INFORMATIVE CLAUSE 3 July 2023 Fence’s Privacy Policy
INFORMATIVE CLAUSE 3 July 2023 Fence’s Privacy Policy
INFORMATIVE CLAUSE 3 July 2023 Fence’s Privacy Policy
BASIC INFORMATION ON DATA PROTECTION
BASIC INFORMATION ON DATA PROTECTION
BASIC INFORMATION ON DATA PROTECTION
Controller Fence Technology Spain, S.L.
Purpose
1. Registration in the Fence Platform (including, (i) User’s registration and access to the Fence Platform)
2. Provision of the Services to Users (including, (i) performing the contractual relationship with Users and (ii)performing the contractual relationship with Fence’s and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium (iii) verifying the necessary information and documentation, (iv) maintaining the IT and data security of the Fence Platform and (v) preparing statistics for the User regarding the use and operation of the Services)
3. Business Intelligence (including, (i) anonymising Users’ personal data for statistics on the use and operation of the Fence Platform and the provision of the Services; these statistics will not contain personal data of Users )
4. Notifications and communications with Users (including, (i) notifying Users regarding the provision of the Services or registration in the Fence Platform and (ii) processing queries and requests sent to Fence)
5. Marketing communications (including, (i) sending personalised marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence and other entities of the Fence Group tailored to Users’ basic profiles and (ii) sending marketing communications once the contractual relationship with Fence has ended)
6. Compliance with legal obligations (e.g. anti-money laundering, tax, labour and social security, data protection or e-commerce, including compliance with requests of User’s personal data from competent authorities).
Categories and sources of personal data
● Users’ personal data obtained directly from data subjects when registering in, interacting with or using the Fence Platform on their own behalf and/or in the name of the entity they are representing.
● Contact details provided from registered Users when inviting new users to register in the Fence Platform. ● Account personal data provided from your Electronic Money Institution account (e.g. Monerium). By registering, you authorise Fence to obtain data from your account.
Rights
Data subjects can exercise the rights of access, rectification, erasure, restriction, portability and all of those data protection rights recognised in the applicable laws and withdraw the consent previously given by writing to legal@fence.finance.
BASIC INFORMATION ON DATA PROTECTION
3 July 2023 Fence’s Privacy Policy
You may object to the processing of personal data included in purposes 2 (iv), 3, and 5 (i) by writing to legal@fence.finance .
Additional information
For further information on the processing of your data please check our Privacy Policy fence.finance/#/privacy.
3 July 2023 Fence’s Privacy Policy
FENCE’S PRIVACY POLICY
Fence Technology Spain, S.L. (“Fence”, “We” or “Us”) is a Spanish company that operates a software-as-a-service (SaaS) platform either through its website (fence.finance) or mobile or computer applications (the “Fence Platform”), that enables lenders and borrowers to originate, manage, operate and monitor a private contractual lending relationship through the combination of three complementary features: (a) its programming code (both proprietary and externally sourced), which, among other things, uses blockchain technology to allow live validation and instant settlement of transactions, as well as a transparent and automated auditing and monitoring of the lending relationship; (b) its interface, that puts together a wide range of actions and back-office indicators customarily used by lenders and borrowers in the monitoring of lending transactions; and (c) a collaboration with third parties to ensure the functionality of lending transactions on blockchain (the “Services”). As part of its business model, the Fence Platform relies on the tokenization of user funds. For that purpose, users convert fiat funds into e-money tokens (EMTs), which can be self-custodied and operated by the users directly via the smart contracts provided by the Fence Platform. This tokenization allows, among other things, for the automation of a number of actions that are typically required in every lending relationship (e.g. making a utilisation request, carrying out a voluntary or mandatory repayment, etc.), thus reducing operational, maintenance and reporting costs and significantly minimizing the risk of human error. This privacy policy (the “Privacy Policy”) provides information on the processing of the personal data of data subjects (sole traders, employees, contractors, agents or other representatives) acting on their own behalf and/or in the name of the entity they are representing as registered and non-registered users of the Fence Platform (the “Users” or “You”), in accordance with applicable laws and regulations, including, in particular, the General Data Protection Regulation (EU) 2016/679 (“GDPR”)1 and Spanish Basic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales) (“Spanish Data Protection Law”) (together, “Data Protection Regulations”). Fence will normally act as a data controller when processing Your personal data and during the provision of the Services. However, Fence may act on some occasions as a data processor. Personal data processed by Fence acting as a data processor will be processed according to the Annex.
*1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1. PURPOSES AND LEGAL BASIS OF PROCESSING In connection with Your use of the Fence Platform, Your personal data will be processed by Us for the following purposes and according to these legal basis: Please note that if You do not provide the data, where applicable, we may not be able to correctly provide the Services. 3 July 2023 Fence’s Privacy Policy Purpose Categories of personal data Legal basis
1. Registration in the Fence Platform
(i) User’s registration and access to the Fence Platform Registration Data: the information provided by Users when they create and maintain an account on the Fence Platform: Data subjects’ identifying data and contact details, including name and surname, ID, address, telephone, email, job title; economic and banking data. Management, control and performance of the contractual or pre-contractual relationship with Users.
2. Provision of the Services to Users (i) Providing Services to Users and managing, controlling and performing the contractual relationship with Users Data provided by the User during the provision of the Services: Data subjects’ identifying data and contact details, including name and surname, address, telephone number, email and ID number; economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users.
Purpose Categories of personal data
Legal basis (ii) Providing the Services to Users and managing, controlling and performing the contractual relationship with Users and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium. Data provided by the User when providing access to the Electronic Money Institution account: Data subjects’ identifying data and contact details, access credentials, economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium . (iii) Verification of the necessary information and documentation provided by the User during the provision of the Services. Data provided by the User during the provision of the Services: Data subjects’ identifying data and contact details, including name and surname, ID, address, telephone, email, job title; economic and banking data. Management, control and performance of the contractual relationship with Users. (iv) Maintaining the IT and data security of the Fence Platform. Data necessary to ensure the security of the Fence Platform: Data subjects’ device identifying data, IP address, geolocation data, device information such as browser type, version and operating system, and type of device as well as browsing activity. Legitimate interest of Fence in safeguarding the security of the Fence Platform. (v) Preparing statistics for the User regarding Your use and operation of the Fence Platform and the Services. Data provided by the User during use of the Fence Platform and/or the Services: Data subjects’ identifying data and contact details, including name and surname, address, telephone number, email and ID number; economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users.
