Data Protection Policy of “IFJB Capital” LLC

Introduction

This Data Protection Policy (“Policy”) sets out the principles and rules adopted by “IFJB Capital” LLC (hereinafter “the Institution”), a licensed Non-Banking Financial Institution in the Republic of Kosovo, engaged in payment services, money transfers, and related financial activities.

The Policy ensures compliance with the Law No. 06/L-082 on Personal Data Protection, the Law on Payment Services, the Law on Prevention of Money Laundering and Terrorist Financing, and applicable regulations of the Central Bank of the Republic of Kosovo (CBK).

The Institution recognizes the importance of protecting the confidentiality, integrity, and availability of personal data of clients, employees, and partners, and commits to processing personal data lawfully, fairly, and transparently.

Scope

This Policy applies to:

  • All personal data processed by the Institution, whether electronic, paper-based, or other format.
  • All employees, contractors, consultants, and third-party service providers engaged by the Institution.
  • All operations involving payment services, domestic and international transfers, customer onboarding (KYC), due diligence, monitoring, reporting, and communication.

Definitions

For the purpose of this Policy, the following terms have the meaning defined by the Law No. 06/L-082:

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Special Categories of Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health data, biometric data, or data concerning sex life or sexual orientation.
  • Data Subject: An individual whose personal data are processed by the Institution.
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).
  • Controller: The Institution, which determines the purposes and means of processing personal data.
  • Processor: A natural or legal person processing personal data on behalf of the controller.
  • Supervisory Authority: The Information and Privacy Agency (IPA) of the Republic of Kosovo.

Principles of Data Processing

The Institution commits to processing personal data in accordance with the following principles:

1. Lawfulness, fairness, and transparency – Data shall be processed only on lawful grounds, fairly, and in a transparent manner.
2. Purpose limitation – Data shall be collected only for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes.
3. Data minimization – Only data necessary for the performance of financial services and compliance obligations shall be processed.
4. Accuracy – Data shall be accurate and, where necessary, kept up to date.
5. Storage limitation – Data shall not be retained longer than necessary for the purposes of processing or legal obligations.
6. Integrity and confidentiality – Data shall be secured against unauthorized access, alteration, disclosure, or destruction.
7. Accountability – The Institution shall demonstrate compliance with the data protection framework.

Categories of Data Processed

The Institution processes the following categories of personal data:

  • Identification data: Name, surname, personal number, date of birth, nationality, ID card/passport details.
  • Contact data: Address, telephone number, email.
  • Financial data: Bank account numbers, payment transaction history, income, source of funds.
  • KYC/AML data: Copies of identification documents, proof of address, occupation, tax information, politically exposed person (PEP) status.
  • Employment data (for staff): Employment contracts, payroll, performance records.
  • Technical data: IP addresses, device identifiers, online session logs (only to the extent necessary for security).

Lawful Bases for Processing

Processing activities are based on one or more of the following lawful bases:

  1. Contractual necessity – For the execution of payment and transfer services.
  2. Legal obligation – To comply with CBK regulations, AML/CFT obligations, tax reporting, and other laws.
  3. Legitimate interest – For fraud prevention, internal controls, and business continuity.
  4. Consent – For specific services requiring explicit consent (e.g., marketing communication, optional data sharing).

Rights of Data Subjects

The Institution guarantees the following rights to data subjects under Kosovo law:

  • Right to information – To be informed about processing purposes, legal basis, and retention periods.
  • Right of access – To request confirmation whether data are being processed and to access such data.
  • Right to rectification – To request correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) – To request deletion of data where processing is no longer necessary or lawful.
  • Right to restriction of processing – To request limitations on the use of data.
  • Right to data portability – To receive data in a structured, machine-readable format and transfer them to another provider.
  • Right to object – To object to processing for direct marketing or other legitimate interests.
  • Right to lodge a complaint – With the Information and Privacy Agency (IPA) if rights are violated.

Requests shall be processed within 30 days unless extended under justified circumstances.

Data Security Measures

The Institution implements organizational and technical measures to ensure data protection, including:

Organizational measures:

  • Data Protection Officer (DPO) appointed.
  • Confidentiality agreements with staff and service providers.
  • Regular training of employees on data protection and cybersecurity.
  • Clear internal procedures for handling data breaches.

Technical measures:

  • Encryption of sensitive data at rest and in transit.
  • Access control systems with role-based permissions.
  • Firewalls, intrusion detection, and antivirus protection.
  • Secure backup systems and disaster recovery plans.
  • Monitoring of unauthorized access attempts.

Data Retention

Data shall be retained for no longer than necessary, in accordance with:

  • AML/CFT obligations – At least 5 years after the termination of the business relationship or execution of a transaction.
  • Tax and accounting requirements – In line with national financial reporting laws.
  • Employment records – As required under labor legislation.
  • Other purposes – Retained only for as long as strictly necessary.

After expiry, data shall be securely deleted or anonymized.

Data Sharing and Transfers

The Institution may share data only with:

  • Competent authorities (CBK, Financial Intelligence Unit, courts, tax authorities).
  • Partner banks and payment institutions for execution of transfers.
  • External service providers (IT, compliance, audit) under strict contractual safeguards.

Cross-border transfers shall only take place in compliance with Kosovo law, ensuring adequate protection measures are in place.

Data Breach Management

In the event of a personal data breach, the Institution shall:

  1. Record and investigate the incident.
  2. Notify the Information and Privacy Agency (IPA) within 72 hours, where required.
  3. Inform affected data subjects if the breach poses a high risk to their rights and freedoms.
  4. Take remedial measures to mitigate harm.

Roles and Responsibilities

Board of Directors – Ensures overall compliance with data protection.
Management – Implements operational measures for data protection.
Data Protection Officer (DPO) – Monitors compliance, advises management, responds to data subject requests, and liaises with the IPA.
Employees – Must process data only in accordance with instructions and report any potential breaches.

Training and Awareness

All employees shall receive mandatory data protection training upon recruitment and periodic refreshers. Special training shall be provided to employees engaged in sensitive processing (compliance, IT, AML).

Monitoring and Review

This Policy shall be reviewed annually, or sooner if required by:

  • Changes in applicable legislation.
  • New regulatory guidance from the CBK or IPA.
  • Organizational or technological developments.

Entry into Force

This Policy enters into force on 28.09.2025 and is binding on all employees, contractors, and service providers of “IFJB Capital” LLC.