(a) Genome as data controller

You should be aware that by opening of Genome Wallet for you and providing you with Genome Services we collect your personal data and / or personal data of the officers, shareholders, ultimate beneficiary owners, and other representatives of your organisation, when you are a business and open Genome Wallet for your organisation. In this case we act as a data controller, and you act as a data subject. Therefore, we are subject to controller’s rights and obligations under applicable data protection laws, rules, and regulations. Notwithstanding above, when you are a business and share with us personal data of your officers, shareholders, ultimate beneficiary owners, and other representatives of your organisation, you shall warrant that you have valid legal grounds for such disclosure.

Genome also acts as a data controller when we process personal data of the visitors of Genome Site in the form of cookies, pixels and other similar technologies. We process personal data of Genome Site visitors for security and fraud prevention purposes, website experience improvement, management of our advertising campaign, and monitoring conversion results.

(b) Genome as data processor

When you are a business and use payment collection services under Genome Merchant Terms of Service you may transfer to us or instruct us to collect on your behalf personal data of your clients, i.e. individuals who purchase goods or services from your organisation. By providing you with Genome Services in this case we act as a data processor and you act as a data controller. It means that we process data of your clients only to provide you with Genome Services and only on your relevant documented instructions. You, as a data controller, shall comply with all applicable data protection laws, rules, and regulations. Your privacy policy shall duly disclose your data practices, including using third-party service providers for payment collection services.

As a data controller you shall warrant that you have valid legal grounds (e.g. consent of your clients) to collect, use, process, transfer to third parties, including to Genome, and (where applicable) to third countries personal data of your clients. If you disclose personal data without your clients’ proper consent or other legal ground, you are solely responsible for that unauthorized disclosure.

In addition, as a data controller you may be required under privacy laws to honor requests of your clients for data access, portability, correction, deletion, and objections to processing. In case data subject directly contact us with a request to exercise his individual rights under GDPR or with another claim on data protection, we will direct such data subject to you as a data controller. Nevertheless, we will assist you by providing all necessary information or by other means envisaged by applicable law.

In more details your and our obligations and responsibilities may be allocated in other agreements or terms and conditions entered between the parties, including without limitation Merchant Terms of Service.

We process your personal data in accordance with valid legal acts and following principles:

1. personal data is processed in a lawful, honest, and transparent way;

2. personal data is collected for specified, clearly defined, and legitimate purposes and shall not be further processed in a way incompatible with those purposes;

3. the scope of personal data that is processed must be adequate, appropriate, and necessary for the purposes for which it is processed;

4. personal data must be accurate and, if necessary, updated; all reasonable steps must be taken to ensure that personal data which is not accurate in relation to the purposes for which it is processed shall be immediately erased or corrected;

5. personal data shall be kept in such a way that your identity can be determined for no longer than is necessary for the purposes for which it is processed;

6. personal data shall be managed by applying appropriate technical or organizational measures in such a way as required to ensure the proper security of personal data, including protection from unauthorized processing or processing of unauthorized data, and against accidental loss, destruction or damage.

The categories of personal data that we may collect:

A. (i) about you when you open personal Genome Wallet and use Genome Services for your private needs, and

(ii) about your officers, shareholders, ultimate beneficiary owners, and other representatives when you are a business and open Genome Wallet or use Genome Services for and on behalf of your organization:

1. Identity Verification Data – name, surname, personal identification number, date of birth, address, address for tax purposes, nationality, copies of the documents proving the identity (i.e. copy of identity card, passport or residence permit) and all data therein, taxpayer identification number (TIN), evidence of beneficial ownership, evidence of source of funds, number of shares held, voting rights or share capital part, job title, facial image, video and audio recordings for identification purposes, numerical biometric data, telephone conversation recordings to comply with the client due diligence/“know your client”/anti-money laundering laws and collected as part of our client acceptance and ongoing monitoring procedures, data that allows to identify your device, if you use it to open your Genome Mobile App (e.g. device ID, Mac-address, IP address, etc.);

2. Legally Required Information – data resulting from enquiries made by the authorities, data that enables us to perform anti-money laundering requirements and ensure the compliance with international sanctions, including the purpose of the business relationship and operations, the source of funds and whether you (as well as your family members and/or close associates) are a politically exposed person (PEP status) and other data that is required to be processed by us in order to comply with the legal obligation to “know your client” (e.g. data on your employment and/or business, usual turnover etc.), data that enables us to perform AEOI & CRS (Automatic Exchange of Information & Common Reporting Standard) requirements, data of legally required registers;

3. Transaction Data – transaction details (IBAN number, beneficiary details, date, time, amount, and currency which was used, purpose of payment, name, surname, IP address of sender and receiver), account number and/or credit card number, amount of transaction, income, location, documents confirming monetary operation or transaction or other documents having legal force related to the performance of the monetary operations or conclusion of the transactions (e.g. invoices and/or contractual documentation (original documents)), any other data incoming or outgoing together with transaction;

4. Genome Card Data – name, surname of the cardholder, telephone number, e-mail address, shipping address, PPAN (masked card number), card account number, transaction amounts, payment beneficiaries;

5. Technical information – information that is automatically recorded when you visit Genome Site, landing page, log-in to Genome User Portal, open mobile app or use Genome Wallet or Genome Services, such as your IP address, device approximate location, type of device, operating system, other device identification data (required for the prevention of fraud and security of your use of Genome Wallet and Genome Services), user agent, referrer URL;

6. Contact Information – name, surname, postal address, e-mail address and telephone number, information / documents provided by the person applying to us, as a case may be.

