Detailed information concerning the processing1 of personal data2 of Payers using Dotpay Service
I. Personal Data Administrator.
The administrator of Payer's3 personal data is PayPro S.A., with its registered seat at Kanclerska 15, 60-327 Poznań, entered in the Register of Entrepreneurs of the National Court Register [KRS] kept by the District Court Poznań Nowe Miasto i Wilda, 8th Commercial Division of the National Court Register, KRS entry no.: 0000347935, Tax Identity No. [VAT no.]: 7792369887, share capital: 5 476 300,00 PLN, fully paid up.
Contact details of the Administrator:
PayPro S.A., Kanclerska 15, 60-327 Poznań, Poland
II. Data Protection Officer.
The Administrator has appointed a Data Protection Officer (Katarzyna Ellerik), whom you as a Payer may contact by email at email@example.com.
III. Aims and legal bases of personal data processing.
- PayPro processes your personal data (Payer's personal data) primarily for the purposes of payment services provided by PayPro within the agreement for acceptance of payments on behalf of the Merchant4, including in particular, processing of payment orders to the Merchant made by you.
The above also includes processing of data connected with communication between PayPro and you with regard to the purpose referred to in the first sentence, in particular, sending you information on the payment order and its completion.
The above includes also processing of data connected with consideration of complaints issued by you as a Payer or a potential Payer by email or telephone, as well as via the contact form, in particular, complaints about non-performed or improperly performed payment services, or regarding other objections related to the provision of payment services.
PayPro processes the personal data based on art. 6 (1) (f) of the Regulation5, because the processing of the data is necessary for the exercise of the Administrator’s legitimate interest, i.e., proper provision of payment services by PayPro, including communicating with you about the provided payment services.
In the capacity of considering complaints, PayPro processes the personal data also based on art. 6 (1) (c) of the Regulation, as processing of these data is necessary for fulfillment of the legal obligation to consider complaints and keep documentation connected with the process.
- PayPro processes your personal data related to the provision of payment services also with a view to a possible claim for damages related to your or the Merchant's failure to perform or improper performance of the obligations arising from the agreement for accepting payments ordered by you; in particular, the obligations related to the payment of the amounts you or the Merchant owe PayPro for the performance and / or non-performance or improper performance of the payment service.
PayPro processes the personal data based on art. 6 (1) (f) of the Regulation6, because the processing of the data is necessary for the exercise of the Administrator’s legitimate interest connected with asserting claims.
- PayPro processes your personal data, excluding the so-called sensitive data7,8, with regard to the rendered payment services, in the extent necessary for the prevention of fraud related to the performed payment services or operating the payment system, as well as for investigation and detection of such fraud by competent authorities.
PayPro processes the personal data based on art. 6 (1) (c), (d) and (f) of the Regulation, i.e., due to the fact that the processing is necessary to comply with the legal obligation of the Administrator, protection of interests of payment services users, as well as the purposes arising from legitimate interests exercised by providers of payment services.
- PayPro processes your personal data related to the provision of payment services, in order to perform obligations under anti-money laundering and counter-terrorist financing regulations, in particular, to identify and assess the risks of money laundering and terrorist financing, applying security measures including, but not limited to, customer identification and identity verification.
PayPro processes the personal data based on art. 6 (1) (c) of the Regulation, in relation to the provisions of anti-money laundering and counter-terrorist financing regulations, i.e., due to the fact that the processing is necessary to comply with legal obligations of the Administrator as an obligated institution in the meaning of the anti-money laundering and counter-terrorist financing regulations.
- PayPro processes your personal data to market its services and services offered by affiliates of PayPro. The above also includes processing of data connected with communication between PayPro and you with regard to the aforementioned marketing purposes.
PayPro processes the personal data based on your consent (art. 6 (1) (a) of the Regulation), provided that you have given such consent, which is entirely voluntary. If you have not consented, PayPro will not process your data for this purpose. Reading this information is not treated as such consent.
