
1. Introduction

Hazarbuz Exchange Ltd (the ‘Company’) is a financial services company that offers money remittance services to UK residents.

As a company, Hazarbuz Exchange is committed to dealing with our customers, employees and other parties with honesty and integrity. As part of this commitment, we will make every effort to ensure that all Personal Data is handled in accordance with the UK GDPR. Our policy framework sets out the necessary requirements and principles to manage and mitigate key risks and ensure compliance with the UK GDPR.

We acknowledge that our business is underpinned by personal data, which is an important business asset and therefore must be kept secure, both to preserve the privacy of individuals and to safeguard our reputation.

This document sets out and provides the high-level approach to implementing and maintaining an adequate and effective data privacy risk management framework which, alongside other policies, contributes to our system of internal controls.

This policy sets out our approach to how we collect, process, manage, transfer, disclose, retain, and destroy any personal data either controlled or processed by us, including the personal data of our customers, employees, partners, and contractors.

Hazarbuz Exchange Ltd is registered with the ICO under registration number ZA333802.

2. Policy Statement

Hazarbuz Exchange Ltd takes the security and privacy of data seriously. We need to gather and use information or ‘data’ about our customers, employees and partners as part of our business. We intend to comply with our legal obligations under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR 2021) in respect of data privacy and security. We have a duty to notify customers and other interested parties of the information contained in this policy.

This policy applies to our customers, employees, and all partners. If you fall into one of these categories, then you are a ‘data subject’ for the purposes of this policy. You should read this policy and any other notice we may issue from time to time in relation to your data.

The Company has separate policies and privacy notices in place in respect of the remittance services we provide. A copy of these can be obtained by request to the director of the Company.


The Company is a data controller for the purposes of your personal data. This means that we determine the purpose and means of processing your personal data.

This policy explains how the Company will hold and process your information. It explains your rights as a data subject. It also explains our obligations when obtaining, handling, processing or storing personal data in the course of the business.

This policy does not form part of your contract for services and can be amended by the Company at any time. It is intended that this policy is fully compliant with the DPA 2018 and the UK GDPR 2021. If any conflict arises between those laws and this policy, the Company intends to comply with the DPA and the UK GDPR.

The objective of this policy is to ensure everyone in the Company understands their obligations under the UK GDPR to:

  • Assure the data privacy and protection of customers, staff, advisors, and other individuals who interact with our Company
  • Mitigate risks arising from non-compliance
  • Ensure that the Company has necessary safeguards in place as required by UK GDPR

3. Scope of Policy

This Policy applies to all processing of personal data by Hazarbuz Exchange Ltd and its employees and any 3rd party suppliers of services to the Company, where ‘processing’ includes any operation undertaken on the data, including receipt, use, storage and disposal.

Employees are defined as permanent and fixed term contract employees engaged under a contract of employment who provide services on behalf of the Company. The Policy applies to data held in any format (electronic or hard copy/paper) or system or processed by any means.

The Policy is effective from 03 December 2024 and subject to review in the event of a significant change to the business impacting this policy.

4. Principles of UK GDPR

Under the UK GDPR, the data protection principles set out the main responsibilities for organisations. The principles are similar to those in the Data Protection Act, with added detail at certain points and a new accountability requirement. Article 5(1) of the GDPR requires that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) adds that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

The accountability principle requires organisations to show how they comply with the principles of UK GDPR, which can be done by:

  • Maintaining relevant documentation on processing activities
  • Implementing appropriate technical and organisational measures that ensure and demonstrate compliance
  • Implementing internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal policies
  • Implementing measures that meet the principles of data protection by design and data protection by default

Penalties

We are accountable for these principles and must be able to show that we are compliant. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of total worldwide annual turnover, whichever is higher.

Under Recital 87 of the UK GDPR when a security incident takes place, we will establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO within 72 hours if required.

Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover.


5. UK GDPR Lawful bases for Processing Conditions

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever personal data is processed. These are set out below:

  • Consent: the individual has given clear consent to process their personal data for a specific purpose.
  • Contract: processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
  • Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

‘Special categories of personal data’ are types of personal data consisting of information as to:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic or biometric data;
  • health;
  • sex life and sexual orientation; and
  • criminal convictions and offences.