B. about participants of Genome loyalty programs (affiliates):

1. Affiliates’ Data - name, surname, IBAN / account number, payment details (date, amount, currency of the transaction).

C. about your clients (natural persons) when you are a business and use payment collection services under Genome Merchant Terms of Service:

1. Merchant’s Clients’ Data - name, surname, transaction details (date, amount, currency of the transaction), account number or card data (PAN number, cardholder name, service code, expiry date), phone number, device details (device type, operating system, IP addresses, imprecise location, etc.), email address.

D. about persons calling the Genome support team:

1. Customer Support Data – telephone conversation recording and metadata of telephone conversation records: name and surname of the consulting person, user's telephone number, date and start time of the conversation, duration of the conversation.

E. about you and other visitors of Genome Site and users of Genome Services:

1. Cookies - when you visit Genome Site a small cookie file might be placed on your computer or mobile device. Genome uses cookies and other similar technologies to ensure stable operation of our Site, to adapt its content to your needs, to improve features of Genome Site, and to manage advertising campaign based on the interests of our audience.

For the purpose of clarity, only necessary cookies used to ensure proper operation of Genome Site are always active. To install analytical and / or marketing cookies on your device we will ask for your explicit consent.

Cookies allow us to collect and process data on users’ behavior on Genome Site and technical information on their devices (e.g. device’s IP address (processed during the session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language etc.). We analyse data from cookies and use it to improve quality of our services, track your activities with Genome, keep your account safe.

Learn more about cookies and other similar technologies that we use from our Cookie Policy, which is integrated in and shall be read in conjunction with this Privacy Notice.

Please be informed that in specific cases, other data not listed above, but which relates to the provision of our services or which you have provided to us or which we have collected from third parties in the course of providing or identifying the possibility of providing services to you or your organisation, may also be collected and / or processed. We will provide you with the due information of collecting and processing immediately after obtaining the personal data, but at the latest within 1 (one) month, having regard to the specific circumstances in which the personal data is processed.

1. Conclusion of the contract or performance of identification and verification procedures prior to the conclusion of the contract (to get to know, identify, and verify our clients):

For this purpose, we may process your Identity Verification Data, Legally Required Information to identify the possibility of providing services to you and / or your organisation, Contact Information, Technical information.

The legal basis for the processing of the above-mentioned data is: concluding a contract with you and / or your organisation including taking steps required prior to entering into a contract, fulfilling our legitimate interests and / or fulfilling the legal obligations applicable to us, your consent.

2. Fulfilment of a contract concluded with you, including but not limited to provision of services of issuance, distribution, and redemption of electronic money, provision of payment services, complaint resolution, customer service:

For this purpose, we may process your Identity Verification Data, Transaction Data, Legally Required Information, Contact Information, Customer Support Data, Technical information.

The legal basis for the processing of the above-mentioned data is: performance of a contract signed with you and / or your organisation, fulfilling our legitimate interests, compliance with legal obligations applicable to us, your consent.

3. Compliance with legal obligations (e.g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania and other fraud and crime prevention purposes, implementation of AEOI & CRS (Automatic Exchange of Information & Common Reporting Standard) requirements) and risk management obligations:

For this purpose, we may process your Identity Verification Data, Transaction Data, Legally Required Information, Contact Information.

The legal basis for the processing of the above-mentioned data is: performance of a contract signed with you and / or your organisation, fulfilling our legitimate interests and/or compliance with legal obligations applicable to us.

4. Execution of payment transactions:

For this purpose, we may process your Transaction Data and Legally Required Information.

The legal basis for the processing of the above-mentioned data is: performance of a contract signed with you and / or your organisation, compliance with legal obligations applicable to us.

5. Debit card granting, activation, processing, and execution of payment transactions by debit card:

For this purpose, we may process your Identity Verification Data, Genome Card Data, Transaction Data.

The legal basis for the processing of the above-mentioned data is: performance of a contract signed with you and / or your organisation, including Genome Card Account Terms and Conditions.

6. Providing an answer when you contact us through Genome Site, Genome Wallet, and other communication measures (if you are not our client):

For this purpose, we may process your Contact Information and other personal data related to your request.

The legal basis for the processing of the above-mentioned data is: your consent, fulfilling our legitimate interests.

7. Processing of written or electronic correspondence relating to the business relationship with our clients:

For this purpose, we may process your Contact Information and other personal data related to your request.

The legal basis for the processing of the above-mentioned data is: performance of a contract signed with you and / or your organisation, compliance with legal obligations applicable to us, your consent, fulfilling our legitimate interests.

8. Maintenance and administration of business relations with our clients and potential clients, customer service and quality assurance of services provided:

For this purpose, we may process Customer Support Data.

The legal basis for the processing of the above-mentioned data is: your consent, fulfilling our legitimate interests.