- In addition, PayPro processes your personal data for other legally permissible purposes, directly or indirectly related to the objectives referred to in sections 1-4, in particular, for archiving and statistical purposes, for purposes related to audits, management control, or for purposes related to consulting and conducting surveys and customer satisfaction surveys.
PayPro processes the personal data based on art. 6 (1) (f) of the Regulation, i.e., for legally justified purposes of the Administrator.
IV. Categories of personal data processed.
PayPro processes, first and foremost, the personal information connected with performance of payment services, which includes, in particular: name(s) and surname(s), address of residence, mailing address, e-mail address, numbers of payment accounts, including bank accounts, payment card number, other ID numbers of a payment instrument used, phone number, IP addresses used by you.
In addition, PayPro processes the personal information associated with identification of your person, and verification of your identity, which includes, in particular, name(s) and surname(s), citizenship, PESEL number (or the date and country of birth - in case you do not have a PESEL number), series and number of the document which confirms your identity, address of residence.
For communication purposes, PayPro primarily processes name(s) and surname(s), phone numbers, email addresses, addresses of residence and mailing addresses, as well as recordings of telephone conversations.
V. Information on the categories of recipients of the data.
A data recipient is a natural or legal person, public authority, body or other entity to whom PayPro discloses your personal data, regardless of whether it is a third party9.
Public authorities which may receive personal data as part of a specific procedure in accordance with EU law or Member State law are not considered recipients.
Therefore, PayPro informs about the following categories of recipients:
- PayPro agents, that is, entities acting on behalf and for the benefit of PayPro as a payment institution;
- other payment services providers, including your payment services provider, who made available to you the payment instrument you are using; personal data is disclosed to these recipients only in the extent connected with the rendered payment services (section II.1) and purposes mentioned in sections II.3 and II.4, as well as in other cases when the entities are entitled to obtain the information, including information containing personal data, from PayPro; this includes in particular banks and local branches of foreign banks, lending institutions, e-money institutions, payment institutions, payment/credit/virtual card operators;
- entities rendering legal services related to the activity of PayPro;
- payment recipients, for purposes connected with the payment made;
- entities rendering IT services related to the activity of PayPro, including hosting services;
- entities rendering audit services and other services related to controlling the activities of PayPro;
- expert auditors examining documents connected with the activities of PayPro;
- the entities within the PayPro group;
- other than the above-listed entities (including in particular supervision authorities) which are legally entitled to obtain from PayPro information related to the activities of PayPro, which may include your personal data.
- Recipients may also be other entities, if your personal data is shared with them based on your consent indicating such a recipient.
VI. Information on the intention to transfer personal data to a third country or an international organisation.
PayPro does not intend to transfer your personal data to a third country (i.e., a country outside the European Economic Area), or to an international organisation.
VII. The period for which personal data will be stored, or the criteria for determining this period.
- For the purposes referred to in section II.1, your personal data will be processed for the period of payment service provision and for 13 months from the date when your account was credited following the provided payment service, or for 13 months from the date when the transaction was supposed to be made, and after expiry of this period, for a period indicated by law (including Payment Services Act and tax regulations). In particular, PayPro as a Polish payment institution is obligated to store documents related to payment services provision for 5 years from their creation or receipt.
- For the purpose referred to in section II.2, your personal data will be processed for the period mentioned above, but no longer than the expiry of possible litigation period, i.e., period of limitation of claims, according to the provisions of law. In case the period of limitation of claims expires before the expiry of the period mentioned in the previous section, PayPro will cease to process the personal data for the purpose and in the capacity mentioned here in this section, but may still process your personal data for the purposes and in the capacity described in the first section.
- For the purpose referred to in section II.3, your personal data will be processed for a period necessary for realisation of the purpose, in particular, taking into account the statute of limitations for prosecuting such crimes.
- For the purpose referred to in section II.4, your personal data will be processed for the period dictated by the referenced provisions of the anti-money laundering and counter-terrorism financing law, in particular, the data collected as a result of using security measures will be stored for 5 years from the first day of the year following the date of transaction, and the data on transactions made by obligated institutions and documents connected with these transactions are stored for 5 years from the first day of the year following the last register entry pertaining to the transaction.
