, for example, the Central Bank of Ireland or another relevant regulator’s regulations/anti-money laundering and terrorist financing legislation etc; and
where the Data Subject has provided its Consent to the Processing for the specific purpose in accordance with this Policy.
4.3.2 Sensitive Personal Data
As detailed previously, Sensitive Personal Data is subject to stricter controls and the circumstances in which it can be Processed are significantly more limited than Personal Data.
PayRecAI will only Process Sensitive Personal Data where the Data Subject expressly Consents to such Processing or where one of the following conditions apply:
Processing relates to Personal Data which has already been made public by the Data Subject;
Processing is necessary for the establishment, exercise or defence of legal claims;
Processing is specifically authorised or required by law;
Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent; or
further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.
4.4.3 Children’s Data
In general terms PayRecAI will not process any Personal Data in relation to a child or minor. Should any PayRecAI Entity ever be required to Process Personal Data relating to a child, in the first instance the relevant PayRecAI Entity must obtain guidance and approval from the Compliance Team before any Processing of a child’s Personal Data may commence. If it is deemed appropriate the PayRecAI Entity will be required to obtain parental Consent.
4.4 Processing of Personal Data relating to criminal convictions and offences
The Processing of Personal Data relating to criminal convictions and offences or related security measures may take place subject to appropriate safeguards for the rights and freedoms of Data Subjects. There are certain conditions under which this information may be inadvertently Processed including:
the Data Subject has given explicit Consent to the Processing for one or more specified purposes except where applicable law prohibits such;
Processing is necessary and proportionate for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject prior to entering into a contract;
Processing is:
necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or
otherwise necessary for the purposes of establishing, exercising or defending legal rights;
Processing is necessary to prevent injury or other damage to the Data Subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the Data Subject or another person; or
Processing in relation to screening of potential employees. PayRecAI conducts background checks including checking for any criminal convictions of senior Employees to assess the risk of fraud or prevent fraud. Employees are notified of this in the Privacy Notice and consent to it in the initial screening form.
4.5 Higher Risk Processing Activities
The Data Protection Legislation provides that wherever the Processing of Personal Data is likely to result in increased risk to the Data Subject, PayRecAI as a Data Controller will need to, before carrying out the Processing activity, perform an assessment of the potential impact of the intended Processing on the rights and freedoms of the Data Subject (a “Data Protection Impact Assessment” or “DPIA”).
PayRecAI has identified where the Processing of Personal Data takes place globally. Following this assessment PayRecAI has not identified any activities that would be considered as posing a high risk to Data Subjects.
PayRecAI has also determined that it is unlikely that any other Service Providers will be engaging in higher risk Processing activities on behalf of PayRecAI but will keep this matter under review.
4.6 Fair Processing Information
Any Process which involves the gathering of Personal Data on an individual should contain a Privacy Notice explaining among other things what the Personal Data is to be used for and to whom it may be disclosed.
Regardless of how Personal Data is obtained (whether it is obtained from the Data Subject or from a Service Provider) the Data Subject will be provided with certain information about the Processing of their Personal Data by PayRecAI. This information will be provided either before or upon collection of the Personal Data. If the Personal Data is obtained from a Service Provider, then the Privacy Notice must be provided within a reasonable time period from obtaining the Personal Data or at the time of the first communication with the Data Subject, whichever is earlier.
This information will be provided in the form of Privacy Notice (please refer to Appendix I for a GDPR specific Privacy Notice).
Where applicable, the PayRecAI Entity, shall ensure that the Privacy Notices are kept under review annually and shall be updated as necessary to reflect non-material changes. Material changes notified to a PayRecAI Entity by any Service Providers or which otherwise come to the attention of PayRecAI shall be made on an ad-hoc basis and the Compliance Team shall instruct the provision of an updated data Privacy Notice to Data Subjects as applicable.
4.7 Data Register
PayRecAI maintains an up to date Data Register of all activities it conducts that require the Processing of Personal Data, a copy of which shall be made available to the DPA upon request. The Data Register consists of the following elements:
categories of Data Subjects;
categories of Personal Data;
Processing activity;
the grounds for Processing the Personal Data;
in which jurisdiction the Processing is conducted;
whether the Personal Data is transferred to a third party;
whether the Personal Data is transferred outside the European Economic Area; and
the retention period.
The Data Register is maintained by the Compliance Team.
Consent
While not currently anticipated, where there is no other lawful basis for Processing Personal Data then it should not be Processed unless the Data Subject has given their Consent.
