Privacy Statement

Post Office International Payments Service (“Service”) is provided by TTT Moneycorp Limited (“Moneycorp”, “we”, “us” and “our”) on behalf of First Rate Exchange Services Ltd, a Post Office/Bank of Ireland Joint Venture Company (“First Rate”).

Moneycorp is the Data Controller and First Rate is the Data Processor for the purposes of providing the Service.

For the purposes of providing you with marketing, Post Office Limited (“Post Office)” is the Data Controller and Moneycorp is a Data Processor in order to specifically provide you with “Post Office International Payments” marketing. As Data Controller, Post Office may use your personal data to promote other Post Office services to you. For details about how Post Office Limited will process your personal data should you consent to receive marketing, Click Here.

Purpose of this Privacy Statement:

This Privacy Statement (“Statement”) explains in detail the types of personal data Moneycorp may collect about you and what we do with your personal data. It also set outs what we do to keep your personal data secure, as well as your rights in relation to the personal data we hold about you.

Please see the “Definitions and Glossary” section to understand the meaning of some of the terms used in this Statement.

What personal data do we collect?

Information you provide us when you use our Service or contact our team:

  • Personal details such as your name, gender, address, date of birth, telephone number, email address.
  • Copies of documents you provide to prove your age or identity. For example, your passport, driving licence, marriage certificate and utility bill.
  • Copies of documents you provide to prove your source of funds. For example, your bank statement or payslip.
  • Bank account and payment card details.

Information we collect about you when you use our Service or contact our team:

  • Details of the transactions you carry out when using our Service, including geographic location from which the transaction originates.
  • If you have a Post Office International Payments online account, we will collect and keep encrypted records of your username, password and security question answers.
  • In relation to our websites, we will log your Internet protocol (IP) address so that it recognised next time you visit.

We will update the information we hold on you as and when you provide it to us during our communications with you. However, whenever possible, you should advise us if information we hold on you needs updating or is no longer accurate.

    When do we collect Personal Data about you?

  • When you visit any of our websites or download and install the International Money Transfer App.
  • When you make an enquiry about our Service or open an account with us online, over the telephone, by post or in person.
  • When you make international payments online, over the telephone, by post or in person.
  • When you enter into a competition or take up a promotional offer.
  • When you have given a third party permission to share with us your personal data.
  • When you report a problem, make a query or issue a complaint about our Service.
  • In the course of your relationship with us, you may occasionally speak with our employees (or persons acting on our behalf) by telephone. To ensure that we provide a quality service, your telephone calls may be recorded.
  • During business-to-business correspondence over telephone, email, post or in person.

The “lawful basis” on which we rely on to process your personal data

    Data Protection Law sets out six lawful basis that organisations, businesses and governments can rely on to collect and process personal data. Moneycorp predominately relies on the following:

  1. Consent

    This means processing your personal data where you have explicitly given us permission to do so.

  2. Performance of a Contract

    This means processing your personal data in order to fulfil our contractual obligations with you.

  3. Legal Obligations

    This means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject.

  4. Legitimate Interests

    This means processing your personal data where we or a third party have a legitimate interest to do so. We make sure we consider and balance any potential impact on your rights before we process your personal data for our legitimate interests. Where our interests are overridden by a negative impact on your rights, we will not process your personal data.

How do we use your Personal Data?

    We may process your personal data for the following purposes, depending on how you interact with us.

  1. To complete the delivery of our international payment service

    Without your personal data, we would not be able to facilitate your foreign exchange transactions and complete the delivery of our service.

  2. To respond to your queries and complaints

    Without your personal data, we would not be able to effectively respond and handle queries or complaints. We may keep a record of our correspondence to demonstrate how we communicated with you throughout.

  3. To comply with our legal and regulatory obligations

    In order to meet our legal and regulatory requirements, we are required to carry out regulatory checks in order to prevent and detect fraud, money laundering, identity theft and other crimes. We are also required to send you communications known as ‘service messages’ in order to inform you about our changes to the services we provide you. These service messages will not include any promotional content and cannot be unsubscribed from.

