GDPR Information obligation - Merchant

Detailed information concerning the processing of Payee’s personal data

I. Personal Data Administrator.

The administrator of your personal data is PayPro S.A., with its registered seat at Pastelowa 8, 60-198 Poznań, entered in the Register of Entrepreneurs of the National Court Register [KRS] kept by the District Court Poznań Nowe Miasto i Wilda, 8th Commercial Division of the National Court Register, KRS entry no.: 0000347935, Tax Identity No. [VAT no.]: 7792369887, share capital: 5 476 300,00 PLN, fully paid up.

Contact details of the Administrator:

II. Data Protection Officer.

The Administrator has appointed a Data Protection Officer (Mrs. Katarzyna Ellerik) that you may contact via email at  iod@przelewy24.pl.

III. Aims and legal bases of personal data processing.

1. PayPro processes your personal data primarily for the purpose of concluding, performing (including consideration of complaints), terminating and settling dues resulting from the Agreement for the acceptance of payments by means of payment instruments, i.e., for the purpose of providing the Merchant with payment services under the Agreement. The above also includes processing of data connected with communication between PayPro and yourself to extent resulting from the purposes listed in the first sentence.
   PayPro processes these personal data based on art. 6 (1) (b) of the Regulation¹, because the processing of the data is necessary for the conclusion and performance of the payment services agreement (Agreement for the acceptance of payments by means of payment instruments), to which you are a party, as well as for the purpose of activities connected with its conclusion - prior to the conclusion of the Agreement.
   
   
2. Paypro processes your personal data related to the provision of payment services and the conclusion of a payment services agreement (Agreement for the acceptance of payments by means of payment instruments) also with a view to the possible claims related to your failure to preform or improper performance of the obligations resulting from to the Agreement, in particular, the obligations related to the payment of the amounts you owe PayPro as a result of performance and/or non-performance or improper performance of the Agreement.
   PayPro processes the personal data based on art. 6 (1) (f) of the Regulation¹, because the processing of the data is necessary for the exercise of the Administrator’s legitimate interest.
   
   
3. PayPro processes your personal data, excluding the so-called sensitive data^2,3, with regard to the rendered payment services, in the extent necessary for the prevention of fraud related to the performed payment services or operating the payment system, as well as for investigation and detection of such fraud by competent authorities.
   PayPro processes the personal data based on art. 6 (1) (c), (d) and (f) of the Regulation, i.e., due to the fact that the processing is necessary to comply with the legal obligation of the Administrator, protection of interests of payment services users, as well as the purposes arising from legitimate interests exercised by providers of payment services.
   
   
4. Paypro processes your personal data related to the conclusion of the Agreement for the acceptance of payments by means of payment instruments in order to fulfil its obligations arising from anti-money laundering and counter-terrorist financing regulations, in particular, to identify and assess the risks of money laundering and terrorist financing, applying security measures including, but not limited to, customer identification and identity verification.
   PayPro processes these personal data based on art. 6 (1) (c) of the Regulation, in relation to the provisions of anti-money laundering and counter-terrorist financing regulations, i.e., due to the fact that the processing is necessary to comply with legal obligations of the Administrator as an obligated institution in the meaning of the anti-money laundering and counter-terrorist financing regulations.
   
   
5. PayPro processes your personal data for information purposes, especially marketing its services and the services offered by the affiliates of PayPro. The above also includes processing of data connected with communication between PayPro and yourself in the extent necessary for the aforementioned information and marketing purposes.
   PayPro processes these personal data based on art. 6 (1) (f) of the Regulation, i.e. for legally justified purposes of the Administrator, and may also process these data based on your consent (art. 6 (1) (a) of the Regulation).
   
   
6. In addition, PayPro processes your personal data for other legally permissible purposes, directly or indirectly related to the objectives referred to in sections 1-4, in particular, for archiving and statistical purposes, for purposes related to audits, management control, or for purposes related to consulting and conducting surveys and customer satisfaction surveys.
   PayPro processes these personal data based on art. 6 (1) (f) of the Regulation, i.e., for legally justified purposes of the Administrator.

IV. Categories of personal data processed.

Paypro processes first and foremost, the personal information connected with identification of your person and verification of your identity, which includes, in particular, name(s) and surname(s), citizenship, PESEL number (or - in case you do not have a PESEL number - the date and country of birth), number of the document which confirms your identity, address of residence, the name of your business, its tax ID number and the main address where the business activity is conducted.

In addition, PayPro processes your personal data related to the performance of payment services and prevention of infringements on provisions of law, including in addition the data referred to in the first subparagraph, in particular, the following data: your identification number in the Przelewy24 system assigned by PayPro, telephone numbers, email addresses, mailing addresses, numbers of payment accounts, including bank accounts, IP addresses used by you and your representatives.

