Dear Visitor,

Thank you for visiting our website. Your privacy is really important to us. This document constitutes the privacy policy and the terms of use (the “Policy”) of this website. By visiting this website, you confirm that you have read, agreed and accepted this Policy provisions. Its scope is the recognition by the visitors of the Website of the terms of use and privacy policy, and of general provisions on data processing. For the sake of clarity, this Website does not collect nor ask for personal data. Personal data processing through the Website happens only when visitors send such data on their free will. This Website (the “Website”) is governed by the Albanian law. This Policy may change and update in the future, however, in any case it will not limit the rights guaranteed by law no.124/2024 “On protection of personal data”. It is your responsibility to read and to be in knowledge of the effective version of the Policy.

1. GENERAL INFORMATION

1.1 This Website that you are visiting provides information on the use of KUIK. KUIK is an electronic funds transfer service. KUIK is provided to users in accordance with the respective terms of use (“General Terms and Conditions of KUIK”).

1.2 The content of this Website is destined only for information. Using this Website is free. Links to other websites, if any, do not mean approval of these websites or their content. You are responsible for the information, opinions and/or recommendations provided by these third party websites, and for getting informed over the privacy conditions of these websites.

1.3 The visitors of the Website remain anonymous. The Website does not collect personal data, thus it does not collect information for the personal identification of your individual (except when you send this information on your free will), but only collects general information on the visitors, such as: how many visitors have visited the Website or which of its sections have been clicked on more, so, only standard information regarding the clicks on the Website’s sections. This information is collected only for statistical and study purposes (to see the visitors’ approach, which sections are more interesting for the visitors). You can send your specific data if you send an email in the email address made available herein. This information will be used only in accordance with the purpose for which it has been sent. By contacting us, the visitors shall be considered to have given their clear and expressed consent for the processing of their personal data sent from them. This consent can be revoked at any time.

1.4 The legal basis of this Policy is the applicable legislation in the field of personal data protection, including without limitation, Law No. 124/2024 “On the Protection of Personal Data”, the instructions and decisions of the Commissioner, etc.

2. DEFINITIONS

2.1 “Commissioner” – the Commissioner for the Right to Information and Personal Data Protection.

2.2 “Consent of the data subject” – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her for one or more specific purposes.

2.3 “Controller” – the natural or legal person and any public authority, which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2.4 “Law” – law no.124/2024 “For the protection of personal data”.

2.5 “Personal data” – any information relating to a data subject.

2.6 “Personal data processing” – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.7 “Personal data subject” – any identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.8 “Sensitive data” – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health-related data, data concerning a person’s sex life or sexual orientation.

Regarding the terms used in this Policy, not included above, shall apply the definitions and provisions of the Law.

3. KUIK WEBSITE

3.1 The only data exchanged are email/s and/or names of subjects that choose to contact us voluntarily. All optional emails sent to the address(es) specified on the Website imply the receipt of the sender’s address/email required to return a response as well as the receipt of any other personal data contained in the email, provided voluntarily by the subject, if it contains such. Regarding the visitors of the Website, it collects only standard information related to the clicking of the sections on this Website. This information is collected for statistical and study purposes (to show visitor access, to see which sections are most interesting to visitors). No efforts are done for and no information is collected regarding any visitor identification. The Website does not use (and does not allow any third party) statistical analytical tools to track or collect personal information that makes the Website visitors identifiable. We do not link any data collected by the Website to any personal data that makes the visitor identifiable from any source that comes as part of using the Website.

3.2 We do not collect or keep cookies through the Website. So, cookies are not used for the collection of personal data, and no cookies of any kind are used to follow Website’s visitors.

3.3 By contacting us, visitors shall be considered to have given their clear and expressed consent for the processing of the personal data they choose to send. The veracity and accuracy of such data is responsibility of the Visitor.

4. PERSONAL DATA PROCESSING GENERAL PRINCIPLES

4.1 The processing of personal data is carried out in accordance with the following principles:

• Principle of lawfulness, fairness and transparency: processing is carried out lawfully, fairly and in a transparent manner in relation to the data subject.
• Principle of purpose limitation: personal data are collected for specified, explicit and legitimate purposes, clearly determined at the moment of collection, and not further processed in a manner that is incompatible with those purposes.
• Principle of data minimization: personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Principle of accuracy: Personal data are accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate or incomplete, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Principle of storage limitation: Personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures in order to safeguard the rights and freedoms of the data subject.
• Principle of integrity and confidentiality: personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
• Principle of accountability: the controller shall be responsible for, and be able to demonstrate compliance with these principles.

4.2 During the use/visit of this Website by any visitor, no personal data are collected, unless the visitor chooses to contact us by e-mail by voluntarily providing personal data (e.g. e-mail, name). The personal data (if any) of the Website visitors are used only for responding to their requests.

4.3 The protection of personal data is guaranteed by its processing in a fair, just and lawful manner for the performance of contractual or legal obligations in force and as well to increase the quality of services.