For Consent to be valid, it must satisfy the following criteria:
it must be limited to specific Processing activities;
Data Subject must have been informed about the Processing activities in sufficient detail so as to be able to fully understand what they are consenting to;
it must be freely given which means that the Data Subject must have a genuine free choice as to whether they give the Consent;
the performance of a contract cannot be made conditional upon the Data Subject giving their Consent to the data Processing, unless the data Processing is required to perform the contract; and
it must be given by way of an unambiguous statement of some other clear active communication by the Data Subject, such as signing a form. Consent cannot be inferred from silence or inactivity such as the use of pre-selected boxes; and
Details of the Processing of Personal Data must be clearly distinguished from other matters that the Data Subject is asked to agree to.
Equally, where the Processing relates to Sensitive Personal Data and PayRecAI cannot rely on any other lawful ground for Processing such Sensitive Personal Data, the Data Subject’s explicit Consent shall be obtained, by way of a signed statement.
It is important to note that a Data Subject must be informed of their right to withdraw their Consent at any time. PayRecAI Entities shall put in place appropriate Processes to promptly action any withdrawal of Consent. Where a Data Subject wishes to exercise this right, they may contact the designated contact for this purpose via the contact details provided in the Privacy Notices.
Legitimate Interests
Where a PayRecAI Entity seeks to rely on Legitimate Interests to legitimise certain Processing activities, the Compliance Team must be satisfied that those Legitimate Interests are not outweighed by the interests or fundamental rights and freedoms of the relevant Data Subject.
The PayRecAI Entity must conduct a Legitimate Interests assessment (“LIA”) when relying on Legitimate Interests as a lawful basis for Processing.
This LIA will:
identify the Legitimate Interest for which PayRecAI intends Processing the Personal Data;
consider whether the Processing is necessary for the pursuit of its objectives; and
(involve the completion of a balancing test which assesses whether or not the Data Subject’s interests override the Legitimate Interests of PayRecAI.
Factors taken into account by the PayRecAI Entity in conducting the balancing test include:
the nature of the Legitimate Interests and the Data Subject’s reasonable expectations about what will happen to their data;
the impact of Processing on the Data Subject; and
any safeguards which are or could be put in place in order to limit undue impact on the Data Subject.
Where Legitimate Interests are relied upon this will be notified to the Compliance Team who will review and record the basis of reliance in line with the foregoing LIA.
The PayRecAI Entity shall provide information on any balancing test conducted by it to affected Data Subjects on request. In the event that a Data Subject objects to the Processing of Personal Data by PayRecAI on grounds of Legitimate Interests, PayRecAI shall stop the Processing of such Personal Data unless, having re-conducted the balancing test, the Compliance Team is satisfied that the Data Subject’s interests should not prevail over those of PayRecAI. Furthermore, PayRecAI will carry out a new LIA if the purpose of the Processing changes or if it becomes aware of a change in the factors relating to the outcome of the LIA previously conducted.
Transfers to Third Parties/Service Providers
Where a PayRecAI Entity is required to transfer Personal Data to, or allow access by, a Service Provider, it must be assured that Personal Data will be Processed legitimately and protected appropriately by the recipient.
Where a Service Provider is deemed to be a Data Controller, the PayRecAI Entity will enter into an appropriate agreement with the Data Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.
Where a Service Provider is deemed to be a Data Processor, the PayRecAI Entity will enter into, an adequate Processing agreement with the Data Processor. The agreement will require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in compliance with PayRecAI’ instructions. In addition, the agreement will require the Data Processor to implement appropriate technical and organisational measures to protect the Personal Data as well as procedures for providing notification mechanism of Personal Data Breaches. PayRecAI has a Standard Data Processing Clause document that should be used as a baseline template, including the provisions detailed below.
When a PayRecAI Entity is outsourcing services to a Service Provider (including Cloud Computing services), it will identify whether the Service Provider will Process Personal Data on its behalf and whether the outsourcing will entail any Third Country transfers of Personal Data. In either case, it will make sure to include, adequate provisions in the agreement for such Processing and Third Country transfers.
8.1 Article 28(3) Data Processing Agreements
Each PayRecAI Entity must ensure that it enters into a written agreement with any such Data Processors which includes provisions imposing the specific obligations set down in Article 28(3) on the relevant Third Parties.
8.2 Right of Audit and Inspection
Under its agreement with the relevant Service Provider, the PayRecAI Entity shall have a contractual right to obtain all relevant information from that Service Provider which is necessary for the Service Provider to demonstrate its compliance with the data protection obligations set down in the contract. Furthermore, the PayRecAI Entity shall have the contractual right to carry out an audit or inspection of the relevant Service Provider for such purposes.
Disclosure of Data
Each PayRecAI Entity will ensure that Personal Data is not disclosed to unauthorised third parties. All personnel acting on behalf of PayRecAI must exercise caution when asked to disclose any Personal Data to a third party and prior to completing any such transfer. PayRecAI Global Data Protection Procedure will document this and regular staff training ensures that each individual acting on behalf of PayRecAI understands their obligations in this regard.