9. Direct marketing in order to inform Genome clients about our similar goods or services and / or about services provided by our business partners or other third parties or in order to make assessments about your opinion on different issues in relation to our business partners or other third parties:

For this purpose, we may process your Contact Information, i.e. email address.

The legal basis for the processing of the above-mentioned data is: fulfilling our legitimate interests, your consent.

10. Authentication, fraud prevention, security, settings, service improving, and marketing:

For this purpose, we may process Cookies and Technical Information.

The legal basis for the processing of the above-mentioned data is: your consent, fulfilling our legitimate interests.

11. Providing payment services to you when you are a business and use Genome payment collection services in order to fulfill transactions between you, as a merchant, and your clients:

For this purpose, we may process Merchant’s Clients’ Data.

The legal basis for the processing of the above-mentioned data is: performance of a contract signed with you and / or your organisation, including Merchant Terms of Service.

12. Application of Genome loyalty program:

For this purpose, we may process Affiliates’ Data.

The legal basis for the processing of the above-mentioned data is: performance of a contract signed with you and / or your organisation, including Affiliate terms and conditions.

13. Debt management. Representing Genome in courts and / or pre-trial dispute resolution institutions:

For this purpose, we may process, depending on the subject matter of the case, Identity Verification Data, Legally Required Information, Transaction Data, Genome Card Data, Contact Information, Technical information, Affiliates’ Data, Merchant’s Clients’ Data, Customer Support Data, Cookies.

The legal basis for the processing of the above-mentioned data is: fulfilling our legitimate interests.

Pay attention that your personal data is not used for any additional purposes not mentioned in this Privacy Notice, Cookie Policy or the contract between Genome and you or your organisation.

What do we mean when we say:

Concluding a contract / Contract performance: processing your personal data where it is necessary for the performance of contract to which you are a party or to take steps at your request before entering into such contract.

We rely on contract as a legal basis to process personal data submitted by you in case you are an individual or you transfer to us personal data of your officers, shareholders, ultimate beneficiary owners or other representatives. Processing of your personal data is necessary to provide you with Genome Wallet and Genome Services. Please note that we cannot provide you or your organisation with the requested services or products without processing of the personal data listed above including, for example, without carrying out of “know your client” procedure or business risk assessment.

Legal Obligation: processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to, including without limitation regulations on prevention of the money laundering and funding of terrorism and other fraud and crime prevention laws and regulations, as well as requirements on the automatic exchange of information and common reporting standard.

Please note that in order for you and / or your organization to use Genome Wallet and Genome Services, you will need to provide us with the requested information to fulfil our legal obligations. Otherwise, we may not be able to provide Genome Services and products to you and your organisation.

Legitimate Interest: the interest of ours as a business in conducting and managing our services to enable us to provide to you and / or to your organisation and offer the most secure experience.

We process your personal data on the basis of our legitimate interests provided that such processing shall not outweigh your rights and freedoms. We rely on this legal basis when we carry out procedures which are the part of Genome Services or which are transparent, expectable and / or the stable business practice. For example, to:

1. safeguard the prevention, investigation and detection of payment fraud;

2. ensure your authentication and access to Genome Wallet through Genome Site and Genome Mobile App;

3. ensure that Genome Mobile App and Genome User Portal works well on users’ devices (identify active devices and adapt to the needs / settings of the client); .

4. provide you with high-quality customer service;

5. provide you with technical and administrative notifications;

6. contact you or other officers and representatives of your organisation in connection with customer service and product information. As our client, we may provide you with information on products and services that we offer, or a new promotion that we are running that is related to Genome Wallet or Genome Services. These communications may be via email or in-app message, which can be viewed in the notification center. If you do not want to receive direct marketing message from us, you can opt out at any time by clicking the relevant button in the e-mail. Please note that if you do not agree to receive these marketing messages offered by us, this will not apply to personal data provided to us as a result of the using of our services;

7. ensure that traffic is best routed for users to not experience extra delays (geolocation definitions for traffic analysis and forecasting);

8. know where the traffic comes from;

9. lawfully disclose personal data to a third party, provided we take all technical and legal measures to protect personal data.

We will also process your data on the basis of our legitimate interest where the processing of personal data is strictly necessary and proportionate to the purposes of information security.

Please note that in most cases, if you do not provide the requested information, we will not be able to provide you and / or your organisation with Genome Services and products, e.g. our support cannot reach you in case of the issues with your payment transaction without collecting your contact details.

If we process your personal data based on our legitimate interests as explained above, you can object to this processing under certain circumstances. In such cases, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons.

Consent: we can request from you a consent for processing when we are required to do so by law or when we do not have another legal basis for processing of your data. Where we rely on your consent to process your personal data, you have the right to withdraw or decline consent at any time. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

We do not rely on consent in common cases, because the right to withdraw a consent can be used for fraudulent activity. This would jeopardize the financial stability of Genome, reliability and integrity of Genome Services, thereby harming all legitimate parties in the payment process.