3. Business Intelligence
Purpose Categories of personal data
Legal basis
(i) Anonymization of data for the elaboration of statistics for Fence regarding the use and operation of the Fence platform and the provision of the services including the use and operations of contact channels or support forms. These statistics may eventually be published or disclosed to third parties (e.g. to other companies within the Fence group) but will not contain personal data of Users. Data provided by the User during registration and the provision of the Services. Fence’s legitimate interest in anonymizing the data in order to gather anonymised information for analysing, advertising, and improving the use and operation of the Fence Platform and the provision of the Services.
4. Notifications and communications to Users
(i) Notifying Users regarding the provision of the Services or registration in the Fence Platform. User’s contact details. Management, control and execution of the contractual relationship with the Users. (ii) Processing and actioning queries and requests of Users sent via contact channels or support forms. Data provided by Users when using Fence’s contact channels or support forms: Data subjects’ identifying data and contact details, and data related to the query or request in question). Management, control and performance of the contractual or pre-contractual relationship with Users when using Fence contact channels or support forms.
5. Marketing communications
Purpose Categories of personal data
Legal basis (i) Sending personalised marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence and other entities of the Fence Group tailored to Users’ basic profiles. A basic profile is understood as the combination of elementary characteristics of User regarding information provided directly by the Users in the use of the Fence Platform that does not include data inferences or enrichment of the data with different sources. Data subjects’ identifying data and contact details; economic and financial data, solvency information, transactional information. Fence’s legitimate interest in offering Users products and services that may be of interest to You and that are similar to those already contracted by You. (ii) Sending marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence, once the contractual relationship has ended. Data subjects’ identifying data and contact details. User’s provided clicking corresponding check box. Consent may be withdrawn at any time. consent when on the 6. Compliance with legal obligations with legal applicable to anti-money laundering, tax, labour and social security, data protection, e-commerce) including compliance with requests of User’s information from competent authorities. (i) Compliance obligations Fence (e.g. Data subjects’ identifying data and contact details, tax information, economic and financial data, transactional information and data related to the Services. Compliance Fence’s obligations applicable laws. with legal under
3. ● ● ● Directly from data subjects when You are registering in, interacting with or using the Fence Platform and/or the Services on your own behalf and/or in the name of the entity you are representing. From registered Users when inviting new users to register in the Fence Platform (mainly contact details). From Your Electronic Money Institution (“EMI”) account (e.g. Monerium). By registering on the Fence Platform, You authorise Fence to access and manage the data contained in your EMI account in order to provide the Services.
RECIPIENTS AND INTERNATIONAL TRANSFERS OF DATA Users’ personal data will not be disclosed to any third parties unless: (i) it is necessary in order to provide the Services such as to other Users or where Fence is collaborating with third parties (in particular Fence’s service providers, hosting services or EMI such as Monerium); (ii) required by law, e.g. where it has been requested by a competent authority pursuant to its functions or (iii) the User has given its authorization. The Fence Platform will generally not transfer the personal data outside the European Economic Area. However, if international transfers of data ever take place, Fence will ensure that the necessary safeguards pursuant to the Data Protection Regulations are complied with (e.g. an adequacy decision is in place or standard contractual clauses are executed). For further information on the safeguards on international transfers of data please write to the following email address: legal@fence.finance.
4. DATA RETENTION PERIODS Users’ personal data will be processed during the performance and maintenance of the contractual relationship and thereafter will be retained for the necessary period to attend to legal or contractual liabilities. Where Users have used contact channels or support forms of the Fence Platform, personal data will only be processed for the time necessary for actioning the query or request. Where Users have provided their consent, personal data may continue to be used by Fence after the contractual relationship has ended for marketing purposes. In other cases, information may only be retained anonymously. 5. DATA PROTECTION RIGHTS Data subjects’ may exercise their rights by sending an email to the following email address: legal@fence.finance. by specifying the right they wish to exercise and providing proof of identity. Fence may contact the data subject if additional information is needed to verify Your identity or action your request.
2. ORIGIN OF THE DATA The personal data processed by Fence has been obtained:
The data subject may exercise the following rights vis-à-vis Fence, as well as any other rights according to the Data Protection Regulations:
▪ The right of access and to obtain a copy of Your personal data in order to know which data is being processed and the processing operations carried out thereon. ▪ The right to rectification in order to correct any inaccuracies in relation to Your personal data.
▪ The right to the erasure of Your personal data.
▪ The right to restriction of processing of your personal data in certain cases as set out by law (e.g. when the accuracy, legality or need for processing of the data is in question)
▪ The right to object to processing of Your personal data in certain cases (e.g. to the processing indicated in points 2 (iv), 3 and 5 above).
▪ The right to data portability
▪ The right to withdraw consent that has been previously given, without affecting the lawfulness of processing based on consent before withdrawal. If you believe that Fence is in breach of the Data Protection Regulations, please do not hesitate to contact Us at the email address legal@fence.finance so that We can resolve the problem as soon as possible. In any event, You may lodge a complaint with the competent data protection supervisory authority, in Spain, the Spanish Data Protection Authority (Agencia Española de Protección de Datos: www.aepd.es) in relation to Your data protection rights. A complete list of European data protection authorities is available here.
The parties undertake to comply with the Data Protection Regulations and any other data protection regulation applicable from time to time. The parties will not be liable for the consequences of infringements of data protection legislation committed by the other party. Where the provision of the Services entails accessing and processing personal data by Fence –acting as data processor– to which the User is the data controller, the terms included in this Annex will apply and will form part of the contractual agreement between Fence and the User. The obligations established under this Annex constitute the data processing agreement between Fence (hereinafter, the “Data Processor” or “Processor”) and the User (hereinafter, the “Data Controller” or “Controller”), the duration and remuneration of which are the same as those agreed for the Services. The categories of the Personal Data and the processing activities the Data Processor will carry out are described below: 3 July 2023 Fence’s Privacy Policy ANNEX - DATA PROCESSING AGREEMENT Data Subjects Data Subjects’ categories of Personal Data Processing activities involving the Personal Data The data subjects of the Personal Data are the “Data Subjects”. Identifying data, contact data, professional information, financial and economic data and any other personal data the User includes in or shares through the Fence Platform. Collection, access, transfer, structuring, storage, consultation, comparison, rectification, extraction, restriction, and erasure.