For communication purposes, PayPro primarily processes names and surnames, phone numbers, addresses of residence, business addresses, mailing addresses and email addresses.

Paypro also processes your financial data, including those connected with provision of a given service and your economic and financial standing.

V. Information on the categories of recipients of the data.

Data recipient is a natural or legal person, public authority, body or other entity to whom PayPro discloses your personal data, regardless of whether it is a third party.

Public authorities which may receive personal data as part of a specific procedure in accordance with EU law or Member State law are not considered recipients.

Therefore, PayPro informs about the following categories of recipients:

1. PayPro agents, that is, entities acting on behalf and for the benefit of PayPro as a payment institution;
2. other payment services providers, in the extent necessary for the provision of payment services and purposes mentioned in sections II.3 and II.4, as well as in other cases when the entities are entitled to obtain information, including information containing personal data, from PayPro; this includes in particular banks and local branches of foreign banks, lending institutions, e-money institutions, payment institutions, payment/credit/virtual card operators;
3. entities rendering legal services related to the activity of PayPro;
4. entities rendering IT services related to the activity of PayPro, including hosting services;
5. entities rendering audit services and other services related to controlling the activities of PayPro;
6. expert auditors examining documents connected with the activities of PayPro;
7. the entities within the PayPro group;
8. other than the above-listed entities (including in particular supervision authorities) which are legally entitled to obtain from PayPro information related to the activities of PayPro, which may include your personal data.

VI. Information on the intention to transfer personal data to a third country or an international organisation.

PayPro does not intend to transfer your personal data to a third country (i.e. non-European Economic Area), or to an international organisation.

VII. The period for which personal data will be stored, or the criteria for determining this period.

1. For the purpose referred to in section II.1, your personal data be processed for the period of validity of the Agreement, and after its termination, for a period specified by the provisions of law.
2. For the purpose referred to in section II.2, your personal data will be processed for the period of validity of the Agreement, and after its termination – for a period for the period in which it is possible to pursue claims in court, i.e. until the expiry of the period of limitation of claims.
3. For the purpose referred to in section II.3, your personal data will be processed for a period necessary for realisation of the purpose, in particular, taking into account the statute of limitations to prosecute against such crimes.
4. For the purpose referred to in section II.4, your personal data will be processed for the period dictated by the referenced provisions of the anti-money laundering and counter-terrorist financing law, in particular, the data collected as a result of using security measures will be stored for 5 years from the first day of the year following the date of transaction, and the data on transactions made by obligated institutions and documents connected with these transactions are stored for 5 years from the first day of the year following the last register entry pertaining to the transaction.
5. For the purpose referred to in section II.5, your personal data will be processed for the duration of the Agreement - if the data are processed pursuant to art. 6 sec. 1 lit. f) of the Regulation, but no longer than until the date of raising a justified objection. When the data are processed based on your consent, they will be processed also after the termination of the Agreement, for the period specified in the consent, but no longer than until the consent is withdrawn.
6. For the purpose referred to in section II.6, your personal data will be processed for a period suitable for the original purpose of collection. If, however, additional data were collected for the purposes referred to in sections II.1-II.5, the data will be processed for a period of payment service provision and 10 years from its completion, but no longer than the date of raising a justified objection to such processing.

VIII. Information on the obligation to provide personal data or lack thereof.

You are bound by legal and contractual obligation to provide the data referred to in section II.1. Therefore, in case you fail to provide the data, PayPro will not enter into an Agreement with you. In case the Agreement was concluded on condition of providing the data afterwards, should the data fail to be provided, the Agreement will be terminated.

You are bound by contractual obligation to provide the data referred to in section II.2. Therefore, in case you fail to provide the data, PayPro will not enter into an Agreement with you. In case the Agreement was concluded on condition of providing the data afterwards, should the data fail to be provided, the Agreement will be terminated.

You are bound by legal obligation to provide the data referred to in sections II.3. and II 4. Therefore, in case you fail to provide the data, PayPro will not enter into an Agreement with you, and if the Agreement has been concluded - it will be terminated.

Providing the data referred to in section II.5 is optional, so you may choose against it. However, if these data are also processed for the purposes described in sections II.1-II.4, failure to provide them will have the consequences mentioned above.

If within the purpose referred to in section II.6 you will be asked to provide other personal data for purposes referred to in sections II.1-II.5, the provision is optional and you may choose against it.

IX. Information on your rights.

1. You have the right to demand from the personal data Administrator access to your personal data, including copies of the personal data that is subject to processing. The first copy is free of charge. For any subsequent copies you request, the Administrator may charge a reasonable fee resulting from administrative costs.
   
