GDPR
A&B GENERAL LIMITED DATA PROTECTION ADDENDUM RELATING TO THE PARTIES’ OBLIGATIONS UNDER THE GENERAL DATA PROTECTION REGULATION EU 2016/679 (“GDPR”)
1. Scope and Applicability
1.1 Who does the GDPR apply to?
The UK GDPR applies both to UK organisations that collect, store or otherwise process the personal data of individuals residing in the UK, and to non-UK organisations that offer goods or services to, or monitor the behaviour of, UK residents.
UK organisations therefore have at least two data protection laws to adhere to:
- The DPA 2018 and UK GDPR if they process only domestic personal data.
- The DPA 2018 and UK GDPR, and the EU GDPR if they offer goods and services to, or monitor the behaviour of, EU residents.
If you are a UK organisation bound by the EU GDPR, you may need to:
- Appoint an EU representative.
- Identify a lead supervisory authority in the EU; and/or
- Update your policies, procedures and other documentation in light of the changes you make.
1.2. This Data Protection Addendum (“Addendum”) supplements the FX and Payment Terms and Conditions (“Agreement”) between the parties. Any provision of the Agreement that is incompatible with this Addendum or with applicable requirements of the GDPR shall be deemed null and void.
1.3. Part A applies in situations where we act as a processor for you and Part B applies in situations where we act as a controller, in each case, in relation to Personal Data that is exchanged between the parties concerning Customers and other data subjects.
1.4. Capitalised terms not defined in the Agreement that are used in this Addendum shall have the meaning set out in Part C.
Part A: Our obligations as a processor
2. Our obligations as processor
2.1. We will act only on documented instructions from you (including in respect of any transfers of Personal Data outside the UK) unless the instructions require material changes to the Agreement.
2.2. We shall ensure that all persons authorised to process Personal Data on your behalf in relation to the Services have committed themselves to confidentiality in respect of the data.
2.3. We shall assist you, as far as is possible, in fulfilling your obligation to respond to the requests of data subjects seeking to exercise their rights under the GDPR, in so far as they relate to the provision of the Services.
2.4. To ensure the security of the Personal Data that we process on your behalf, and to safeguard the rights of data subjects, we have put in place and will maintain technical and organisational measures appropriate to the risks associated with the Services.
2.5. On receiving a written request, we shall assist you in meeting your GDPR obligations in relation to the following:
(a) the security of the processing of Personal Data in relation to the Services;
(b) the notification of Personal Data breaches where required; and
(c) the conduct of data protection impact assessments, where necessary.
2.6. Upon termination of the Agreement and your request, we shall either delete or return all Personal Data to you, unless we are legally obliged to keep such data.
2.7. Upon request, we shall provide you with information necessary to demonstrate our compliance with the obligations set out in this Section 2, and shall allow for and contribute to audits, including inspections, conducted by you in relation to the processing activities connected to the provision of the Services. Your right to audit will be limited to once in any twelve-month period, and limited in time to a maximum of two (2) business days and scope, as reasonably agreed in advance between the parties. Reasonable advance notice of at least sixty (60) days is required, unless a Data Protection Law requires earlier audit. We will use current certifications or other audit reports to minimise unnecessary and repetitive audits. The parties will each bear their own expenses of audit, unless such audit reveals a breach by us (as independently verified by us), in which case we shall bear our own expenses of audit. If an audit determines that we have breached our obligations under the Agreement, we will promptly remedy the breach at our own cost.
2.7. We will promptly inform you if we become aware of any suspected or confirmed Personal Data Breach involving Customer Personal Data.
2.8. We shall immediately inform you if an instruction relating to Section 2.7 would, in our sole discretion, infringe the GDPR or other Data Protection Laws of the UK member State having jurisdiction over the Agreement.
2.9. We shall not engage any subprocessors to assist in providing the Services, unless we have:
(a) entered into a written contract with the subprocessor that obligates the subprocessor to comply with all relevant obligations applicable to us under this Section 2; and
(b) obtained prior written authorisation from you.
2.10. A list of our existing subprocessors, their roles, and the location of the processing carried out by them is set out in the Schedule to this Addendum. By entering into this Addendum, you agree that we may use these subprocessors for the purposes of providing the Services.
2.11 We will notify you in advance of any changes to the list of subprocessors.
2.12 Subprocessors will have the same obligations as we do as a processor (or subprocessor) with regards to their processing of Personal Data.
Part B: Obligations of the parties when we act as a data controller in relation to you.
3. Compliance with the GDPR
3.1. The parties acknowledge that each is an independent controller of the Personal Data that it collects and processes in relation to activities that are necessary for carrying out the contractual relationship between them. This Personal Data includes, for example, the business contact data of each party’s employees and other stakeholders exchanged for the purposes of entering into the Agreement, sending promotional material and managing the business relationship.
