Privacy Statement for Users

0. EXECUTIVE SUMMARY

0.1 Why, what, where, when, who, and how (long)

Why: The first and foremost reason we ask you for personal details is to be able to offer you a smooth and seamless experience to (complete the) use our service and the services of the onramps (aka Fiat Gateways) of your choice by providing our trusted Fiat Gateway partners (which offer fiat-to-cryptocurrency conversion services) with your relevant personal information to avoid being bothered to provide this information to each Fiat Gateway again (and again and again…).

In order for you to be able to do business with a Fiat Gateway, the Fiat Gateway has to comply with relevant applicable know your customer (KYC) and anti-money laundry (AML) laws and legislation which requires KYC/AML verification. This will fall under the Fiat Gateway’s own policies, and Onramper does not process or store this data.

What: We (also) collect and process certain personal and non-personally identifiable information to offer, enable and improve our service and Platform. The non-personally identifiable information includes transactional data and product usage data. The personal identifiable information includes your wallet address. We additionally collect your email address.

What else – rights: You will have all rights granted by applicable law, such as the right to know what information we hold, the right to be forgotten, and the right to amend, correct, delete, or block your personal information

What else – security: We have implemented a range of procedures, controls and measures to prevent unauthorized access to, and the misuse of, your personal data that we process.

When: Upon registration with Onramper (or at any time thereafter), Onramper may ask you to provide, update and complete relevant required personal information in its system through the website/app on which the Onramper service is available to you.

Who: Onramper is responsible for the personal data it collects in relation to Onramper’s product and Account service, and acts as a data controller for such data. 

What about the Fiat Gateways: the processing of any (personal) data by the User when making use of the services provided by the Fiat Gateway(s) is subject to and governed by the privacy statement of the relevant Fiat Gateway.

Furthermore, Onramper may share certain personal information with its affiliated group companies (e.g. for customer service) and trusted subcontractors. Onramper is responsible for these parties (which act as data processor subject to a data processor agreement with Onramper).

How (long): We will collect and process your personal information in accordance with this privacy statement and retain your personal data for as long as necessary to manage our business relationship with you, provide Onramper services to you, and comply with applicable laws, including those related to document retention. We will also retain some data to resolve disputes or claims with third parties and, if necessary, to conduct our business

The above is a general overview. Depending on the law that applies to you, we might be required to provide some additional information. Please find below more detailed information about the use and process of your personal information.

Glossary: appendix 1 includes a glossary with relevant privacy terms and their definitions.

1. INTRODUCTION AND DEFINITIONS

1.1 About Onramper

1.1.1 We are Onramper Technologies B.V., a private limited liability company, incorporated under the laws of the Netherlands and having its registered office at Prins Hendrikkade 21 E (1012TL) in Amsterdam (trade register: 76602877). Onramper Technologies B.V. may be referred to in this document as 'we', 'us', 'our', or 'Onramper'.

1.1.2 We collect personal data via our Platform (app) and service. 

1.1.3 The personal data that Onramper collects in relation to its users depends on the context of the business relationship and their interaction with Onramper, the choices the user makes, and the products, services and functions they use.

1.2 Privacy statement and acceptance

1.2.1 This privacy statement explains how Onramper processes your personal data. 'You', 'your' or 'User' means you, the user of our service as made available on our website/app (the "Platform"), including any other natural person of whom the personal data is provided to Onramper.

1.2.2 This privacy statement applies to every group company of Onramper that is responsible for or involved in the processing of a User's personal data. Depending on the nature of the business relationship, various group companies of Onramper may be responsible for the processing of that personal data.

1.2.3 To the extent permitted or required by law, by signing up for, registering (including uploading or otherwise enabling your personal data) and/or using our services, you hereby (i) accept, acknowledge (to have read and understood) and agree to this privacy statement, and (ii) give your explicit consent to Onramper to collect, use, transfer, disclosure or process the personal data as from time to time provided or otherwise made available to us for purposes and to such recipients and locations as described in the privacy statement.

2. DATA COLLECTION

2.1 Personal data that Onramper collects

2.1.1 Personal data that you – as a User – (may) provide to us includes:

• Personal data

If you wish to open an account with us, we may collect relevant contact information from Users, such as first and last name, place/date of birth (if required), (email) addresses, (mobile) telephone numbers, preferences or special requests, etc. Furthermore, we process your (public) wallet address (in which respect we act as processor).