6. Our Lawful basis for Processing

Our lawful basis for collecting and processing personal data of customers is that processing is necessary to perform or enter into a contract in order for them to use our services.

Our lawful basis for processing the personal data of employees is that processing is necessary to perform or enter into the employment contract we have with them.

Our lawful basis for processing the personal data of employees in relation to PAYE, pension contributions and other personal data shared with HMRC is that processing is necessary for compliance with the law.

We will only contact our customers for marketing purposes if they have given us their consent in relation to the daily currency rates.

We are under legal obligation to hold records including transactional data for 5 years from the date a one-off transaction has been carried out or if the business relationship ends, but in all cases, this should be in line with the requirements set by PSR 2017 and HMRC Regulations 2017.

We will not hold and use any of these special categories of your personal data as this is not required for remittance purposes.
7. Our obligations

For services provided by the Company where we collect and process personal data on behalf of our clients, we act as a data controller and processor; therefore we must comply with the obligations placed on us by the UK GDPR, which include:

    • As a data processor we must have adequate security measures in place for processing personal data
    • We must make sure that the people processing data on our behalf are subject to a duty of confidence
    • We will only share personal data with third parties if they fall under UK GDPR and we have a written agreement with them to process such data
    • All staff must contact the data controller (Mr. Farhad Khan Niaz) if they become aware of any data breach
    • Staff must assist the controller in providing data subject access and allowing data subjects to exercise their rights under the UK GDPR

8. Data we collect and Process

The company processes personal information about customers and employees.

The information we collect may include:

  • Personal details such as name, address, ID etc.
  • Financial details
  • Employment details
  • Bank details in case of electronic transfer
  • Your images (whether captured on CCTV or photograph)
  • Credit checks (GBG Group) for verification of your personal details

Our processing activities do not involve automated decision making or profiling.

The Company may need to share the personal information it processes with the individual themselves and also with other organisations. Where necessary we may share data collected with banks, FX brokers, service providers, credit referencing agencies, HMRC, advisors and other authorities.

It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the UK GDPR.

9. Data Protection Officer

In line with the UK GDPR requirements the Company has appointed a data protection officer (DPO), Mr. Farhad Khan Niaz, who is responsible for the firm’s data collected, stored and processed.

He can be contacted on info@hazarbuzexchange.co.uk and telephone No. 020 7258 7778. The Company’s Data Protection Officer [Mr. Farhad Khan Niaz] is responsible for reviewing this policy and updating the Company’s data protection responsibilities and any risks in relation to the processing of data. Staff should direct any questions in relation to this policy or data protection to him using the contact details above.

10. Right of Data Subjects

The UK GDPR provides the following rights for individuals:

• Right to be informed

Individuals have the right to be informed about the collection and use of their personal data. We are obliged to provide ‘fair processing information’, typically through a privacy notice or policy document. This should include:

  • Identity and contact details of the data controller
  • Purpose of the processing and the lawful basis for the processing
  • The legitimate interests of the controller
  • The rights of the data subjects

If the data is obtained directly from the data subject, the information should be provided at the time the data is obtained.

• Right of access

Individuals have the right to access their personal data. Individuals can access their data through a data request form or email directly to the DPO (details in section 12 above).

Information must be provided without delay and at the latest within 30 days of receiving the request. The company must verify the identity of the person making the request, using ‘reasonable means’.

If the company refuses to respond to a request, it must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

• Right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. A request for rectification must be responded to within 30 days. All such requests should be made to the Company.

• Right to erasure / Right to be forgotten

The right to erasure enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. We are required to keep records of all data for 5 years from the day the relationship has ended.

The right to erasure applies in some circumstances, as below:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data has to be erased in order to comply with a legal obligation
• Right to restrict processing

Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, the company is permitted to store the personal data, but not further process it.

The Company will be required to restrict the processing of personal data in the following circumstances:

  • Where an individual contests the accuracy of the personal data, the Company should restrict the processing until it has verified the accuracy of the personal data
  • If the Company no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim

• Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The Company must provide the personal data in a structured, commonly used and machine-readable form. This should enable other data controllers to use the data.