5. RIGHTS OF THE PERSONAL DATA SUBJECT

5.1 Personal data subjects have all the rights recognized by the Law. These rights are exercised in the form and terms provided by the Law.

5.2 Right to information

Where personal data are collected from the data subject and the data subject does not have the following information, the controller shall provide the data subject with all of the following information:

1. the identity and the contact details of the controller and, where applicable, of the controller’s representative and of the controller’s data protection officer;
2. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
3. the existence and logic of automated decision-making and profiling, referred to in the Law and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
4. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
5. the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, where the processing is based on the consent and the legitimate interests pursued by the controller or by a third party, where processing is based on legitimate interests;
6. information, whether or not the data subject is obliged to provide the data and whether the provision of personal data is an obligation arising from the legislation in force, contract terms or conditions for entering into a contractual relationship, as well as the possible consequences of not providing this data;
7. the recipients or categories of recipients of the personal data, if any;
8. whether the data will be transferred to a third country and if so, how appropriate protection is guaranteed including information on appropriate safeguards and the means by which to obtain a copy of them or where they have been made available;
9. the exercise of rights under the Law, as well as the right to lodge a complaint with the Commissioner.

The above information shall be provided:

1. where the personal data are collected with the data subject’s cooperation, before the data subject provides the data;
2. where the personal data are not collected with the data subject’s cooperation:
3. within a reasonable time, but no later than 30 days after the data were collected; or
4. if the personal data are to be used for communication with the data subject, no later than the moment of the first communication with the data subject; or

• where it is foreseen the dissemination to another recipient, no later than the moment when the personal data are first disseminated.

5.3 Right of access

The data subject shall have the right to obtain from the controller, no later than 30 days from the date of submission of the request, confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and the following information:

1. the purposes of the processing;
2. the existence and logic of automated decision-making and profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
3. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
4. the legal basis for the processing;
5. the categories of personal data concerned, including, where the personal data are not collected from the data subject, any available information as to their source;
6. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations including where personal data are transferred to a third country and if so, the data subject shall have the right to be informed of the appropriate safeguards;
7. the existence of the rights pursuant to the Law and the right to lodge a complaint with the Commissioner.

5.4 Right to rectification and erasure

The data subject shall have the right to obtain from the controller without undue delay but no later than 30 days from the date of receipt of the request, the rectification of inaccurate personal data concerning him/her. Taking in account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him/her and the controller shall have the obligation to erase personal data without undue delay but no later than 30 days from the date of receipt of the request, where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
3. the data subject objects to the processing pursuant to the Law;
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation of the controller;
6. the personal data have been collected in relation to the online provision of goods or services as provided for by law.

Regarding this right, the Law provides for several exceptions in the cases of the processing mentioned therein.

5.5 Right to be forgotten

Where the controller has made the personal data public and is obliged pursuant to the Law to erase the personal data, the controller, taking account of the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

At the request of the data subject, internet search engines operators are obliged to delete from the results displayed following a search conducted on the basis of the data subject’s name, the information which is no longer up-to-date over time but which, when found, has a significant negative impact on the data subject’s reputation.

5.6 Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the filing of a claim or exercise or defense of legal claims, obligations or interests before a court or public authority; or
4. the data subject has objected to processing pursuant to the Law. The restriction lasts for the period necessary for the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under the above paragraph, such personal data shall, with the exception of storage, only be processed:

1. after receiving the data subject’s consent;
2. for the filing of a claim or exercise or defense of legal claims, obligations or interests before a court or public authority;
3. for the protection of the rights of another natural or legal person which override the rights of the data subject; or
4. for reasons of important public interest.

The controller must notify the data subject before the restriction of processing is lifted. If the controller refuses the request, the data subject may lodge a complaint with the Commissioner and request a preliminary decision on the restriction of processing.

5.7 Right to data portability

Where personal data are provided to a controller by the data subject, with his/her consent or for the performance of a contract, and the processing is carried out by automated means, the data subject shall have the right to receive from the controller the personal data concerning him/her in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

In exercising his/her right to data portability pursuant to the aforementioned paragraph, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of right to data portability shall not prejudice the right to erasure in accordance with the law. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or where the controller has been granted the right to exercise public functions, tasks or powers by virtue of applicable law. The right to data portability shall not adversely affect the rights and freedoms of others.

5.8 Right to object

The data subject shall have the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her including profiling based on provisions of the Law. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, especially when they concern the filing of a claim or exercise or defense of legal claims, obligations or interests before a court or public authority.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object, at any time and without having to give reasons, to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the controller shall be obliged to cease processing of the personal data for such purposes.

At the latest at the time of the first communication with the data subject, the controller shall inform the data subject of the right to object. This shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his/her particular situation, shall have the right to object to processing of personal data concerning him/her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

5.9 Automated decision-making

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.

This shall not apply if the decision:

1. is necessary for entering into, or performance of, a contract between the data subject and a data controller; or
2. is authorized by a law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
3. is based on the data subject’s consent.