How we use your data

The main goal of gathering and processing your personal data is to deliver effective, scalable, smooth, and personalised Genome experience. Hence, personal data we collect might be used to:

1. Ensure maximum Genome Wallet user experience;

2. Process transactions and issue relevant notifications in the most comprehensive manner;

3. Settle disputes, levy charges, and resolve occurring problems;

4. Prevent clients from becoming a subject to illegal activities and potential fraud;

5. Improve quality of services, solutions, and incentives Genome offers on a daily basis;

6. Provide target-oriented services based on your experience with the company;

7. Being able to contact you in case of emergency via one of the means available;

8. Make sure information you provide is accurate, in case discrepancies occur;

9. Send personalised offers of services and products, in accordance with the rules as they are described in “Purposes and legal basis for personal data processing” and “Direct marketing” parts of this Privacy Notice;

10. Carry out regulatory checks and meet our obligations to our regulators;

11. Prevent and detect fraud, money laundering and other crime (such as terrorist financing and offences involving identity theft);

12. Safeguard you from scam, fraud, and misuse of any private data you might share;

13. Develop new services based on the collected information.

In order to make your identity verification, we are using the solution of our service provider Onfido. To verify your identity Onfido conducts facial similarity check comparing the face displayed on the identity document provided by you with a facial image captured from a photo or video recorded by you, to verify that they are the same, while requiring you to undergo liveness detection. Onfido matches the facial image of the user from the photo or video with the face displayed on the identity document. The comparison is conducted in order for Genome to fulfil “know your client” procedures and to comply with AML / CFT and risk management obligations making sure that a person displayed on the identity document and the one registering in Genome system is the same person. Onfido does not uniquely recognize the user within the scope of facial similarity check.

For this purpose Onfido processes the following personal data: photo or video of the user, image of the face in the identity document, transcribed text data from the video clip (if applicable), and numerical biometric data.

Image(s) of your identity document and photo or video recorded by you in the course of verification, as well as the result of the facial similarity check (match or mismatch) are transferred to Genome. Your personal data is processed by us on the basis of the above described legal obligations applicable to us. Genome retains your data for as long as it is necessary to carry out verification and for the period required by AML / CFT laws, in particular for the period of 8 (eight) years from the date of the end of business relations with the client. The storage terms of documents, data, logs can be additionally extended for no longer than 2 (two) years, when there is a reasoned instruction of the competent authority.

In addition to the above, Onfido may also compare the face on an image or video against a database of biometric numerical identifiers of the faces from past checks completed by Genome (“known faces service”). Onfido alerts Genome if there is a match. Your extracted biometric numerical identifier from the face on the image or video is included to Onfido database and can be used for future comparing checks. Within the known faces service your numerical biometric data is used for the purpose of uniquely identifying a natural person.

For this purpose Onfido uses the following personal data of yours: image or video of the user’s face, Onfido user unique identifier, check status/outcome and related tracking information, numerical biometric data.

Learn more about the facial biometric checks and authentication from Onfido Privacy Policy.

In the course of opening Genome Wallet at the stage of your identity verification we will ask you to confirm your redirection to Onfido app page to start the verification process and to give your consent for processing of your personal including biometric data by Onfido for the above listed purposes.

You have the right to withdraw your consent at any time. However, please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

For the purpose of clarity Genome does not have access to Onfido database of biometric numerical identifiers of the faces. We do not create, store, use or otherwise process your numerical biometric data.

For the avoidance of doubt, withdrawal of your consent shall not affect retention period or processing by Genome of your personal data transferred to us by Onfido that is processed by Genome for compliance with the above described legal obligations applicable to us.

If you do not feel comfortable with Onfido identity verification method or have questions regarding its functionality, you may contact us by email support@genome.eu for further clarification.

Please note that if you are not satisfied with the results of the identity verification provided by Onfido, e.g. in the event your enrollment application / registration in Genome system was rejected because of unsuccessful verification process, you can contact our customer support service and ask to check your application.

We want to make it clear how we use your personal data for marketing purposes.

We may use our existing clients’ e-mail for the marketing of our similar goods or services, unless you object to the use of your e-mail for the marketing of our similar goods and services. You are granted with a clear, free of charge and easily realisable possibility to object or withdraw from such use of your contact details on the occasion of each message.

We may also provide the information to you as our client about our products or services by sending messages through Genome Mobile App. Such messages may be viewed in the notification center, in case you do not choose the “opt-out” function in our application.

In other cases, we may use your personal data for the purpose of direct marketing, if you give us your prior consent regarding such use of data.

We are entitled to offer the services provided by our business partners or other third parties to you or make assessments about your opinion on different issues in relation to our business partners or other third parties on the basis of a prior consent.

In case you do not agree to receive these marketing messages offered by us, our business partners or third parties, this will not have any impact on the provision of services to you as our client.

We provide a clear, free of charge and easily realisable possibility for you at any time not to give your consent or to withdraw your given consent for sending proposals put forward by us. We shall state in each notification sent by e-mail that you are entitled to object to the processing of the personal data or refuse to receive notifications from us. You shall be entitled to refuse to receive notifications from us by clicking on the respective link in each e-mail notification.

In some cases we may make automated decisions regarding you using your information. When you instruct us to make a payment from your account, or to request a payment into your account from a bank or other payment services provider, our systems (or systems provided to us by our suppliers) make an automated check for authorisation, sanction check and / or automated checks to detect an unusual transaction pattern or location of your transaction and help us to fight fraud.