• Transactional data

We collect information about your transaction history with Fiat Gateways, incl. the type of virtual financial assets involved, the order volume, price, value, and information on which bank is used for a transaction identified through the processing of a part of your credit card number. This does not include any personally identifiable information.

• Usage data

Information we collect automatically about how you use our Platform (i.e. app or website) and Software (i.e. Onramper widget, API and such other software components as used or built by Onramper to render the Service) (the "Product Usage Data"), including information on the device(s) you may use (the "Device Information") and information on when, where and how you use our Platform and/or Software, including your IP address and info such as your browser type (the "Log Data"). For a more specific overview of what data and information (including personal data) is collected automatically, see below and our cookie statement [link].

• Other data

When a User communicates with Onramper, we may collect and process information about this communication. During calls with our customer service (including when being in queue or on hold), live listening and calls can be recorded for quality control and training purposes. These recordings can also be used for claims handling and fraud detection.

Recordings are kept for a limited time before they are automatically deleted unless Onramper has a legitimate interest in keeping the recording for longer. This only happens in exceptional cases, such as for fraud investigation, compliance, and legal purposes.

2.2 Information We Collect Automatically

2.2.1 Depending on the business relationship, Onramper may also automatically collect information, some of which may be personal data. This data is collected when a User uses online services such as a registration form or a user account.

The data collected may include:

• Language settings

• IP address

• Place

• Device settings

• Device operating system

• Log information

• Time of use

• URL requested

• Status report

• User-agent (information about the browser version)

• Browsing history

• Browsing behaviour

• The type of data being viewed

2.3 Other information we receive from other sources

• Fiat Gateway data

Fiat Gateways may share certain personal data with us. This can include your phone number, country, your email address and your name, but does not include credit card numbers or any other PAN or CVC data. To learn more about the data processing that occurs when making use of the services offered by Fiat Gateways, see relevant Fiat Gateways' privacy statement for more information.

• Data related to requests from law enforcement and tax authorities

Law enforcement or tax authorities may contact Onramper with additional information about Users in the event that they are affected by an investigation.

• Fraud detection & prevention, risk management & compliance

In certain cases, and as permitted by applicable law, Onramper may need to collect data from third-party sources for fraud detection and prevention, risk management, and compliance purposes (e.g. sanction/PEP screening).

3. PROCESSING PURPOSES AND SHARING

3.1 Purposes

3.1.1 Onramper uses the previously described information about Users, some of which may be personal data, where relevant, for the following purposes:

A. Registration and administration

Onramper uses account information, contact details, and financial information to manage and maintain the business relationship with the User and to render its service to you. This also applies to registration and verification purposes.

Important notice: there is no obligation for you to open an Account and provide your personal data to us. You can continue using our services without the need for an Account. The Account is optional and helps you to enjoy the verification service, if desired by you.

B. Render its service (including verification service and customer service)

We may collect email addresses in order to provide quicker check-outs, transaction history functionality and better recommendations.

Your (public) wallet address is used for sending the crypto to your wallet.

C. Other activities, including marketing

If a potential User has not yet completed the online registration, Onramper may send a reminder to complete the registration process. We believe that this extra service is useful for our (future) Users because it allows them to complete the registration without having to re-enter all registration details.

Onramper may invite Users to complete user/product reviews, ratings and scores and attend (online) events, seminars, webinars that may be relevant or interesting to them or where they can share crypto or Fiat Gateway related products and services. We may also use personal data to provide and host online forums that allow Users to find answers to frequently asked questions about the range and use of Onramper's products and services.

Marketing (e.g. newsletters): To the extent relevant to the business relationship, Onramper may use personal data for communication, including providing information about its systems or product updates, sending Onramper newsletters, and inviting Users to participate in references, promotions, or for other marketing communications. When we use personal information to send direct marketing messages electronically not for or related to our service, we offer an active opt-in option.

