Data Protection
Data Sharing Agreement (Controller-to-Controller)
PARTIES
1. The Client, as defined in the Master Service Agreement (hereinafter the ‘Client’ or ‘Disclosing Data Controller’);
2. The Service Provider(s), as defined in the Master Service Agreement (hereinafter ‘Service Provider’ or ‘Receiving Data Controller’ and together ‘Service Providers’ or ‘Receiving Data Controllers’).
Each a ‘Party’ and together the ‘Parties’. All terms used in this Agreement shall have the meanings ascribed to them under the General Data Protection Regulation (EU) 2016/679 (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the Gibraltar GDPR, as applicable.
1. PURPOSE
1.1 The Client collects personal data for compliance with Anti-Money Laundering & Counter-Terrorist Financing (AML & CTF) and Sanctions screening requirements and in order to provide its services to end users (‘Data Subjects’).
1.2 The Client shares the data with the Service Provider, which acts as an independent Data Controller and requires the data for the purposes of its own regulatory compliance with AML & CTF and Sanctions screening requirements, including obligations under the Travel Rule laws and regulations applicable to payments and cryptocurrency service providers, and in order to provide the respective service to the Client.
1.3 This Agreement governs the sharing of personal data in compliance with the General Data Protection Regulation (EU GDPR), the UK GDPR, and the Gibraltar GDPR.
2. SHARED PERSONAL DATA
2.1 The following categories of personal data can be shared under this Agreement:
a) First Name and Last Name;
b) Full Address (Country, Postal Code, Town/City, Street Name, House Number);
c) Official Personal Document Number (e.g., Passport Number), Customer Identification Number, Date and Place of Birth;
d) Payment account numbers or wallet addresses;
e) Email (in case of data subject access requests).
3. LEGAL BASIS FOR PROCESSING AND SHARING
3.1 Each Party shall ensure that at all times it has a valid legal basis for processing the personal data, which includes but is not limited to the following:
a) processing necessary for the performance of a contract (Article 6(1)(b) GDPR);
b) processing necessary for compliance with a legal obligation, specifically for AML & CTF and Travel Rule compliance (Article 6(1)(c) GDPR);
c) processing necessary for substantial public interest (Article 6(1)(e) GDPR);
d) processing necessary for legitimate interests (Article 6(1)(f) GDPR), such as ensuring secure and lawful payments or cryptocurrency transactions.
4. DATA TRANSFERS
4.1 The sharing of personal data may require it to be transferred outside the EU and UK, including but not limited to Gibraltar, the Philippines and Switzerland.
4.2 Any such transfers shall comply with applicable GDPR requirements, including Standard Contractual Clauses or adequacy decisions where required.
4.3 Where the sharing of Personal Data involves a transfer to a jurisdiction outside the EU or UK and where no adequacy decision applies, the Parties agree that the transfer shall be governed by the following Standard Contractual Clauses (SCCs):
a) For data transfers subject to the EU GDPR, the SCCs as detailed in Appendix I of this Agreement.
b) For data transfers subject to the UK GDPR, the SCCs approved by the UK Information Commissioner’s Office (ICO) under the UK Addendum to the EU SCCs, as detailed in Appendix II of this Agreement and applicable together with Appendix I of this Agreement.
4.4 The Parties acknowledge that these SCCs shall apply to the extent required under the respective clauses of the EU GDPR, UK GDPR, and Gibraltar GDPR, ensuring appropriate safeguards for cross-border data transfers.
4.5 In the event of any conflict between the terms of this Agreement and the SCCs, the SCCs shall take precedence concerning cross-border data transfers.
5. HOW SHARED DATA IS USED
5.1 Shared Personal Data will be used by the Receiving Data Controller to assess eligibility for financial services, process transactions, and fulfil contractual as well as regulatory obligations related to traditional and cryptocurrency payments.
5.2 The Receiving Data Controller may process Shared Personal Data to verify identity, prevent fraud and comply with financial crime regulations.
5.3 The Receiving Data Controller may process personal data as follows:
a) to screen against Sanctions lists (e.g., OFAC, EU, UK, UN sanctions lists);
b) to screen individuals against Politically Exposed Persons (PEP) databases to identify high-risk individuals;
c) to screen individuals against adverse media databases and open-source intelligence to detect links to financial crime, fraud, or corruption;
d) to conduct media searches and public domain checks to identify risks related to money laundering or terrorism financing;
e) to review potential risks based on past criminal history, where legally permitted;
f) to compare the data with available data or third-party sources in an attempt to verify the identity of the individual.
5.4 The Receiving Data Controller may use automated decision-making and profiling to process Shared Personal Data to predict risks or outcomes for the purposes of AML & CTF and sanctions screening, identity verification and fraud detection. These processes may involve artificial intelligence or similar technologies to evaluate risk and compliance factors without initial human input. Where required by applicable law, such processing shall include appropriate safeguards, including the right to obtain human intervention, contest decisions, and express a point of view.
5.5 For the purposes outlined in Section 5, the Receiving Data Controller may share Shared Personal Data with group entities or third-party service providers acting as data processors. These processors may assist with identity verification, sanctions and adverse media screening, fraud detection, transaction monitoring, or other compliance-related functions. The Receiving Data Controller shall ensure that any such processor is engaged under a written agreement containing data protection obligations consistent with applicable data protection laws and this Agreement.
