APS INTERNATIONAL LIMITED – PRIVACY POLICY

This privacy policy (amended in compliance with the new General Data Protection Regulation (GDPR), May 2018), effective as of 25th May 2018, is a commitment made by and between APS International Ltd on behalf of itself and its Affiliates/Agents (“APS”) and all individuals and/or entities that we deal with in the ordinary course of business (“Customer”).

As of the date stated above:

WHEREAS, APS International Ltd and our Customers are parties to this privacy policy whereby Customer procures certain products and services from APS International Ltd; and WHEREAS, the parties desire to agree on and to conform with the requirements of Regulation 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the collection, processing and storage of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any implementing, derivative or related legislation, rule or regulation of the European Union (“Union”), a Union member state (“Member State”), or the United Kingdom (“UK”), with respect to personal data (as defined below) that APS International Ltd collects, holds or processes (as defined below) on behalf of Customer under the GDPR regulation May 2018;

WHEREAS, all references to APS in this GDPR Guidelines shall mean APS International Ltd or the APS International Ltd Affiliate/Agent that enters a business relationship with the Customer for the provision of Services and all references to APS International Ltd shall be construed accordingly.

NOW THEREFORE, in consideration of the promises made herein and the regulations stated, the parties agree as follows:

  1. Definitions

All capitalized terms used but not defined herein shall have the same meaning as set forth in this policy document. Lower case terms used but not defined in this GDPR Guidelines, such as “personal data”, “personal data breach”, “processing”, “controller”, “processor”, “supervisory authority” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR.

  1. Scope and Roles

This GDPR policy applies to the collection, storage and processing of personal data by APS International Ltd on behalf of Customers. In this context, Customer is the controller or possessor of Customer personal data and APS International Ltd is the collector and processor of such personal data.

  1. Data Processing
  2. Where APS International Ltd is carrying out processing on behalf of Customer, APS International Ltd shall implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
  3. APS International Ltd shall not engage another processor without prior specific or general written or implied authorization from Customers. In the case of general written authorization, APS International Ltd shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes in the manner more specifically set forth herein.

APS INTERNATIONAL Ltd GDPR Data Processing Guidelines

Data collection and Processing by APS International Ltd shall be governed by the GDPR under Union or governing Member State law as set forth in the Guidelines. In particular, APS International Ltd shall:

(a) collect and process the personal data only on documented instructions or implied consent from Customer, including with regards to transfers of personal data to a third country or an international organization, unless required to do so by the Union or Member State law governing such personal data; in such a case, APS International Ltd shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) take all measures required pursuant to Article 32 of the GDPR;

(d) respect the conditions referred to in this section C for engaging another processor;

(e) taking into account the nature of the data collected and processed, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;

(f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to APS;

(g) at the choice of Customer, delete or return all the personal data to Customer after the end of the provision of services relating to processing and delete existing copies unless Union or governing Member State law requires storage of the personal data, in which case the customer will be informed of the Member State regulatory requirement upon request. Customers who wish to opt out can either unsubscribe themselves or send a request to APS to de-register them or opt them out as requested. Requests can be sent via email: [email protected] and by phone: +44 121 643 3003.

(h) make available to Customers all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to requests, including verbal and written, conducted by Customer or another auditor mandated by Customer.

  1. APS International Ltd shall immediately inform Customer if, in its opinion, an instruction from Customer to APS International Ltd infringes the GDPR or other Union or governing Member State data protection provisions.
  2. Where APS International Ltd engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in the GDPR Guidelines shall be imposed on that other processor by way of a contract or other legal act under Union or governing Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the collection and processing of customers’ data will meet the requirements of the GDPR. Where that other processor fails to fulfil those data protection obligations, APS shall (subject to the terms of the Guidelines) remain fully liable to Customer for the performance of that other processor’s obligations.
  3. Data Processing Details

The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of Customer are set forth in the GDPR Guidelines, in particular:

(a) The subject-matter of the processing is the personal data provided by the Customer to APS in respect of the products and services under the Guidelines.

(b) The duration of the processing is the duration of the provision of the products and services by APS to the customer up to and including any data storage time limits set by Regulatory requirements.

(c) The nature and purpose of the data collected and processed is in connection with the provision of the products and services offered by APS and its Agents and Affiliates.

The types of personal data APS International Ltd collects and processes:

The personal data APS International Ltd, its Agents and Affiliates collect and process may include full name, email addresses, home postal addresses, office/institution postal address, telephone number, mobile phone numbers, business cards and job titles, work section, username and passwords for accessing and using the products and services, education, certifications, professional background and training; gender, photographs, card data (for processing transactions only), bank account data (for direct deposit payments or evidence of sources of funds); government issued identification, including passport numbers (for identification); date of birth (for identification and marketing); nationality (for identification); sanction and watch list data; connection data: IP addresses and computer location details; locale data; other unique identifiers such as IP addresses or device IDs; marketing and advertising responses and preferences; results data from the products and services which may include other third-party data and other types of personal data identified in the GDPR, and/or documents, images or other content containing Personal Data submitted by or at the direction of Customer as part of our registration, transaction processing and AML/TF compliance requirements.

