Data Erasure Procedure

At Nebeus, we prioritize privacy and are committed to compliance with the General Data Protection Regulation (GDPR), Anti-Money Laundering (AML) regulations, the Markets in Crypto-Assets Regulation (MICA), and the Digital Operational Resilience Act (DORA). This document outlines the structured process for handling data erasure requests, ensuring compliance while balancing regulatory requirements that mandate data retention.

How to Submit a Data Erasure Request

Individuals seeking to have their personal data erased can submit a request through the following channels:

    • Customer Support: Requests can be sent via email to [email protected]. The Customer Support team will authenticate the request and forward it to the Data Protection Officer (DPO) for further processing.
    • Direct Contact with the DPO: Alternatively, requests can be submitted directly to the DPO at [email protected], ensuring a direct and secure review of the request.

To prevent unauthorized data access or fraudulent requests, all requests must undergo an identity verification process before they can be processed.

Verification Process

To ensure that all data erasure requests are legitimate, secure, and compliant with GDPR, a structured verification process is conducted before any data is processed.

1. Identity Authentication: The requester must provide a valid government-issued ID or other legally recognized identification to confirm their identity. Additional verification steps, such as providing account details or security questions, may be required to prevent unauthorized access or fraudulent requests. Requests submitted on behalf of another individual (e.g., by a legal representative) must include official documentation proving authorization.

2. Request Logging and Reference ID Assignment: Each request is assigned a unique reference ID and logged in the Data Erasure Register, ensuring full traceability for compliance and audit purposes. The log will include the requester’s identity, request date, type of data involved, and the processing status.

3. Acknowledgment and Timeline Notification: Within 10 business days, an official acknowledgment will be sent to the requester confirming receipt of the request. This notification will provide a reference number, estimated processing timeline, and next steps. If additional information is required to validate the request, the requester will be contacted promptly.

4. Preliminary Legal and Compliance Assessment: The request is reviewed to determine if the data is eligible for erasure under Article 17 GDPR or if it falls under a legal exemption requiring retention (e.g., AML, financial compliance, operational resilience under DORA). If exemptions apply, the requester will be informed with a clear legal justification and details of any pseudonymization measures taken.

Only after completing these verification and assessment steps will the request proceed to data erasure or pseudonymization processing.

Legal Deadlines for Processing Requests

Once a data erasure request has been successfully authenticated, the processing will adhere to the following GDPR-mandated timelines:

1. Standard Processing Timeframe: The request will be completed within one month from the date of receipt, in accordance with Article 12(3) GDPR. During this period, data will be assessed for eligibility under Article 17 GDPR (Right to Erasure) and any necessary compliance verifications will be conducted.

2. Extension for Complex Cases: If the request involves a high volume of data, cross-border data transfers, third-party notifications, or requires legal assessments due to regulatory obligations (e.g., AML, financial audits, blockchain-linked records), the processing period may be extended by up to two additional months.

3. Notification of Delays: If an extension is required, the requester will be formally notified within the initial one-month period. The notification will include a clear justification for the delay, an updated processing timeline, and details of any additional steps required to complete the request.

4. Urgent and High-Risk Requests: Requests involving potential data breaches, security concerns, or regulatory enforcement actions may be prioritized and handled with expedited processing, in coordination with the DPO and ICT Committee to ensure compliance with DORA and cybersecurity regulations.

Strict adherence to these timelines ensures full compliance with GDPR while maintaining operational efficiency in handling data erasure requests.

Data Eligible for Erasure

Once identity verification is completed, the data erasure request will be reviewed to determine whether the requested data can be erased or must be retained due to legal obligations.

  1. Legal Review and Retention Requirements

Data may be subject to mandatory retention under regulatory frameworks, including:

    • Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations require financial institutions to retain transaction records, identity verification documents, and financial data for a period of up to 5 years, as mandated by law.
    • Article 6(1)(c) GDPR mandates the retention of data when necessary for compliance with financial, tax, and regulatory obligations.
    • MICA (Markets in Crypto-Assets Regulation) prohibits the deletion of blockchain transactions but allows pseudonymization of linked metadata to protect personal data.
    • DORA (Digital Operational Resilience Act) requires retention of security logs and financial service data for operational resilience and cybersecurity compliance.

  2. Data Eligible for Erasure

If no legal retention requirement applies, the following personal data will be permanently erased:

    • Personal Information: Name, date of birth, and national identification numbers.
    • Contact Information: Email addresses, phone numbers, and physical addresses.
    • Account Information: Usernames, account IDs, and passwords.
    • Financial Information: Credit card or bank account details, unless retention is required for financial reporting, tax audits, or legal compliance.
    • Cookies and Tracking Data: Preferences, analytics, and behavior-related data collected from website interactions.
    • Marketing Preferences: Removal from mailing lists, targeted advertising databases, and marketing platforms.

All data erasure actions will be logged in the Data Erasure Register to maintain full traceability. If certain data cannot be erased due to legal obligations, the requester will receive a formal explanation detailing the retention period and applicable regulations.