  4. To analyse, test and improve our systems and databases

    We may use your personal data to ensure that our systems are tested thoroughly. This ensures that the system can cope with comparable volumes of information, that a wide range of realistic scenarios are covered, and that the test will reflect all the possible combinations that occur in the real environment. Test systems are isolated from external networks to ensure that live systems are not compromised. In addition, to ensure data is not compromised, we carry out various risk assessments, and have implemented safeguards to ensure data security. We will do this on the basis of our legitimate interests.

  5. To develop new and improved products and services, including conducting market research and product analysis

    For this purpose, we will use cookies to personalise your next visits to our websites and to measure volumes and patterns of website usage. Full information can be found in our “Use of Cookie” notice here. This includes information on how to adjust your browser settings to accept or reject cookies.We will do this on the basis of our legitimate interests.

  6. For training and quality purposes

    We are continually reviewing the quality of the services we provide in order to improve your experience with Moneycorp.We will do this on the basis of our legitimate interests.

  7. To keep you informed about relevant foreign exchange and international payment products, special offers and market news.

    For existing customers who currently agree to receive marketing, we will continue to send you relevant products, special offers and market news unless you tell us otherwise. We will rely on our legitimate interests and the soft opt-in exception made available by the Privacy and Electronic Communications Regulations 2003 to do this.

    For new customers, we will only keep you informed about relevant products, special offers and market news where you have explicitly consented.

    You are free to opt out of receiving marketing communications from us at any time by one of the following options set out in the “Managing your marketing preferences” section of this Statement.

    Who do we share your personal data with?

    We may share your personal data with the following entities for the purposes described in this Statement:

  1. Moneycorp subsidiaries, overseas branches and affiliate companies

    A complete and up-to-date list can be found in the “Definition and Glossary” section of this Statement.

  2. Third party service providers
  3. This includes:

    • Agencies who provide credit referencing, identity checking and fraud prevention services.
    • Auditors and professional advisers such as lawyers and consultants.
    • Banks and financial services who facilitate our foreign exchange transactions and provide our Explorer Card product.
    • Companies who support and maintain our website, databases and other business systems.
    • Companies who perform functions on our behalf in the areas of IT development, IT support, back office, compliance and finance.
    • Companies that carry out our direct marketing email campaigns on our behalf.
  4. Public authorities

    This will only be in response to lawful requests made from public authorities in order to meet national security, public interest or law enforcement requirements.

  5. First Rate Exchange Services Limited

    First Rate acts as a Data Processor for Moneycorp. They may process your personal data in order to assess your eligibility to use The Post Office International Payment Service.

  6. Post Office Limited

    Where you have consented to receive marketing from Post Office, we will transfer your personal data to the Post Office so they may promote other similar Post Office services. For further details about how the Post Office will process your personal data should you consent to receive marketing, Click Here

  7. Other third parties

    In the event we sell divisions of our business, we may disclose your personal data to prospective purchasers and their advisers so they can evaluate the relevant business.

    If you have been referred to Moneycorp by a third party who you have a direct relationship with, we may provide such third party with personal data relating to you in which they are interested in by virtue of Moneycorp’s agreement with them and where your interests and data protection rights do not override those interests.

    Please note our websites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility for them. Please check these policies before you submit any personal data to these websites.

Sharing your personal data outside the European Economic Area

The personal data that we collect from you may be transferred to, and stored at, destinations both in and outside the European Economic Area (“EEA”).

Where processed outside the EEA, we will take appropriate steps to ensure your personal data still receives a level of protection that is consistent with European data protection standards. For example, we will only share your personal data outside the EEA if we have an EU approved model clauses agreement in place or if the third party receiving your personal data has signed up to an EU approved data sharing mechanism such as the EU-US Privacy Shield scheme.

How do we protect your personal data?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Personal data is protected by a defence in-depth security programme that is aligned to best practice found in International Organisation for Standardisation (ISO) and National Institute of Standards Technology (NIST) documentation. Protections include, but are not limited to, mature access control (with strict procedures around privileged access), network segmentation, standard security appliances (firewalls, IPS, AV, monitoring via SIEM), secure configuration and system hardening, monthly vulnerability assessments and yearly penetration tests, documented processes and procedures, DLP protection, rogue detection, and monthly rolling patch management and vulnerability remediation. Payment card information is secured and tokenized to ensure it is protected. We also secure access to all transactional areas of our websites and apps using ‘https’.

