Data Protection Policy

Introduction

In order to process payments and to comply with its legal and regulatory obligations, Navro will hold Personal Data about our employees, clients, suppliers and other individuals for a variety of business purposes.

This Data Protection Policy sets out how Navro Group Limited (which includes its Group Companies) (“we”, “our”, “us”, “Navro”) handles Personal Data. Our Group Companies currently comprise:

Name of company | Address | Country of incorporation | Regulated status
--- | --- | --- | ---
Navro Payments Limited | 86-90 Paul Street, 3rd Floor, London, England, EC2A 4NE | England | Authorised Electronic Money Institution
Navro Ireland Limited | Block A, George’s Quay Plaza, George’s Quay, Dublin 2, Dublin, Ireland | Ireland | Authorised Electronic Money Institution

This policy applies to all Company Personnel (“you”, “your”) to ensure that staff understand the rules governing their use of Personal Data to which they have access in the course of their work. It applies to all Personal Data that we process, regardless of the media on which that data is stored or whether it relates to past or present employees, workers, clients, supplier contacts, shareholders, website users, or any other Data Subject.

This policy sets out what we expect from our staff for Navro to comply with applicable law. Your compliance with this policy is mandatory. The Data Privacy Manager has overall responsibility for this policy and will monitor it regularly to ensure compliance.

This policy is an internal document and cannot be shared with third parties, clients or regulators without prior authorisation from the Data Privacy Manager. In particular, this policy requires staff to ensure that the Data Privacy Manager is consulted before any significant new data processing activity is initiated, so that the relevant compliance steps are addressed, and to inform the Data Privacy Manager in the event that any data is, or may be, lost.

This policy supplements our other policies relating to internet and email use, use of Navro hardware, and the employee handbook. We may supplement or amend this policy with additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff.

Where you have a specific responsibility regarding Processing, such as capturing Consent, reporting a Personal Data Breach or conducting a DPIA as referenced in this Data Protection Policy or otherwise, then you must comply with the Related Policies and Privacy Guidelines.

01 Definitions

“Account” means any entry on our systems in which an entity (legal person, person, introducer, or other entity) is able to place trades or actively engage with our products and services;

“ADM” means Automated Decision Making which is when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing;

“AML” means Anti-Money Laundering;

“Automated Processing” means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing, as are many uses of artificial intelligence (AI) where they involve the processing of Personal Data;

“CDD” means Client Due Diligence;

“Company Personnel” means all employees, workers, contractors, agency workers, consultants, directors, members and others;

“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. It is responsible for establishing practices and policies in line with Data Protection Legislation. We are the Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes;

“Criminal Convictions Data” means any data or information which we hold which relates or is connected to the criminal records of any individual. For Navro purposes this will primarily be Employees, but in some cases will include details of criminal activity from clients or persons related to clients from public sources such as news sources;

“CTO” means Chief Technical Officer;

“DPIA” means Data Privacy Impact Assessment. This comprises tools and instruments used to carry out an assessment to identify and reduce risks of a data processing activity;

“Data Protection Legislation” means:

(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.

(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of Personal Data;

“Data Privacy Manager” means a nominated individual responsible for oversight and control of data protection controls at Navro;

“Data Subject” means the identified or identifiable living individual to whom Personal Data relates;

“EDD” means Enhanced Due Diligence;

“EU GDPR” means the General Data Protection Regulation ((EU) 2016/679) of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) as it has effect in European Union law;

“FCA” means the Financial Conduct Authority;

“UK GDPR” means the regulation as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018;

“Group Companies” means the companies that are part of the Navro Group from time to time;

“Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to:

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual;

“Identifiable natural person” means one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“KYC” means Know Your Client;

“Legal Basis for Processing” means the lawful bases for processing as set out in Article 6 of the GDPR and UK GDPR. At least one of these must apply whenever Navro processes Personal Data. We must also tell the client which basis applies, so that they understand what data we are processing and why:

(a) “Consent” means that the individual has given clear consent for you to process their Personal Data for a specific purpose.

(b) “Contract” means that the Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) “Legal obligation” means that the processing is necessary for you to comply with the law (not including contractual obligations).

(d) “Vital interests” means the processing is necessary to protect someone’s life.

(e) “Public task” means that the Processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) “Legitimate interests” means that the Processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s Personal Data which overrides those legitimate interests;

“Personal Data” means “any information that relates to an identified or identifiable natural person” or individual (‘data subject’) (Article 4 GDPR); or “any information relating to an identified or identifiable living individual” (Section 3(2) DPA 2018);

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

“Payment Services Regulations” means the Payment Services Regulations 2017 which is the core piece of legislation governing offering payment services. It also defines the core legislative obligations which Navro has towards its clients in terms of consumer protections and controls which must be in place to protect consumers and the financial services sector in general;

“Payment Services User” means a natural or legal person making use of a payment service.

“Privacy by Design” means implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the UK GDPR;

“Privacy Guidelines” means the Company guidelines in respect of Data Protection Legislation provided to assist in interpreting and implementing this Data Protection Policy and Related Policies [LINK TO RELATED POLICIES].

“Privacy Policy” means our separate privacy notice setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of:

(a) general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy); or

(b) stand-alone, one-time privacy statements covering Processing related to a specific purpose;

“Processing” or “Process”: any activity that involves the use of Personal Data. It includes:

(a) collection, recording, organisation, structuring or storage,

(b) adaptation or alteration,

(c) retrieval, consultation or use,

(d) disclosure by transmission, dissemination or otherwise making available,

(e) alignment or combination, or

(f) restriction, erasure or destruction.

Processing also includes transmitting or transferring Personal Data to third parties;

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.

“Prospect” means any entry on our systems (Legal Person, Person, introducer, or other entity) which is being marketed to, engaging with, or is seeking to utilise our products and services, but has not yet been validated or approved by the Operations team as a client.

