“As a crypto-asset exchange provider, Paybis is obliged to meet the requirements of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 of the UK (hereinafter – MLR), record-keeping requirements included. According to Regulation 40 of the MLR, the records are:
· a copy of any documents and information* obtained by Paybis to satisfy the customer due diligence requirements;
· sufficient supporting records (consisting of the original documents or copies) in respect of a transaction (whether or not the transaction is an occasional transaction) which is the subject of customer due diligence measures or ongoing monitoring to enable the transaction to be reconstructed.
Regulation 40 of the MLR also prescribes that the period of keeping a customer’s records is 5 years. The lawfulness of such customer data processing is stipulated in Data Protection Act 2018 of the UK and Article 6 of the General Data Protection Regulation. Point (f) of the first subparagraph of Article 6 of the General Data Protection Regulation provides as follows: “processing shall be lawful only if and to the extent that at least one of the following applies […] processing is necessary for the purposes of the legitimate interests pursued by the controller”. Please note that the legitimate interest pursued by Paybis as the controller of your personal data is to comply with legal obligations under the MLR, to which Paybis is subject”.
*Paragraph (2) of Regulation 40 prescribes that the records Paybis must keep include: information obtained by the relevant person to satisfy the customer due diligence requirements in regulations 28, 29 and 33 to 37. Considering that Paybis verifies the identity of its customers online (without physical presence), video-face recognition data is an integral part of customer due diligence conducted by Paybis and therefore cannot be deleted before the 5 years term.