Privacy Policy

This Privacy Policy shall be effective from 15 August 2022.

ONLINE PRIVACY STATEMENT

This Privacy Policy describes how Drinela UAB trading as CrissCross (Company number 306280633, registered address Vilnius, Architektų g. 56-101 Lithuania) ("We", "Us", "Our") processes personal data in compliance with the General Data Protection Regulation (GDPR).

Crisscross respects and protects the privacy of visitors to our websites and our customers who use our services. To ensure transparency, this Privacy Policy describes our data handling practices when you access content we own or operate on the website located at crisscross.money or any other associated websites we own or operate (site(s)).

Please take a moment to read through our privacy policy. If you have any specific questions about it, you’re welcome to contact us at info@crisscross.money, and We will be happy to give you further clarity.

Information on our Privacy Policy

This Privacy Policy outlines what data We collect from you, how We use this information, and how We take care in disclosing this information, in compliance with data protection laws, including the General Data Protection Regulation (EU 2016/679)

By accessing and reading our Privacy Policy, you acknowledge you have been informed about the processing of your personal data that we may process from you.

In this statement We have used certain terms which are set out in the EU’s General Data Protection Regulation (GDPR or the Regulation):

personal data means: any information relating to an identified or identifiable natural person (data subject).

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

controller means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

processor means: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

processing means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

PRIVACY STATEMENT

What is the lawful reason Crisscross uses to process personal data?

The four lawful reasons Crisscross uses to process personal data are set out in Article 6 of the Regulation.

Processing will only be lawful if and to the extent that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Consent).
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Contract Performance).
  • processing is necessary for compliance with a legal obligation which We are subject to (Legal Obligations).
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Legitimate Interest).

1. Consent

Where We process personal data as a result of Consent, We ensure that consent is freely given, specific and informed, and established by a clear affirmative act. Where Consent is withdrawn, we have set out (below) how this may be undertaken by the data subject.

2. Contract Performance

Where We enter into a contract with third parties, processing of personal data may, as a matter of course, be necessary in order to execute such a contract or take pre-contract preparation steps.

3. Legal Obligations

Where there are legal obligations which apply to Crisscross, processing of personal data may be required by law.

4. Legitimate Interest

Where We process personal data as it is necessary for the purpose of our legitimate interests, We do so on the basis of a balanced evaluation of our interests and the rights and freedoms of the data subject which require protection.

We have concluded that the way We manage the processing of personal data results in a cumulation of data subject protections which show that the balance is in favour of Crisscross being able to rely on Article 6.1(f) of the Regulation as a lawful reason to process personal data.

Why does Crisscross need to collect and store personal data?

We collect and store personal data to provide our clients, customers, suppliers or third parties with the service they require or provide as a party to a contract with us, or a third-party with an interest in Crisscross.  We do not process personal data for any reason other than this purpose.

We only keep personal data for as long as is necessary to undertake this purpose. We are committed to ensuring that the information We collect and use is appropriate for this purpose and does not constitute an invasion of the data subject’s right to privacy.

When does Crisscross collect my information?

Crisscross collects information about you if you:

  • register with or use our Website or online services;
  • represent one of our business clients;
  • work with us as a service provider; or
  • visit a Crisscross office or register to attend a Crisscross event.

What type of data does Crisscross collect?

We distinguish in this policy between personal data and ‘non-personal data’ (this is de-identified data, and cannot be attributed to you personally).

What type of personal data does Crisscross collect?

If you wish to use any of our services, We will collect and retain certain relevant data of yours, including some of your personal information.

Personal information we collect will fall within one of the below:

  • Personal information: Basic information about you, including your signature;
  • Identification data including unique descriptors: Government issued identifiers, other unique identifiers such as date of birth, and personal descriptors that might identify you;
  • Financial and transactional: Financial information about you, transactional information and credit information, account authentication details;
  • Contractual details: information collected as part of the products and services we or our service providers provide you;
  • Socio-demographic: Details about your work or profession, nationality, education;
  • Technical information: Details about your devices and technology that you use to access our services, including IP address;
  • Behavioural: information about how you use our products and services;
  • Location: Data we receive about where you are;
  • Communications: Information we capture through your communications with us, e.g. emails, instant messaging;
  • Publicly available information: Details that are in public records and information about you that is openly available on the internet.

How does Crisscross handle my personal data?