“Pseudonymisation” means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

“Related Policies” means Navro’s policies, operating procedures or processes related to this Data Protection Policy and designed to protect Personal Data which include but are not limited to our Website Privacy Policy (Schedule 1), Cookie Policy (Schedule 2), Cyber-Security Policy (Schedule 3), Candidate Privacy Notice (Schedule 4) and Employee Privacy Notice (Schedule 5).

These are available here: Policy Library.

“Sensitive Payment Data” is defined in the Payment Services Regulations 2017 and means information, including personal security credentials, which could be used to carry out fraud; but in relation to account information services and payment initiation services does not include the name of an account holder or an account number.

“Special Categories of Personal Data” includes any data we hold which is Personal Data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or conditions, sexual life, sexual orientation, biometric or genetic data. Any use of such sensitive Personal Data must be strictly controlled in accordance with this policy. Any Criminal Convictions Data which we hold will also be treated as Special Categories of Personal Data;

“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 GDPR to be responsible for monitoring the application of Data Protection Legislation. In Ireland, this is the Data Protection Commission. In the UK, the relevant regulator is the Information Commissioner’s Office (“ICO”).

02 Scope of Policy and Internal Governance

We recognise that the correct and lawful treatment of Personal Data will maintain confidence in our organisation and will provide for successful business operations and relationships. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. We are exposed to potential fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the Data Protection Legislation.

Navro acts as Data Controller for its regulatory, compliance and onboarding processing, and as Data Processor when executing payment transactions on behalf of payroll providers and employers.

The applicable role depends on the specific processing activity, as follows:

(a) Navro is Controller for employer director and owner data processed for KYC, onboarding and safeguarding;

(b) Navro is Controller for staff data processed for AML, sanctions screening and regulatory record-keeping, as Navro alone determines the purpose and means of that processing; and

(c) Navro is Processor for staff payment data processed solely to execute payment instructions given by the employer or payroll provider, where Navro cannot make independent payroll decisions.

All Company Personnel must correctly identify Navro’s role before handling personal data in any given context. Where Navro acts as Controller (categories (a) and (b)), the provisions of this policy apply in full and Navro is accountable for the processing. Where Navro acts as Processor (category (c)), the specific obligations in clause 27 also apply and take precedence in the event of any inconsistency. We must be able to demonstrate that our Processing is performed in compliance with Data Protection Legislation in either capacity.

Please refer to clause 27 for applicable provisions where Navro acts as a Processor.

All CEOs, individual business owners, units, departments and line managers are responsible for ensuring that all Company Personnel comply with this Data Protection Policy, and must implement appropriate practices, processes, controls and training to ensure that compliance.

The Data Privacy Manager is responsible for overseeing this Data Protection Policy and developing any Related Policies and Privacy Guidelines, and is the firm’s central point of contact and representative for data protection purposes. This post is currently held by Mike Southgate, who can be reached at 020 4571 4244 and mike@Navro.com.

The Data Privacy Manager is responsible for the following:

(a) keeping the board updated about data protection responsibilities, risks and issues;

(b) reviewing all data protection procedures and policies on a regular basis;

(c) reviewing the data structure of Navro and making recommendations as to the structure and storage of key data;

(d) arranging data protection training and advice for all staff members and those included in this policy;

(e) answering questions on data protection from staff, board members and other stakeholders;

(f) responding to individuals such as clients and employees who wish to know which data is being held on them by Navro;

(g) checking and approving any contracts or agreements regarding data processing with third parties that handle the company’s data; and

(h) reviewing relevant agreements to ensure that they comply with the above requirements.

Where Navro is acting as Processor (see clause 27), the Data Privacy Manager is also responsible for:

(a) reviewing relevant agreements to ensure that they clearly indicate that Navro is acting as a Processor in the arrangement;

(b) reviewing processes of data to ensure that the practical or operational application of such agreements meets our obligations to act only as a Processor; and

(c) ensuring that the Controllers of data in such situations are aware of their obligations and their position (including ensuring that this is suitably captured in our contracts).

The Data Privacy Manager cannot, alone, operate and control all data protection responsibilities, particularly around the systems and infrastructure which are the primary source of Navro data. The CTO will also accept the following responsibilities, which aim to support the Data Privacy Manager:

(a) ensuring all systems, services, software and equipment meet acceptable security standards;

(b) checking and scanning security hardware and software regularly to ensure it is functioning properly;

(c) researching third-party services, such as cloud services the company is considering using to store or process data; and

(d) ensuring that the structure and engineering properties of our systems are capable of conforming to this policy.

The Data Privacy Manager will retain responsibility for informing the board of the nature and purpose of their obligations under Data Protection Legislation, but cannot operate in a silo. The Data Privacy Manager must therefore be supported by the board of Navro and given access to certain materials and resources to enable the Data Privacy Manager to perform his/her role. Where the board fails to support the Data Privacy Manager, it may ultimately retain responsibility for the failures of the Data Privacy Manager. In order to ensure that the Data Privacy Manager is supported, the board must:

(a) ensure that the Data Privacy Manager has sufficient resources in order to meet the obligations of Data Protection Legislation; and

(b) ensure that the Data Privacy Manager has sufficient seniority and is sufficiently qualified to enact any relevant changes needed.

Please contact the Data Privacy Manager with any questions about the operation of this Data Protection Policy, the Data Protection Legislation or if you have any concerns that this Data Protection Policy is not being or has not been followed. In particular, you must always contact the Data Privacy Manager in the following circumstances:

(a) if you are unsure of the lawful basis on which you are relying to process Personal Data (including the legitimate interests used by the Company) (see clause 5);

(b) if you need to rely on Consent or need to capture explicit Consent (see clause 5);

(c) if you need to draft Privacy Notices (see clause 7);

(d) if you are unsure about the retention period for the Personal Data being Processed (see clause 11);

(e) if you are unsure what security or other measures you need to implement to protect Personal Data (see clause 12);

(f) if there has been a Personal Data Breach (clause 13);

(g) if you are unsure on what basis to transfer Personal Data outside the UK or the EU (see clause 14);

(h) if you need any assistance dealing with any rights invoked by a Data Subject (see clause 15);

(i) whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA or plan to use Personal Data for purposes other than for which it was collected (see clause 19);

(j) if you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-Making (see clause 20);

(k) if you need help complying with applicable law when carrying out direct marketing activities (see clause 21);

(l) if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (including our vendors) (see clause 22).