The categories of data subjects may include representatives and end users, including employees, contractors, temporary personnel and its Affiliates, regulators, and other individuals/partners whose personal data is submitted to APS by or at the direction of Customers as part of a transaction process.

On termination of Customer’s business relationship, APS International Ltd shall delete or return personal data, when requested, in accordance with the terms and timelines for the products and services set forth in the GDPR regulation, unless Union, governing Member State, or other applicable law requires storage of the personal data.

APS customers can see the details we hold about them by clicking on the “my account” button after they have signed in to their customer portal. This will display the information we hold about you.

Sub-processing

APS International Ltd may engage other processors for the processing of Customer personal data in accordance with GDPR safeguards. APS International Ltd shall maintain a list of such processors, which APS International Ltd may update from time to time. At least 14 days before authorizing any new such processor to process personal data, APS International Ltd shall update the list. Customer may object/opt out to the change or use of the new processor without penalty, by initiating the GDPR dispute resolution process, or in the absence of a dispute resolution procedure, and without prejudice to any applicable refund or termination rights Customer has under the Guidelines. APS International Ltd shall use reasonable endeavours to change, modify or remove the affected products or services, in order to avoid the collection and processing of Customer personal data by such new processor to which Customer reasonably objects.

Data Subject Rights

APS International Ltd shall, to the extent legally permitted, promptly notify Customer of any data subject requests received by APS International Ltd and reasonably cooperate with Customer to fulfil its obligations under the GDPR in relation to such requests. Customer shall be responsible for any reasonable costs arising from APS providing assistance to Customer to fulfil such obligations.

Data Transfer

APS International Ltd will ensure that, to the extent that any personal data originating from the UK or European Economic Area (EEA) is transferred to a country or territory outside the UK or EEA that has not received a binding adequacy decision by the European Commission or a competent national data protection authority, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the GDPR.

Security of Data collection and Processing

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of data collection and processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons (Customers), APS International Ltd shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of data collection and processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the collected and processed personal data.

  1. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  2. Customer and APS International Ltd shall take steps to ensure that any natural person acting under the authority of Customer or APS International Ltd who has access to personal data does not process them except on instructions or implied consent from Customer, unless he or she is required to do so by Union or governing Member State law.

Personal Data Breach

APS International Ltd will notify Customer without undue delay after becoming aware of a personal data breach and shall reasonably respond to Customer’s request for further information so that Customer may fulfil his/her obligations under Articles 33 and 34 of the GDPR.

Audit

The rights set out in Section C.(3)(h) are subject to the notice, confidentiality and other requirements for conducting audits set forth in the Guidelines. In the absence of such requirements in the Guidelines, the following shall apply: Audits shall be:

(a) subject to the execution of appropriate confidentiality undertakings or relying on similar obligations in the Guidelines;

(b) conducted no more than twice per year unless a demonstrated reasonable belief of non-compliance with the Guidelines has been made, upon thirty (30) days written notice and having provided a plan for such review; and

(c) conducted at a mutually agreed time and in an agreed manner.

Conflict

If there is any conflict or inconsistency between the terms of this GDPR Guidelines and the terms of the Guidelines, the terms of this GDPR Guidelines will control to the extent required by law. Otherwise, the terms of the Guidelines will control in the case of such conflict or inconsistency.

Jurisdiction

This GDPR Guidelines and any dispute or claim arising out of or in connection with it or its subject matter or formation (including any non-contractual disputes or claims) shall be governed by and construed in accordance with the governing law set forth in the Guidelines.

The parties irrevocably agree that exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this GDPR Guidelines or its subject matter or formation (including non-contractual disputes or claims) shall be the jurisdiction agreed to by the parties in the Guidelines; by default it shall be primarily assumed to be the UK / EEA member state of the customer.

By default, APS International Ltd shall assume consent is given by customers who intentionally sign up to our platforms (including our website, mobile apps and customer transactions software portals) and/or use any of APS’s products and services. Customers have the right to opt out of any data collection and processing activity conducted by APS International Ltd, its Agents and Affiliates, as long as it is reasonable and does not violate any regulatory requirement in respect of the use of such product or service.

For further information or clarification, please contact: The Data Protection Officer, APS International Ltd, 26 Moat Lane, City Gate House, Birmingham, B5 5BD; Tel: +44 121 643 3003; Email: [email protected]

Authorized representative and on behalf of APS INTERNATIONAL LTD

Lamin Sanneh: CEO – APS INTERNATIONAL LTD