D. Communication with users

For any User who has signed up for an Account, Onramper may have (access to) communication with you (telephone, chatbot, email, Platform). We may use automated systems to review, scan and analyze communications for the following purposes:

• Safety

• Fraud prevention

• Compliance with legal and regulatory requirements

• Research nasty possible misconduct

• Product development and improvement

• Research

• Customer engagement (including providing information or offers to Users that we think may be of interest to them)

• Customer or technical support

Communications sent or received using Onramper's means of communication are received and stored by Onramper. We do not record all calls. If a call is recorded, each recording is kept for a limited time before being automatically deleted. This is the case unless we have determined that it is necessary to keep the recording for fraud investigation or legal purposes.

E. Analysis, improvement and research

Onramper uses the information provided to us, which may include personal data, for analytical and research purposes. This is part of our commitment to improve Onramper's products and services and to improve the user experience in respect of our Platform, Service and Software (e.g. customize the content, user experience and layout of the Platform). 

The data can also be used for identification of IT or network issues, testing purposes, troubleshooting and improving the functionality and quality of Onramper's online services. We may also record some live sessions using tools such as Hotjar and invite users to participate in surveys and other market research from time to time.

Certain Users may be invited to join a user forum to communicate with Onramper and/or to exchange experiences with other Users.

Please refer to the information Onramper provides when you are invited to participate in a survey, market research or to join an online Platform to understand how your personal data may be treated differently than described in this Privacy Statement.

F. Security, fraud detection, administration and prevention

We process the information provided to us, which may include personal data, to investigate, prevent and detect fraud and other illegal acts and to manage our Platform (including system administration). This may include personal data that a User has provided to Onramper, for example for security and verification purposes as part of the registration process, personal data collected automatically, or personal data obtained from external sources (including from guests). We also use the information to identify mal-intended usage of our Platform, Service and/or Software, prevent fraud, money laundering and unauthorized use of our Service, Platform and Software.

Onramper may also use personal data to facilitate investigation and enforcement by competent authorities, if necessary. For these purposes, personal data may be shared with law enforcement authorities.

Onramper may also use personal data for risk assessment and security purposes, including user authentication, and we use external service providers for third-party risk management. These providers help us assess the business risk profile of our Users. They may also provide us with due diligence reports from third parties, which, as permitted by applicable law, may contain potential information about criminal convictions and owner or User violations.

G. Legal, regulatory and compliance

In certain cases, Onramper must use the information provided (which may include personal data) to handle and resolve legal disputes or for regulatory investigations, risk management and (regulatory) compliance. We may also use it to enforce our agreement(s) with Users or to resolve any complaint or claim involving a User, and in accordance with internal rules and procedures.

In addition, we may need to share information about Users (including personal data) where required to do so by law or strictly necessary to respond to requests from competent authorities. This includes tax authorities, courts, other government and public authorities, or local municipalities (for example, regarding short-term rental laws). 

Finally, Onramper may use personal data for AML verification and KYC related purposes and obligations (including sanction screening for 'politically exposed persons' (PEPs) and sanctioned individuals).

If we use automated means to process personal data that produces legal effects or significantly affects you or other natural persons, we will take appropriate measures to safeguard your or the other person's rights and freedoms. This includes the right to human intervention.

3.2 Legal grounds

3.2.1 First of all, Onramper strongly believes that the User should be in control of its personal data. Therefore and save as set out otherwise below, Onramper will at all times obtain your consent before processing personal data for any services you wish to use from Onramper, including for marketing and profiling purposes or as otherwise required by law.

3.2.2 Purpose A and B: In addition to the consent, Onramper assumes the legal basis that the processing of personal data for purposes A and B is also necessary for the execution of the agreement between the User and Onramper. If the required information is not provided, Onramper may not be able to fully service a User and provide its services (such as the verification service), nor will we be able to provide customer service. 

With regard to the (public) wallet address, the legal basis is also legitimate interest in order to render our services, whereas we act as processor to the Fiat Gateways. The Personal Data is shared with subprocessors (see below) in order to process and allocate the relevant crypto as purchased with the Fiat Gateways to your wallet.

3.2.3 Purposes C to G: Onramper relies on its legitimate interest to provide its services to, or obtain services from Users, to prevent fraud and to improve its services. When we use personal data to serve the legitimate interest of Onramper or a third party, we will always balance the rights and interests of the data subject and the protection of their information against the rights and interests of Onramper and/or the third party.