In addition, automated decisions can be made by our partner Onfido in the course of your identity verification. Learn more about Onfido practices from their Privacy Policy (“Automated Decision Making and Onfido Reports” section).

Please be informed that you can request a manual review of the accuracy of an automated decision in case you are not satisfied with it and you have the right not to be subject to a decision based solely on such automated processing.

In addition, please note that Genome does not make automated profiling based on your data. At the same time, such profiling can be made by our third-party service providers specified in the Cookie Policy thereto we may transfer your data if you provide your consent to third-party cookies. In such a case the data is processed for marketing and targeting purposes.

We warrant and represent that Genome has implemented the technical and organizational security measures and technological development to ensure an appropriate level of security of personal data. Your data is protected by the means of physical, technical, and administrative resources to lower the risks of loss, misusage, unauthorized entry, disclosure, or alteration by third parties. To keep your data safe, we apply:

1. firewall and data encryption protection;

2. physical authorisation control system;

3. surveillance facilities, video/CCTV monitor, alarm system;

4. securing decentralized data processing equipment and personal computers;

5. user identification and authentication procedures;

6. tunneling, logging, transport security;

7. audit trails and documentation;

8. backup procedures, and much more things.

Genome also carries out regular network vulnerabilities scans and penetration testing, especially after any significant changes or updates to the infrastructure and applications.

As Genome is PCI DSS V 3.2.1 certified, we maintain all required technology, methods, and business processes to protect cardholder data, and also use such technology and methods as regards the security of your personal data.

We monitor our systems 24x7 and our staff is always ready to respond to your notifications and queries within a short time.

Genome respects your privacy and your personal data and warrants that:

1. Your data will not be disclosed to any unauthorised third party;

2. We will use your data only as described in this Privacy Notice, Cookie Policy, and the contract entered into between Genome and you or your organisation;

3. We will maintain appropriate administrative, technical and organizational measures to protect your personal data;

4. We will keep your data and any information provided by you in confidence;

5. We will notify you promptly of personal data breach when it is likely to result in a high risk to your rights and freedoms;

6. We will respect and protect personal data of the officers, shareholders, ultimate beneficiary owners, and other representatives of your organisation when you are a business and open Genome Wallet for your organisation, as well as personal data of your clients when you use Genome payment collection services, - where such data is transferred to us or collected by us on your behalf;

7. We will immediately inform you if, in our opinion, you infringe GDPR protection provisions. You shall ensure the security of data you transfer to Genome. You assume full liability for failures to meet the GDPR in cases when it is envisaged by this Privacy Notice, GDPR and / or the contract entered into between Genome and you or your organisation.

8. We will assist you in ensuring compliance with the duties under GDPR;

9. We impose on our sub-contractors the same data protection obligations as set out in the contract with you or your organisation.

To ensure security of your data and data of your clients, officers and other representatives of your organisation transferred to or collected by us on your behalf, you shall maintain the confidentiality of your password and login from Genome Wallet. You are recommended to sign out of Genome Wallet when you have finished work with it. In any case responsibility for any loss of passwords and misuse of Genome Wallet by third parties lays with you and / or your organisation. Read more about it in Genome T&Cs.

We obtain personal information from you when you provide it directly to us. For example, when becoming a new client or when you provide us information through direct communication (e.g. completing a form on Genome Site, registration for our services), by setting up, accessing and using of Genome Wallet and Genome Services (e.g. by making payment transactions or transactions with Genome Card), when you subscribe to our electronic publications (e.g. newsletters) etc.

We also collect personal information about you from third parties, mainly:

1. when it is provided to us by a third party which is connected to you and / or is dealing with us, for example, business partners, sub-contractors, service providers, merchants etc.;

2. third party sources, for example, register held by governmental agencies or where we collect information about you to assist with “know your client” check-ups as part of our client acceptance procedures such as sanctions list, politically exposed persons list, publicly available profile information etc.;

3. from banks and / or other financial institutions in case the personal data is received while executing payment operations;

4. from publicly available sources – we may, for example, use sources (such as public websites, open government databases or other data in the public domain) to help us maintain data accuracy, provide and enhance our services;

5. from other entities in Genome group or other entities which we collaborate with.

Genome warrants that it will not disclose your personal data to unauthorised third parties. Genome may share your data with Genome’s contractors, partners, and suppliers who may use such information only for the limited purpose of providing services to you or your organisation and who are obligated to keep the information confidential. For the purpose of clarity, Genome’s cooperation with its contractors, partners, and suppliers is based on the service agreements that contain data protection section thereunder they are required to be in compliance with the data collection and processing regulations.

