Information obligation - GDPR

Detailed information concerning the processing[1] of personal data[2] of Payers using Przelewy24 Service

Personal Data Administrator.

The administrator of Payer's[3] personal data is PayPro S.A., with its registered seat at Kanclerska 15, 60-327 Poznań, entered in the Register of Entrepreneurs of the National Court Register [KRS] kept by the District Court Poznań Nowe Miasto i Wilda, 8th Commercial Division of the National Court Register, KRS entry no.: 0000347935, Tax Identity No. [VAT no.]: 7792369887, share capital: 4,500,000.00 PLN  fully paid up.

 

Contact details of the Administrator:

Adres: Address:
PayPro S.A. Kanclerska 15, 60-327 Poznan, Poland
Email:  Email:
ado@przelewy24.pl

 

  1. Data Protection Officer.

The Administrator has appointed a Data Protection Officer that you as a Payer may contact via email at iod@przelewy24.pl .

Aims and legal bases of personal data processing.

PayPro processes your personal data (Payer's personal data) primarily for the purposes of payment services provided by PayPro within the agreement for acceptance of payments on behalf of the Merchant, including in particular, processing of payment orders to the Merchant made by you.

The above includes also processing of data connected with communication between PayPro and yourself in the regard of the purpose referred to in the first sentence, in particular, sending to you information on the payment order and its completion.

The above includes also processing of data connected with consideration of complaints issued by you as a Payer or a potential Payer and related to failure to provide or improper provision of payment services or related to other objections regarding provided payment services.

PayPro processes the personal data based on art. 6 (1) (f) of the Regulation[4], i.e., because the processing of the data is necessary for the purpose of legally justified interests executed by the Administrator, i.e., proper provision of payment services by PayPro, including communicating with you about provided payment services.

In the capacity of considering complaints, PayPro processes the personal data also based on art. 6 (1) (c) of the Regulation, as processing of these data is necessary for fulfillment of the legal obligation to consider complaints and keep documentation connected with the process.

Paypro processes your personal data related to the provision of payment services also with a view to the possible redress related to your or Merchant's failure to perform or improper performance of the obligations arising from to the agreement for accepting payments, in the capacity of payments ordered by you; in particular, the obligations related to the payment of the amounts you or the Merchant owe PayPro as a result of provision and/or failure to provide or improper provision of a payment service.

PayPro processes the personal data based on art. 6 (1) (f) of the Regulation[5], i.e., because the processing of the data is necessary for the purpose of legally justified interests executed by the Administrator, connected with asserting claims.

PayPro processes your personal data, excluding the so-called sensitive data[6],[7], with regard to the rendered payment services, in the capacity necessary for relevant bodies to prevent, investigate and detect fraud.

PayPro processes the personal data based on art. 6 (1) (c), (d) and (f) of the Regulation, i.e., due to the fact that the processing is necessary to comply with the legal obligation of the Administrator, protection of interests of payment services users, as well as the purposes arising from legitimate interests pursued by providers of payment services.

PayPro processes your personal data related to the provision of payment services, in order to perform obligations under anti-money laundering and counter-terrorism financing regulations, in particular, to identify and assess the risks of money laundering and terrorism financing, applying security measures including, but not limited to, customer identification and verification of identity.

PayPro processes the personal data based on art. 6 (1) (c) of the Regulation, in relation to the provisions of anti-money laundering and counter-terrorism financing act, i.e., due to the fact that the processing is necessary to comply with legal obligations on the Administrator as an obliged entity in the meaning of the provisions of the anti-money laundering and counter-terrorism financing act.

PayPro processes your personal data for information purposes, especially marketing its services and services offered by affiliates of PayPro. The above also includes processing of data connected with communication between PayPro and yourselves in the regard of the aforementioned information and marketing purposes.

PayPro processes the personal data based on art. 6 (1) (f) of the Regulation, i.e., for legally justified purposes of the Administrator, and it may also process it based on your consent (article 6 (1) (a) of the Regulation).