With regard to the processing of the Personal Data, the Data Processor and the Data Controller recognise that they each have the following rights and obligations: (A) The Data Controller is solely responsible for deciding on the purpose, content and use of the Data Processor’s processing of the Personal Data. (B) The Data Processor undertakes to process the Personal Data in accordance with this data processing agreement as well as with any other data protection regulations applicable from time to time (in particular, the Data Protection Regulations). (C) The Data Controller will at all times oversee compliance with the Data Protection Regulations and supervise the processing carried out by the Data Processor. (D) The Data Processor undertakes to follow the Data Controller’s documented instructions. The Data Processor will not use the Personal Data received for any purpose other than for providing the Services and will immediately inform the Data Controller if, in its opinion, an instruction violates the Data Protection Regulations. (E) The Data Processor will process the Personal Data in accordance with the security standards and types of content provided for in the Data Protection Regulations, particularly Article
GDPR, and will implement the necessary or appropriate technical and organisational security measures. (F) The Data Processor guarantees that the persons authorised to process the Personal Data have committed to respect confidentiality, or are subject to a statutory confidentiality obligation. (G) The Data Processor will not communicate or disclose the Personal Data to third parties, not even for their conservation, except as permitted by law or in the event the Data Controller directly, expressly and in writing orders the Data Processor to do so. (H) Once the provision of the Services is terminated, the Data Processor will destroy or return the Data to the Data Controller following the Data Controller’s instructions. As an exception, a copy of the Data may be kept by the Data Processor exclusively for the purpose of defending against future claims or contractual liability. (I) The Data Processor will inform the Data Controller by the agreed means of notification, without undue delay, and in any case within 72 hours, of security breaches or cyberattacks suffered by the Data Processor in relation to the Personal Data. (J) The Data Processor will, by the agreed means of notification and without undue delay, forward to the Data Controller any complaint, notice of inquiry, notification or request it receives concerning the Data Controller’s obligations under the Data Protection Regulation, including any data subject request to exercise any of the rights recognised in Articles 15 to 22 GDPR, in order for the Data Controller to process it as it deems appropriate. (K) Taking into account the nature of the processing and the information available to it, the Data Processor will collaborate with, assist and inform the Data Controller in relation to its reasonable requests in order to facilitate the Data Controller’s compliance with its obligations under the Data Protection Regulations and, in particular, regarding security measures, the communication of security breaches to the supervisory authorities and – where appropriate – the data subjects, privacy impact assessments, and prior consultations with the supervisory authorities, as well as data subject requests to exercise rights recognised in Articles 15 to 22 GDPR. (L) The Data Processor may not engage another Data Processor (i.e. a “sub-processor”), except for the auxiliary services necessary for the Data Processor’s normal performance of the Services (e.g. IT service providers such as Amazon Web Services or professional advisors), unless it receives the Data Controller’s prior authorization. In its request for that authorization, the Data Processor must state the identity of the sub-processor and the service it will provide. (M) The Data Processor will sign a written agreement with all sub-processors with terms similar to the content included in this Annex and will communicate to the sub-processor the instructions provided by the Data Controller. The Data Controller acknowledges and accepts that the Personal Data may be processed, directly or indirectly (through sub-processors), outside the European Economic Area (the “EEA”) in compliance, in all cases, with the guarantees set out in the Data Protection Regulations in 3 July 2023 Fence’s Privacy Policy relation to international transfers (e.g. an adequacy decision is in place or standard contractual clauses are executed)). (N) The Data Processor will make available to the Data Controller all information and documentation necessary to prove the Data Processor’s compliance with the obligations under this Annex. The Data Processor will allow and assist periodic audits, including inspections, by the Data Controller or an auditor authorised by the Data Controller. The Data Controller will notify the Data Processor of its intention to carry out an audit, doing so by the agreed means of notification and reasonably in advance and, in any case, at least one month before the audit’s start date. The Controller, or the authorised auditor, will be subject to strict confidentiality obligations in relation to the Data Processor’s information accessed in the course of an audit. The Controller, or the authorised auditor, will only have access to data or information that is strictly related to the Data Processor’s performance of the obligations under this Annex and may under no circumstances have – even potential – access to the Data Processor’s trade secrets or any other reserved or protected information. The Data Processor reserves the right to reject, suspend or discontinue any access if these guarantees cannot be upheld.
Controller Fence Technology Spain, S.L.
Purpose
1. Registration in the Fence Platform (including, (i) User’s registration and access to the Fence Platform)
2. Provision of the Services to Users (including, (i) performing the contractual relationship with Users and (ii)performing the contractual relationship with Fence’s and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium (iii) verifying the necessary information and documentation, (iv) maintaining the IT and data security of the Fence Platform and (v) preparing statistics for the User regarding the use and operation of the Services)
3. Business Intelligence (including, (i) anonymising Users’ personal data for statistics on the use and operation of the Fence Platform and the provision of the Services; these statistics will not contain personal data of Users )
4. Notifications and communications with Users (including, (i) notifying Users regarding the provision of the Services or registration in the Fence Platform and (ii) processing queries and requests sent to Fence)
5. Marketing communications (including, (i) sending personalised marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence and other entities of the Fence Group tailored to Users’ basic profiles and (ii) sending marketing communications once the contractual relationship with Fence has ended)
6. Compliance with legal obligations (e.g. anti-money laundering, tax, labour and social security, data protection or e-commerce, including compliance with requests of User’s personal data from competent authorities).
Categories and sources of personal data
● Users’ personal data obtained directly from data subjects when registering in, interacting with or using the Fence Platform on their own behalf and/or in the name of the entity they are representing.
● Contact details provided from registered Users when inviting new users to register in the Fence Platform. ● Account personal data provided from your Electronic Money Institution account (e.g. Monerium). By registering, you authorise Fence to obtain data from your account.
Rights
Data subjects can exercise the rights of access, rectification, erasure, restriction, portability and all of those data protection rights recognised in the applicable laws and withdraw the consent previously given by writing to legal@fence.finance.
BASIC INFORMATION ON DATA PROTECTION
3 July 2023 Fence’s Privacy Policy
You may object to the processing of personal data included in purposes 2 (iv), 3, and 5 (i) by writing to legal@fence.finance .