3.2.4 Purpose F and G: Onramper also relies, where applicable, on compliance with legal obligations (such as lawful law enforcement requests and compliance with financial laws for AML/KYC purposes (including sanction screening)). 

3.2.5 Important notice: you can at all times withhold or withdraw your consent without detriment. If you wish to object to the processing as set out under C to G and cannot find a way to opt out directly (for example in your account settings), please contact Onramper at compliance@onramper.com.

4. SHARE WITH OTHERS

4.1 Sharing with affiliated group companies

4.1.1 To support the use of Onramper services, your information (which may include personal data) may be shared with or within Onramper affiliates. This is done for the purposes described below, subject to any contractual terms.

The purposes for sharing data within the Onramper group of companies are:

A. to offer, provide or make available services and products and to provide (customer) support;

B. to prevent, detect and investigate fraud and other illegal activities;

C. for analytical, quality, and product improvement purposes (including monitoring conversations by live listening or recording for quality and training purposes);

D. marketing activities (including news items) from which you can easily unsubscribe or unsubscribe) and to personalize online services (including personalized offers and promotions);

E. communication purposes (by email, telephone, or post) for the above purposes (including survey, market research, reviews, or ratings) or as necessary under our agreement with you;

F. legal purposes, including the handling of complaints, claims, legal claims, and for the detection of fraud (in which cases any telephone conversations may be recorded);

G. to ensure compliance with applicable (financial and privacy) laws or law enforcement.

With a view to purpose A, and insofar as applicable, Onramper relies on the legal basis that the processing of personal data is necessary for the performance of the agreement with you for the purchase, booking, reservation, order, or use of the product or service as offered by the travel provider.

Onramper further relies on its legitimate interest and that of its group companies to receive, process, and share personal data as described under B to G. This is to provide services to or obtain services from Users, including to improve the services and prevent fraud or other illegal acts. When personal data is used to serve the legitimate interest of Onramper or a third party, Onramper will always balance the rights and interests of the person concerned in protecting their personal data and the rights and interests of Onramper or the third party.

For purpose G, Onramper also relies on compliance with legal obligations where applicable (such as lawful law enforcement requests or enforcing its terms and conditions for use of the service and compliance with financial laws for AML/KYC purposes (including sanction screening)).

Finally, where needed under applicable law, Onramper will obtain your consent prior to processing your personal data, including for email marketing purposes or as otherwise required by law.

If you wish to object to the processing as set out under B to G, and cannot find a way to unsubscribe directly (for example in your account settings), please contact Onramper at compliance@onramper.com

4.2 Sharing with third parties

4.2.1 We share Users' information (which may include personal data) with third parties, as permitted by law and as set out in paragraph 8 and described below:

(a) Fiat Gateways. We may transfer, disclose, share or otherwise enable your personal data with travel providers to allow them to offer, facilitate or provide their product or service to you. Depending on the product or service used, ordered or booked by you, the details we share can include your name, contact and payment details, ID/passport information, the names of the people accompanying you and any other information or preferences you specified when you book, order or use the relevant service or product of the relevant travel provider. The travel providers shall also act as (co-) data controller upon receipt of the relevant information. Onramper and each travel provider shall each be solely responsible for the processing of personal data by itself or on its behalf in accordance with applicable data protection laws.

(b) Service providers (including suppliers, auxiliaries, and subcontractors). We share personal information with selected third-party service providers to provide our products and services, prevent and detect fraud, store data and otherwise support our business processes, or so that they can conduct business on our behalf.

(c) To the extent that you have signed up for an Account, we may share your personal data with trusted partners which conduct KYC/AML verification and screening of sanctions lists as required by applicable law. 

With regard to your wallet address, we share your this personal identifiable information with Proper Trust, A.G., a Switzerland corporation ("Exodus"), and Exodus Movement, Inc. (which all act as our sub-processors).

(d) Forced disclosure. When required by law, strictly necessary for the performance of our services, in legal proceedings, or to protect our rights or the rights of users, we disclose personal data to law enforcement agencies, research organizations or group companies.