03 Personal Data Protection Principles

We must ensure that when we obtain or process data, we do so in keeping with our terms and conditions and our legal obligations and requirements. We adhere to the principles relating to Processing of Personal Data set out in Data Protection Legislation, which requires Personal Data to be:

(a) Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);

(b) collected only for specified, explicit and legitimate purposes (purpose limitation);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (data minimisation);

(d) accurate and where necessary kept up to date (accuracy);

(e) not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (storage limitation);

(f) processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (security, integrity and confidentiality);

(g) not transferred to another country without appropriate safeguards in place (transfer limitation); and

(h) made available to Data Subjects, who must be allowed to exercise certain rights in relation to their Personal Data (Data Subjects’ rights and requests).

We are responsible for and must be able to demonstrate compliance with the data protection principles listed above. See clause 16 (Accountability).

04 Our Procedures: Lawfulness, Fairness and Transparency

Personal Data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject in accordance with the Data Subject’s rights.

You may only collect, process and share Personal Data fairly and lawfully and for specified purposes. Data Protection Legislation restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing but to ensure that we Process Personal Data fairly and without adversely affecting the Data Subject.

Data Protection Legislation allows Processing for specific purposes, some of which are set out below:

(a) the Data Subject has given his/her Consent, i.e. we have the written and explicit Consent of the individuals whose data we are processing;

(b) the Processing is necessary for the performance of a contract with the Data Subject;

(c) we have a clear compliance (legal) remit or obligation to process the data of those individuals;

(d) we have a contractual obligation to meet, which would require us to hold data (for example the data is required in order to process a payment); or

(e) to protect the Data Subject’s vital interests.

You must identify and document the legal ground being relied on for each Processing activity in accordance with our guidelines on the lawful basis for Processing Personal Data.

It should be noted that, whilst Navro believes that it could rely upon one or more of the legal bases for processing data, a separate and overriding obligation is created by section 97 of the Payment Services Regulations 2017.

Under section 97 of the Payment Services Regulations 2017, a payment service provider must not access, process or retain any Personal Data for the provision of payment services by it, unless it has the explicit Consent of the payment service user to do so.

This obligation requires that, in all cases, we must obtain the specific Consent of a Payment Service User (our client) to process their Personal Data. On this basis, Navro will seek the explicit Consent of any Payment Services User to hold their data.

05 Consent

As Controller, we must only Process Personal Data on one or more lawful bases set out in Data Protection Legislation, which include Consent.

A Data Subject Consents to Processing of their Personal Data if they clearly indicate agreement to the Processing. Consent requires affirmative action, so silence, pre-ticked boxes or inactivity will not be sufficient to indicate Consent. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.

A Data Subject must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first Consented.

When Processing Special Category data or Criminal Convictions Data, we will usually rely on a legal basis for Processing other than explicit Consent or Consent where possible. Where explicit Consent is relied on, you must issue a privacy notice to the Data Subject to capture explicit Consent.

06 Transparency (notifying Data Subjects)

Data Protection Legislation requires a Controller to provide specific information to a Data Subject depending on whether the information was collected directly from the Data Subject or from elsewhere. The information must be provided through an appropriate privacy notice which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand it.

Whenever we collect Personal Data from a Data Subject, including for HR or employment purposes, we must provide the Data Subject with all the information required by Data Protection Legislation as soon as possible after collecting or receiving the data.

When Personal Data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by Data Protection Legislation as soon as possible after collecting or receiving the data. We must also check that the Personal Data was collected by the third party in accordance with Data Protection Legislation and on a basis which contemplates our proposed Processing of that Personal Data.

If you are collecting Personal Data from a Data Subject, directly or indirectly, then you must provide the Data Subject with a privacy notice in accordance with our Related Policies and privacy guidelines.

Navro will disclose the data it holds through an additional statement that follows its terms and conditions, and will require positive confirmation (Consent) from its client that they have read and accepted these terms. Copies of our disclosures can be found in the appendices to this document.

07 Purpose Limitation

Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

You cannot use Personal Data for new, different or incompatible purposes from those disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary.

If you want to use Personal Data for a new or different purpose from that for which it was obtained, you must first contact the Data Privacy Manager for advice on how to do this in compliance with both the law and this data protection policy.

08 Data Minimisation

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

You cannot Process Personal Data for any reason unrelated to your job duties.

You may only collect Personal Data that you require to carry out your employment duties and must not collect excessive data. Ensure that any Personal Data collected is adequate and relevant for the intended purposes.

09 Accuracy

Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

You must ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant for the purpose we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

We will not process Personal Data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect it; for example, information may be obtained for KYC and due diligence purposes and later used for sanctions screening purposes.

Any individual, client or employee may ask that we correct inaccurate Personal Data relating to them. If any individual, employee or client believes that information is inaccurate, you should record the fact that the accuracy of the information is disputed and inform the Data Privacy Manager immediately.

10 Storage Limitation and Data Retention

Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. What is necessary will depend on the circumstances of each case, taking into account the reasons that the Personal Data was obtained, but should be determined in a manner consistent with our data retention guidelines.

We will maintain retention policies and procedures to ensure Personal Data is deleted after an appropriate time, unless a law requires that data be kept for a minimum time. You must comply with our data retention policy.

You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for legitimate business purpose(s) for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised from our systems in accordance with our data retention guidelines and policies. This includes requiring third parties to delete that data where applicable.

