GDPR Information obligation – Merchant
Detailed information concerning the processing of personal data of the Merchant
I. Personal Data Administrator
The administrator of your personal data is PayPro S.A., with its registered seat at Pastelowa 8, 60-198 Poznan, entered in the Register of Entrepreneurs of the National Court Register [KRS] kept by the District Court Poznań Nowe Miasto i Wilda, 8th Commercial Division of the National Court Register, KRS entry no.: 0000347935, Tax Identity No. [VAT no.]: 7792369887, share capital: 4 737 100,00 PLN fully paid up.
Contact details of the Administrator:
Address: PayPro S.A., Pastelowa 8, 60-198 Poznan, Poland
Email: ado@przelewy24.pl
II. Data Protection Officer
The Administrator has appointed a Data Protection Officer (Mr. Aleksander Markiewicz), whom you may contact via email at iod@przelewy24.pl.
III. Aims and legal basis for personal data processing.
- PayPro processes your personal data primarily for the purposes of concluding and then performing, including considering complaints, terminating and settling the Agreement for accepting payments using payment instruments, i.e. for purposes related to PayPro's provision of payment services to the Merchant covered by the Agreement. The above also includes the processing of personal data related to communication between PayPro and you to the extent that it is related to the purposes referred to in the first sentence.
PayPro processes the personal data based on art. 6 (1) (b) of the Regulation[1], i.e. because data processing is necessary for concluding and performing the agreement on rendering payment services (the Agreement for acceptance of payments by means of payment instruments) that you are a party to, as well as for actions leading to the conclusion of the Agreement.
- PayPro processes your personal data related to the provision of payment services and the conclusion of a payment services agreement (Agreement for acceptance of payments by means of payment instruments) also with a view to the possible redress related to your failure to perform or improper performance of the obligations resulting from the Agreement, in particular the obligations related to the payment of the amounts you owe PayPro for performance and/or non-performance or improper performance of the Agreement.
PayPro processes the personal data based on art. 6 (1) (f) of the Regulation, i.e., because the processing of the data is necessary for the purpose of legally justified interests executed by the Administrator.
- PayPro processes your personal data (excluding the so-called sensitive data[2]) with regard to the rendered payment services, to the extent necessary to prevent fraud related to the performed payment services or operating the payment system as well as to investigate and detect such fraud by competent authorities.
PayPro processes the personal data based on art. 6 (1) (c), (d) and (f) of the Regulation, i.e., due to the fact that the processing is necessary to comply with the legal obligation of the Administrator, protection of interests of payment services users, as well as the purposes arising from legitimate interests pursued by providers of payment services.
- PayPro processes your personal data related to the conclusion and performance of the Agreement for accepting payments using payment instruments in order to perform obligations under anti-money laundering and counter-terrorism financing regulations, in particular, to identify and assess the risks of money laundering and terrorism financing, applying security measures including, but not limited to, customer identification and verification of identity.
PayPro processes the personal data based on art. 6 (1) (c) of the Regulation, in relation to the provisions of anti-money laundering and counter-terrorism financing act, i.e., due to the fact that the processing is necessary to comply with legal obligations on the Administrator as an obliged entity in the meaning of the provisions of the anti-money laundering and counter-terrorism financing act.
- PayPro processes your personal data for information purposes, especially marketing its services and services offered by affiliates of PayPro. The above also includes processing of data connected with communication between PayPro and you in the regard of the aforementioned information and marketing purposes.
PayPro processes the personal data based on art. 6 (1) (f) of the Regulation, i.e., for legally justified purposes of the Administrator, and it may also process it based on your consent (article 6 (1) (a) of the Regulation).
- In addition, PayPro processes your personal data for other legally permissible purposes, directly or indirectly related to the objectives referred to in sections 1-4, in particular for archival and statistical purposes, for purposes related to audits, management control, or for purposes related to consulting and conducting surveys and customer satisfaction surveys.
PayPro processes the personal data based on art. 6 (1) (f) of the Regulation, i.e., for legally justified purposes of the Administrator.
IV. Categories of personal data processed.
PayPro processes, first and foremost, the personal information associated with identification of your person, and verification of your identity, which includes, in particular, name(s) and surname(s), citizenship, PESEL number (or the date and country of birth - in case you do not have a PESEL number), series and number of the document which confirms your identity, address of residence, the name of your business, its NIP number and the main address where the business is run.
In addition, PayPro processes your personal data related to the performance of payment services and prevention of infringements on provisions of law, including in particular, in addition to the data referred to in the first subparagraph, the following data: your identification number assigned by PayPro in Przelewy24 system, telephone numbers, email addresses, mailing addresses, numbers of payment accounts, including bank accounts, IP addresses used by you and your representatives.