The following principles are observed in the handling of your data:

  1. We will only collect personal data for a purpose consistent with the purpose for which it is required. The specific purposes for which information is collected will be apparent from the context in which it is requested, as they are set out as follows.
  2. Personal information will only be processed for a purpose compatible with that for which it was collected, unless you have consented to an alternative purpose.
  3. We do not retain your data indefinitely. We will destroy or delete any personal information that is no longer needed by us for the purpose it was initially collected, or subsequently deleted.  Crisscross is however required to retain certain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements, contractual obligations and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.

How will Crisscross use the personal data it collects about me?

We may use your personal information to:

  1. Provide, maintain, and improve the features and functionality of our site and services, based on our legitimate interest and/or the performance of the contractual relationship between you and us.
  2. Provide for internal non-marketing or administrative purposes, based on our legitimate interest.
  3. Provide information to you about updates and new services, based - when relevant - (i) on the performance of the contractual relationship between you and us or, (ii) if relevant, your consent; or (iii) if relevant, our legitimate interest.
  4. Process billing and collection of any fees based on the performance of the contractual or precontractual relationship between you and us.
  5. Meet our legal and regulatory obligations in terms of the applicable laws.

To comply with legal and regulatory requirements in rendering our services, Crisscross may be required to disclose information about you and/or your account to the following trusted third parties, namely:

  • Our agents, affiliates and/or professional advisors.
  • Service providers assisting us in processing or otherwise fulfilling transactions and/or providing required services.
  • Law enforcement, regulatory and governmental agencies if or when requested.

We don’t use your personal data to:

  • Send commercial or marketing messages to you, without your prior consent.
  • Sell your data to third parties.

Will Crisscross share my personal data with anyone else?

We may share your information in the manner and for the purposes described below:

  • Internally, where such disclosure is necessary to provide you with our services or to manage our business;
  • With third parties who help manage our business and deliver services, pursuant to a contract between the third party and Crisscross. In these circumstances, the third party may be another controller, processor or sub-processor. Where the third party is a processor or a sub-processor, they are obliged amongst other things, to keep your details secure, and to use them only to fulfil their contractual obligations to Crisscross under a processing agreement or terms which comply with Article 28 of the Regulation.
  • With agencies and organisations working to prevent fraud in financial services;
  • With our regulators;
  • To comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;

When they no longer need your personal data to fulfil this service, they will dispose of the details in line with Crisscross’s data retention policy, or as otherwise set out in the processing agreement.

We operate globally

The personal information we collect from you may be transferred to, stored and processed outside of the jurisdiction in which you live. The laws of those countries may vary from the laws applicable in your own country. Data gathered in the European Economic Area (EEA) may be transferred to, stored and processed at a destination(s) outside of the EEA. Said international data transfers will be carried out in strict compliance with the Regulation and after having executed the relevant Standard Contractual Clauses with the recipients of the data.

Your account is stored by Crisscross on a secure server maintained and operated by third-party service providers. These third-party providers are bound by and adhere to the relevant data processing agreements, in compliance with the Regulation.

Your data protection rights

You have the right to access your personal data held by Crisscross, by contacting us with a request at info@crisscross.money. For your protection, We will take steps to verify your identity before fulfilling your request.

If there are any changes to your personal information or if you believe that the information we have about you is inaccurate, incomplete, misleading or not up-to-date, you must inform us accordingly at info@crisscross.money. You also have the right to request the restriction and objection to its processing, the right to request the portability of your personal data and the right not to be subject to a decision based solely on automated processing.

You have the right to be forgotten in terms of the Regulation. This may be done by requesting your account to be deleted in a support ticket to the Crisscross support team at info@crisscross.money. By requesting us to delete you, you may forfeit your ability to use Crisscross’s services going forward as We require certain data in order to provide our services.

We may use our discretion in allowing correction requests and may request further documentary evidence of any new information in order to avoid fraud and inaccuracy.

Security measures for your personal data

We take all appropriate and reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of personal data and the unlawful access to or processing of such data. We have systems in place to control your data in a way that minimizes its exposure.

We will take reasonable steps to identify all reasonably foreseeable internal and external risks posed to your personal data under our possession or control and establish and maintain appropriate safeguards against any risks identified.

Non-personal data

In addition to personal data, We also collect and store non-personal data, which cannot be used to identify you. The kinds of non-personal data that We collect includes de-identified data about the usage patterns of our sites. This data is useful to us as it helps us to optimize our user experience.