You will ensure that Data Subjects are provided with information about the period for which data is stored and how that period is determined in any applicable privacy policy or notice.

Navro shall, wherever possible, avoid storing files or data in a paper format. Instead files will be stored in a PDF format and archived on our secured servers (see clause 11.8). Paper files, where kept, will be kept in secured and locked cabinets on Navro premises.

Other files or documents will be shredded once utilised; secure shredding bins shall be provided in the office for this purpose.

Digitally stored data shall be kept in keeping with the firm’s IT security policy, which contains details of the locations of data, the segregation of certain data types and the user access levels which will be apportioned to staff. This includes, but is not limited to, requirements that:

(a) data stored on a computer should be protected by strong passwords that are changed regularly. We encourage all staff to use a password manager to create and store their passwords;

(b) all computers, systems or devices used by staff to store client data must be encrypted;

(c) data should not be stored on CDs or memory sticks outside of our network. Data stored outside of our network in this fashion will be reported to HR;

(d) the Data Privacy Manager must approve any cloud used to store data;

(e) servers containing Personal Data must be kept in a secure location, encrypted and away from general office space;

(f) data should be regularly backed up in line with the company’s backup procedures;

(g) data should never be saved directly to mobile devices such as laptops, tablets or smartphones; and

(h) all servers containing sensitive data must be approved and protected by security software and a strong firewall.

As a general rule we should not retain data which is not in use, or which has not been utilised for 12 months, unless it is subject to AML Law.

We are required to retain certain data (any data which is relevant for the prevention of money laundering) for:

(a) a minimum of five years (UK); and

(b) six years (Ireland — under section 108I of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended, from the date of the last dealing with the customer or from the date the record is made. Staff operating in the Irish jurisdiction must apply this six-year period rather than the five-year UK period)

from the date at which Navro ceases to trade with a client. Such data will be data which relates to the delivery and utilisation of our products and services, including sensitive data which may have been obtained during the course of our relationship.

Data should also be retained for prospective clients, including those who do not pass our KYC processes. This data should also be retained for five years from the date of the rejection of their application, so that it can be made available to police forces or investigators.

Where there is no ongoing activity with a client and no balance held, we will consider an account to be closed 18 months from the date of our last transaction with a client. We will move to delete data held on accounts five years from the date of our last trade with a client in relation to our UK-regulated services and six years in relation to our Ireland-regulated services.

We must delete any Personal Data in our records in accordance with clause 11.12 unless they are required for anticipated legal proceedings or we have the consent of the person to whom the Personal Data relates.

Where we hold a balance for a client after 6 years with no trading or transaction history, this will be referred to the Data Privacy Manager. Personal Data contained in the CDD information and transaction data may not be retained for any longer than ten years.

Where this is not possible, for example where we need to retain transaction entries as part of an ongoing ledger or payments system, we will hash or anonymise such data and expunge personally identifiable information where possible.

Data which must be retained under this process includes:

(a) any data obtained during the onboarding, KYC, CDD or EDD phases of our processes;

(b) copies of supporting documentation, IDs, etc., which were used as part of this process;

(c) documents relating to the approval of such a client;

(d) details of any sanctions screening operations, and the outcome of such which took place; and

(e) details of any transaction performed by the client, including details of the source of funds and destination of such funds, if paid out.

11
Security, Integrity and Confidentiality

Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we have or maintain on behalf of others, and identified risks (including encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. You must exercise particular care in protecting Special Categories of Personal Data and Criminal Convictions Data from loss and unauthorised access, use or disclosure.

You must follow all procedures and technologies we put in place to maintain the security and integrity of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

(a) Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;

(b) Integrity: Personal Data is accurate and suitable for the purpose for which it is processed; and

(c) Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.

You must comply with all applicable aspects of our [NAME OF SECURITY POLICY] OR [comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with Data Protection Legislation].

Where other organisations process Personal Data as a service on our behalf, the Data Privacy Manager will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.

12
Reporting a Personal Data Breach

Data Protection Legislation requires Controllers to notify any Personal Data Breach to the relevant Supervisory Authority (for EU member states) and the Information Commissioner's Office (for the UK) and, in certain instances, the Data Subject.

Even when acting solely as a Processor, all members of staff have an obligation to report actual or potential data protection compliance failures.

We have put in place procedures to deal with any suspected Personal Data Breach and will notify the Data Subject or any applicable regulator where we are legally required to do so. We are obliged to report any such breach:

(a) without undue delay to the FCA where it could have a significant adverse impact on our reputation or could affect our ability to continue to provide adequate services to our customers and could result in serious detriment to a customer or our business; and/or

(b) without undue delay to the Central Bank of Ireland where there are material breaches of legislative or supervisory requirements; and

(c) within 72 hours of becoming aware of the breach, to the Data Protection Commission (breaches relating to Data Subjects in Ireland) and/or the Information Commissioner’s Office (breaches relating to Data Subjects in the UK), as applicable.

If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the person or team designated as the key point of contact for Personal Data Breaches: in the first instance, your line manager or the Data Privacy Manager. You should preserve all evidence relating to the potential Personal Data Breach. This allows us to:

(a) investigate the failure and take remedial steps if necessary;

(b) maintain a register of compliance failures;

(c) notify the Supervisory Authority or the ICO of any compliance failures that are material either in their own right or as part of a pattern of failures; and

(d) if appropriate, notify the FCA or CBI as applicable.

Please refer to our employee handbook for more details on our reporting procedure.

13
Transfer limitation: Cross-Border Transfers

Data Protection Legislation restricts data transfers to third countries (i.e. countries outside the UK or the EU as applicable) to ensure that the level of data protection afforded to individuals by the Data Protection Legislation is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.

You must comply with our guidelines on cross-border transfers.