The information must be provided free of charge. It is very unlikely that we will receive such a request but, in any case, the company must respond to such requests without undue delay, and within 30 days.

• Right to object

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • Direct marketing (including profiling); and
  • Processing for purposes of scientific/historical research and statistics.

The company must stop processing the personal data unless:

  • It can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • The processing is for the establishment, exercise or defence of legal claims.

The company must inform individuals of their right to object “at the point of first communication” and in their privacy notice. The company must stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse.

• Rights in relation to automated decision making and profiling

The GDPR has provisions on automated decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).

The Company’s processes do not involve automated decision making or profiling.

11. Our Responsibilities

Everyone who works for or with Hazarbuz Exchange Ltd has some degree of responsibility for ensuring data is collected, stored and handled appropriately. All staff who handle personal data must ensure that it is handled and processed in line with this policy and data protection principles. The DPO (Mr. Farhad Khan Niaz) is ultimately responsible for ensuring that the Company meets its legal obligations.

Areas of responsibility:

  • The Company must be kept updated about UK GDPR responsibilities, risks and issues
  • The company must demonstrate compliance with the data protection principles and UK GDPR
  • The Company should implement appropriate technical and organisational measures to ensure and to demonstrate that processing activities are compliant with the UK GDPR
  • All data protection procedures and related policies will be reviewed every year
  • Training and advice on data protection should be arranged for the staff
  • The DPO should handle data protection questions from staff and anyone else covered by this policy
  • The Company should deal with requests from individuals such as right of access or right to be forgotten
  • Any third party services the Company is considering using to store or process data should be evaluated
  • Contracts with third parties and processors that may handle the Company’s sensitive data should be checked and reviewed
  • All systems, services and equipment used for storing data must meet acceptable security standards
  • Regular checks and scans should be performed to ensure security hardware and software is functioning properly
  • Marketing initiatives should abide by UK GDPR principles
  • Adequate data protection procedures should be in place for when an employee leaves
  • Data breaches should be recorded, serious data breaches should be reported to the ICO and high risk breaches should be reported to the affected data subjects
  • Following any breaches, the company should review the adequacy of its security measures
  • The company should make sure individuals are aware that their data is being processed, how the data is being used and how to exercise their rights
  • The Company should make sure this policy document is made available to potential and existing clients and employees
  • The Company must ensure they continue to be registered as a data controller with the ICO

12. Security Measures

Office building

  • The office is located on the high street
  • It has a separate alarm system and 24 hour security at the reception desk
  • Visitors can only enter with authorisation from the front desk
  • Employees require office keys to enter the office
  • The reception area is not left unattended
  • There is CCTV outside the front door of the office and a doorbell
  • All employees are given a door key which has an electronic keypad as well as a mechanical lock

Staff are responsible for the cleaning of the office.

General Staff Guidelines

  • Employees should keep all data secure by taking sensible precautions and following the guidelines below
  • The Company will provide training to all employees to help them understand their responsibilities
  • Staff should request help from the DPO if they are unsure of any aspect of data protection
  • The only people able to access data covered by this policy should be those who need it for their work
  • Personal data should not be disclosed to unauthorised people, either within the company or externally
  • Staff should only process personal data electronically from the Company’s system and keep their credentials secure
  • Staff must maintain their duty of confidence as outlined in their confidentiality agreements

Data Storage

  • Servers containing personal data are located in a secure location, away from general office space
  • Data should be backed up frequently and these backups should be tested regularly
  • All servers and computers containing data should be protected by approved security software and a firewall
  • When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts
  • Data should never be saved directly to laptops or other mobile devices like tablets or smart phones
  • Employees should not save copies of personal data to their own computers or the normal desktop
  • Customer documents should be saved in a file with password protection
  • If the Company decides to save data to a memory stick, backups transferred to memory sticks should be password protected
  • Employees should keep memory sticks in a secure place when not in use
  • Data stored on memory sticks should be cleared regularly
  • Personal data stored or printed out on paper should be kept in a secure location where unauthorised people cannot see it
  • Data printouts should be shredded and disposed of securely when no longer required