In addition, PayPro processes your personal data for other legally permissible purposes, directly or indirectly related to the objectives referred to in sections 1-4, in particular, archiving, statistical, audit, management control and consultation purposes.

PayPro processes the personal data based on art. 6 (1) (f) of the Regulation, i.e., for legally justified purposes of the Administrator.

Categories of personal data processed.

            Paypro processes first and foremost, the personal information connected with performance of payment services, which includes, in particular: name(s) and surname(s), address of residence, mailing address, e-mail address, numbers of payment accounts, including bank accounts, payment card number, other ID number of a payment instrument used, phone number, IP addresses used by you.

In addition, Paypro processes the personal information associated with identification of your person, and verification of your identity, which includes, in particular, name(s) and surname(s), citizenship, PESEL number (or the date and country of birth - in case you do not have a PESEL number), number of the document which confirms your identity, address of residence.

For communication purposes, PayPro primarily processes the names, phone numbers, email addresses, addresses of residence and mailing addresses.

  1. Information on the categories of recipients of the data.

Data recipient is a natural or legal person, public authority, body or other entity to whom PayPro reveals your personal information, regardless of whether it is a third party[8].

Public authorities which may receive personal data as part of a specific procedure in accordance with European Union law or Member State law are not regarded as recipients.

Therefore, PayPro informs about the following categories of recipients:

a. PayPro agents, that is, entities acting on behalf and for the benefit of PayPro as a payment institution – please note that currently, the only agent is DialCom24 Sp. z o.o. with its seat in Poznań;

b. other payment services providers, including your payment services provider, who made available to you the payment instrument you are currently using; personal data is disclosed to these recipients only in the capacity connected with rendered payment services (section III.1) and purposes mentioned in sections III.3 and III.4, as well as in other cases when the entities are entitled to obtain the information from PayPro; including in particular banks and local branches of foreign banks, lending institutions, e-money institutions, payment institutions, payment/credit/virtual card operators;

c. entities rendering legal services related to the activity of PayPro;

d. payment recipients, for purposes connected with the payment made;

e. entities rendering IT services related to the activity of PayPro, including hosting services;

f. entities rendering audit services and other services related to controlling the activities of PayPro;

g. expert auditors examining documents connected with the activities of PayPro;

h. the entities within PayPro group;

i. other than the above-listed entities (including in particular supervision authorities) which are legally entitled to obtain from PayPro information related to the activities of PayPro, which may include your personal data.

j. Recipients may also be other entities, if your personal data will be shared to them based on your consent indicating such recipient.

  1. Information on the intention to transfer personal data to a third country or an international organisation.

            Paypro does not intend to transfer your personal data to a third country (non-European Economic Area), or to an international organisation.

  1. The period for which personal data will be stored, or the criteria for determining this period.

Your personal data processed for the purposes referred to in section III.1 will be processed for the period of payment service provision and for 13 months from the date when your account was credited in relation to the provided payment service, or for 13 months from the date when the transaction was supposed to be made, and after expiry of this period, for a period indicated by law (including Payment Services Act and tax regulations). In particular, PayPro as a Polish payment institution is obligated to store documents related to payment services provision for 5 years from their creation or receipt.   

Your personal data processed for the purpose referred to in section III.2 will be processed for the period mentioned above, but no longer than the expiry of possible litigation period, i.e., period of limitation of claims, according to the provisions of law. In case the period of limitation of claims expires before the expiry of the period mentioned in the previous section, PayPro will cease to process the personal data for the purpose and in the capacity mentioned here in this section, but may still process your personal data for the purposes and in the capacity described in the previous section.

Your personal data processed for the purpose referred to in section III.3 will be processed for a period necessary for realisation of the purpose, in particular, taking into account the statue of limitations to prosecute against such crimes.

Your personal data processed for the purpose referred to in section III.4 will be processed for the period dictated by the referenced provisions of law on anti-money laundering and counter-terrorism financing, in particular, the data collected as a result of  using security measures will be stored for 5 years counting from the first day of the year following the date of transaction, and the data on transactions made by obliged entities and documents connected with these transactions are stored for 5 years from the first day of the year following the last register entry pertaining to the transaction. 