You may only transfer Personal Data outside the UK or the EU (as applicable) if one of the following conditions applies:

(a) the UK or European Commission (depending on whether the data is being transferred from the UK or the EU) has issued regulations (an adequacy decision) confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subject's rights and freedoms;

(b) appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved for use in the UK or the EU (as appropriate), an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Data Privacy Manager. For cross-border transfers from the UK, these standard contractual clauses will comprise either the UK Addendum or the International Data Transfer Agreement (IDTA);

(c) the Data Subject has provided explicit Consent to the proposed transfer after being informed of any potential risks; or

(d) the transfer is necessary for one of the other reasons set out in Data Protection Legislation, including:

(i) the performance of a contract between us and the Data Subject;

(ii) reasons of public interest;

(iii) to establish, exercise or defend legal claims;

(iv) to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent; and

(v) in some limited cases, for our legitimate interest.

Where the transmission of data is required for the completion of a contract (for example where Navro is required to include certain data in a payment, such as details of the remitter, or to provide data on the remitter to a third party to clear a sanctions hit or similar), Navro may provide such data, but only where it is required for the completion of the contract.

Where we are utilising suppliers, including CRM tools or cloud-based providers, we shall ensure that such services are located inside the UK or the EU (as applicable) or that we have adequate safeguards in place.

14
Data Subject’s rights and requests

A Data Subject has rights when it comes to how we handle their Personal Data. These include rights to:

(a) withdraw Consent to Processing at any time;

(b) receive certain information about the Controller's Processing activities;

(c) request access to their Personal Data that we hold;

(d) prevent our use of their Personal Data for direct marketing purposes;

(e) ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;

(f) restrict Processing in specific circumstances;

(g) challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;

(h) request a copy of an agreement under which Personal Data is transferred outside of the UK;

(i) object to decisions based solely on Automated Processing, including profiling (ADM);

(j) prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;

(k) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;

(l) make a complaint to the supervisory authority; and

(m) in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.

You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).

You must immediately forward any Data Subject request you receive to the Data Privacy Manager and comply with Navro’s response procedures for data subject requests.

Where Navro is acting as Processor, the Data Subject making the request should be referred back to the Controller to fulfil this request.

15
Accountability

We must implement appropriate technical and organisational measures in an effective way to ensure compliance with data protection principles. As Controller, we are responsible for, and must be able to demonstrate, compliance with the data protection principles.

We must have adequate resources and controls in place to ensure and to document compliance with Data Protection Legislation, including:

  1. appointing a suitably qualified DPO (where necessary) and/or a Data Privacy Manager;
  2. implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;
  3. integrating data protection into internal documents including this data protection policy, Related Policies, privacy guidelines or privacy notices;
  4. regularly training Company Personnel on Data Protection Legislation, this Data Protection Policy, Related Policies and privacy guidelines, and data protection matters including, for example, a Data Subject's rights, Consent, legal basis, DPIA and Personal Data Breaches. The Company must maintain a record of training attendance by Company Personnel; and
  5. regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

16
Record keeping

Data Protection Legislation requires us to keep full and accurate records of all our data Processing activities.

You must keep and maintain accurate corporate records reflecting our Processing, including records of Data Subject Consents and procedures for obtaining Consents [in accordance with the Company's record-keeping guidelines].

These records should include as a minimum:

  1. the name and contact details of the Controller and the Data Privacy Manager; and
  2. clear descriptions of:
    1. the Personal Data types;
    2. the Data Subject types;
    3. the Processing activities;
    4. the Processing purposes;
    5. the third-party recipients of the Personal Data;
    6. the Personal Data storage locations;
    7. the Personal Data transfers;
    8. the Personal Data's retention period; and
    9. the security measures in place.

To create the records, data maps should be created which should include the detail set out above together with appropriate data flows.

17
Training and audit

We are required to ensure all Company Personnel have undergone adequate training to enable them to comply with Data Protection Legislation. We must also regularly test our systems and processes to assess compliance.

You must undergo all mandatory data privacy-related training and ensure your team undergoes similar mandatory training.

You must regularly review all the systems and processes under your control to ensure that they comply with this data protection policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.

18
Privacy by Design and Data Protection Impact Assessment (DPIA)

Privacy by Design is an approach to projects that promotes privacy and data protection compliance from the start. The Data Privacy Manager will be responsible for conducting DPIAs on any projects and for ensuring that all IT projects commence with a privacy plan, so that all data collected is relevant to the product or change which Navro is making and that collecting the proposed data is essential for Navro.

We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (such as Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.

We must assess what Privacy by Design measures can be implemented on all programmes, systems or processes that Process Personal Data by taking into account the following:

(a) the state of the art (technical feasibility);

(b) the cost of implementation;

(c) the nature, scope, context and purposes of Processing; and

(d) the risks of varying likelihood and severity for rights and freedoms of the Data Subject posed by the Processing.

The Controller must also conduct a DPIA in respect to high-risk Processing.

You should conduct a DPIA under the direction of the Data Privacy Manager when implementing major system or business change programs involving the Processing of Personal Data including:

(a) use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);

(b) Automated Processing including profiling and ADM;

(c) large-scale Processing of Special Categories of Personal Data or Criminal Convictions Data; and

(d) large-scale, systematic monitoring of a publicly accessible area.

A DPIA must include:

(a) a description of the Processing, its purposes and the Controller's legitimate interests, if appropriate;

(b) an assessment of the necessity and proportionality of the Processing in relation to its purpose;

(c) an assessment of the risk to individuals; and

(d) the risk mitigation measures in place and demonstration of compliance.

19
Automated Processing (including profiling) and Automated Decision-Making

Generally, ADM is prohibited when a decision has a legal or similar significant effect on an individual unless:

(a) a Data Subject has explicitly Consented;

(b) the Processing is authorised by law; or

(c) the Processing is necessary for the performance of or entering into a contract.

