Lawfulness of Processing

Conditions for consent











Designation of data protection officer

DataProtectionResponsibilitieswithinAMAL UK EXPRESS





We at AMAL UK EXPRESS are committed to protecting your privacy and this privacy policy sets out the use we make of any your information that we may obtain during the business relationship. 

This policy sets out the basis on which any personal data we collect from you, or that you provide to us, during the business relationship. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.  


The company is following Data Protection Act 2018 alongside with UK GDPR.



These definitions are taken as per UK GDPR Chapter 1 Article 4

·      Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

·      Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

·      Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

·      Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

·      Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

·      Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with domestic law shall not be regarded as recipients.

·      Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

·      Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

·      International organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

·      Third country’ means a country or territory outside the United Kingdom.

A special note about children 

We ask that persons under the age of 18 (which we treat as children and minors) refrain from using our Service or submitting any personal information to us. Persons under the age of 18 years are not eligible to use our Service and if we discover that someone under the age of 18 has registered a Profile with us, we will close it. 


PrinciplesofAMAL UK EXPRESSProcessing


AMAL UK EXPRESSprocessespersonalinformationfromdatasubjectsonthebasisofthefollowingunderlying principles.


·      lawfully, fairly and in a transparent manner in relation to the data subject collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

·      adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

·      accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

·      kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest

·      processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Lawfulness of Processing

The lawfulness of the processing of customer data is derived from at least any of the following at any point in time:

·      the data subject has given consent to the processing of his or her personal data

·      processing is necessary for the performance of a contract to which the data subject is party

·      processing is necessary for compliance with a legal obligation to which the AMAL UK EXPRESS is subject

·      processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the AMAL UK EXPRESS.

Conditions for consent

·      Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

·      The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal


AMAL UK EXPRESSpoliciesandproceduresaretailoredto observeandpreservethefollowingrightsofdatasubjects

·      Right to transparency

·      Right of access

·      Right To rectification

·      Right to erasure

·      Right to restrict processing

·      Right of data portability

·      Right to notification

·      Right to object and automated individual processing

·      Right to judicial remedy

·      Right to compensation and liability



AMAL UK EXPRESS, acting as a data controller at the point of data collection, provides the customer with theinformation listed below. This information is detailed in the money transfer receipt which is thecontractual document with the customer. It is also provided on the online platform (for non-face toface customers) as a compulsory step which must be read and acknowledged before completion ofthetransaction.Theinformationwillbeprovidedinaclear,concise,transparentandeasilyaccessiblemannerusingplainlanguage.Theinformationisasfollows:

·      AMAL UK EXPRESS identity and contact details, that of the Data Protection Officer (the MLRO) and where applicable that of the agent

·      The purposes and the legal basis for obtaining the information

·      The recipients of the information or categories of recipients and the fact that we may transfer the information to a third (fund destination) country and if so, the appropriate safeguards involved pursuant to article 47 of the GDPR and/or section 76 of the Data Protection Act 2018 as well as reference to those safeguards

·      The period of data storage and the criteria for determining it

·      The existence of the right to request access, rectification, erasure, restriction of processing or object to processing

·      The existence of data portability rights

·      Where the data is obtained and processed strictly based on consent in line with article 6(1) or article 9(2) of the GDPR, the existence of a right to withdraw such consent without affecting the lawfulness of processing before it was withdrawn

·      The existence of a right to lodge a complaint with a supervisory authority

·      Whether the provision of the personal data is a statutory or contractual requirement as well as whether the customer is obliged to provide such data and the possible consequences of failure to provide it

·      The existence of automated decision-making including profiling based on data providing meaningful information about the logic involved and the envisaged consequences of such processing for the data subject

·      The fact that where AMAL UK EXPRESS intends to use the data for other purposes, we will provide the customer with such information prior to further processing.