Your personal data processed for the purpose referred to in section III.5 will be processed for the period of service provision - in the case when the data are processed based on art. 6  (1) (f) of the Regulation, but no longer than the day of justified objection.

In case the data are processed based on your consent, they will be processed also after completion of payment service provision, for a period indicated in the consent, but no longer than the date of consent withdrawal.

Your personal data processed for the purpose referred to in section III.6 will be processed for a period suitable for the purpose of collection. If, however, additional data were collected for the purposes referred to in sections III.1-III.5, the data will be processed for a period of payment service provision and 10 years from its completion, but no longer than the date of raising a justified objection to such processing.

Information on the obligation to provide personal data or lack thereof.

You are bound by legal and contractual obligation to provide the data referred to in section III.1. Therefore, in case you fail to provide the data, PayPro will not be able to accept your payment order and provide the payment service.

You are bound by contractual obligation to provide the data referred to in section III.2. Therefore, in case you fail to provide the data, PayPro will not be able to accept your payment order and provide the payment service.

You are bound by legal obligation to provide the data referred to in sections III.3. and III 4.  Therefore, in case you fail to provide the data, PayPro will not be able to accept your payment order and provide the payment service.

Providing the data referred to in section III.5 is optional, so you may choose against it. However, if the data are also processed for the purposes described in sections III.1-III.4, failure to provide them will have the consequences mentioned above.

If within the purpose referred to in section III.6 you will be asked to provide other personal data for purposes referred to in sections III.1-III.5, the provision is optional and you may choose against it.

Information on your rights.

You have the right to demand from the personal data Administrator access to your personal data, including copies of the personal data that is subject to processing.  The first copy is free of charge. For any subsequent copies you request, the Administrator may charge a reasonable fee resulting from administrative costs.

You have the right to demand that the Administrator amend your personal data if they are incorrect, in particular, because they were collected with errors, or because they changed after collection. This right also applies to incomplete data.

You have the right to demand that the Administrator remove your personal data in the cases specified in the Regulation, i.e., in the following circumstances:

Your personal data are no longer necessary for the purposes they were collected or otherwise processed, in particular, the time the Administrator planned or was obliged to process the data has expired;

you have revoked your consent (pursuant to the law referred to in section IX.7), on which data processing is based, unless the Administrator has got other legal grounds for processing;

you have raised objections to personal data processing (referred to in section IX.5) and there are no overriding legitimate grounds for the processing;

you have raised objections to processing (referred to in section IX. 6);

if your personal data was processed unlawfully;

if your personal data must be removed for the purpose of fulfilling a legal obligation arising from European Union law or Member State law relevant for the Administrator;

PayPro may deny a justified request to remove the personal data mentioned above in cases specified by law, in particular, if further processing is necessary for fulfilling legal obligations arising from European Union law or Member State law, as well as for establishing, investigating or defending claims.

You have the right to demand that the Administrator limit processing of your personal data, under conditions specified in the Regulation, i.e.:

  • when you question the accuracy of personal data - for a period enabling the Administrator to verify the accuracy of the data;
  • when data processing is unlawful, and you object to having the data removed, demanding that it is limited instead;
  • when the Administrator no longer needs the personal data for the purposes of processing, but you need them for establishing, investigating or defending claims;
  • when you have raised objections to the processing referred to in section IX.5. - until it is determined whether legally justified grounds of the Administrator override the bases for your objection.

You have the right to raise an objection to your personal data being processed by the Administrator, pursuant to art. 21  (1) of the Regulation, i.e., object on the grounds pertaining to your particular situation - to processing of your personal data based on art. 6  (1) (e) or (f) of the Regulation, including profiling based on these provisions.

In the case of the Administrator, the above right to raise objections refers to personal data processed for the purposes referred to in sections III.2, III.3, III.5 and III.6.

