- provides an overview of how the Company collects, processes and uses our clients’ personal data and informs them about their rights under the local data protection law and the EU General Data Protection Regulation (“GDPR”);
- is directed to natural persons who are either current or potential customers of the Company or are authorized representatives/agents or beneficial owners of legal entities or of natural persons which/who are current or potential customers of the Company;
- is directed to natural persons who had such a business relationship with the Company in the past;
- contains information about when we share our clients’ personal data with other third parties (for example, our service providers or suppliers).
What kind of personal information do we collect and store?
As part of our business we collect personal data from customers and potential customers that includes the following:
- Name, Surname and contact details
- Date of birth and gender
- Information about our clients’ income and wealth, including details about our clients’ assets and liabilities, account balances, trading statements, tax and financial statements
- Profession and employment details
- Location data
- Knowledge and experience in trading, risk tolerance and risk profile
- IP address, device specifications and other information relating to our clients’ trading experience
- Bank account, e-wallets and credit card details
- Details of our clients’ visits to our Website or our Apps including, but not limited to, traffic data, location data, weblogs and other communication data.
- Products clients trade with us
- Historical data about the trades and investments our clients have made, including the amount invested
- Clients’ preference for certain types of products and services
- driver’s license;
- national identity card (if applicable);
- utility bills;
- bank statement;
- electronic verification document; or
- Other information we consider necessary to our functions and activities.
- corporate documents (i.e. Certificates of incorporation, directors, shareholders etc.)
- regarding the directors and shareholders/ultimate beneficial owners we may request any information found under the Individual Clients list above.
Who may we disclose personal information to?
As part of using our clients’ personal information for the purposes set out above, we may disclose such information to:
- other companies within the XGLOBAL group who provide supporting services (e.g. back-office services);
- third-party service providers when they use our trading platforms which are provided to us by third parties (only if it is necessary);
- third-party service providers when they use our trading platforms for reporting obligations purposes (e.g. MiFIR Reporting);
- service providers and specialist advisers who have been contracted to provide us with services such as administrative, IT, financial, regulatory, compliance, insurance, research or other services;
- introducing brokers and affiliates with whom we have a mutual relationship;
- payment service providers and banks processing our clients’ transactions;
- auditors or contractors or other advisers auditing, assisting with or advising on any of our business purposes;
- courts, tribunals and applicable regulatory authorities as agreed or authorised by law or our agreement with our client;
- government bodies and law enforcement agencies where required by law and in response to other legal and regulatory requests;
- any third-party where such disclosure is required in order to enforce or apply our Terms and Conditions of Service or other relevant agreements;
- anyone authorized by our client.
Collection of personal data
The company shall collect information necessary to fulfil its legal and regulatory obligations for the provision of services and to improve our service to our clients. We will gather information and documentation to personally identify, contact or locate our clients and may gather information from third parties and/or other sources which will help us to offer our services effectively. Our clients are responsible for providing true and accurate information and for keeping us informed of any changes to their personal information or circumstances by emailing us at [email protected]. We are required to evaluate the appropriateness of the financial instruments and suitability based on three basic parameters:
- The sources of our clients’ income and wealth as well as their financial obligations
- Clients’ investment knowledge and experience, including their objectives, their knowledge and experience of the financial markets and their understanding of the risks involved.
- Clients’ experience in dealing in complex and non-complex financial instruments, especially their investment and risk attitude as they relate to such financial instruments.
Purpose of collecting and processing of personal data
Our client’s personal data is used for specific, explicit and legitimate purposes and only as required to provide quality service to our clients and to comply with applicable legislation as referred to above.
A. For the performance of a contract
The personal data collected from our clients is used to verify their identity, to construct their economic and investment profile in order to ensure that we provide our clients with products and services suitable to their requirements, knowledge and risk appetite, to manage their account with us, to process their transactions, to provide our clients with post-transaction information, to inform them of additional products and/or services relevant to their economic profile, to produce analysis and statistical data which will help us improve our products and services, and for website improvement purposes. These are necessary for the entry into or performance of our contract once signed. We will carry out regular checks to ensure that our systems are working as intended.