Additional information
For further information on the processing of your data please check our Privacy Policy fence.finance/#/privacy.
3 July 2023 Fence’s Privacy Policy
FENCE’S PRIVACY POLICY
Fence Technology Spain, S.L. (“Fence”, “We” or “Us”) is a Spanish company that operates a software-as-a-service (SaaS) platform either through its website (fence.finance) or mobile or computer applications (the “Fence Platform”), that enables lenders and borrowers to originate, manage, operate and monitor a private contractual lending relationship through the combination of three complementary features: (a) its programming code (both proprietary and externally sourced), which, among other things, uses blockchain technology to allow live validation and instant settlement of transactions, as well as a transparent and automated auditing and monitoring of the lending relationship; (b) its interface, that puts together a wide range of actions and back-office indicators customarily used by lenders and borrowers in the monitoring of lending transactions; and (c) a collaboration with third parties to ensure the functionality of lending transactions on blockchain (the “Services”). As part of its business model, the Fence Platform relies on the tokenization of user funds. For that purpose, users convert fiat funds into e-money tokens (EMTs), which can be self-custodied and operated by the users directly via the smart contracts provided by the Fence Platform. This tokenization allows, among other things, for the automation of a number of actions that are typically required in every lending relationship (e.g. making a utilisation request, carrying out a voluntary or mandatory repayment, etc.), thus reducing operational, maintenance and reporting costs and significantly minimizing the risk of human error. This privacy policy (the “Privacy Policy”) provides information on the processing of the personal data of data subjects (sole traders, employees, contractors, agents or other representatives) acting on their own behalf and/or in the name of the entity they are representing as registered and non-registered users of the Fence Platform (the “Users” or “You”), in accordance with applicable laws and regulations, including, in particular, the General Data Protection Regulation (EU) 2016/679 (“GDPR”)1 and Spanish Basic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales) (“Spanish Data Protection Law”) (together, “Data Protection Regulations”). Fence will normally act as a data controller when processing Your personal data and during the provision of the Services. However, Fence may act on some occasions as a data processor. Personal data processed by Fence acting as a data processor will be processed according to the Annex.
*1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1. PURPOSES AND LEGAL BASIS OF PROCESSING In connection with Your use of the Fence Platform, Your personal data will be processed by Us for the following purposes and according to these legal basis: Please note that if You do not provide the data, where applicable, we may not be able to correctly provide the Services. 3 July 2023 Fence’s Privacy Policy Purpose Categories of personal data Legal basis
1. Registration in the Fence Platform
(i) User’s registration and access to the Fence Platform Registration Data: the information provided by Users when they create and maintain an account on the Fence Platform: Data subjects’ identifying data and contact details, including name and surname, ID, address, telephone, email, job title; economic and banking data. Management, control and performance of the contractual or pre-contractual relationship with Users.
2. Provision of the Services to Users (i) Providing Services to Users and managing, controlling and performing the contractual relationship with Users Data provided by the User during the provision of the Services: Data subjects’ identifying data and contact details, including name and surname, address, telephone number, email and ID number; economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users.
Purpose Categories of personal data
Legal basis (ii) Providing the Services to Users and managing, controlling and performing the contractual relationship with Users and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium. Data provided by the User when providing access to the Electronic Money Institution account: Data subjects’ identifying data and contact details, access credentials, economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium . (iii) Verification of the necessary information and documentation provided by the User during the provision of the Services. Data provided by the User during the provision of the Services: Data subjects’ identifying data and contact details, including name and surname, ID, address, telephone, email, job title; economic and banking data. Management, control and performance of the contractual relationship with Users. (iv) Maintaining the IT and data security of the Fence Platform. Data necessary to ensure the security of the Fence Platform: Data subjects’ device identifying data, IP address, geolocation data, device information such as browser type, version and operating system, and type of device as well as browsing activity. Legitimate interest of Fence in safeguarding the security of the Fence Platform. (v) Preparing statistics for the User regarding Your use and operation of the Fence Platform and the Services. Data provided by the User during use of the Fence Platform and/or the Services: Data subjects’ identifying data and contact details, including name and surname, address, telephone number, email and ID number; economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users.
3. Business Intelligence
Purpose Categories of personal data
Legal basis
(i) Anonymization of data for the elaboration of statistics for Fence regarding the use and operation of the Fence platform and the provision of the services including the use and operations of contact channels or support forms. These statistics may eventually be published or disclosed to third parties (e.g. to other companies within the Fence group) but will not contain personal data of Users. Data provided by the User during registration and the provision of the Services. Fence’s legitimate interest in anonymizing the data in order to gather anonymised information for analysing, advertising, and improving the use and operation of the Fence Platform and the provision of the Services.
4. Notifications and communications to Users
(i) Notifying Users regarding the provision of the Services or registration in the Fence Platform. User’s contact details. Management, control and execution of the contractual relationship with the Users. (ii) Processing and actioning queries and requests of Users sent via contact channels or support forms. Data provided by Users when using Fence’s contact channels or support forms: Data subjects’ identifying data and contact details, and data related to the query or request in question). Management, control and performance of the contractual or pre-contractual relationship with Users when using Fence contact channels or support forms.
5. Marketing communications
Purpose Categories of personal data
Legal basis (i) Sending personalised marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence and other entities of the Fence Group tailored to Users’ basic profiles. A basic profile is understood as the combination of elementary characteristics of User regarding information provided directly by the Users in the use of the Fence Platform that does not include data inferences or enrichment of the data with different sources. Data subjects’ identifying data and contact details; economic and financial data, solvency information, transactional information. Fence’s legitimate interest in offering Users products and services that may be of interest to You and that are similar to those already contracted by You. (ii) Sending marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence, once the contractual relationship has ended. Data subjects’ identifying data and contact details. User’s provided clicking corresponding check box. Consent may be withdrawn at any time. consent when on the 6. Compliance with legal obligations with legal applicable to anti-money laundering, tax, labour and social security, data protection, e-commerce) including compliance with requests of User’s information from competent authorities. (i) Compliance obligations Fence (e.g. Data subjects’ identifying data and contact details, tax information, economic and financial data, transactional information and data related to the Services. Compliance Fence’s obligations applicable laws. with legal under
3. ● ● ● Directly from data subjects when You are registering in, interacting with or using the Fence Platform and/or the Services on your own behalf and/or in the name of the entity you are representing. From registered Users when inviting new users to register in the Fence Platform (mainly contact details). From Your Electronic Money Institution (“EMI”) account (e.g. Monerium). By registering on the Fence Platform, You authorise Fence to access and manage the data contained in your EMI account in order to provide the Services.