Data Use

  • When working from home, or if visitors are in the office, employees should ensure computer screens are locked when left unattended
  • Personal data should never be transferred outside of the European Economic Area except in compliance with the law and with the authorisation of the Data Protection Officer
  • Personal data is not allowed to be taken outside the office by copying it to USB sticks or personal laptops
  • Employees should not share personal data of customers with other customers or visitors
  • Data can only be shared with individuals if they are visiting the office for an audit on behalf of our partners; this should be handled by the DPO

Data Accuracy

  • It is the responsibility of all staff who work with data to take reasonable steps to ensure it is kept accurate and up to date
  • Staff should take every opportunity to ensure data is updated; data should be updated as inaccuracies are discovered
  • The Company must make it easy for data subjects to update their information that is held by the company

Providing Personal data to Third Parties

  • Our service providers request data for all customers when we trade funds. Staff should ensure that no data is emailed without password protection
  • All customer data should be uploaded to a secure system provided by our service providers
  • When sending ID documents, staff should ensure that these are emailed in a secure manner, protected by a password
  • Staff should never email passwords in the same email
  • Always ask customers to provide KYC documents when they visit our office. If customers wish to email their documents, ask them to encrypt them or secure them with a password where possible

Sharing your personal data

  • Sometimes we might share your personal data with FX Brokers, Banks or our contractors to carry out our obligations under our contract with them for the services they provide us.
  • We require those companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with the services they provide us.
  • The services these companies provide us include cash and electronic payment collection, processing, and wire payment services. These companies will require data of all our customers to meet their legal obligations.
  • We do not send your personal data outside the European Economic Area. If this changes you will be notified of this and the protections which are in place to protect the security of your data will be explained.

Procedures for when an employee leaves:

  • Office keys must be returned
  • Change security keypad settings at the front door
  • Office computer and USB sticks should be returned
  • Ensure no files and records are still at the employee’s residence or on their personal laptop
  • Remove employee access/login to remote desktop
  • Change passwords for the systems
  • Redirect emails to the director
  • Check the employee cannot access work emails from their phone

13. Why we might process your personal data

We have to process your personal data in various situations during ID verification or onward payment to your recipient.

For example:

  • to verify your ID and address;
  • to check you have the legal right to work for us;
  • to comply with relevant Regulations which affect us;
  • to prevent and detect fraud or other criminal offences;
  • to defend the Company in respect of money laundering and terrorist financing Laws and Regulations.

We do not need your consent to process your personal data when we are processing it for the following purposes:

  • when we are processing your funds to your beneficiary
  • when funds are processed by our banks/FX Brokers, and they request us to provide details of the originators of the funds
  • when the Regulators (HMRC and FCA) request the same information from us
  • when other authorities request data from us

14. Subject access requests

  • Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them. This request must be made in writing. All such requests should be emailed to the Data Protection Officer who will coordinate a response.
  • If the data subject would like to make a SAR in relation to their own personal data, they should make this in writing to the DPO. A response will be given within 15 days unless the request is complex or numerous, in which case we will respond within 30 days.
  • There is no fee for making a SAR. However, if the request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to respond to your request.

15. Recording and Reporting Data Breaches

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach occur (whether in respect of staff or customers), we must take a note and keep evidence of that breach.

If staff are aware of a data breach, they must contact the DPO immediately and keep any evidence in relation to the breach.

Each case must be considered on its own merits. Breaches that are considered by the company to be ‘serious’ should be reported to the Information Commissioner’s Office (ICO). The seriousness of a breach will depend on:

  • the potential detriment to data subjects
  • the volume of personal data lost / released / corrupted
  • the sensitivity of the data lost / released / corrupted

There is no need to report a breach if it is “unlikely to result in a risk to the rights and freedoms of natural persons”.

The company has 72 hours from the time it becomes aware of a reportable breach within which to report it. Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113. To report the breach in writing, use the DPA security breach notification form (found on the ICO website: https://ico.org.uk/for-organisations/report-a-breach/).

The Company has agreed that serious breaches will be reported to the ICO by Farhad Khan Niaz. In his absence, serious breaches will be reported to the ICO by the Deputy MLRO of the Company.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the breach must also be reported to the affected individual(s) without undue delay. The Company has agreed that Mr. Farhad Khan Niaz will notify the affected individuals of all such breaches.