When you access or use our services, we may automatically collect data about your behaviour that includes:

  1. Log Information: We log data about your use of our services, including the type of browser you use, access times, pages viewed, , and the page you visited before navigating to our Services.
  2. Device Information: We collect data about the device you use to access our services, including information about the device’s software and hardware, Media Access Control ("MAC") address and other unique device identifiers, device token, mobile network information and time zone.
  3. Consumption data: We collect data about your consumption habits relating to your use of our services, including which purchases you make with both virtual and real Currencies.
  4. Data Collected by web cookies and other tracking technologies: We use various technologies to collect data, and this may include sending cookies to your computer or mobile device.

Under what circumstances will Crisscross contact me?

The personal data We process is subject to rigorous measures and procedures to minimize the risk of unauthorized access or disclosure. We will get in touch with you where this is required under the Regulation.

Can I find out the personal data that the organisation holds about me?

At your request and where this is technically possible, Crisscross will confirm the information We hold about you and how it is processed. As set out in the Regulation you can request the following information:

  • Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this could be a representative in the EU.
  • Contact details of the data protection officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of Crisscross or a third party, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • If We intend to transfer the personal data to a third country or international organisation, information about how We ensure this is done securely.
  • How long the data will be stored.
  • Details of your rights to correct, erase, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

Revisions to this Privacy Policy

This Privacy Policy may be revised from time to time so we can keep it up to date with global best practices, but we will always let you know when we do via email.

CONTACT DETAILS

Email: info@crisscross.money

Address: 6th floor, Žalgirio av. 90, Vilnius, Lithuania, 090303

DEFINITIONS

The following words and expressions bear the meanings assigned to them and cognate expressions bear corresponding meanings:

1.1. “Applicable Laws” means all applicable laws, rules, codes, regulations, and formal regulatory guidelines and standards, made by a Regulator, legislature or other public authority with binding effect in force from time to time (construed having regard to related guidance and codes of practice issued or approved by a regulator or other public body);

1.2. “Controller” and “Processor” are read to refer to those equivalent terms;

1.3. “CrissCross,” “we,” “our,” “us” means CrissCross Tech Pty Ltd, a company incorporated and registered in South Africa (registration number 2022/812239/07) (“CrissCross SA”) together with all companies that are directly or indirectly (whether through one or more intermediaries or otherwise) control, or are controlled by, or are under common control with CrissCross SA;

1.4. “Data Breach” means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed;

1.5. “Data Protection Laws” means any Applicable Laws which regulate the Processing of Personal Information that is received by CrissCross;

1.6. “Data Subject” means each identified or identifiable (whether directly or indirectly) legal or natural person to whom any Personal Information relates;

1.7. “Personal Information” means information relating to any natural or legal person, the Processing of which is regulated by Data Protection Laws including:

• (i) information relating to the race, gender, sex, marital status, national, ethnic or social origin, colour, age, disability, language and birth of the person;

• (ii) information relating to the education or the medical, financial, criminal or employment history of the person;

• (iii) information relating to the financial affairs of the person;

• (iv) credit card details and transactional data;

• (v) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;

• (vi) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

• (vii) the views or opinions of another individual about the person;

• (viii) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

• (ix) any other information the Processing of which may be treated or defined as “personal information” in terms of any Applicable Laws, including Data Protection Laws;

1.8. “Policy” means this Privacy Policy;

1.9. “Process” means to collect, receive, record, organise, collate, store, develop, update, modify, retrieve, alter, consult, use, disseminate or perform any other act or action, including any other act or action which may be treated or defined as “process” or “processing” (or any equivalent term for a similarly-regulated activity) in terms of any Data Protection Laws, and “Processed” and “Processing” shall have a corresponding meaning;

1.10. “Regulator” shall mean any court or public body having regulatory or supervisory authority over all Personal Information;

1.11. “Responsible Party” and “Operator” have the meanings given to those terms in the Data Protection Laws, and where an equivalent term is used in Data Protection Laws (such as “Responsible Party” and “Operator”, respectively);

1.12. “Special Personal Information” is sensitive Personal Information of a Data Subject or a child in terms of the Data Protection Laws.