RECIPIENTS AND INTERNATIONAL TRANSFERS OF DATA Users’ personal data will not be disclosed to any third parties unless: (i) it is necessary in order to provide the Services such as to other Users or where Fence is collaborating with third parties (in particular Fence’s service providers, hosting services or EMI such as Monerium); (ii) required by law, e.g. where it has been requested by a competent authority pursuant to its functions or (iii) the User has given its authorization. The Fence Platform will generally not transfer the personal data outside the European Economic Area. However, if international transfers of data ever take place, Fence will ensure that the necessary safeguards pursuant to the Data Protection Regulations are complied with (e.g. an adequacy decision is in place or standard contractual clauses are executed). For further information on the safeguards on international transfers of data please write to the following email address: legal@fence.finance.
4. DATA RETENTION PERIODS Users’ personal data will be processed during the performance and maintenance of the contractual relationship and thereafter will be retained for the necessary period to attend to legal or contractual liabilities. Where Users have used contact channels or support forms of the Fence Platform, personal data will only be processed for the time necessary for actioning the query or request. Where Users have provided their consent, personal data may continue to be used by Fence after the contractual relationship has ended for marketing purposes. In other cases, information may only be retained anonymously. 5. DATA PROTECTION RIGHTS Data subjects’ may exercise their rights by sending an email to the following email address: legal@fence.finance. by specifying the right they wish to exercise and providing proof of identity. Fence may contact the data subject if additional information is needed to verify Your identity or action your request.
2. ORIGIN OF THE DATA The personal data processed by Fence has been obtained:
The data subject may exercise the following rights vis-à-vis Fence, as well as any other rights according to the Data Protection Regulations:
▪ The right of access and to obtain a copy of Your personal data in order to know which data is being processed and the processing operations carried out thereon. ▪ The right to rectification in order to correct any inaccuracies in relation to Your personal data.
▪ The right to the erasure of Your personal data.
▪ The right to restriction of processing of your personal data in certain cases as set out by law (e.g. when the accuracy, legality or need for processing of the data is in question)
▪ The right to object to processing of Your personal data in certain cases (e.g. to the processing indicated in points 2 (iv), 3 and 5 above).
▪ The right to data portability
▪ The right to withdraw consent that has been previously given, without affecting the lawfulness of processing based on consent before withdrawal. If you believe that Fence is in breach of the Data Protection Regulations, please do not hesitate to contact Us at the email address legal@fence.finance so that We can resolve the problem as soon as possible. In any event, You may lodge a complaint with the competent data protection supervisory authority, in Spain, the Spanish Data Protection Authority (Agencia Española de Protección de Datos: www.aepd.es) in relation to Your data protection rights. A complete list of European data protection authorities is available here.
The parties undertake to comply with the Data Protection Regulations and any other data protection regulation applicable from time to time. The parties will not be liable for the consequences of infringements of data protection legislation committed by the other party. Where the provision of the Services entails accessing and processing personal data by Fence –acting as data processor– to which the User is the data controller, the terms included in this Annex will apply and will form part of the contractual agreement between Fence and the User. The obligations established under this Annex constitute the data processing agreement between Fence (hereinafter, the “Data Processor” or “Processor”) and the User (hereinafter, the “Data Controller” or “Controller”), the duration and remuneration of which are the same as those agreed for the Services. The categories of the Personal Data and the processing activities the Data Processor will carry out are described below: 3 July 2023 Fence’s Privacy Policy ANNEX - DATA PROCESSING AGREEMENT Data Subjects Data Subjects’ categories of Personal Data Processing activities involving the Personal Data The data subjects of the Personal Data are the “Data Subjects”. Identifying data, contact data, professional information, financial and economic data and any other personal data the User includes in or shares through the Fence Platform. Collection, access, transfer, structuring, storage, consultation, comparison, rectification, extraction, restriction, and erasure.
With regard to the processing of the Personal Data, the Data Processor and the Data Controller recognise that they each have the following rights and obligations: (A) The Data Controller is solely responsible for deciding on the purpose, content and use of the Data Processor’s processing of the Personal Data. (B) The Data Processor undertakes to process the Personal Data in accordance with this data processing agreement as well as with any other data protection regulations applicable from time to time (in particular, the Data Protection Regulations). (C) The Data Controller will at all times oversee compliance with the Data Protection Regulations and supervise the processing carried out by the Data Processor. (D) The Data Processor undertakes to follow the Data Controller’s documented instructions. The Data Processor will not use the Personal Data received for any purpose other than for providing the Services and will immediately inform the Data Controller if, in its opinion, an instruction violates the Data Protection Regulations. (E) The Data Processor will process the Personal Data in accordance with the security standards and types of content provided for in the Data Protection Regulations, particularly Article
GDPR, and will implement the necessary or appropriate technical and organisational security measures. (F) The Data Processor guarantees that the persons authorised to process the Personal Data have committed to respect confidentiality, or are subject to a statutory confidentiality obligation. (G) The Data Processor will not communicate or disclose the Personal Data to third parties, not even for their conservation, except as permitted by law or in the event the Data Controller directly, expressly and in writing orders the Data Processor to do so. (H) Once the provision of the Services is terminated, the Data Processor will destroy or return the Data to the Data Controller following the Data Controller’s instructions. As an exception, a copy of the Data may be kept by the Data Processor exclusively for the purpose of defending against future claims or contractual liability. (I) The Data Processor will inform the Data Controller by the agreed means of notification, without undue delay, and in any case within 72 hours, of security breaches or cyberattacks suffered by the Data Processor in relation to the Personal Data. (J) The Data Processor will, by the agreed means of notification and without undue delay, forward to the Data Controller any complaint, notice of inquiry, notification or request it receives concerning the Data Controller’s obligations under the Data Protection Regulation, including any data subject request to exercise any of the rights recognised in Articles 15 to 22 GDPR, in order for the Data Controller to process it as it deems appropriate. (K) Taking into account the nature of the processing and the information available to it, the Data Processor will collaborate with, assist and inform the Data Controller in relation to its reasonable requests