We provide our employees with training and detailed information about our data handling practices through internal company policies such as our Data Protection Policy. All employees have to certify that they have read and understood the contents of our Data Protection Policy where is reviewed and updated on an annual basis. As well as our data protection policy, which governs how we process data throughout the Moneycorp Group, we have a separate suite of internal policies which govern areas such as information security and information classification.

How long will we keep your personal data?

Whenever we collect or process your personal data, we will only keep it for the purpose for which it was collected and in accordance with our legal and regulatory obligations. In most cases, our retention period for your personal data will come to an end six years after the end of your relationship with us.

Inactivate Accounts

If you have not used your account for more than two years, it will be flagged as inactive and we’ll contact you to ask whether you want to keep it open. Unless you reply to say ‘yes’, we will close and deactivate your account.

Closed Accounts

If you inform us you longer wish to have a Moneycorp account, we will close and deactivate your account.

At the end of the retention period, your personal data will either be anonymised (so that it can only be used in a non-identifiable way for statistical analysis, business planning), made inaccessible or unintelligible (for system integrity purposes) or deleted completely.

Your Data Protection Rights

You have a number of rights under Data Protection Law which, in certain circumstances, you may be able to exercise in relation to the personal data we process about you. This includes:

Right to Access: You have a right to receive a copy of the personal data we hold about you. This is commonly known as a Data Subject Access Request.

Right to Data Portability: You have a right to receive certain information you have provided to us in a ‘machine-readable’ format and/or request that we transmit it to a third party.

Right to Erasure: You have a right to request that we erase your personal data. However, we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Right to Object: In cases where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection authority. Further details can be found in the “Contact” section of this Statement.

Right to Rectification: Where your personal data is inaccurate, out-of-date or incomplete, you have the right to request an amendment to it.

Right to Withdraw Consent: Where you have given us your consent to process your personal data, you have the right to change your mind at any time and withdraw that consent.

If you wish to exercise any of these rights, please get in touch by using the details in the “Contact Us” section below. Please note we will ask you to verify your identity before proceeding with any request you make.

Managing your marketing preferences

You can update or stop direct marketing communications from us by the following ways:

  • Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular business entity of Moneycorp.
  • Email: DataProtection@moneycorp.com
  • Telephone: +44 (0)20 3823 0009

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.

Contact

You can direct any questions or complaints about the use or disclosure of your personal data to us at:

Data Protection Officer

Email: DataProtection@moneycorp.com

Telephone: +44 (0)20 3823 0009

Post: Floor 5, Zig Zag Building, 70 Victoria Street, London, SW1E 6SQ

If you feel that your personal data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by calling 0303 123 1113 or visiting www.ico.org.uk.

If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection authority in your country of residence

For other matters, please contact your Account Executive or your usual point of contact. You can also speak to a member of our team by calling Client Contact Centre on 0800 180 4809 / +44 (0)203 162 8080.

Changes

Effective Date: 25th May 2018

Last Modified: 23rd May 2018

We reserve the right to amend this Statement from time to time in order to be consistent with Data Protection Law requirements. Where we do make significant changes to this Statement, we will take appropriate steps to bring those changes to your attention.

Glossary and Definitions

Data Controller

This means an entity that determines the purposes and means of the processing of personal data.

Data Processor

This means an entity that processes personal data on behalf of a Data Controller.

Data Protection Law

This means the EU General Data Protection Regulation 2016/679 (as amended and replaced from time to time), the EU Privacy and Electronic Communications Directive 2002/58/EC (as amended by Directive 2009/136/EC and as amended from time to time) and any national implementing legislations (as amended and replaced from time to time).

European Economic Area

The means the countries of the European Union and members countries of the European Trade Association. A complete list of applicable countries can be found at: https://www.gov.uk/eu-eea

“Moneycorp”, “we”, “us” and “our”

This means TTT Moneycorp Limited. A company registered in England under registration number 738837 with its registered office at Floor 5, Zig Zag Building, 70 Victoria Street, London, SW1E 6SQ.

Personal Data

This means information that can be used to directly or indirectly identify a living person.

Process, Processing, Processed

This means operation or set of operations which are performed on data. This includes collecting, viewing, recording, organising, structuring, storing, using and destroying.

Service

This means the Post Office International Payment Service.