As applicable and unless indicated otherwise, for purposes (a), (b) and (c) Onramper relies on the legal basis that the processing of personal data is necessary for the performance of a contract, and for purposes (a) to (d), Onramper relies on its legitimate interests to share, process, enable and receive personal data, and, where applicable, for (d) on compliance with legal obligations (such as lawful law enforcement requests).

Fiat Gateways may further process your personal data outside our control. Fiat Gateways may also ask for additional personal data, for instance to provide additional services, or to comply with local regulations and restrictions. If available, please read the privacy statement of the relevant Fiat Gateway to understand how they process your personal data and how to enforce your rights.

4.3 Sharing and disclosure of aggregated data

4.3.1 We may share information with third parties in an aggregated form and/or another form in which the recipient cannot identify you, for example for industry analysis or demographic profiling.

5. SECURITY, PROTECTION AND CROSS BORDER TRANSFER

5.1 You have access to your personal data via your Account.

5.2 We have procedures and controls in place to prevent unauthorized access to and misuse of personal data.

5.3 We employ industry-standard security measures designed to protect the security of all information submitted through the Software. We use appropriate business systems, controls and procedures to protect and secure information, including personal data. We also use security procedures and technical and physical restrictions to access and use the personal information on our servers. Only authorized personnel have access to personal data in the context of their work.

5.4 Onramper does not itself store any cardholder information and does not qualify as a processor, merchant, or service provider as described under Payment Card Industry Data Security Standards (PCI DSS). 

5.5 Please be aware that your data might be transferred to, processed, and stored in the United States or other non-EEA jurisdictions. Whenever we transfer your personal information out of the EEA to the U.S. or countries not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be based on a data transfer mechanism recognized by the European Commission as providing adequate protection for personal information.

6. DATA RETENTION

6.1 We retain personal data for as long as it is deemed necessary to manage the business relationship with a User, to provide Onramper services to a User, and to comply with applicable laws (including those relating to the retention of documents ), disputes, or claims with any parties, and if otherwise necessary to enable us to conduct our business.

6.2 Upon termination of the agreement with you, we will delete all your personal data in any event after 2 years after termination of the agreement (or for certain relevant personal information such longer period as required by law). 

6.2 Any personal data we hold about you as a User is subject to this privacy statement and our internal retention guidelines. If you have any questions about the specific retention periods for the different types of personal data we process, please contact Onramper at compliance@onramper.com.

7. YOUR CHOICES AND RIGHTS

7.1 Depending on where you are located or the entity of Onramper that processes your personal data, different rights may apply to the processing of that data, as set out in this privacy statement. As applicable:

• You can ask us for a copy of the personal data we hold about you,

• You can notify us of any changes to your personal information, or you can ask us to correct the personal information we hold about you,

• In certain situations, you can ask us to delete, block, amend, or restrict the personal information we hold about you, or you can object to certain ways in which we use your personal information,

• In certain situations, you can also ask us to send the personal data you provide to us to a third party.

7.2 Where we use your personal information based on your consent, you have the right to withdraw that consent at any time, subject to applicable law. Where we process your personal data on the basis of legitimate interest or public interest, you also have the right to object at any time, subject to applicable law.

7.3 Regardless of your location or the Onramper entity you have a contract with, we rely on our Users to ensure that the personal information we hold is complete, accurate, and current. Always inform us in good time of any changes or inaccuracies in your personal data.

7.4 To protect your privacy and security, we will verify your identity before responding to such request, and your request will be answered within a reasonable timeframe. We may not be able to allow you to access certain personal data in some cases e.g. if your personal data is connected with personal data of other persons, or for legal reasons. In such cases, we will provide you with an explanation why you cannot obtain this information. We may also deny your request for deletion or rectification of your personal data if you have future/ongoing service with us or due to statutory provisions, especially those affecting our accounting processes, processing of claims, for fraud detection or prevention purposes, and mandatory data retention, which may prohibit deletion or anonymization. 

8. THIRD PARTIES WE USE

We use the following third parties, which act as our data processor (unless indicated otherwise), subject to an appropriate data processing agreement.

We use Google Analytics in respect of the Product Usage Data to analyse your usage of our Platform; this data might be stored on Google Analytics’ servers. Information gathered to use Google Analytics as described in this privacy policy, is stored by Google Analytics, which has earned the independent security standard ISO 27001 certification.