We may disclose and / or transfer your personal data only in accordance with legal regulations and the principles of confidentiality to the following categories of recipients:

1. card schemes (such as Visa or MasterCard), banks, and payment service providers - to make you and / or your organisation able to obtain payment collection services, bank transfers, and other payment services;

2. Visa international payment card association – to process and manage information about payment operations with Genome Card;

3. beneficiaries of transaction funds receiving the information in payment statements together with the funds of the transaction;

4. service providers such as: identification and verification service providers, other service providers with which we have concluded service provision agreements (e.g. companies providing services for anti-money laundering, politically exposed persons and terrorist financing check-up, other fraud and crime preventions) or when mentioned sharing is mandatory according to applicable laws – to provide you with the high-quality service, fight fraud and comply with law requirements;

5. suppliers of analytical services – to monitor, evaluate and improve functionality and accessibility of Genome Wallet;

6. IT service suppliers (e.g. disaster recovery services, website hosting, data and applications hosting, software application provision and maintenance) - to ensure uninterrupted operation of Genome Wallet;

7. communication service suppliers – to communicate with you and provide you with up-to-date information on the usage of Genome Wallet, e.g. by SMS or e-mails;

8. customer support services – to operate our payment services platform and provide administration and customer support;

9. debt collection and recovery agencies - to manage and collect debts, submit claims, demands, lawsuits, etc. on behalf of us;

10. other external service providers that help us to provide services for you;

11. our business partners, agents or intermediaries who are a necessary part of the provision of Genome products and services;

12. third parties where we have a duty to or are permitted to disclose your personal information by law, mainly: governmental bodies and / or supervisory authorities (in accordance with the requirements and obligations under the provisions of legal acts concerning anti-money laundering, fraud prevention, counter terrorist financing), credit, financial, payment and / or other electronic money institutions, pre-trial investigation institutions, the State Tax Inspectorate;

13. third parties where reasonably required to protect our rights, systems and services, mainly: lawyers, bailiffs, auditors etc.;

14. other entities that have a legitimate interest or the personal data may be shared with them under the contract which is concluded between Genome and you or your organisation.

You should also be aware that if you provide your consent to third-party cookies, this data will be transferred to respective service providers, as detailed in our Cookie Policy.

We may also disclose your personal data, if we are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation or request.

To ensure the payment process runs smoothly, some of your personal information may be shared with a company or entity you cooperate with inside Genome eco-system.

Genome warrants that it will disclose your data and data of your clients, officers and other representatives your organisation transferred to us or collected by us on your behalf as specified in this Privacy Notice, Cookie Policy, and the contract entered into between Genome and you or your organisation, as well as where there is a legal requirement for data transfer or disclosure.

How organisations / merchants share data with us

When you are a business and transfer to us any personal data of the officers, shareholders, ultimate beneficiary owners, and other representatives of your organisation, as well as when you use payment collection services under Genome Merchant Terms of Service and transfer to us personal data of your clients, you shall be obliged to obtain prior consent or have other legal grounds for the collection, retention, use, and processing of such data, as well as for the data transfer to Genome.

For the purpose of providing you with Genome Wallet and Genome Services we may engage the third-party service providers outside the EU/EEA. In such a case your personal data may be transferred and processed outside the EU/EEA, including, without limitation, in the United Kingdom. We may share your information with Genome service provider for the clients’ identity verification Onfido, whose registered office address is in the United Kingdom.

Data protection law of third countries may be different from the EU data protection laws and not guaranty adequate level of security. However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that personal data remains protected.

The transfer of personal data outside the EU/EEA may be considered as needed in such situations as, e.g.:

1. in order to conclude the agreement between you and Genome and / or in order to fulfill the obligations which are set under such agreement;

2. in cases indicated in legal acts and regulations for protection of our lawful interests, e.g. in order to file a lawsuit in court / other governmental bodies;

3. in order to fulfill legal requirements or in order to realize public interest.

When you act as a data controller and we act as a data processor, you shall inform your clients about risks of cross-border transfers and obtain their consent for that.

When we transfer your personal data internationally, we put in place safeguards in accordance with applicable laws and in accordance with this Privacy Notice and we will ensure that it is protected and transferred in a consistent way with the legal requirements applicable to the personal data.

There are different ways to ensure that your personal data is treated securely, mainly:

1. In case of adequacy decision: the country to which we send the personal data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection (as stated in https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en);

2. In the absence of adequacy decision of European Commission, Genome may transfer personal data to a third country or an international organization only if we have provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, in particular:

(a) the recipient has signed standard data protection clauses for the transfer of personal data to third countries, i.e. for international transfers, which are approved by the European Commission (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914);

(b) in case a special permission has been obtained from a supervisory authority.

We may also transfer personal data to a third country by taking other measures provided by GDPR if they ensure appropriate safeguards as indicated in applicable law.

3. In the absence of an adequacy decision of European Commission or in case there is no possibility to use any appropriate safeguards mentioned above, a transfer or a set of transfers of personal data to a third country or an international organization could take place only on one of the following conditions (GDPR Article 49):

1. the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Company and another natural or legal person;

4. the transfer is necessary for the establishment, exercise or defense of legal claims;

5. other cases stated in GDPR Article 49 of applicable legislation.

In Genome, data may normally be transferred to a third party with the consent of the data subject and / or for the purpose of performance of the contract only in the following cases:

(a) When the customer executes a payment order to a third party (the payment service provider of beneficiary of payment gets the information of payment order according to legislation however Genome could not have any contractual relations to payment service providers);

(b) For the execution of the customer's payment order with the help of a third-party correspondent partner (payment orders to third parties may include some payment correspondents, to which the information of payment order is provided according to legislation however Genome could not have any contractual relations to payment service providers).