If certain types of Special Categories of Personal Data or Criminal Convictions Data are being processed, then grounds (b) or (c) will not be allowed. However, the Special Categories of Personal Data and Criminal Convictions Data can be Processed where it is necessary (unless less intrusive means can be used) for substantial public interest like fraud prevention.

If a decision is to be based solely on Automated Processing (including profiling), then the Data Subject must be informed when you first communicate with them of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be put in place to safeguard the Data Subject's rights and freedoms and legitimate interests.

We must also inform the Data Subject of the logic involved in the decision making or profiling, the significance and the envisaged consequences, and give the Data Subject the right to request human intervention, express their point of view or challenge the decision.

A DPIA must be carried out before any Automated Processing (including profiling) or ADM activities are undertaken.

20
Direct Marketing

We are subject to certain rules and privacy laws when engaging in direct marketing to our customers and prospective customers (for example when sending marketing emails or making telephone sales calls).

For example, in a business to consumer context, a Data Subject's prior Consent is generally required for electronic direct marketing (by email, text or automated calls). The limited exception for existing customers known as "soft opt-in" allows an organisation to send marketing texts or emails without Consent if it:

(a) has obtained contact details in the course of a sale to that person;

(b) is marketing similar products or services; and/or

(c) gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent marketing message.

The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

A Data Subject's objection to direct marketing must always be promptly honoured. If a customer opts out of marketing at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

You must comply with our guidelines on direct marketing to customers and you should consult the Data Privacy Manager if you are unsure regarding how to comply with either Navro’s guidelines or the law.

21
Sharing Personal Data

Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place. You must comply with the Company's guidelines on sharing data with third parties.

You may only share the Personal Data we hold with another employee, agent or representative of our group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.

You may only share the Personal Data we hold with third parties, such as our service providers, if:

(a) they have a need to know the information for the purposes of providing the contracted services;

(b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;

(c) the third party has agreed to comply with the required data security standards, policies and procedures, and put adequate security measures in place;

(d) the transfer complies with any applicable cross-border transfer restrictions; and

(e) a fully executed written contract that contains UK GDPR/GDPR-approved third party clauses has been obtained.

22
What and Whose Personal Data we Process

Navro holds Personal Data relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, persons who work for clients and persons that have a beneficial interest in clients, suppliers and marketing contacts.

Personal data that we Process includes but is not limited to: individuals' contact details, name, address, DOB, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.

23
Special Categories of Personal Data - General

As a general standard, Navro will not attempt to obtain Special Categories of Personal Data from its clients, including all elements of Special Categories of Personal Data as defined in Article 9 of Data Protection Legislation. To enforce this, we shall:

(a) not create any field or location in our CRM in which it is required that we obtain or store Special Categories of Personal Data;

(b) not create any field or location in which it is expected, or that an expectation is made, that we would hold sensitive data, even when such a field is voluntary;

(c) not request, from our clients, any Special Categories of Personal Data as part of our application forms or similar; and

(d) not use any sensitive data which we may inadvertently hold to market to or target clients based on this data.

Where exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations such as requests for information from police forces or government agencies), Navro may obtain and process this data on a case-by-case basis, with the agreement of the Data Privacy Manager.

Navro recognises that, despite the controls above, situations may arise in which such data becomes known or available to Navro. A non-exhaustive list of situations in which this may occur:

(a) Knowledge of a client's weekend activities, learned in the course of standard conversation, may result in knowledge of their political affiliations.

(b) A client’s references to a partner, boyfriend/girlfriend may provide hints or information about the individual’s sexual orientation.

(c) A client may have health related issues which resulted in them being unable to reply to emails, which they may openly disclose to us during calls or emails.

Navro acknowledges that such information may be linked to existing email chains which we need to retain, or which are of commercial value, such as email chains which include trade confirmations from clients. For this reason, we will obtain Consent from all clients which permits us to hold such sensitive Personal Data; however, we will not:

(a) utilise this data for marketing purposes;

(b) share this data with external third parties, except where required to by law; or

(c) store this data in such a way that it is categorisable, searchable or manipulable and may result in it being easily utilised for purposes other than day-to-day relationship management. We will hold and store this data in an unstructured manner.

24
Personal Data and Special Categories of Personal Data – Employees

You must take reasonable steps to ensure that Personal Data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the relevant HR Contact so that they can update your records.

You may, at any time, submit a request to the HR Team (a subject access request) in order to obtain a copy of any relevant data held on you.

You may also update or change your data via the Humaans platform.

Article 9(2)(b) of the UK GDPR and GDPR allows us to hold Special Categories of Personal Data where "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment".

For this reason, we may treat employee data differently to client data, and may intentionally hold Special Categories of Personal Data on our employees. Such data will:

(a) be held in restricted folders, accessible only by senior management who have a legitimate purpose for accessing it;

(b) not be disclosed to other employees or staff;

(c) be reviewed on an annual basis to ensure that data is not held for longer than necessary on former employees;

(d) be reviewed on an annual basis to ensure that the data held is not excessive compared to the needs of the business;

(e) be reviewed on an annual basis to ensure that the data held is up to date, accurate and relevant; and

(f) not be shared with third parties, unless legally required.

Sensitive Payment Data

It should be noted that the Payment Services Regulations 2017 contain a distinct and separate category of sensitive or Special Category Personal Data, referred to in those regulations as Sensitive Payment Data. Sensitive Payment Data means information, including personalized security credentials, which could be used to carry out fraud; but in relation to account information services and payment initiation services does not include the name of an account holder or an account number.

This category of Sensitive Payment Data is distinctly different from Special Category Personal Data as defined in the Data Protection Legislation, as in reality a large amount of information which is presented to Navro, such as the name, email address, DOB, passport or ID documents, may result in a risk of fraud if this data was to be made publicly available.

On this basis, we will take steps to enhance the protection of Sensitive Payment Data such as private information on individuals or bank details; however, because this data is required in order for us to process payments, we will have to obtain this data.