For communication purposes, PayPro primarily processes the name(s) and surname(s), phone numbers, addresses of residence, business addresses, mailing addresses and email addresses.
PayPro also processes your financial data, including those connected with provision of a given service, your economic and financial standing.
V. Information on the categories of recipients of the data.
Data recipient is a natural or legal person, public authority, body or other entity to whom PayPro reveals your personal information, regardless of whether it is a third party.
Public authorities which may receive personal data as part of a specific procedure in accordance with European Union law or Member State law are not regarded as recipients.
Therefore, PayPro informs about the following categories of recipients:
- PayPro agents, that is, entities acting on behalf and for the benefit of PayPro as a payment institution;
- other payment services providers, in the capacity connected with rendered payment services and purposes mentioned in sections III.3 and III.4, as well as in other cases when the entities are entitled to obtain the information from PayPro; including in particular banks and local branches of foreign banks, lending institutions, e-money institutions, payment institutions, payment/credit/virtual card operators;
- entities rendering legal services related to the activity of PayPro;
- entities rendering IT services related to the activity of PayPro, including hosting services;
- entities rendering audit services and other services related to controlling the activities of PayPro;
- expert auditors examining documents connected with the activities of PayPro;
- the entities within PayPro group;
- other than the above-listed entities (including in particular supervision authorities) which are legally entitled to obtain from PayPro information related to the activities of PayPro, which may include your personal data.
VI. Information on the intention to transfer personal data to a third country or an international organisation.
PayPro does not intend to transfer your personal data to a third country (non-European Economic Area), or to an international organisation.
VII. The period for which personal data will be stored, or the criteria for determining this period.
- Your personal data processed for the purpose referred to in section III.1 will be processed for the period of validity of the Agreement, and after its completion – according to the provisions of law.
- Your personal data processed for the purpose referred to in section III.2 will be processed for the period of validity of the Agreement, and after its completion – for the period in which it is possible to pursue claims in court, i.e. until the expiry of the limitation period for claims.
- Your personal data processed for the purpose referred to in section III.3 will be processed for a period necessary for realization of the purpose, in particular, taking into account the statute of limitations for prosecuting such crimes.
- Your personal data processed for the purpose referred to in section III.4 will be processed for the period dictated by the referenced provisions of law on anti-money laundering and counter-terrorism financing, in particular, the data collected as a result of using security measures will be stored for 5 years counting from the first day of the year following the date of transaction, and the data on transactions made by obliged entities and documents connected with these transactions are stored for 5 years from the first day of the year following the last register entry pertaining to the transaction.
- Your personal data processed for the purpose referred to in section III.5 will be processed for the period of validity of the Agreement - in case when the data are processed based on art. 6 (1) (f) of the Regulation, but no longer than the day of justified appeal. In case the data are processed based on your consent, they will be processed also after the completion of the Agreement, for a period indicated in the consent, following the period of Agreement validity, but not longer than to the day of consent withdrawal.
- Your personal data processed for the purpose referred to in section III.6 will be processed for the period suitable for the purpose in which they were collected. If, however, additional data were collected for the purposes referred to in sections III.1-III.5, the data will be processed for the period of Agreement validity and 10 years from its completion, but not longer than to the day of justified objection.
VIII. Information on the obligation to provide personal data or lack thereof.
You are bound by legal and contractual obligation to provide the data referred to in section III.1. Therefore, in case you fail to provide the data, PayPro will not enter into an Agreement with you. In case the Agreement was concluded on condition of providing the data afterwards, should the data fail to be provided, the Agreement will be terminated.
You are bound by contractual obligation to provide the data referred to in section III.2. Therefore, in case you fail to provide the data, PayPro will not enter into an Agreement with you. In case the Agreement was concluded on condition of providing the data afterwards, should the data fail to be provided, the Agreement will be terminated.
You are bound by legal obligation to provide the data referred to in sections III.3 and III.4. Therefore, in case you fail to provide the data, PayPro will not enter into an Agreement with you, and if the Agreement was concluded - it will be terminated.
Providing the data referred to in section III.5 is optional, so you may choose against it. However, if the data are also processed for the purposes described in sections III.1-III.4, failure to provide them will have the consequences mentioned above.
If within the purpose referred to in section III.6 you will be asked to provide other personal data for purposes referred to in sections III.1-III.5, the provision is optional and you may choose against it.