in order to facilitate the Data Controller’s compliance with its obligations under the Data Protection Regulations and, in particular, regarding security measures, the communication of security breaches to the supervisory authorities and – where appropriate – the data subjects, privacy impact assessments, and prior consultations with the supervisory authorities, as well as data subject requests to exercise rights recognised in Articles 15 to 22 GDPR. (L) The Data Processor may not engage another Data Processor (i.e. a “sub-processor”), except for the auxiliary services necessary for the Data Processor’s normal performance of the Services (e.g. IT service providers such as Amazon Web Services or professional advisors), unless it receives the Data Controller’s prior authorization. In its request for that authorization, the Data Processor must state the identity of the sub-processor and the service it will provide. (M) The Data Processor will sign a written agreement with all sub-processors with terms similar to the content included in this Annex and will communicate to the sub-processor the instructions provided by the Data Controller. The Data Controller acknowledges and accepts that the Personal Data may be processed, directly or indirectly (through sub-processors), outside the European Economic Area (the “EEA”) in compliance, in all cases, with the guarantees set out in the Data Protection Regulations in 3 July 2023 Fence’s Privacy Policy relation to international transfers (e.g. an adequacy decision is in place or standard contractual clauses are executed)). (N) The Data Processor will make available to the Data Controller all information and documentation necessary to prove the Data Processor’s compliance with the obligations under this Annex. The Data Processor will allow and assist periodic audits, including inspections, by the Data Controller or an auditor authorised by the Data Controller. The Data Controller will notify the Data Processor of its intention to carry out an audit, doing so by the agreed means of notification and reasonably in advance and, in any case, at least one month before the audit’s start date. The Controller, or the authorised auditor, will be subject to strict confidentiality obligations in relation to the Data Processor’s information accessed in the course of an audit. The Controller, or the authorised auditor, will only have access to data or information that is strictly related to the Data Processor’s performance of the obligations under this Annex and may under no circumstances have – even potential – access to the Data Processor’s trade secrets or any other reserved or protected information. The Data Processor reserves the right to reject, suspend or discontinue any access if these guarantees cannot be upheld.
Controller Fence Technology Spain, S.L.
Purpose
1. Registration in the Fence Platform (including, (i) User’s registration and access to the Fence Platform)
2. Provision of the Services to Users (including, (i) performing the contractual relationship with Users and (ii)performing the contractual relationship with Fence’s and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium (iii) verifying the necessary information and documentation, (iv) maintaining the IT and data security of the Fence Platform and (v) preparing statistics for the User regarding the use and operation of the Services)
3. Business Intelligence (including, (i) anonymising Users’ personal data for statistics on the use and operation of the Fence Platform and the provision of the Services; these statistics will not contain personal data of Users )
4. Notifications and communications with Users (including, (i) notifying Users regarding the provision of the Services or registration in the Fence Platform and (ii) processing queries and requests sent to Fence)
5. Marketing communications (including, (i) sending personalised marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence and other entities of the Fence Group tailored to Users’ basic profiles and (ii) sending marketing communications once the contractual relationship with Fence has ended)
6. Compliance with legal obligations (e.g. anti-money laundering, tax, labour and social security, data protection or e-commerce, including compliance with requests of User’s personal data from competent authorities).
Categories and sources of personal data
● Users’ personal data obtained directly from data subjects when registering in, interacting with or using the Fence Platform on their own behalf and/or in the name of the entity they are representing.
● Contact details provided from registered Users when inviting new users to register in the Fence Platform. ● Account personal data provided from your Electronic Money Institution account (e.g. Monerium). By registering, you authorise Fence to obtain data from your account.
Rights
Data subjects can exercise the rights of access, rectification, erasure, restriction, portability and all of those data protection rights recognised in the applicable laws and withdraw the consent previously given by writing to legal@fence.finance.
BASIC INFORMATION ON DATA PROTECTION
3 July 2023 Fence’s Privacy Policy
You may object to the processing of personal data included in purposes 2 (iv), 3, and 5 (i) by writing to legal@fence.finance .
Additional information
For further information on the processing of your data please check our Privacy Policy fence.finance/#/privacy.
3 July 2023 Fence’s Privacy Policy
FENCE’S PRIVACY POLICY
Fence Technology Spain, S.L. (“Fence”, “We” or “Us”) is a Spanish company that operates a software-as-a-service (SaaS) platform either through its website (fence.finance) or mobile or computer applications (the “Fence Platform”), that enables lenders and borrowers to originate, manage, operate and monitor a private contractual lending relationship through the combination of three complementary features: (a) its programming code (both proprietary and externally sourced), which, among other things, uses blockchain technology to allow live validation and instant settlement of transactions, as well as a transparent and automated auditing and monitoring of the lending relationship; (b) its interface, that puts together a wide range of actions and back-office indicators customarily used by lenders and borrowers in the monitoring of lending transactions; and (c) a collaboration with third parties to ensure the functionality of lending transactions on blockchain (the “Services”). As part of its business model, the Fence Platform relies on the tokenization of user funds. For that purpose, users convert fiat funds into e-money tokens (EMTs), which can be self-custodied and operated by the users directly via the smart contracts provided by the Fence Platform. This tokenization allows, among other things, for the automation of a number of actions that are typically required in every lending relationship (e.g. making a utilisation request, carrying out a voluntary or mandatory repayment, etc.), thus reducing operational, maintenance and reporting costs and significantly minimizing the risk of human error. This privacy policy (the “Privacy Policy”) provides information on the processing of the personal data of data subjects (sole traders, employees, contractors, agents or other representatives) acting on their own behalf and/or in the name of the entity they are representing as registered and non-registered users of the Fence Platform (the “Users” or “You”), in accordance with applicable laws and regulations, including, in particular, the General Data Protection Regulation (EU) 2016/679 (“GDPR”)1 and Spanish Basic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales) (“Spanish Data Protection Law”) (together, “Data Protection Regulations”). Fence will normally act as a data controller when processing Your personal data and during the provision of the Services. However, Fence may act on some occasions as a data processor. Personal data processed by Fence acting as a data processor will be processed according to the Annex.