Sensitive Payment Data may also be subject to AML Law and require retention for a longer period than required under Data Protection Legislation. For example, transaction histories must be unchangeable post execution: a record relating to a beneficiary cannot be changed after a transaction has completed if this would overwrite details of a prior transaction or similar.

Transaction data should be treated as a double-entry process, in which removals, deletions or corrections to transactions are shown as a cancellation of the existing trade and a re-entry of the trade, as opposed to simply deleting the old one.

25
Navro acting as Processor

In some cases, Navro will simply pass on data from one location to another on behalf of another entity who will control the data. In this case Navro will be considered a data Processor. This means that the Controller will be responsible for all data held, and the decisions on how, where and what data we will hold will be made by the Controller and executed by us on its behalf.

We are acting as a Processor when we meet all of the following criteria:

(a) We are a separate entity from the Controller;

(b) We are following instructions from another party regarding the processing of Personal Data;

(c) We were given the Personal Data by a customer or similar third party, or told what data to collect;

(d) We do not decide to collect Personal Data from individuals;

(e) We do not decide what Personal Data should be collected from individuals;

(f) We do not decide the lawful basis for the use of that data;

(g) We do not decide what purpose or purposes the data will be used for;

(h) We do not decide whether to disclose the data, or to whom;

(i) We do not decide how long to retain the data;

(j) We may make some decisions on how data is processed, but implement these decisions under a contract with someone else;

(k) We are not interested in the end result of the processing; and

(l) We are subject to monitoring by the other party.

When we are acting as the Processor in such situations, we must have a contractual relationship with the firm or entity which is acting as the Controller, and who has defined Navro as the Processor on its behalf.

In order to comply with our regulatory obligations we need to ensure that our partners or counterparties who process data on our behalf are safe, secure and compliant with Data Protection Legislation. In order to achieve this, we conduct a vendor assessment of all suppliers by way of our Vendor Management Questionnaire.

If we are acting as a Processor, our obligations include but are not limited to:

(a) only Processing the Personal Data in accordance with the Controller’s written instructions;

(b) maintaining the confidentiality of the Personal Data and not disclosing the Personal Data to third parties without the prior consent of the Controller or as required by a regulatory authority or by applicable law. If this applies, we must notify the Controller beforehand so they have an opportunity to object or challenge the requirement;

(c) reasonably assisting the Controller at no additional cost with meeting its obligations under Data Protection Legislation;

(d) only collecting Personal Data for the Controller using a notice or method approved in writing by the Controller;

(e) ensuring our employees are informed of the confidential nature of the Personal Data, are bound by confidentiality obligations and use restrictions regarding the Personal Data, and have undertaken relevant data protection training;

(f) implementing appropriate technical and organisational measures against unlawful or unauthorised Processing of the Personal Data;

(g) notifying the Controller of any Personal Data Breach without undue delay and in any event within 24 hours of becoming aware of the breach, providing details of the nature of the breach, the categories and approximate number of affected Data Subjects and data records, the likely consequences, and the measures taken or proposed to address it. Staff must escalate any suspected breach involving Processor data to the Data Privacy Manager immediately upon discovery;

(h) only carrying out cross-border transfers of data with the Controller's prior written consent and using an agreed appropriate transfer mechanism;

(i) only engaging sub-processors in accordance with the general authorisation granted under our Data Privacy Addendum. Navro maintains a current list of approved sub-processors at Annex A to this Policy. Where Navro intends to add or replace a sub-processor, the Data Privacy Manager must update Annex A and notify the relevant Controller in advance with reasonable notice. Any Controller objection received in writing within ten business days must be escalated to the Data Privacy Manager for good-faith resolution; and

(j) where Navro is acting as Processor for payment execution purposes, ensuring that payment data is used exclusively to execute the specific payment instruction and for no other purpose. Staff must not use payment execution data to make independent decisions about the underlying payroll, amend or supplement the payment instructions, or share the data with any party other than as required to complete the payment. Any Data Subject who contacts Navro directly to exercise their data protection rights in respect of payment execution data must be informed promptly (and in any event within five working days) that the relevant Data Controller is their employer or payroll provider, and directed to contact that party. The Data Privacy Manager must be notified and the request forwarded to the relevant Controller without undue delay.

We must ensure that when we are Processing data as a Processor, we do so in keeping with our terms and conditions with the Controller and within our legal obligations and requirements. We will obtain data only when:

(a) the collection or Processing of the data is necessary to deliver our services;

(b) we are provided data by the Controller for this purpose; and

(c) we are acting in accordance with our written agreement with the Controller.

The rights of individuals in relation to their data are handled between the Controller and the Data Subject. We shall ensure that in all cases where we are to be considered a Processor, the Controller has in place sufficient controls to obtain and handle clients’ data. We achieve this through contractual terms and conditions.

We will process Personal Data under the provisions of our contract with a Controller, and will only hold Personal Data in this way when we are required to do so for the performance of a contract between us and a data Processor.

26
Data Audit and Register

Regular data audits to manage and mitigate risks will be carried out to inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

27
Consequences of failing to comply

We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.

The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures, which may result in dismissal.

28
Changes to this Data Protection Policy

We keep this Data Protection Policy under regular review. This version was last updated on 13-04-2026.

This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where Navro operates.

29
ANNEX A — APPROVED SUB-PROCESSORS

This Annex sets out Navro’s current list of approved Sub-processors engaged in processing Personal Data in connection with the provision of Navro’s payment and e-money services. It is maintained by the Data Privacy Manager and updated in tandem with Annex 3 of the Data Privacy Addendum in accordance with clause 27(i) of this Policy. Last updated: April 2026.

Notes:

(1) Sub-processors marked as providing services only for specific payment types (stablecoin/crypto, APAC, USA) will not access Personal Data unless and until those payment capabilities are activated for the relevant customer.

(2) Intragroup Sub-processors (Navro Group Limited, Navro Payments Europe Limited, Navro Payments Limited) process data pursuant to intragroup data sharing arrangements subject to equivalent data protection obligations.