In the event of such objection, the Administrator may no longer process the personal data, unless he demonstrates the existence of legally valid grounds for processing that override the interests, rights and freedoms of the data subject or grounds for establishing, investigating or defending claims. In particular, further data processing, despite the objection, may stem from purposes referred to in section III.2 and III.3.

You have the right to raise an objection to your personal data being processed by the Administrator, pursuant to art. 21 (2) of the Regulation, i.e., object to processing of your personal data for direct marketing purposes, including profiling, in the capacity of processing related to direct marketing.

In case this right is exercised, the Administrator may not continue to process your personal data for the purposes of direct marketing.

You have the right to transfer data. Therefore, you have the right to receive the personal data with which you provided the Administrator, in a structured, commonly used machine-readable format, and you have the right to send this personal data to another administrator without any obstacles on the part of the Administrator.

However, this right is restricted to the personal data processed based on your consent or the Agreement, and in the capacity of in which data are subject to automated processing (note that according to section X, PayPro does not process data in any automated way).

When exercising this right, you may demand that your personal data be sent by the Administrator directly to another administrator, if it is technically possible.     

You may withdraw the consent referred to in III.5 at any point. Please  be advised that the withdrawal of your consent does not affect the lawfulness of the processing that was carried out on the basis of your consent before the withdrawal.

In the event of consent withdrawal, the Administrator ceases to process your personal data, which are only processed based on the consent. In case your personal data are processed on grounds different than the consent, the Administrator may continue to process them as long as the grounds remain valid.

You have the right to lodge a complaint to a supervision body, i.e., one of the bodies appointed by particular EU member states in order to monitor compliance with the Regulation.

The supervision body in the Republic of Poland is the Inspector General for Personal Data Protection / the President of the Office for Personal Data Protection.

Information on automated decision-making, including profiling.

Your data will not be processed in any automated way, including profiling.

Processing for purposes different to those for which the data was collected. 

With the exception of section III.6, PayPro does not intend to process your personal data for purposes different to those for which the data was collected.


[1]              Processing of personal data means an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated way, such as collection, recording, organising, storing, adapting or modifying, downloading, browsing, using, disclosing through sending, distibuting or otherwise sharing, matching and joining, limiting, removing and destroying.

[2]              Personal data mean information about an identified or identifiable natural person (the person to whom the data pertains); an identifiable natural person is a person who may be directly or indirectly identified, in particular on the basis of such an identifier as name and surname, ID number, location data, internet ID, as well as one or more particular factors describing physical, physiological, genetic, psychological, economic, cultural or social identity of a natural person.

[3]              Payer a person who intends to pay, as well as a person who has just made a payment of a specific amount to the recipient of payment (e.g., an entity owning an online shop in which the Payer purchased goods they wish to pay for or have already paid for) through Przelewy24 Service. The recipient (also referred to as Merchant) makes available payment methods operated by Przelewy24 service. In order to make the payment, the Payer uses a payment instrument such as electronic banking or a payment card.

[4]              Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in this document referred to as the Regulation]

[5]              Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in this document referred to as the Regulation]

[6]              I.e., personal data revealing racial or ethnic background; political, religious or philosophical views; religion, party or union membership, medical data, genetic code, addictions and sexual life, as well as data pertaining to sentencing, penalty decisions, fines and other legal decisions issued in the course of court and administative proceedings [Art. 27, section 1 of the Act of 29 August 1997 on protection of personal data.]

[7]              I.e. personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships and include the processing of genetic data, biometric data for the purpose of unequivocally identifying a natural person, or health data, data concerning a natural person's sex life or sexual orientation [Art. 9 section 1 of the Regulation.]

[8]              Third party means a natural or legal person, a public administration body or an entity other than a person the data pertains to, a processing entity or persons authorised by an administrator or a processing entity to process personal data. A processing entity means a natural or legal person, a public administration body or another entity that processes personal data on administrator’s behalf.

© DialCom24 sp. z o.o. PayPro SA