2. PURPOSE

2.1. The purpose of this Policy is to inform you about how we Processes your Personal Information.

2.2. CrissCross, in its capacity as Responsible Party (and/or Operator, where applicable), shall strive to observe, and comply with its obligations under Data Privacy Laws as well as accepted information protection principles, practices and guidelines when it Processes Personal Information from or in respect of a Data Subject.

2.3. This Policy applies to Personal Information collected by us in connection with the products and services which we provide to you. This includes information collected directly from you as a Data Subject, as well as information we collect indirectly through our service providers who collect your information on our behalf.

2.4. This Privacy Policy does not apply to the information practices of third party companies that we may engage with in relation to its business operations (including, without limitation, their websites, platforms and/or applications) which we do not own or control; or individuals that CrissCross does not manage or employ. These third party sites may have their own privacy policies and terms and conditions that people will have to comply with.

3. PROCESS OF COLLECTING PERSONAL INFORMATION

3.1. We will collect Personal Information directly from you as and when required for a defined purpose, unless an exception is applicable (such as, for example, where you have made the Personal Information public or the Personal Information is contained in or derived from a public record).

3.2. We will always collect Personal Information in a fair, lawful and reasonable manner to ensure that we protect your privacy and will Process the Personal Information based on legitimate grounds in a manner that does not adversely affect you.

3.3. Where we obtain Personal Information from third parties, we will ensure that we obtain your consent to do so. We will only Process your Personal Information without your consent where we are permitted to do so in terms of clause Error: Reference source not found above or the Data Protection Laws.

3.4. An example of such third parties includes:

• (i) agencies;

• (ii) other companies providing services to us; and

• (iii) where we make use of publicly available sources of information.

4. LAWFUL PROCESSING OF PERSONAL INFORMATION

4.1. Where we are the Responsible Party, we will only Process your Personal Information (other than for Special Personal Information) where:

• 4.1.1. your consent (or a competent person, where the Data Subject is a child) is obtained;

• 4.1.2. Processing is necessary to carry out the actions for conclusion of a contract to which you are a party;

• 4.1.3. Processing complies with an obligation imposed by Data Protection Laws on us;

• 4.1.4. Processing protects your legitimate interests; and/or

• 4.1.5. Processing is necessary for pursuing our legitimate interests or of a third party to whom the information is supplied.

4.2. We will only Process Personal Information where one of the legal bases referred to in paragraph 4.1 above are present.

4.3. We will make the manner and reason for which the Personal Information will be Processed clear to you.

4.4. Where we rely on your consent as the legal basis for Processing Personal Information, you may withdraw your consent or may object to us Processing your Personal Information at any time. However, this will not affect the lawfulness of any Processing carried out prior to the withdrawal of your consent or any Processing justified by any other legal ground provided under Data Privacy Laws.

4.5. If you withdraw your consent or if there is otherwise a justified objection against the use or the Processing of such Personal Information, we will ensure that the Personal Information is no longer Processed.

5. SPECIAL PERSONAL INFORMATION

5.1. We will generally not Process Special Personal Information unless:

• 5.1.1. Processing is carried out in accordance with your consent;

• 5.1.2. Processing is necessary for the establishment, exercise or defence of a right or obligation in law;

• 5.1.3. Processing is for historical, statistical or research purposes, subject to stipulated safeguards;

• 5.1.4. information has deliberately been made public by you; or

• 5.1.5. specific authorisation applies in terms of Data Privacy Laws.

5.2. We will not Process any Personal Information concerning a child unless we have obtained the consent of the parent or guardian of that child or where it is permitted to do so in accordance with Applicable Laws.

6. PURPOSE FOR PROCESSING PERSONAL INFORMATION

6.1. We will make you aware of the fact that we are Processing your Personal Information and we will inform you of the purpose for which we will Processes such Personal Information.

6.2. We will only Process your Personal Information for a specific, lawful and clear purpose and we will ensure that we make you aware of such purpose(s) as far as possible.

6.3. We will ensure that there is a legal basis for the Processing of any Personal Information. Further, we will ensure that Processing will relate only to the purpose for and of which you have been made aware (and where relevant, consented to) and we will not Process any Personal Information for any other purpose(s).