We may use your data for as long as reasonably necessary for the limited purpose of providing you with Genome Wallet and Genome Services, as well as for complying with the applicable laws and regulations. The terms of retention of the personal data for the purposes of the processing of the personal data as defined in this Privacy Notice are the following:

1. Data processed for conclusion of the contract or performance of identification and verification procedures prior to the conclusion of the contract (to get to know, identify and verify our clients):
   
   (a) for a period of 8 (eight) years from the date of the end of business relations with the client. The storage terms of documents, data, logs can be additionally extended for no longer than 2 (two) years, when there is a reasoned instruction of the competent authority.
   
   The conclusion of the contract itself:
   
   (b) until the contract remains in force and up to 10 (ten) years after the contractual relationship with the client has ended;

2. Data processed for fulfilment of a contract concluded with you, including but not limited to provision of services of issuance, distribution, and redemption of electronic money, provision of payment services, complaint resolution, customer service:
   
   (a) for a period of 8 (eight) years from the date of the end of business relations with the client. The storage terms of documents, data, logs can be additionally extended for no longer than 2 (two) years, when there is a reasoned instruction of the competent authority;

3. Data processed for compliance with legal obligations (e.g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania and other fraud and crime prevention purposes, implementation of AEOI & CRS (Automatic Exchange of Information & Common Reporting Standard) requirements) and risk management obligations:
   
   (a) for a period of 8 (eight) years from the date of the end of business relations with the client. The storage terms of documents, data, logs can be additionally extended for a maximum of 2 (two) years, when there is a reasoned instruction of the competent authority.
   
   Results of investigations of complex or unusually large transactions and unusual transaction structures:
   
   (b) for a period of 5 (five) years in paper format or on an electronic medium. The storage period may be extended additionally upon a reasoned instruction of a competent institution, nevertheless the extension cannot last longer than 2 (two) years;

4. Data processed for execution of payment transactions:
   
   (a) for a period of 8 (eight) years from the date of execution of the monetary transaction or conclusion of the transaction. The storage period may be extended additionally upon a reasoned instruction of a competent institution, nevertheless the extension cannot last longer than 2 (two) years;

5. Data processed for debit card granting, activation, processing, and execution of payment transactions by debit card:
   
   (a) for a period of 8 (eight) years from the date of execution of the monetary transaction or conclusion of the transaction;

6. Data processed for providing an answer if you are not our client and contact us:

6.1. through Genome Site or Genome Wallet:

(a) for a period which is necessary for the fulfilment of the request and to maintain further cooperation, but no longer than 6 (six) months after the last day of communication, in case there are no legal requirements to keep the data longer;

6.2. through other communication measures:

(a) for a period which is necessary for the fulfilment of the request and to maintain further cooperation, but no longer than 1 (one) year after the last day of communication, in case there are no legal requirements to keep the data longer.

7. Processing of written or electronic correspondence relating to the business relationship with our clients:

(a) for a period of 5 (five) years from the date of termination of business relations with the client. The storage period may be extended additionally upon a reasoned instruction of a competent institution, nevertheless the extension cannot last longer than 2 (two) years;

8. Data processed for the maintenance and administration of business relations with our clients and potential clients, customer service and quality assurance of services provided:

(a) 1 (one) year;

9. Data processed for direct marketing in order to inform Genome clients about our similar goods or services and / or about services provided by our business partners or other third parties or in order to make assessments about your opinion on different issues in relation to our business partners or other third parties:

(a) until the end of the business relationship with the client or as long as consent remains in force / is not withdrawn, based on the earliest event;

10. Data processed for authentication, fraud prevention, security, settings, service improving, and marketing:

(a) Cookies retention varies based on the type of cookie and is detailed in our Cookie Policy. Strictly necessary cookies are essential for functionality of Genome Site. These cookies are always active. Analytical and marketing cookies: data is processed as long as consent remains in force / is not withdrawn. The website visitor can delete and disable cookies at any time using browser setting even if you already gave a consent for data processing;

11. Data processed for providing payment services to you when you are a business and use Genome payment collection services in order to fulfill transactions between you, as a merchant, and your clients:

(a) for a period of 8 (eight) years from the date of execution of the monetary transaction or conclusion of the transaction;

12. Data processed for application of Genome loyalty program:

(a) as established in the contract or the governing law, the general storage term of the contract is 5 (five) years (after the end of the contract);

13. Data processed for debt management, representing Genome in courts and / or pre-trial dispute resolution institutions:

(a) according to the deadline set by the institution resolving the dispute, up to 10 (ten) years. In the cases when the terms of data keeping are indicated in the legislative regulations, the legislative regulations are applied.

Your personal data might be stored longer in the following cases:

1. ongoing investigations from Member States authorities, if there is a chance records of personal data are needed by Genome to prove compliance with any legal requirements;

2. when it is necessary in order for us to defend ourselves against claims, demands or action or to exercise legal rights in cases of law suits or similar court proceeding recognized under local law;

3. your personal data is necessary for the proper resolution of a dispute / complaint;

4. there is a reasonable suspicion of an unlawful act that is being investigated by us and / or the competent authorities;

5. under any other statutory ground.

Please note that we will protect confidentiality of the personal data during the entire retention period and will not actively process the personal data if such processing is not necessary anymore.