   
2. You have the right to demand that the Administrator amend your personal data if they are incorrect, in particular, because they were collected with errors, or because they changed after collection. This right also applies to incomplete data.
   
   
3. You have the right to demand that the Administrator remove your personal data in the cases specified in the Regulation, i.e., in the following circumstances:

1. your personal data are no longer necessary for the purposes they were collected or otherwise processed, in particular, the time the Administrator planned to or was obliged to process the data has expired;
2. you have revoked your consent (pursuant to the law referred to in section VIII.7), on which data processing is based, unless the Administrator has got other legal grounds for processing;
3. you have raised objections to personal data processing (referred to in section VIII.5) and there are no overriding legitimate grounds for the processing;
4. you have raised objections to processing (referred to in section VIII. 6);
5. if your personal data was processed unlawfully;
6. if your personal data must be removed for the purpose of fulfilling a legal obligation arising from European Union law or Member State law relevant for the Administrator;
   
   PayPro may deny a justified request to remove the personal data mentioned above in cases specified by law, in particular, if further processing is necessary for fulfilling legal obligations arising from European Union law or Member State law, as well as for establishing, investigating or defending claims.

4. You have the right to demand that the Administrator limit processing of your personal data, under conditions specified in the Regulation, i.e.:

1. when you question the accuracy of personal data - for a period enabling the Administrator to verify the accuracy of the data;
2. when data processing is unlawful, and you object to having the data removed, instead demanding that their use be limited;
3. when the Administrator no longer needs the personal data for the purposes of processing, but you need them for establishing, investigating or defending claims;
4. when you have raised objections to the processing referred to in section VIII.5. - until it is determined whether legally justified grounds of the Administrator override the bases for your objection.

5. You have the right to raise an objection to your personal data being processed by the Administrator, pursuant to art. 21 (1) of the Regulation, i.e., object on the grounds pertaining to your particular situation - to processing of your personal data based on art. 6 (1) (e) or (f) of the Regulation, including profiling based on these provisions.
   For the Administrator, the above right to raise objections refers to personal data processed for the purposes referred to in sections II.2, II.3, II.5 and II.6.
   In the event of such an objection, the Administrator may no longer process the personal data, unless he demonstrates the existence of legally valid grounds for processing that override the interests, rights and freedoms of the data subject or grounds for establishing, investigating or defending claims. In particular, further data processing, despite the objection, may stem from purposes referred to in section II.2 and II.3.
   
   
6. You have the right to raise an objection to your personal data being processed by the Administrator, pursuant to art. 21 (2) of the Regulation, i.e., object to processing of your personal data for direct marketing purposes, including profiling, in the capacity of processing related to direct marketing.
   In case this right is exercised, the Administrator may not continue to process your personal data for the purposes of direct marketing.
   
   
7. You have the right to transfer data. Therefore, you have the right to receive the personal data with which you provided the Administrator, in a structured, commonly used machine-readable format, and you have the right to send this personal data to another administrator without any obstacles on the part of the Administrator.
   However, this right is restricted to the personal data processed based on your consent or the agreement, and in the capacity in which the data are subject to automated processing (note that according to section IX, PayPro does not process data in any automated way).
   When exercising this right, you may demand that your personal data be sent by the Administrator directly to another administrator, if it is technically possible.
   
   
8. You may withdraw the consent referred to in II.5 at any point. Please be advised that the withdrawal of your consent does not affect the lawfulness of the processing that was carried out on the basis of your consent before the withdrawal.
   In the event of consent withdrawal, the Administrator ceases to process your personal data, which are only processed based on the consent. In case your personal data are processed on grounds different than the consent, the Administrator may continue to process them as long as the grounds remain valid.
   
   
9. You have the right to lodge a complaint to a supervision body, i.e., one of the bodies appointed by particular EU member states in order to monitor the compliance with the Regulation.
   The competent supervision body in the Republic of Poland is the President of the Office for Personal Data Protection.

X. Information on automated decision-making, including profiling.

Your data will not be processed in any automated way, including profiling.

XI. Processing for purposes different to those for which the data was collected. 

With the exception of section II.6, PayPro does not intend to process your personal data for purposes different than those for which the data was collected.

¹Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in this document referred to as the Regulation]

² I.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union affiliation, data on health, genetic code, addictions or sex life, as well as data on convictions, punishment decisions and fines, and also other judgments issued in court or administrative proceedings [Art. 27 sec. 1 of the Act of August 29, 1997 on the protection of personal data.]

³ I.e. personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships and include the processing of genetic data, biometric data for the purpose of unequivocally identifying a natural person, or health data, data concerning a natural person's sex life or sexual orientation [Art. 9 section 1 of the Regulation.]