6.4. We will generally use your Personal Information for purposes required to operate and manage our normal operations and these purposes include one or more of the following non-exhaustive purposes:

• 6.4.1. for the purposes of providing services to you;

• 6.4.2. for purposes of onboarding you;

• 6.4.3. generally for procurement and supply purposes;

• 6.4.4. for purposes of monitoring the use of our electronic systems and online platforms by you. We may, from time to time, engage third party service providers (who will Process your Personal Information on our behalf) to facilitate this;

• 6.4.5. for purposes of preventing, discovering and investigating violations of this Policy, the Applicable Law and other CrissCross policies;

• 6.4.6. in connection with the execution of payment processing functions;

• 6.4.7. in connection with internal audit purposes (i.e. ensuring that the appropriate internal controls are in place in order to mitigate the relevant risks, as well as to carry out any investigations where this is required);

• 6.4.8. in connection with external audit purposes. For this purpose, we engage external service providers and, in so doing, we may share your Personal Information with third parties;

• 6.4.9. for company secretarial related purposes. For this purpose, we may, from time to time, collect information relating to you from third parties;

• 6.4.10. for such other purposes to which you may consent from time to time;

• 6.4.11. for such other purposes as authorised in terms of Data Protection Laws; and

• 6.4.12. to comply with any Data Protection Laws or any query from a Regulator.

7. KEEPING PERSONAL INFORMATION ACCURATE

7.1. We will take reasonable steps to ensure that all Personal Information is kept as accurate, complete and up to date as reasonably possible depending on the purpose for which Personal Information is collected or further Processed.

7.2. We may not always expressly request you to verify and update your Personal Information unless this process is specifically necessary.

7.3. You must notify us from time to time in writing of any updates required in respect of your Personal Information.

8. STORAGE AND PROCESSING OF PERSONAL INFORMATION

8.1. We may store your Personal Information in hardcopy format and/or in electronic format using our own secure on-site servers or other internally hosted technology.

8.2. Your Personal Information may also be stored by third parties, via cloud services or other technology, with whom we have contracted to support our operations.

8.3. Our third party service providers, including data storage and processing providers, may from time to time also have access to your Personal Information in connection with purposes for which the Personal Information was initially collected to be Processed.

8.4. We will ensure that such third-party service providers will Process your Personal Information in accordance with the provisions of this Policy, all other relevant internal policies and procedures and Data Privacy Laws.

8.5. The third-party service providers will not use or have access to your Personal Information other than for purposes specified by us, and we will require such parties to employ at least the same level of security that we use to protect the Data Subjects’ Personal Information.

8.6. Your Personal Information may be Processed in the country where you reside or another country where CrissCross and their third-party service providers maintain servers and facilities, and we will take steps, including by way of contracts, to ensure that it continues to be protected, regardless of its location, in a manner consistent with the standards of protection required under applicable law, including Data Privacy Laws.

9. DIRECT MARKETING

9.1. To the extent that we act in our capacity as a direct marketer, we shall strive to observe, and comply with our obligations under Data Privacy Laws when implementing principles and practices in relation to direct marketing.

9.2. We will only use your Personal Information to contact you for purposes of direct marketing from time to time where it is permissible to do so.

9.3. We may use your Personal Information to contact you and/or market CrissCross services directly to you if you are one of our existing clients, you have requested to receive marketing material from us, or we have your consent to market our services directly to you.

9.4. If you are our existing client, we will only use your Personal Information if we have obtained your Personal Information through the provision of a service to you and only in relation to similar services to the ones we previously provided to the Data Subject.

9.5. We will ensure that a reasonable opportunity is given to you to object to the use of your Personal Information for our marketing purposes when collecting your Personal Information and on the occasion of each communication to you for purposes of direct marketing.

9.6. We will not use your Personal Information to send you marketing materials if you have requested not to receive them. If you request that we stop Processing your Personal Information for marketing purposes, we shall do so.

10. RETENTION OF PERSONAL INFORMATION

10.1. We may keep records of your Personal Information, correspondence, or comments we have collected in an electronic or hardcopy file format.

10.2. In terms of Data Privacy Laws, we may not retain your Personal Information for a period longer than is necessary to achieve the purpose for which it was collected or Processed and will delete, destroy (in such a way that it cannot be reconstructed) or de-identify the information as soon as is reasonably practicable once the purpose has been achieved. This prohibition will not apply in the following circumstances:

• 10.2.1. where the retention of the record is required or authorised by Applicable Laws or by any Regulator;

• 10.2.2. where we require the record to fulfil our lawful functions or activities;

• 10.2.3. retention of the record is required by a contract between the parties thereto;

• 10.2.4. you (or competent person, where the Data Subject is a Child) has consented to such longer retention; or

• 10.2.5. the record is retained for historical, research, archival or statistical purposes provided safeguards are put in place to prevent use for any other purpose. Accordingly, we will, subject to the exceptions noted in this Policy, retain your Personal Information for as long as necessary to fulfil the purposes for which your Personal Information was collected and/or as permitted or required by Data Protection Laws.