*1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1. PURPOSES AND LEGAL BASIS OF PROCESSING In connection with Your use of the Fence Platform, Your personal data will be processed by Us for the following purposes and according to these legal basis: Please note that if You do not provide the data, where applicable, we may not be able to correctly provide the Services. 3 July 2023 Fence’s Privacy Policy Purpose Categories of personal data Legal basis
1. Registration in the Fence Platform
(i) User’s registration and access to the Fence Platform Registration Data: the information provided by Users when they create and maintain an account on the Fence Platform: Data subjects’ identifying data and contact details, including name and surname, ID, address, telephone, email, job title; economic and banking data. Management, control and performance of the contractual or pre-contractual relationship with Users.
2. Provision of the Services to Users (i) Providing Services to Users and managing, controlling and performing the contractual relationship with Users Data provided by the User during the provision of the Services: Data subjects’ identifying data and contact details, including name and surname, address, telephone number, email and ID number; economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users.
Purpose Categories of personal data
Legal basis (ii) Providing the Services to Users and managing, controlling and performing the contractual relationship with Users and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium. Data provided by the User when providing access to the Electronic Money Institution account: Data subjects’ identifying data and contact details, access credentials, economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users and Users’ service providers, including, without limitation, Electronic Money Institutions such as Monerium . (iii) Verification of the necessary information and documentation provided by the User during the provision of the Services. Data provided by the User during the provision of the Services: Data subjects’ identifying data and contact details, including name and surname, ID, address, telephone, email, job title; economic and banking data. Management, control and performance of the contractual relationship with Users. (iv) Maintaining the IT and data security of the Fence Platform. Data necessary to ensure the security of the Fence Platform: Data subjects’ device identifying data, IP address, geolocation data, device information such as browser type, version and operating system, and type of device as well as browsing activity. Legitimate interest of Fence in safeguarding the security of the Fence Platform. (v) Preparing statistics for the User regarding Your use and operation of the Fence Platform and the Services. Data provided by the User during use of the Fence Platform and/or the Services: Data subjects’ identifying data and contact details, including name and surname, address, telephone number, email and ID number; economic and financial data, solvency information, transactional information. Management, control and performance of the contractual relationship with Users.
3. Business Intelligence
Purpose Categories of personal data
Legal basis
(i) Anonymization of data for the elaboration of statistics for Fence regarding the use and operation of the Fence platform and the provision of the services including the use and operations of contact channels or support forms. These statistics may eventually be published or disclosed to third parties (e.g. to other companies within the Fence group) but will not contain personal data of Users. Data provided by the User during registration and the provision of the Services. Fence’s legitimate interest in anonymizing the data in order to gather anonymised information for analysing, advertising, and improving the use and operation of the Fence Platform and the provision of the Services.
4. Notifications and communications to Users
(i) Notifying Users regarding the provision of the Services or registration in the Fence Platform. User’s contact details. Management, control and execution of the contractual relationship with the Users. (ii) Processing and actioning queries and requests of Users sent via contact channels or support forms. Data provided by Users when using Fence’s contact channels or support forms: Data subjects’ identifying data and contact details, and data related to the query or request in question). Management, control and performance of the contractual or pre-contractual relationship with Users when using Fence contact channels or support forms.
5. Marketing communications
Purpose Categories of personal data
Legal basis (i) Sending personalised marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence and other entities of the Fence Group tailored to Users’ basic profiles. A basic profile is understood as the combination of elementary characteristics of User regarding information provided directly by the Users in the use of the Fence Platform that does not include data inferences or enrichment of the data with different sources. Data subjects’ identifying data and contact details; economic and financial data, solvency information, transactional information. Fence’s legitimate interest in offering Users products and services that may be of interest to You and that are similar to those already contracted by You. (ii) Sending marketing communications to Users regarding the functionalities of the Fence Platform and products and services of Fence, once the contractual relationship has ended. Data subjects’ identifying data and contact details. User’s provided clicking corresponding check box. Consent may be withdrawn at any time. consent when on the 6. Compliance with legal obligations with legal applicable to anti-money laundering, tax, labour and social security, data protection, e-commerce) including compliance with requests of User’s information from competent authorities. (i) Compliance obligations Fence (e.g. Data subjects’ identifying data and contact details, tax information, economic and financial data, transactional information and data related to the Services. Compliance Fence’s obligations applicable laws. with legal under
3. ● ● ● Directly from data subjects when You are registering in, interacting with or using the Fence Platform and/or the Services on your own behalf and/or in the name of the entity you are representing. From registered Users when inviting new users to register in the Fence Platform (mainly contact details). From Your Electronic Money Institution (“EMI”) account (e.g. Monerium). By registering on the Fence Platform, You authorise Fence to access and manage the data contained in your EMI account in order to provide the Services.
RECIPIENTS AND INTERNATIONAL TRANSFERS OF DATA Users’ personal data will not be disclosed to any third parties unless: (i) it is necessary in order to provide the Services such as to other Users or where Fence is collaborating with third parties (in particular Fence’s service providers, hosting services or EMI such as Monerium); (ii) required by law, e.g. where it has been requested by a competent authority pursuant to its functions or (iii) the User has given its authorization. The Fence Platform will generally not transfer the personal data outside the European Economic Area. However, if international transfers of data ever take place, Fence will ensure that the necessary safeguards pursuant to the Data Protection Regulations are complied with (e.g. an adequacy decision is in place or standard contractual clauses are executed). For further information on the safeguards on international transfers of data please write to the following email address: legal@fence.finance.
4. DATA RETENTION PERIODS Users’ personal data will be processed during the performance and maintenance of the contractual relationship and thereafter will be retained for the necessary period to attend to legal or contractual liabilities. Where Users have used contact channels or support forms of the Fence Platform, personal data will only be processed for the time necessary for actioning the query or request. Where Users have provided their consent, personal data may continue to be used by Fence after the contractual relationship has ended for marketing purposes. In other cases, information may only be retained anonymously. 5. DATA PROTECTION RIGHTS Data subjects’ may exercise their rights by sending an email to the following email address: legal@fence.finance. by specifying the right they wish to exercise and providing proof of identity. Fence may contact the data subject if additional information is needed to verify Your identity or action your request.
2. ORIGIN OF THE DATA The personal data processed by Fence has been obtained:
The data subject may exercise the following rights vis-à-vis Fence, as well as any other rights according to the Data Protection Regulations:
▪ The right of access and to obtain a copy of Your personal data in order to know which data is being processed and the processing operations carried out thereon. ▪ The right to rectification in order to correct any inaccuracies in relation to Your personal data.