When we act as a data controller, you have the following rights for personal data that we have about you:

1. you have the right to know about processing of your personal data as well as to have the access to your personal data and processing (right to get familiar with your personal data and how it is processed);

2. you can ask us to erase or delete all or some of your personal data (e.g. if it is no longer necessary to provide Genome Services to you). In certain cases where we need to store your personal data because of a contractual relationship or law, we cannot erase all of your personal data;

3. you can ask us to change, update or fix your data in certain cases, particularly if it is inaccurate. You may do it by yourself, simply log in to your Genome Wallet and change profile settings at once. If the type of data you want to change or update is not visible or editable in your profile settings, you can contact us using the contact details provided above and request to make appropriate corrections to your personal data. You can also close your account using Genome Wallet functionality and / or contacting our customer support service. If your personal data was transferred to third-party data processors, they will be notified of any editing or deletion of your personal data;

4. you can ask us to obtain restriction of processing all or some of your personal data (e.g., if you believe that we have no legal right to keep using it) or to limit our use of it (e.g., if you believe that your personal data is inaccurate or unlawfully held). It can also pertain to a situation where you object to processing that we base on a legitimate interest. In such case we must verify if our grounds override yours;

5. you can obtain a copy of your personal data we retain about you unless this adversely affects the rights and freedoms of others. You have the right to ask us to provide your information in an easily readable format to another company;

6. where we are processing your personal information based on a legitimate interest you may object to this. However, we may be entitled to continue processing your information based on our legitimate interests or where this is relevant to legal claims. You also have the right to object the usage of personal information for direct marketing purposes or automated decision-making;

7. you can ask to transfer your personal data to another data controller or provide it directly to you in a convenient format (NOTE: applicable to personal data which is provided by you and which is processed by automated means on the basis of consent or on the basis of conclusion and performance of the contract);

8. you have the right to withdraw your consent so that we stop that particular processing, when the processing is based on consent. However, such consent withdrawal does not affect the lawfulness of processing based on consent before its withdrawal;

9. you have the right to appeal to the State Data Protection Inspectorate or the court, in case if you do not agree with our answer to your request or claim;

10. other rights established in GDPR and legal acts.

We will exercise your rights only after we receive your written request to exercise a particular right indicated above and only after confirming the validity of your identity. The written request shall be submitted to us by personally appearing at the registered office address of Genome, by ordinary mail or by e-mail: dpo@genome.eu, support@genome.eu.

Your requests shall be fulfilled or fulfilment of your requests shall be refused by specifying the reasons for such refusal within 30 (thirty) calendar days from the date of submission of the request meeting our internal rules and GDPR. The afore-mentioned time frame may be extended for 30 (thirty) calendar days by giving a prior notice to you if the request is related to a great scope of personal data or other simultaneously examined requests. A response to you will be provided in a form of your choosing as the requester.

Moreover, you have the right to submit a complaint to us if you reasonably believe that processing of personal data related to you is performed in violation of the applicable legal requirements. You can submit a complaint by post or e-mail, specifying your name, surname, contact details, relevant information, which would indicate why you reasonably believe that the processing of the data related to you is performed in violation of the applicable legal requirements. Upon receipt of a complaint from you, we confirm receipt of the complaint and indicate the time limit within which the reply will be submitted. In each case, the deadline for submitting a reply may vary as it directly depends on the extent and complexity of the complaint filed, but we will make the maximum effort to provide the response to you within the shortest possible time. We, after examining the complaint, report the results and actions taken to satisfy your complaint, or provide relevant information on what further actions you may take if your complaint was not satisfied.

You can also address the State Data Protection Inspectorate with a claim regarding the processing of your personal data if you believe that the personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. You may apply in accordance with the procedures for handling complaints that are established by the State Data Protection Inspectorate and which may be found by this link: https://vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas.

Genome does not voluntarily collect, use or disclose personal data of minors, according to the minimum age equivalent in the relevant jurisdiction. Genome Wallet and Genome Services are not designed to attract minors. If you are minor, you may not submit any personal information to us, open Genome Wallet or subscribe for Genome Services. If we become aware that we collected the personal information of a minor, we will take steps to delete the information as soon as possible and will ask third-party data processors thereto the data was transferred (if any) to erase the data immediately.

We ensure you that we have all necessary technologies and methods to prevent, detect and investigate a personal data breach. In case of data breach, we will endeavor our best efforts to send a notification of becoming aware of the breach as soon as possible, when it is likely to result in a high risk to your rights and freedoms. If your personal data was transferred to third-party data processors, they will be notified of data breach as well.

If you are not satisfied with how Genome handles your personal data or wish to raise a complaint regarding the processing of your personal data, please contact our Data Protection Officer at dpo@genome.eu.

We can make amendments to this Privacy Notice at any time by the means of publishing a revised edition on Genome Site. You will be notified of any substantial changes. The revised version will be in effect immediately and be noted by updated date to the end of this Privacy Notice. You are entitled to terminate contract with Genome if you do not agree with any changes. By continuing using Genome Wallet and Genome Services, you accept the changes. Please review this Privacy Notice from time to time to stay updated on any changes.

This Privacy Notice last modified on November 17, 2022

Download version 0.1 (28.09.2020) →