Disclosure to third parties may be permitted where this is:
necessary to safeguard national security;
necessary for the prevention or detection of crime, in the substantial public interest and where obtaining Consent from the Data Subject would prejudice that purpose;
necessary for the administration of justice;
necessary to comply with applicable laws or regulation; or
necessary to protect the vital interests of the Data Subject, such as life and death situations, but only where their Consent cannot be obtained.
Any instances of uncertainty regarding the sharing or transfer of Personal Data should be referred to the Compliance Team.
Transferring Personal Data
10.1 Transferring outside the European Economic Area
Specific legal requirements apply to the transfer of Personal Data out of the European Economic Area (“EEA”), where transfers of data include sending data to another country or allowing that data to be accessed remotely from another country.
Personal Data must not be transferred outside the EEA unless the recipient country ensures an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission or alternatively one of the following safeguards have been put in place by or on behalf of PayRecAI:
the existence of binding corporate rules; or
the entry into a data transfer agreement between the PayRecAI Entity (or a Fund Service Provider acting as its agent) and the non-EEA recipient of the Personal Data which contains standard contractual clauses that have been approved by the European Commission.
10.2 Transfers between PayRecAI Entities
For PayRecAI to carry out its operations effectively across its global PayRecAI Entities, there may be occasions when it is necessary to transfer Personal Data from one PayRecAI Entity to another, or to allow access to the Personal Data. Should this occur, the PayRecAI Entity sending the Personal Data remains responsible for ensuring protection for that Personal Data.
PayRecAI handles the transfer of Personal Data between PayRecAI Entities, where the Personal Data is being transferred from the European Economic Area and the location of the recipient PayRecAI Entity is a Third Country, by using the Commission approved data transfer agreements supported by detailed SLAs. These agreements impose standard clauses which govern the Processing of Data Subjects’ Personal Data and must be enforced by each approved PayRecAI Entity, and their Employees.
Profiling & Automated Decision-Making
PayRecAI does not currently engage nor does it plan to engage in Profiling and Automated Decision making.
PayRecAI will only engage in Profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorised by law. Where a PayRecAI Entity utilises Profiling and automated decision-making, this will be disclosed to the relevant Data Subjects.
Data Protection by Design
To ensure that all Data Protection requirements are identified, considered and addressed, each PayRecAI Entity will ensure that material changes such as new systems or processes go through a DPIA before launch in collaboration with the Compliance Team. The subsequent findings of the DPIA must then be submitted to the PayRecAI Entity’s Chief Risk Officer and the Head of Compliance Europe for review and approval.
Where applicable, the Information Technology (IT) department, as part of its IT system and application design review Process, will cooperate with the PayRecAI Entity and the Compliance Team to assess the impact of any new technology uses on the security of Personal Data.
Data Security, Data Retention and Disposal
Each PayRecAI Entity will adopt all necessary measures to ensure that the Personal Data it collects and Processes is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject.
The measures adopted by PayRecAI to ensure Personal Data quality include:
facilitating amendments to Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification;
keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period;
the removal of Personal Data, if not compliant with any of the Data Protection principles or if the Personal Data is no longer required; and
restriction, rather than deletion of Personal Data, insofar as:
a legal or regulatory requirement or matter prohibits erasure;
erasure would impair Legitimate Interests of the Data Subject; or
the Data Subject disputes that their Personal Data is correct and it cannot be clearly ascertained whether their information is correct or incorrect.
Personal Data must not be retained for longer than is necessary for the lawful purposes for which it is Processed. To achieve this, each category of Personal Data Processed by PayRecAI Entities shall be subject to a retention period which can be justified by reference to those lawful grounds. For this purpose, this Policy should be read in conjunction with related operational procedures and Data Classification Policy.
The length of time for which PayRecAI Entities need to retain Personal Data is set out in the PayRecAI Group Data Retention Policy. This requires all PayRecAI Entities to consider the legal and contractual requirements, both minimum and maximum, that influence the retention periods.
All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
Personal Data must be disposed of securely in a way that protects the rights and privacy of Data Subjects and ensures the permanent erasure of the Personal Data. This might include shredding, disposal as confidential waste, or secure electronic deletion.
A Service Provider, acting as a Data Processor, will be contractually obliged to implement appropriate technical and organisational measures which seek to ensure that Personal Data is appropriately protected against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.
Data Subject Rights
Data Subjects are entitled to exercise certain rights in respect of their Personal Data. These are detailed within the relevant Privacy Notice and include:
the right to be informed at the time or before the Personal Data is obtained as to how their Personal Data will be Processed;
the right to obtain information regarding the Processing of their Personal Data and access to the Personal Data which PayRecAI holds about them or which is held on PayRecAI’s behalf;
the right to receive a copy of any Personal Data which PayRecAI Processes about them, including t
We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.