B. For Identity Verification purposes
The Company needs to perform its due diligence measures and apply the principles of KYC (Know-Your-Client) before entering a client relationship in order to prevent actions, such as money laundering or terrorist financing, and also to perform other duties imposed by law. Therefore, we collect from our clients identity verification information (such as images of their government issued national ID card or International Passport, or driving licence or other governmental proof of identification, as permitted by applicable laws) or other authentication information. We also request our clients to provide us with a recent Utility Bill in order to verify their address. Further to this, the Company can use third parties which carry out identity checks on its behalf.
C. For compliance with a legal obligation
There are a number of legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements. There are also various supervisory authorities whose laws and regulations we are subject to. Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls. These include amongst others transaction reporting requirements, assessment of the clients’ knowledge and experience, FATCA and CRS reporting.
D. For the purposes of safeguarding legitimate interests
We process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use our clients’ information. But even then, it must not unfairly go against what is right and best for our clients. Examples of such processing activities include:
- Initiating court proceedings and preparing our defence in litigation procedures,
- Means and processes we undertake to provide for the Company’s IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures,
- Measures to manage business and for further developing products and services,
- The transfer, assignment (whether outright or as security for obligations) and/or sale to one or more persons and/or charge and/or encumbrance over, any or all of the Company’s benefits, rights, title or interest under any agreement between the customer and the Company.
Who controls and processes our clients’ personal data
The company, and any undertakings being a member of our group, agents which we engage with for the purpose of collecting, storing and processing personal data and any third parties acting on our or their behalf, may collect, process and store personal data provided by our clients. For the purpose of processing and the storage of personal data provided by our clients in any jurisdiction within the European Union or outside of the European Union, the company can confirm this will be done in accordance with applicable laws.
Authorized Processor
The company may also use authorized external processors for client data processing, based on concluded service agreements, which are governed by instructions from our company for the protection of client related data. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract, which the company has adhered to. The list below is not an exhaustive list of the obligations of all relevant parties:
- Such third parties must only act on the written instructions of our company (unless required by law to act without such instructions);
- Ensure that people processing the data are subject to a duty of confidence;
- Take appropriate measures to ensure the security of processing;
- The rights of Clients will not be impaired in meeting with GDPR requirements;
- The security of processing, the notification of personal data breaches and data protection impact assessments will not be impaired;
- Deletion or return of all personal data as requested at the end of the contract;
- if required by law or by order of a court, administrative agency, or other government entities;
- if there are reasonable grounds showing disclosure is necessary to protect the rights, privacy, property, or safety of users or others;
- if we believe the information is related to a breach of an agreement or violation of the law, that has been, is being, or is about to be committed;
- if it is necessary for fraud protection, risk reduction, or the establishment or collection of funds owed to us;
- if it is necessary to enforce or apply the Terms and Conditions and other agreements, to pursue remedies, or to limit damages to our company;
- for other reasons allowed or required by law.
- if the information is public;
How the Company treats our clients’ personal data for marketing activities and whether profiling is used for such activities
The Company may process our clients’ personal data to inform our clients about products, services and offers that may be of interest to them. The personal data that we process for this purpose consists of information our clients provide to us and data we collect and/or infer when they use our services, such as information on our clients’ transactions. We study all such information to form a view on what we think our clients may need or what may interest them. In some cases, profiling is used, i.e. we process our clients’ data automatically with the aim of evaluating certain personal aspects in order to provide them with targeted marketing information on products. We can only use our clients’ personal data to promote our products and services to them if we have our clients’ explicit consent to do so – by clicking on the tick box during the account opening form – or in certain cases, if we consider that it is in our legitimate interest to do so. Further, our clients have the option to choose whether they wish to receive marketing related emails (company news, information about campaigns, the company’s newsletter, the company’s strategic report, etc.) at the email address they provided, by clicking the relevant tick box during the account opening form. Our clients have the right to object at any time to the processing of their personal data for marketing purposes or to unsubscribe from the provision of marketing related emails by the Company, by contacting our customer support department at any time in the following ways:
- By Email: [email protected]
- By post or in person at the Company’s Headquarters at: 162 Fragklinou Rousvelt, 1st Floor 3045, Limassol, Cyprus
Period of keeping our clients’ personal information
The Company will keep our clients’ personal data for as long as a business relationship exists with our clients, either as an individual or in respect of our dealings with a legal entity our clients are authorized to represent or of which they are the beneficial owner. Once the business relationship with our clients has ended, we are required to keep our clients’ data for a maximum period of five years to meet our regulatory and legal requirements. If reasonably necessary or required to meet other legal, contractual or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may also keep for an additional three years some of our clients’ information as required, even after the above-mentioned period. When we no longer need personal data, we securely delete or destroy it.