3.2 We, A&B General (UK) Limited, are registered with the Information Commissioner’s Office (ICO) under registration number ZB383685 (see https://ico.org.uk/ESDWebPages/Entry/ZB383685). Our Privacy Notice can be found at www.abmoneyplus.com and www.ab-money.co.uk.
4. Mutual Cooperation
4.1. The parties shall cooperate with one another, upon reasonable request, in relation to compliance with the provisions of the GDPR relating to the provision of the Services, including with regard to responses to data subject requests for the exercise of their rights under the GDPR and any information requests, investigations, complaints or other actions of a national data protection supervisory authority.
4.2 Where each party is acting as a controller, each party shall notify the other of any incident that involves a Personal Data Breach that relates to the provision of the Services without undue delay. The notification should describe the incident, the type of Personal Data involved, the identity of any affected persons or the approximate number of individuals affected, the potential consequences of a breach, and any immediate mitigation steps required or in progress.
Part C: Definitions
(a) “Data Protection Law(s)” shall mean the Data Protection Act 2018 (the “DPA”) and regulations relating to Personal Data and privacy which are enacted from time to time in any relevant jurisdiction, including (where applicable) the guidance and codes of practice issued by the Information Commissioner’s Office (ICO) and any other competent authority, and the equivalent of any of the foregoing in any relevant jurisdiction. Where the term Laws is used in the Agreement, it shall be construed to include the Data Protection Laws.
(b) “GDPR” means Regulation (UK) 2018. The General Data Protection Regulation (GDPR) has now been in place and has modernised the laws that protect the personal information of individuals. GDPR has replaced previous data protection rules across Europe that were almost two decades old, with some of them first being drafted in the 1990s. The Regulation came into force on 24 May 2016 and took effect on 25 May 2018.
(c) The UK GDPR is supplemented by the DPA (Data Protection Act) 2018. The DPA 2018 applies GDPR’s provisions to certain types of processing that are outside the Regulation’s scope, including processing by public authorities. It sets out data processing regimes for law enforcement processing and intelligence processes.
(d) as applied, modified, added to, limited, widened, substituted, replaced or repealed by UK law or regulation (and references to any Article or provision of the Regulation shall be interpreted accordingly).
(e) “Personal Data” shall mean any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
(f) “Personal Data Breach” shall mean accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data.
4.3 The terms “controller”, “processor”, “data subject” and “processing” shall have the meanings given to such terms in the GDPR, except where and to the extent that the context requires otherwise.
5 Liability
5.1. Subject to clause 6 of the Agreement, we shall only be liable for damage caused by processing where we have not complied with our obligations under Clause 2 of this Addendum or where we have acted outside or contrary to lawful and agreed instructions from you.
SCHEDULE TO ADDENDUM
This list identifies the subprocessors authorised to access Personal Data used by our systems. Subprocessors are permitted to process Personal Data only to deliver the services we have retained them to provide. They are prohibited from using Personal Data for any other purpose.
| Subcontractor | Location | Function(s) Performed |
|---|---|---|
| Crown Agents Bank | United Kingdom | Safeguarding account for secured customer money for Transaction Processing and Settlement |
| Comply Advantage | United Kingdom | Customer screen checks |
| Amazon | Ireland, United Kingdom | Operations and Service Maintenance |
| IFX | United Kingdom | Transaction Processing and Settlement |
| Digital Ocean | United States of America | Cloud web hosting and server |
| Dropbox | United States of America | Storage |
| Exchange (Outlook) | United States of America | Email services |
| Apple Inc | United States of America | Mobile Application |
| Barclays | United Kingdom | Transaction Processing and Settlement |
| Cloudflare | United States of America | Content Delivery Network |
| Trust Payment | United Kingdom and Malta | Transaction Processing and Settlement |
| Finastra | United Kingdom | Operations and Service Maintenance |
| First Data | United Kingdom | Transaction Processing and Settlement |
| TSB | United Kingdom | Transaction Processing and Settlement |
| Mastercard | United Kingdom, Europe, United States of America | Cardholder Fraud Monitoring, Transaction Processing |
| Microsoft | United States of America, Ireland | Operations and Service Maintenance |
| Clickup | United States of America | Internal communication |
| TWILIO | United States of America | Global Text Message Services |
| VERISURE SERVICES | United Kingdom | Security & Monitoring Services |
| API Compliance | United Kingdom | FCA consultancy |
| FSCOM | United Kingdom | Compliance Assurance Auditors |
Notice and Disclaimer
This Schedule is subject to change at any time. Last updated: 12 September 2025