·      The fact that AMAL UK EXPRESS will provide information on action taken on a request for access to data, rectification, erasure, restriction of processing, data portability and objection made by a data subject (customer) within one month of receiving such request. This period may be extended by two months and AMAL UK EXPRESS will inform the customer of this with due reasons.

·      The right of recourse to the regulatory authorities and the further right to seek judicial remedy against either AMAL UK EXPRESS or the regulatory authorities

·      Wherethedatasubjectalreadyhasthisinformation,itdoesnotneedtobeprovidedagain


Where this information has been obtained from a third party, AMAL UK EXPRESS will, upon request by the datasubject, provide all the information detailed above including a copy of the personal data and thesource of the information being processedwithin one month of receipt of such requestand at the firstpoint of communication with the data subject except where the data subject has it already or itrequiresdisproportionateeffortorthereisastatutoryobligationofsecrecyoraprofessionalobligationofsecrecyregulatedbylaw.



AMAL UK EXPRESS recognisesthatupon request,a datasubjecthasa rightofaccess tothefollowinginformation:

·      Confirmation of processing of his personal data and access to the data being processed

·      Confirmation of the purpose of the processing

·      The categories of personal data involved

·      The recipients to whom the data will be disclosed in particular recipients in third countries

·      Where possible the envisaged storage period and if not possible the criteria for determining that period

·      The right to lodge a complaint with a regulatory authority

·      The source of the information if not obtained from him

·      The existence of automated decision making including profiling and meaningful information on the logic, significance and envisaged consequences of such processing for the subject

·      Where the personal data is transmitted to a third country, AMAL UK EXPRESS will provide the data subject with information on the safeguards involved in protecting his personal data pursuant to Article 47 of the GDPR

·      AMAL UK EXPRESS will provide a copy of the personal data being processed upon specific request, unless it adversely affects the rights of others, and AMAL UK EXPRESS may charge a reasonable fee based on administration costs for any subsequent request.



AMAL UK EXPRESS recognises that the data subject has a right to completion or correction of inaccurate orincompleteinformationabouthimwithoutunduedelay.AMAL UK EXPRESSwillthuspromptlymakesuchcorrectionsasnecessary.



AMAL UK EXPRESSrecognisesthatadatasubjecthasarighttoerasureofhispersonaldatauponrequestif:

·      The data is no longer necessary for the purpose it was obtained or

·      The customer withdraws consent on which the processing was based and there was no other legal basis for processing or

·      The customer objects to the processing pursuant to article 21(1-2) of the GDPR and there are no overriding legal grounds for the processing.

·      The processing of such information was unlawful


This right however does not apply if processing is necessary for exercising the right of freedom of expression and information, compliance with a legal obligation such as statutory record keeping or criminal investigation or litigation or archiving for the purpose of scientific record keeping or historical research in line with Article 89(1) of the GDPR. A request for erasure will thus not be granted if, for example, such request is made within the statutory storage period for the various countries within the EU as detailed elsewhere in this Policy.


AMAL UK EXPRESSrecognisesthatthedatasubjecthasarighttorestrictprocessingofhis personaldataif:

·      The accuracy of the data is contested by the customer

·      The processing of the data is unlawful and the customer opposes the deletion and opts for restriction of processing instead.

·      AMAL UK EXPRESS no longer needs the data for the purpose of processing but the customer needs it for legal claims or defence.

·      The customer has objected to processing pursuant to article 21(1) of the GDPR, pending the verification of whether the legitimate grounds of the controller override those of the customer


Whereprocessinghasbeenrestricted,there canonlybeprocessingwiththecustomer’sconsentorfor the establishment/exercise or defence of legal claims or protection of rights of another legalperson or for public interest and the data subject shall be duly informed before the restriction islifted.