(3) Transfers to Sub-processors located outside the UK or EEA are subject to appropriate safeguards, including Standard Contractual Clauses and/or UK International Data Transfer Addenda as applicable.

Name, Registration No. & Address
Location(s)
Services Provided
Data Accessed / Processed

Navro Group Limited (13854324)
3rd Floor, 86-90 Paul Street,
London EC2A 4NE

UK

IT services to the Navro Group; intragroup data holder

All data (intragroup)

Navro Payments Europe Limited (726727)
Block A, George’s Quay Plaza,
George’s Quay, Dublin 2

Ireland

Intragroup outsourcing — performs functions of Navro UK on outsourced basis (subject to client approval)

All data (intragroup)

Navro Payments Limited (14173853)
3rd Floor, 86-90 Paul Street,
London EC2A 4NE

UK

Intragroup outsourcing — performs functions of Navro Payments Europe on outsourced basis (subject to client approval)

All data (intragroup)

Flagright Ltd (16218625)
1 King William Street, London
EC4N 7AF

UK

Transaction monitoring and financial crime monitoring software

Transaction and payments data; account numbers; remitter and beneficiary details

LexisNexis (LNRS UK Ltd) (07416642)
Dunleavy Drive, Cardiff CF11 0SN

UK

Transaction monitoring; sanctions screening; corporate data and payment detail enrichment (TruNarrative, Accuity, ComplianceLink)

Transaction and payments data; remitter and beneficiary details (name, address)

Dun and Bradstreet Limited (16004)
The Point, 37 North Wharf Road, London W2 1AF

UK

Corporate data provider — ownership information, credit and accounting data

Directors’ and shareholders’ name, address and DOB

International Payments Identity (iPiD) Pte. Ltd (UEN 202121027G)
80 Robinson Road #18-03, Singapore

Singapore

Payment data lookup — confirmation and verification of payee (name and bank account)

Payment data; beneficiary name and account number

CreditSafeUK Limited (07941342)
Caspian Point One, Pierhead Street, Cardiff CF10 4DQ

UK

Corporate data provider

Directors’ and shareholders’ name, address and DOB

Veriff
Cedarhurst Building, Arkle Rd, Sandyford Business Park, Dublin 18

Ireland

Identity verification — verifies name, DOB and biometric data for KYC onboarding

Individual name, DOB, address and biometric ID details

Amazon Web Services EMEA SARL (AWS) (FC034225)
Principal Place, Worship Street, London EC2A 2FA

UK, Ireland

Web hosting and cloud infrastructure

All client and transactional data

MongoDB UK Limited (07830865)
12th Floor, 240 Blackfriars Road, London SE1 8NW

UK

Database infrastructure

All client and transactional data

Google UK Limited (03977902)
Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ

UK

Cloud hosting, email and Google Drive / storage solutions

All client and transactional data

Citibank Europe PLC (1327811)
North Wall Quay, Dublin 1
Citi Commercial Bank, 113 Canada Square, London E14 5LB

UK, Ireland, USA

Banking services and payments infrastructure

Transaction data: remitter/beneficiary name, address, phone, personal ID, bank account details

JP Morgan Chase and Co (27135927)
270 Park Ave 12th FL, New York
UK: 25 Bank Street, Canary Wharf, London E14 5JP

UK, Ireland, USA

Banking services and payments infrastructure

Transaction data: remitter/beneficiary name, address, phone, personal ID, bank account details

Natwest Markets PLC (SC090312)
36 St Andrew Square, Edinburgh EH2 2YB

UK

Banking services and payments infrastructure

Transaction data: remitter/beneficiary name, address, phone, personal ID, bank account details

Salesforce Inc (5094083)
Floor 26, Salesforce Tower, 110 Bishopsgate, London EC2N 4AY, United Kingdom

UK

Salesforce provides the Navro CRM; customer interactions, emails, KYC material and similar records may be stored here.

All Client data including KYC and client communications, no transactional data.

Anthropic Ireland Limited (760497)
6th Floor South Bank House, Barrow Street, Dublin 4

Ireland

AI analytics, research and document creation. No data storage functionality; Navro data not used for model training.

All data (transient; not stored or used for training)

FormLogic Ltd. (513814913)
Harbaa 30, Tel Aviv, Israel, 6473926

Israel

FormTitan is a pass-through process: it does not store any data and is transient only. It is used to create forms that pass data into Salesforce.

This service is only used if you use Web Forms to provide Navro with data.

All data (transient; not stored or used for training)

HSBC Bank US
452 Fifth Ave, New York NY 10018

USA

Banking services and payments infrastructure — USA accounts only

USA only — transaction data: remitter/beneficiary name, address, phone, personal ID, account details

System Pay Services Solutions Spain S.L.U. (BVNK)
C/ Sancho de Avila 105, 08018 Barcelona

Spain

Stablecoin/crypto payments infrastructure — not used unless stablecoin capability is activated

Stablecoin/crypto only — transaction data as per standard banking services

System Pay Services (Malta) Ltd
Ruby Workspaces, Office 3, Pendergardens, St. Julians, Malta

Malta

Stablecoin/crypto payments infrastructure — not used unless stablecoin capability is activated

Stablecoin/crypto only — transaction data as per standard banking services

Mynd Solutions Asia Pte. Ltd (201218882Z)
151 Chin Swee Road #03-29, Manhattan House, Singapore 169876

Singapore

APAC payments infrastructure — local and domestic payments only (stat and tax payments in Asia)

APAC only — transaction data: remitter/beneficiary name, address, phone, personal ID, account details

CaixaBank S.A. (A08663619)
Carrer Pintor Sorolla, 2-4, 46002 Valencia, Spain

Spain

Banking services and payments infrastructure — Spain local and domestic payments only (pending activation)

Pending — transaction data as per standard banking services