Any information processed on, or through, Amazon Web Services are similarly secure by way of compliance with applicable industry-standard certifications and best practices. AWS has achieved numerous internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27701 for privacy information management, and ISO 27018 for cloud privacy, as well as SOC 2 and SOC 3 compliance.

Snowflake’s government deployments have achieved Federal Risk & Authorization Management Program (FedRAMP) Authorization to Operate (ATO) at the Moderate level. In addition, support for ITAR compliance, SOC 2 Type 2, PCI DSS compliance, and support for HITRUST compliance all validate the level of Snowflake security required by industries, and state and federal government.

ThoughtSpot has successfully completed the Service Organization Control (SOC) 2 Type II audit. The SOC 2 report verifies the suitability of the design and operating effectiveness of ThoughtSpot’s information security practices, policies, procedures, and operations to meet the standards for security, availability, and confidentiality. The ISO/IEC 27001:2013 certification specifies security management best practices and controls for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. It ensures that our ISMS is fine-tuned to keep pace with changes to security threats, essential in the fast-paced world of IT security. ThoughtSpot submits to a re-certification audit every third year, inclusive of an annual surveillance audit. ThoughtSpot’s certificate can be found here.

To enhance your experience with Onramper, we may utilise Hotjar to record user sessions. This tool helps us understand how users interact with Onramper, but will never record your personal data. Hotjar only tracks user’s navigation (e.g. where they click, scroll their mouse, or move in between pages) and protects user information by blurring images that are uploaded, and decoding text (e.g. numbers will appear as asterixis; ‘***’). All user session recordings are completely anonymous; IP/MAC addresses will not be shared.

9. DISCLAIMER

9.1 We are not responsible for any interception or interruption of any communications through the internet or for changes to or losses of data. Users of the Software are responsible for maintaining the security of any password (which needs to be unique and strong) or another form of authentication involved in obtaining access to password protected. To protect you and your data, we may suspend your use of any of the Software, without notice, pending an investigation, if any breach of security is suspected.

10. CONTACT US AND COMPLAINTS

10.1 If you have any questions, wishes, complaints or comments about how we process your personal data, or if you would like to exercise any of the rights you have under this Privacy Statement, please contact us at compliance@onramper.com. You can also contact your local data protection authority.

10.2 We handle privacy-specific questions, requests, and concerns reported to us using internal policies and procedures based on applicable privacy laws, regulations, and guidelines. We regularly review and improve this policy and procedures, also taking into account User feedback.

11. CHANGES TO THIS PRIVACY STATEMENT

This privacy statement may be amended or supplemented from time to time. If we intend to make material changes or changes that affect you, we will always contact you in advance. An example of this type of change would be if we started processing your personal data for purposes not described above. 

Version: 12 Aug 2024.APPENDIX 1 – Glossary and definitions

Some useful terms and definitions:

"Algorithm" means a computational procedure or set of instructions and rules designed to perform a specific task, solve a particular problem, or produce a machine learning or AI model.

"Anonymization" means the process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual.

"Automated processing" means a processing operation that is performed without any human intervention.

"Caching" means the saving of local copies of downloaded content, reducing the need to repeatedly download content.

"Cookie" means a small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already.

"Data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Data controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.  

"Data minimisation": The principle of "data minimisation" means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfil that purpose. 

"Data processor" means a natural or legal person (other than an employee of the controller), public authority, agency or other body which processes personal data on behalf of the controller.

"Personal data" means any information that relates to an identified or identifiable living individual (e.g. name, address, email, etc). Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data (e.g. location data, IP data, ID number, etc). Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

"PEP" (politically exposed person) means any of the following persons: (i) head of state, head of government, minister, deputy minister or state secretary, (ii) member of Parliament or member of a similar legislative body, (iii) member of the board of a political party, (iv) member of a Supreme Court, Constitutional Court or other high-level court that gives rulings against which, except in exceptional circumstances, no appeal is possible, (v) member of a court of audit or a board of directors of a central bank, (vi) ambassador, agent or senior officer of the armed forces, (vii) member of the management, supervisory or administrative bodies of a state-owned company, (viii) director, deputy director, member of the board of directors or person holding an equivalent position at an international organization, or (ix) any of their family members (child, sibling or parent) or their spouse or partner.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.