IX. Information on your rights.
- You have the right to demand from the personal data Administrator access to your personal data, including copies of the personal data that is subject to processing. The first copy is free of charge. For any subsequent copies you request, the Administrator may charge a reasonable fee resulting from administrative costs.
- You have the right to demand that the Administrator amend your personal data if they are incorrect, in particular because they were collected with errors, or because they changed after collection. This right also applies to incomplete data.
- You have the right to demand that the Administrator remove your personal data in the cases specified in the Regulation, i.e., in the following circumstances:
  - your personal data are no longer necessary for the purposes they were collected or otherwise processed, in particular, the time the Administrator planned or was obliged to process the data has expired;
  - you have revoked your consent (pursuant to the law referred to in section IX.7), on which data processing is based, unless the Administrator has got other legal grounds for processing;
  - you have raised objections to personal data processing (referred to in section IX.5) and there are no overriding legitimate grounds for the processing;
  - you have raised objections to processing (referred to in section IX.6);
  - if your personal data was processed unlawfully;
  - if your personal data must be removed for the purpose of fulfilling a legal obligation arising from European Union law or Member State law relevant for the Administrator.
PayPro may deny a justified request to remove the personal data mentioned above in cases specified by law, in particular, if further processing is necessary for fulfilling legal obligations arising from European Union law or Member State law, as well as for establishing, investigating or defending claims.
- You have the right to demand that the Administrator limit processing of your personal data, under conditions specified in the Regulation, i.e.:
  - when you question the accuracy of personal data - for a period enabling the Administrator to verify the accuracy of the data;
  - when data processing is unlawful, and you object to having the data removed, demanding that it is limited instead;
  - when the Administrator no longer needs the personal data for the purposes of processing, but you need them for establishing, investigating or defending claims;
  - when you have raised objections to the processing referred to in section IX.5 - until it is determined whether legally justified grounds of the Administrator override the bases for your objection.
- You have the right to raise objection to your personal data being processed by the Administrator, pursuant to art. 21 (1) of the Regulation, i.e., object on the grounds pertaining to your particular situation - to processing of your personal data based on art. 6 (1) (e) or (f) of the Regulation, including profiling based on these provisions.
In the case of the Administrator, the above right to raise objections refers to personal data processed for the purposes referred to in sections III.2, III.3, III.5 and III.6.
In the event of such objection, the Administrator may no longer process the personal data, unless he demonstrates the existence of legally valid grounds for processing that override the interests, rights and freedoms of the data subject or grounds for establishing, investigating or defending claims. In particular, further data processing, despite the objection, may stem from purposes referred to in section III.2 and III.3.
- You have the right to raise an objection to your personal data being processed by the Administrator, pursuant to art. 21 (2) of the Regulation, i.e., object to processing of your personal data for direct marketing purposes, including profiling, in the capacity of processing related to direct marketing.
In case this right is exercised, the Administrator may not continue to process your personal data for the purposes of direct marketing.
- You have the right to transfer data. Therefore, you have the right to receive the personal data with which you provided the Administrator, in a structured, commonly used machine-readable format, and you have the right to send this personal data to another administrator without any obstacles on the part of the Administrator.
However, this right is restricted to the personal data processed based on your consent or the Agreement (i.e., in the cases referred to in sections III.5 and III.1), and in the capacity of automated processing (note that according to section X, PayPro does not process data in any automated way).
When exercising this right, you may demand that your personal data be sent by the Administrator directly to another administrator, if it is technically possible.
- You may withdraw the consent referred to in III.5 at any point. Please be advised that the withdrawal of your consent does not affect the lawfulness of the processing that was carried out on the basis of your consent before the withdrawal.
In the event of consent withdrawal, the Administrator ceases to process your personal data, which are only processed based on the consent. In case your personal data are processed on grounds different than the consent, the Administrator may continue to process them as long as the grounds remain valid.
- You have the right to lodge a complaint to a supervision body, i.e., one of the bodies appointed by particular EU member states in order to monitor compliance with the Regulation.
The supervision body in the Republic of Poland is the Inspector General for Personal Data Protection / the President of the Office for Personal Data Protection.
X. Information on automated decision-making, including profiling.
Your data will not be processed in any automated way, including profiling.
XI. Processing for purposes different to those for which the data was collected.
With the exception of section III.6, PayPro does not intend to process your personal data for purposes different to those for which the data was collected.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in this document referred to as the Regulation]
[2] personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships and include the processing of genetic data, biometric data for the purpose of unequivocally identifying a natural person, or health data, data concerning a natural person's sex life or sexual orientation [Art. 9 section 1 of the Regulation.]