Our clients’ rights
Right to access
Our clients have the right to request copies of their personal data. Information must be provided without delay and at the latest within one month of receipt. The company will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Can the company charge a fee for dealing with a subject access request? We must provide a copy of the information free of charge. However, the company can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee, if applied, will be based on the administrative cost of providing the information. If at any time we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
When information is provided: The company will verify the identity of the person making the request, using reasonable means.
Right to rectification
When should personal data be rectified? Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. Our clients can make a request for rectification verbally or in writing. If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the individuals about these recipients.
How long does the company have to comply with a request for rectification? We must respond within one month. This can be extended by two months where the request for rectification is complex. Where the company is not taking action in response to a request for rectification, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
Our clients’ right to erasure
When does the right to erasure apply? The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
- the exercise or defense of legal claims.
Our clients’ right to restrict processing
When does the right to restrict processing apply? We will be required to restrict the processing of personal data in the following circumstances:
- Where an individual contests the accuracy of the personal data, we should restrict the processing until they have verified the accuracy of the personal data.
- Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our company’s legitimate grounds override those of the individual.
- When processing is unlawful, and the individual opposes erasure and requests restriction instead.
- If the company no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Our clients’ right to data portability:
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- It enables consumers to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits.
- We will respond without undue delay, and within one month. This can be extended by two months where the request is complex or where the company may receive a number of requests. We will inform the individual within one month of the receipt of request and explain why the extension is necessary, if applicable.
- Where we are not taking action in response to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
Right to object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling);
- processing for purposes of scientific/historical research and statistics.
We will stop processing the personal data unless:
- We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defense of legal claims.
Guide on data usage and subscription options
Further information on how we handle client data can be found here.
Automated decision-making
In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of our clients’ data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with them for data assessments (including on payment transactions) which are carried out in the context of combating money laundering and fraud. An account may be detected as being used in a way that is unusual for our clients’ business. These measures may also serve to protect our clients.
The Geographical Area of Processing
As a general rule, the client data is processed within the European Union/European Economic Area (EU/EEA), but in some cases it is transferred to and processed in countries outside the EU/EEA. The transfer and processing of client data outside the EU/EEA can take place provided there are appropriate safeguards in place and the actions are taken on a legal basis only. Upon request, the client may receive further details on client data transfers to countries outside the EU/EEA.
Other related information
We use appropriate technical, organizational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorized access, disclosure, alteration and destruction. Unfortunately, no company or service can guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time. Among other practices, our clients’ account is protected by a password for their privacy and security. Our clients must prevent unauthorised access to their account and Personal Information by selecting and protecting their password appropriately and limiting access to their computer or device and browser by signing off after they have finished accessing their account. Transmission of information via regular email exchange is not always completely secure. The Company takes all possible actions to protect clients’ personal data, but it cannot guarantee the security of client data that is transmitted via email; any transmission is at the clients’ own risk. Once the Company has received the client information it will use procedures and security features in an attempt to prevent unauthorised access. When our clients email the Company (via the “Contact Us” page) or use the Live Chat feature, they may be requested to provide some additional personal data, like their name or email address. Such data will be used to respond to their query and verify their identity. Emails are stored on our standard internal contact systems which are secure and cannot be accessed by unauthorised external parties.
Raising a concern
Our clients have the right to be confident that we handle their personal information responsibly and in line with good practice. If our clients have a concern about the way we are handling their information, for example if they feel we:
- are not keeping their information secure;
- hold inaccurate information about them;
- have disclosed information about them;
- are keeping information about them for longer than is necessary; or
- have collected information for one reason and are using it for something else;