·      AMAL UK EXPRESS will notify other processors to whom it has disclosed the customer’s personal

·      data of any valid request (in line with articles, 16, 17(1) and article 18 of the GDPR) for rectification/erasure/objection/restriction of processing unless this proves impossible or requires disproportionate effort

·      AMAL UK EXPRESS will inform the data subject about these recipients/other processors if the data subject requests it


AMAL UK EXPRESS recognises that the customer has a right to receive his personal data in a structured, commonly used and machine-readable format and transmit same to another controller of his choice provided:

·      The data was obtained based on his consent or as a contractual requirement based on article 6(1) or on article 9(2a) of the GDPR

·      The processing is carried out by automated means

The customer also has a right to request the data to be passed on his behalf by AMAL UK EXPRESS to anotherprocessorwheretechnicallyfeasible

·      Therighttodataportabilitydoesnotapplyif:

·      AMAL UK EXPRESS must hold the data in a task pursuant to public interest, legal obligation or establishment/defence/ exercise of legal claims or, if applicable, exercise of official authority vested in AMAL UK EXPRESS

·      It shall adversely affect the rights and freedom of others.


AMAL UK EXPRESShas to hold the customer data pursuant to the statutory record keeping requirementhenceevenwhilstconsentingtoaportingrequest,itwillstillretainthedataforthestatutoryrecordkeepingperiod.


·      The data subject may object to processing of his personal data if the processing was strictly based on pursuance of legitimate interest of the processor, public interest or in pursuance of official authority vested in the processor unless the processor demonstrates compelling legitimate grounds which overrides the interest of the data subject. AMAL UK EXPRESS processing is based on its necessity to meet legal and contractual obligations, so this right will generally not apply.

·      The data subject may object to his data being used for the purpose of marketing in which case AMAL UK EXPRESS has to accede to such request.

·      These two rights must be clearly and separately spelt out in simple language at first point of contact with the data subject in AMAL UK EXPRESS money transfer receipt and the online portal



·      It is necessary for the purpose of entering into or performance of a contract with the customer or

·      It is authorised by law which also specifies suitable safeguards for the customer’s rights

·      freedoms and legitimate interest or

·      It is based on the customer’s explicit consent

AMAL UK EXPRESSprocessesarebasedonbothautomatedandhumanprocessingandarenecessaryforthepurposeofenteringintoandperformanceofacontract,sothisrightwillgenerallynotapply.


You can always exercise your right at any time by contacting us at 


What we collect 

You may give us information about you by filling in forms on our website or by corresponding with us by phone, e-mail or otherwise. This includes (but is not limited to) information you provide when you register with us, transfer money using our office or websites and when you report a problem with us. 

The information you give us may include: 

·       Name, address, job title and email address 

·       Date of birth 

·       Phone number 

·       Financial and Source of Fund information 

·       Payment reason 

·       Geographic location 

·       Copies of identification 

·       Proof of Address 


What we do with the information we gather:

The main reason we use this information is to provide you with our services of Money transfer as required by regulators, its necessary to collect this information, but we (or third party data processors, agents and sub-contractors acting on our behalf) may also use the information: 

·      To help us perform our services 

·      To communicate with you 

·      To assess the risk of performing our services 

·      To enable us to enforce our rights under our terms and conditions if necessary 

·      To administer our Sites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes 

·      To improve our products and services 

·      As part of our efforts to keep our Sites safe and secure; 

·      For promotional purposes including, without limitation, to share the personal data with businesses and with selected third parties whom we believe have products or services that may be of interest to you 

·      To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you 

·      From time to time, we may also use your information to contact you for market research purposes 


We may combine information we receive from other sources with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive). 


Where we store your personal data:

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff maybe engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy. 

All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted [using SSL technology]. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. 

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. 

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.


How long is your personal information retained? 

We will only retain your information for as long as is necessary for providing our service to you, usually no more than 5 years after the end of the business relationship. 


Security safeguard 

The GDPR mandates company to take technical and organizational measures to achieve a level of security appropriate to the imminent risk. This has become more urgent in wake of increasing cybersecurity threat to organisations. We advocates tokenisation, encryption of data, constant assurance of confidentiality, integrity, availability, and resilience of processing system and services to comply with GDPR. Our Privacy policy is embedded in the company’s design throughout its lifecycle.  