In these cases, the controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests and the right to obtain human intervention on the part of the controller, to express his/her point of view and to contest the decision.

5.10 The right to complain

Every person who claims that his/her rights, freedoms and legal interests concerning his/her personal data have been violated shall have the right to complain or to notify the Commissioner and to request his intervention to remedy the infringed right. When the data subject has filed a complaint, the controller shall have no right to make any changes to the personal data until a final decision ruled.

5.11 Right to compensation of the damage

Everyone who has suffered damage due to an unlawful processing of personal data is entitled to compensation, pursuant to the rules defined by the Civil Code.

5.12 Any kind of request or if you think that your privacy has been breached should be addressed to [email protected] or sent to MPAY: Njësia Administrative nr.5, Bulevardi “Dëshmorët e Kombit”, Kullat Binjake, Kulla 1, Tirana, Albania.

6. REQUESTS FOR INFORMATION AND COMPLAINTS

6.1 If you think your privacy has been breached you may contact us at any time. We are glad to provide you with the required assistance.

6.2 Reply to any request or complaint shall be within 30 days of its receipt or according to other deadlines provided by the applicable legislation. The response will be in writing to the address from which the request or complaint has come and/or in electronic form when the request or complaint was received electronically.

7. PERSONAL DATA PROCESSING

7.1 All personal data will be properly kept during their processing period, under technical and organizational measures for their protection, and will pursuant to legal terms.

7.2 MPAY company has registered the domain name www.kuik.al with the Electronic and Postal Communications Authority (AKEP) in accordance with the relevant legal framework in force.

7.3 Personal data are processed in full compliance with the provisions of the Law and relevant legislation. These actions are carried out according to the principle of respecting and guaranteeing fundamental human rights and freedoms, and in particular the right to privacy.

8. INTELLECTUAL PROPERTY

8.1 This Website is considered as whole and indivisible. The information contained in it is strictly for personal use. It is not allowed copying or transmitting it. All the information contained in the sections of the Website is property of the relevant owners. Copying, displaying or distributing all or part of the contents of this Website, except for personal purposes, is prohibited in any way. Any failure to comply with this rule constitutes a breach and could result in civil and/or criminal penalties. It is strictly forbidden to use or copy the “KUIK” name and/or its logo, individually or jointly, for any purpose, and in particular for advertising purposes without the prior written consent of the company.

8.2 Downloading or copying information from the Website will not transfer the ownership right to the information aforementioned. You cannot copy, in whole or in part, transmit, either electronically or by other means, modify or use the Website for public or commercial purposes, or create links to this Website, without the prior written consent of the company. The data and intellectual and industrial property objects provided in this Website are exclusive property of their respective owners.

9. TERMS OF USE OF THE WEBSITE

9.1 Acceptance of the Policy. If you do not agree with this Policy, please do not use this Website. By using this Website you will be deemed to have agreed to this Policy. We reserve the right to modify this Policy without prior notice by updating it on the Website. You should visit this Website regularly to review the Policy in force.

 

How to contact us. This Website belongs to and is operated by MPAY company with address at Njësia Administrative nr.5, Bulevardi “Dëshmorët e Kombit”, Kullat Binjake, Kulla 1, Tirana, Albania. For any complaints, questions or general correspondence please contact [email protected].

 

Trademarks and copyright. This Website, content and materials in it are protected by copyright, trademark rights, trade secrets or other rights of industrial or intellectual property.

 

Your use of material contained in this Website. Your use of the Website is subject to these terms of use and this privacy policy. Modification or use of materials of this Website for any purpose not permitted by this Policy may be an infringement of copyright and/or industrial property and is prohibited. You may access and display material from the Website for personal or non-commercial use only. Materials from the Website may not be copied, reproduced, republished, uploaded, posted, transmitted, distributed or used in any way unless specifically authorized by us. The use of any materials on any other website, applications, services or media other than the Website is prohibited.

 

Applicable law. This Policy shall be governed by and shall be construed and enforced under the Albanian law.

Severability of the Policy. If any of the provisions herein results unenforceable, void or against the legislation in force, then the said provision will be considered separate from these terms and shall not affect the validity and enforceability of the remaining provisions.

9.2 We reserve the right to exercise ownership rights on the information and content published on the Website. In this site are provided data and information about using KUIK. For this reason, we authorize the Visitors to use this information according to their needs, taking in account and meeting the following conditions:

• We reserve the right to modify and update this information and data published on this Website. In such cases, the Visitor should always refer to the latest information and data;
• We are not responsible and are not liable for any harm of any kind that may result from the use of the information published on the Website;
• The information published on the Website (including logos, images, press releases, newsletters, documents, etc.) are property of the company or of their respective owners.

This Policy was compiled in order to be clear and brief. It does not provide full details of all aspects of personal data processing. We are at your disposal to give you any additional information or explanation necessary. Any request should be sent to this email address: [email protected].

This document is drafted in Albanian and English, with the Albanian version prevailing.

This Policy is effective upon its publication in the Website.