Data That May Not Be Erased

Certain data categories are subject to mandatory retention requirements under GDPR, financial regulations, and sector-specific compliance frameworks. These data types cannot be erased immediately but will be securely stored and, where possible, pseudonymized to enhance privacy protection.

  1. Financial Records: Transactional data required for financial reporting, tax compliance, and auditing must be retained for up to 5 years under applicable laws, including AML and financial regulations.
  2. Blockchain Data: Due to the immutable nature of blockchain technology, personal data embedded in blockchain transactions cannot be deleted or altered. However, any identifiable metadata linked to blockchain transactions (e.g., wallet addresses, off-chain personal information) will be anonymized or pseudonymized in accordance with MICA (Markets in Crypto-Assets Regulation) and GDPR principles.
  3. Ongoing Legal Claims and Investigations: Data must be retained if required for legal proceedings, regulatory investigations, or dispute resolution, as permitted under Article 17(3) GDPR. This includes data that may be necessary for defending legal claims, fraud prevention, or compliance with court orders.

If data cannot be erased due to legal requirements, the requester will receive a formal notification specifying:

    • The legal basis for retention (e.g., AML, financial compliance, MICA, or legal dispute requirements).
    • The expected retention period before data becomes eligible for deletion.
    • Any applied pseudonymization or encryption measures to protect the data during retention.

All retained data will be securely stored with restricted access, and access logs will be maintained for compliance audits and regulatory oversight.

Third-Party Data Processors

If personal data has been shared with third-party processors such as cloud service providers, marketing platforms, payment processors, or identity verification services, these entities must be formally notified of the data erasure request.

  1. Obligation to Inform Third Parties:

In compliance with Article 19 GDPR, we will inform all relevant third parties of the request and require them to take appropriate action—either erasing the data or applying pseudonymization techniques where retention is legally required.

  2. Verification of Compliance:

Third-party processors must confirm the completion of data deletion or pseudonymization within an agreed timeframe. This confirmation must include:

    • A statement that the data has been deleted or anonymized in compliance with GDPR, AML, MICA, and contractual obligations.
    • The date of compliance and reference to the request ID.
    • An explanation if full erasure is not possible, citing the applicable legal or regulatory retention requirements.

  3. Escalation and Auditability:

If a third party fails to comply, the case will be escalated to the DPO and ICT Committee for review. This may include:

    • Revisiting contractual agreements (Data Processing Agreements - DPAs) to enforce compliance.
    • Reporting non-compliance to relevant regulatory authorities if necessary.

All communications and confirmations from third parties will be logged in the Third-Party Data Processing Register, ensuring full traceability for audits and compliance reviews.

Confirmation of Data Erasure

Once a data erasure request has been fully processed, a formal confirmation will be provided to ensure transparency and compliance with GDPR requirements.

  1. Data Erasure Confirmation:

If the requested data has been successfully deleted, a confirmation notice will be sent to the requester within the legally required timeframe. This notification will include:

    • Reference number of the request for tracking purposes.
    • Details of the erased data categories, ensuring clarity on the scope of the action taken.
    • Confirmation that third-party processors have also been instructed to delete the data, where applicable.

  2. Explanation for Data Retention:

If certain data could not be deleted due to legal obligations, the requester will receive a detailed explanation outlining:

    • The specific legal basis for retention (e.g., AML, financial reporting, MICA compliance).
    • The retention period before the data becomes eligible for erasure.
    • Any pseudonymization measures applied to protect the retained data.

  3. Right to Appeal or Seek Further Clarification:

If the requester has concerns regarding the scope of deletion or retention decisions, they will have the option to escalate their request to the DPO and ICT Committee for further review.

All confirmations will be logged in the Data Erasure Register, ensuring full auditability and compliance with Article 13(2)(d) GDPR.

Your Rights

As a data subject, you are entitled to the following rights under the General Data Protection Regulation (GDPR):

1. Right of Access (Article 15 GDPR):

You have the right to request access to the personal data we hold about you, including information about how it is processed, stored, and shared with third parties.

2. Right to Rectification (Article 16 GDPR):

If your personal data is inaccurate, incomplete, or outdated, you may request that we correct or update it.

3. Right to Restriction of Processing (Article 18 GDPR):

Under certain circumstances, you may request that we restrict the processing of your personal data instead of deleting it. This applies when:

    • The accuracy of the data is contested, and verification is pending.
    • Processing is unlawful, but you prefer restriction over erasure.
    • We no longer need the data, but you require it for legal claims.

4. Right to Data Portability (Article 20 GDPR):

You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

5. Right to Object (Article 21 GDPR):

You may object to the processing of your personal data for direct marketing purposes or based on legitimate interests, unless we demonstrate compelling legitimate grounds that override your rights.

6. Right to Lodge a Complaint:

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant data protection authority.

For any further questions regarding your rights or how to exercise them, please contact our Data Protection Officer (DPO) at [email protected].