Prompt notification in case of accident or breach. 

The GDPR introduces mandatory security breach notification and requires administrative and technical safeguards for personal data to reduce identified risks and to prevent data breaches. The data subject is required to be notified without undue delay if the breach portends high risk to his rights and freedoms. Notification can be dispensed with if the data breach is unlikely to result in any risk to the data subject. 

We will inform the supervisory authority of data breach incident within 72 (Seventy-two) hours of discovery. In addition, the company has an incidence response plan and trained its employee on how to respond.  


Cross-border data transfer 

The “flow of personal data from countries outside the EU and International organisations are necessary for the expansion of international trade and cooperation.” Being a money remittance company, our operations involve transfer of personal data of employees and clients across jurisdictions to manage our global workforce and ease operations as our processing is outsourced too but we have Binding corporate rules – our internal codes of conduct. We export personal data from the territory of the EU to other companies within our group located in third countries.  

We also, follow following Steps for processing EU personal data to comply with GDPR: 

·      We will ensure consent is freely given and data subjects must “opt-in” rather than “opt-out” of data collection schemes. We will utilise personal data strictly for the purpose of collection and keep it only as long as needed. 

·      We will ensure security of personal data at rest and in transit with strong encryption. Tokenisation can be adopted to ensure safeguard. 

·      We have developed a data security breach response scheme and comprehensive incidence response plan. We trained our employees on how to identify a breach in real-time and spot potential threat. The notification and report should be prompt. 

·      We will review and regularly update our privacy policy, and other documentation and communications. Information provided in our privacy policy will always be easy to understand. 

·      We will conduct privacy and data security audit. Carefully evaluate the existing data subjects’ data and processing activities and detect potential inconsistency with the GDPR. 

·      We will regularly run compliance test before implementing a new technology.  

·      We will ensure Cross-border data transfer policy complies with the GDPR by our binding corporate rules. 

Designation of data protection officer

AMAL UK EXPRESS has a Data Protection officer (Mr. Abdulkadir Daad) who is ultimately responsible for data protection. This is the MLRO who reports to the MD/CEO.



·      To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions

·      To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of AMAL UK EXPRESS in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.

·      To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 36 of the GDPR

·      To cooperate with the supervisory authorities.

·      To act as the contact point for the supervisory authorities on issues relating to processing, including the prior consultation referred to in Article 37 of the GDPR

·      and to consult, where appropriate, with regard to any other matter.



DataProtectionResponsibilitieswithinAMAL UK EXPRESS

All employees, agents and counterparts have some responsibility to ensure that data is collected,stored and utilised appropriately. Each team which handles personal data must ensure that it works incompliancewiththeDataProtectionPolicyandAMAL UK EXPRESS’sdataprotectionprinciples.

However, it is the following people who are particularly responsible for the implementation andupholdingofdataprotectionproceduresandprinciples.


The Director:Ultimately, the Director is responsible for ensuring that AMAL UK EXPRESS meets its legal obligations.

The Compliance Team: The compliance team is responsible for:

·      Updating the board of directors and company executives on all matters regarding data protection

·      Facilitating data protection advice and training for staff, agents and all individuals relevant to this policy

·      Handling data protection questions from employees, agents and anyone relevant to the policy

·      Dealing with ‘Subject Access Requests’: the compliance team is required to address customers and other subjects who wish to see the data AMAL UK EXPRESS holds in their name

·      The team must review all data protection procedures and related policies at set intervals to ensure all criteria are being met and the data protection policy is being adhered to

·      Checking and approving any contracts or agreements with third parties that may handle AMAL UK EXPRESS’s sensitive data

·      The MLRO shall be designated Data Protection Officer with overall responsibility for data protection.


·      Ensuringallsystems, services and equipment used for storing data are up-to-date and meet acceptable standards of security

·      Monitoring the security hardware and software to check that these are functioning properly