▪ The right to the erasure of Your personal data.
▪ The right to restriction of processing of your personal data in certain cases as set out by law (e.g. when the accuracy, legality or need for processing of the data is in question)
▪ The right to object to processing of Your personal data in certain cases (e.g. to the processing indicated in points 2 (iv), 3 and 5 above).
▪ The right to data portability
▪ The right to withdraw consent that has been previously given, without affecting the lawfulness of processing based on consent before withdrawal. If you believe that Fence is in breach of the Data Protection Regulations, please do not hesitate to contact Us at the email address legal@fence.finance so that We can resolve the problem as soon as possible. In any event, You may lodge a complaint with the competent data protection supervisory authority, in Spain, the Spanish Data Protection Authority (Agencia Española de Protección de Datos: www.aepd.es) in relation to Your data protection rights. A complete list of European data protection authorities is available here.
The parties undertake to comply with the Data Protection Regulations and any other data protection regulation applicable from time to time. The parties will not be liable for the consequences of infringements of data protection legislation committed by the other party. Where the provision of the Services entails accessing and processing personal data by Fence –acting as data processor– to which the User is the data controller, the terms included in this Annex will apply and will form part of the contractual agreement between Fence and the User. The obligations established under this Annex constitute the data processing agreement between Fence (hereinafter, the “Data Processor” or “Processor”) and the User (hereinafter, the “Data Controller” or “Controller”), the duration and remuneration of which are the same as those agreed for the Services. The categories of the Personal Data and the processing activities the Data Processor will carry out are described below: 3 July 2023 Fence’s Privacy Policy ANNEX - DATA PROCESSING AGREEMENT Data Subjects Data Subjects’ categories of Personal Data Processing activities involving the Personal Data The data subjects of the Personal Data are the “Data Subjects”. Identifying data, contact data, professional information, financial and economic data and any other personal data the User includes in or shares through the Fence Platform. Collection, access, transfer, structuring, storage, consultation, comparison, rectification, extraction, restriction, and erasure.
With regard to the processing of the Personal Data, the Data Processor and the Data Controller recognise that they each have the following rights and obligations: (A) The Data Controller is solely responsible for deciding on the purpose, content and use of the Data Processor’s processing of the Personal Data. (B) The Data Processor undertakes to process the Personal Data in accordance with this data processing agreement as well as with any other data protection regulations applicable from time to time (in particular, the Data Protection Regulations). (C) The Data Controller will at all times oversee compliance with the Data Protection Regulations and supervise the processing carried out by the Data Processor. (D) The Data Processor undertakes to follow the Data Controller’s documented instructions. The Data Processor will not use the Personal Data received for any purpose other than for providing the Services and will immediately inform the Data Controller if, in its opinion, an instruction violates the Data Protection Regulations. (E) The Data Processor will process the Personal Data in accordance with the security standards and types of content provided for in the Data Protection Regulations, particularly Article
GDPR, and will implement the necessary or appropriate technical and organisational security measures. (F) The Data Processor guarantees that the persons authorised to process the Personal Data have committed to respect confidentiality, or are subject to a statutory confidentiality obligation. (G) The Data Processor will not communicate or disclose the Personal Data to third parties, not even for their conservation, except as permitted by law or in the event the Data Controller directly, expressly and in writing orders the Data Processor to do so. (H) Once the provision of the Services is terminated, the Data Processor will destroy or return the Data to the Data Controller following the Data Controller’s instructions. As an exception, a copy of the Data may be kept by the Data Processor exclusively for the purpose of defending against future claims or contractual liability. (I) The Data Processor will inform the Data Controller by the agreed means of notification, without undue delay, and in any case within 72 hours, of security breaches or cyberattacks suffered by the Data Processor in relation to the Personal Data. (J) The Data Processor will, by the agreed means of notification and without undue delay, forward to the Data Controller any complaint, notice of inquiry, notification or request it receives concerning the Data Controller’s obligations under the Data Protection Regulation, including any data subject request to exercise any of the rights recognised in Articles 15 to 22 GDPR, in order for the Data Controller to process it as it deems appropriate. (K) Taking into account the nature of the processing and the information available to it, the Data Processor will collaborate with, assist and inform the Data Controller in relation to its reasonable requests in order to facilitate the Data Controller’s compliance with its obligations under the Data Protection Regulations and, in particular, regarding security measures, the communication of security breaches to the supervisory authorities and – where appropriate – the data subjects, privacy impact assessments, and prior consultations with the supervisory authorities, as well as data subject requests to exercise rights recognised in Articles 15 to 22 GDPR. (L) The Data Processor may not engage another Data Processor (i.e. a “sub-processor”), except for the auxiliary services necessary for the Data Processor’s normal performance of the Services (e.g. IT service providers such as Amazon Web Services or professional advisors), unless it receives the Data Controller’s prior authorization. In its request for that authorization, the Data Processor must state the identity of the sub-processor and the service it will provide. (M) The Data Processor will sign a written agreement with all sub-processors with terms similar to the content included in this Annex and will communicate to the sub-processor the instructions provided by the Data Controller. The Data Controller acknowledges and accepts that the Personal Data may be processed, directly or indirectly (through sub-processors), outside the European Economic Area (the “EEA”) in compliance, in all cases, with the guarantees set out in the Data Protection Regulations in 3 July 2023 Fence’s Privacy Policy relation to international transfers (e.g. an adequacy decision is in place or standard contractual clauses are executed)). (N) The Data Processor will make available to the Data Controller all information and documentation necessary to prove the Data Processor’s compliance with the obligations under this Annex. The Data Processor will allow and assist periodic audits, including inspections, by the Data Controller or an auditor authorised by the Data Controller. The Data Controller will notify the Data Processor of its intention to carry out an audit, doing so by the agreed means of notification and reasonably in advance and, in any case, at least one month before the audit’s start date. The Controller, or the authorised auditor, will be subject to strict confidentiality obligations in relation to the Data Processor’s information accessed in the course of an audit. The Controller, or the authorised auditor, will only have access to data or information that is strictly related to the Data Processor’s performance of the obligations under this Annex and may under no circumstances have – even potential – access to the Data Processor’s trade secrets or any other reserved or protected information. The Data Processor reserves the right to reject, suspend or discontinue any access if these guarantees cannot be upheld.