10.3. Where we retain your Personal Information for longer periods for statistical, historical, archival or research purposes, we will ensure that appropriate safeguards have been put in place to ensure that all your recorded Personal Information will continue to be Processed in accordance with this Policy and Data Protection Laws.

10.4. Once the purpose for which your Personal Information was initially collected and Processed no longer applies or becomes obsolete, we will ensure that the Personal Information is deleted, destroyed or de-identified sufficiently so that no one can re-identify your Personal Information. In instances where we de-identify the Personal Information, we may use such de-identified information indefinitely.

11. FAILURE TO PROVIDE PERSONAL INFORMATION

Should we need to collect your Personal Information as prescribed by Applicable Laws or under our obligations as a service provider, and you fail to provide your Personal Information when requested, we may be unable to perform our duties as a service provider in terms of the Data Protection Laws.

12. SAFE-KEEPING OF PERSONAL INFORMATION

12.1. We shall preserve the security of your Personal Information and, in particular, prevent its alteration, loss and damage, or access by non-authorised third parties.

12.2. We will ensure the security and integrity of your Personal Information in our possession or under our control with appropriate, reasonable technical and organisational measures to prevent loss, unlawful access and unauthorised destruction of your Personal Information.

12.3. We have implemented physical, organisational, contractual and technological security measures (having regard to generally accepted information security practices or industry-specific requirements or professional rules) to keep your Personal Information secure, including measures protecting your Personal Information from loss or theft, unauthorised access, disclosure, copying, use or modification. Further, we maintain and regularly verify that our security measures are effective and we regularly update them in response to new risks.

13. DATA BREACHES

13.1. We will address any Data Breach in accordance with the terms of Data Privacy Laws.

13.2. We will notify the Regulator and the affected Data Subjects (unless the applicable law or a government authority requires that we delay notification to the Data Subjects) in writing in the event of a Data Breach (or a reasonable belief of a Data Breach) in respect of that Data Subject’s Personal Information.

13.3. We will provide such notification as soon as reasonably possible after we become aware of any Data Breach.

13.4. Where we act as an ‘Operator’ for purposes of Data Privacy Laws and should any Data Breach affect the data of Data Subjects whose information we Processes as an Operator, we will (in terms of Data Privacy Laws) notify the relevant Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of relevant Data Subjects has been accessed or acquired by any unauthorized person.

14. PROVISION OF PERSONAL INFORMATION TO THIRD PARTY SERVICE PROVIDERS

14.1. We may disclose your Personal Information to third parties and we will enter into written agreements with such third parties to ensure that they Process any Personal Information in accordance with the provisions of this Policy, and Data Privacy Laws.

14.2. We will disclose your Personal Information with your consent or if we are permitted to do so without such consent in accordance with Data Protection Laws.

14.3. Further, we may also send your Personal Information to a foreign jurisdiction outside of the jurisdiction in which you reside, including for Processing and storage by third parties.

14.4. When your Personal Information is transferred to a jurisdiction outside of the jurisdiction you reside in including to any cloud, data centre or server located outside of the jurisdiction you reside in, we will obtain the necessary consent to transfer your Personal Information to such foreign jurisdiction or may transfer your Personal Information where we are permitted to do so in accordance with the provisions applicable to cross-border flows of Personal Information under Data Privacy Laws.

14.5. The Processing of your Personal Information in a foreign jurisdiction, if and to the extent such Processing does occur, may be subject to the laws of the country in which your Personal Information is held, and may be subject to disclosure to the governments, courts of law, enforcement or regulatory agencies of such other country, pursuant to the laws of such country.

15. RESPONSES

We will respond to each written request of a Data Subject not later than 30 (thirty) days after receipt of such requests. Under certain circumstances, we may, however, extend the original period of 30 days once for a further period of not more than 30 (thirty) days.

16. PRIVACY OFFICER

CrissCross has appointed a dedicated Privacy Information Officer who is responsible for the Processing and protection of Personal Information.