6. NOTIFICATION TO DATA SUBJECTS
6.1 Only the Disclosing Data Controller interacts with Data Subjects and has an established legal relationship with them. The Disclosing Data Controller shall therefore be primarily responsible for providing clear, detailed, and accurate information to Data Subjects regarding the disclosure of their personal data to the Receiving Data Controller and its subsequent processing, in compliance with applicable laws and under this Agreement.
6.2 Such notification shall include, at a minimum:
a) The identity of the Receiving Data Controller and its role in processing the personal data.
b) The types of personal data being shared, as set out in this Agreement.
c) The purpose and legal basis for the processing by the Receiving Data Controller, as set out in this Agreement.
d) Details of any international transfers and applicable safeguards, as set out in this Agreement.
e) The rights of Data Subjects and how they can exercise them.
f) How the Data Subjects can contact the Receiving Data Controller regarding their data.
6.3 The Disclosing Data Controller shall ensure that its Privacy Policy and other communications clearly reflect this data sharing arrangement and shall provide the Receiving Data Controller with reasonable assistance in responding to Data Subject inquiries, where necessary.
6.4 The Receiving Data Controller shall make publicly accessible a privacy notice that covers the processing of personal data under this Agreement, and shall provide a copy of or link to it to the Disclosing Data Controller for reference in its own privacy notice.
7. SECURITY MEASURES
7.1 Each Party shall implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse.
7.2 The Parties agree that the security measures detailed in Section 9 of Annex 1 of the Data Processing Agreement signed between the Client and the respective Service Provider shall also apply to each of the Parties in relation to data sharing under this Agreement.
8. DATA SUBJECT RIGHTS
8.1 The Parties shall facilitate the exercise of Data Subject rights in accordance with the applicable articles of the GDPR, including:
a) Right of access, rectification, and erasure;
b) Right to restriction of processing;
c) Right to data portability;
d) Right to object, unless the processing is required for legal compliance under AML/KYC regulations.
8.2 The Disclosing Data Controller shall be the primary contact point for Data Subject requests related to the collection, processing or transfer of their personal data. Where a Data Subject request relates to the processing of data after it was transferred to the Receiving Data Controller, the Disclosing Data Controller shall immediately, and no later than within 12 hours, inform the Receiving Data Controller of such request and its contents and, where required, shall provide the Data Subject with the contact details of the Receiving Data Controller, which are as follows: dpo@getorbital.com. Both Parties shall fully cooperate and support each other in responding to such requests in accordance with applicable law, including forwarding requests without undue delay and sharing response timelines.
9. DATA RETENTION AND DELETION
9.1 Each Party shall retain personal data only for as long as legally required.
9.2 Upon expiration of the required retention periods, personal data shall be securely deleted or anonymised.
10. DATA BREACHES
10.1 Each Party shall notify the other of any data breach affecting shared personal data within 24 hours of discovery.
10.2 Each Party shall take immediate steps to mitigate any impact and comply with notification requirements under applicable GDPR regulations.
11. LIABILITIES AND INDEMNIFICATION
11.1 Each Party shall be responsible for ensuring that its processing of the Shared Personal Data is in compliance with applicable data protection laws, including but not limited to the EU GDPR, UK GDPR, and Gibraltar GDPR, and shall be liable for any breach of its obligations under this Agreement or applicable data protection laws.
11.2 Each Party (the ‘Indemnifying Party’) agrees to indemnify, defend, and hold harmless the other Party (the ‘Indemnified Party’) from and against any claims, losses, damages, fines, legal fees, and expenses arising from:
a) Any unauthorised or unlawful processing of Shared Personal Data by the Indemnifying Party;
b) Any failure to comply with security obligations resulting in a Personal Data Breach;
c) Any regulatory penalties or fines imposed due to the Indemnifying Party’s non-compliance with applicable data protection laws.
11.3 Limitation of Liability. Except for wilful misconduct, gross negligence, or a breach leading to regulatory penalties, neither Party shall be liable for indirect, incidental, or consequential damages, loss of business, reputation, or anticipated savings. For the avoidance of doubt, each Party remains individually liable for any breach of its own data protection obligations and processing activities under this Agreement.
11.4 The Parties agree that this Agreement does not establish joint controllership, and each Party shall be solely responsible for its own processing activities and obligations.
12. DISPUTE RESOLUTION
12.1 In the event of a dispute concerning data sharing or Data Subject complaints, the Parties shall work together in good faith to resolve the issue.
12.2 If a dispute cannot be resolved amicably, the Parties agree to mediation before escalating to legal proceedings.
13. GOVERNING LAW AND JURISDICTION
13.1 This Agreement shall be governed by and construed in accordance with the laws of England.
13.2 Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the English courts.
14. GENERAL PROVISIONS
14.1 Each Party acknowledges that it acts as an independent Data Controller and not as a Joint Controller.
14.2 Amendments to this Agreement must be made in writing and agreed upon by both Parties.
14.3 If any provision of this Agreement is found to be invalid, the remainder shall continue in full force and effect.