- For the purpose referred to in section II.5, your personal data will be processed for the period of providing the payment service and after its completion - for the period specified in the consent, but no longer than until the consent is withdrawn.
- For the purpose referred to in section II.6, your personal data will be processed for a period suitable for the purpose of collection. If, however, additional data were collected for the purposes referred to in sections II.1-II.5, the data will be processed for a period of payment service provision and 10 years from its completion, but no longer than the date of raising a justified objection to such processing.
VIII. Information on the obligation to provide personal data or lack thereof.
You are bound by legal and contractual obligation to provide the data referred to in section II.1. Therefore, in case you fail to provide the data, PayPro will not be able to accept your payment order and provide the payment service.
You are bound by contractual obligation to provide the data referred to in section II.2. Therefore, in case you fail to provide the data, PayPro will not be able to accept your payment order and provide the payment service.
You are bound by legal obligation to provide the data referred to in sections II.3 and II.4. Therefore, in case you fail to provide the data, PayPro will not be able to accept your payment order and provide the payment service.
Providing the data referred to in section II.5 is optional, so you may not provide it and you may not consent to such processing of personal data for marketing purposes. However, if the same personal data is also processed for the purposes described in sections II.1-II.4, you provide them for these other purposes, therefore, failure to provide them has the consequences described above. However, if you provide these data for these other purposes, PayPro will not process it for marketing purposes.
IX. Information on your rights.
- You have the right to demand from the personal data Administrator access to your personal data, including copies of the personal data that is subject to processing. The first copy is free of charge. For any subsequent copies you request, the Administrator may charge a reasonable fee resulting from administrative costs.
- You have the right to demand that the Administrator amend your personal data if they are incorrect, in particular, because they were collected with errors, or because they changed after collection. This right also applies to incomplete data.
- You have the right to demand that the Administrator remove your personal data in the cases specified in the Regulation, i.e., in the following circumstances:
  - your personal data are no longer necessary for the purposes they were collected or otherwise processed, in particular, the time the Administrator planned to or was obliged to process the data has expired;
  - you have revoked your consent (pursuant to the law referred to in section VIII.7), on which data processing is based, unless the Administrator has other legal grounds for processing;
  - you have raised objections to personal data processing (referred to in section VIII.5) and there are no overriding legitimate grounds for the processing;
  - you have raised objections to processing (referred to in section VIII.6);
  - if your personal data was processed unlawfully;
  - if your personal data must be removed for the purpose of fulfilling a legal obligation arising from European Union law or Member State law relevant for the Administrator.
PayPro may deny a justified request to remove the personal data mentioned above in cases specified by law, in particular, if further processing is necessary for fulfilling legal obligations arising from European Union law or Member State law, as well as for establishing, investigating or defending claims.
- You have the right to demand that the Administrator limit processing of your personal data, under conditions specified in the Regulation, i.e.:
  - when you question the accuracy of personal data - for a period enabling the Administrator to verify the accuracy of the data;
  - when data processing is unlawful, and you object to having the data removed, instead demanding that their use be limited;
  - when the Administrator no longer needs the personal data for the purposes of processing, but you need them for establishing, investigating or defending claims;
  - when you have raised objections to the processing referred to in section VIII.5 - until it is determined whether legally justified grounds of the Administrator override the bases for your objection.
- You have the right to raise an objection to your personal data being processed by the Administrator, pursuant to art. 21 (1) of the Regulation, i.e., object on the grounds pertaining to your particular situation - to processing of your personal data based on art. 6 (1) (e) or (f) of the Regulation, including profiling based on these provisions.
For the Administrator, the above right to raise objections refers to personal data processed for the purposes referred to in sections II.2, II.3, II.5 and II.6.
In the event of such an objection, the Administrator may no longer process the personal data, unless he demonstrates the existence of legally valid grounds for processing that override the interests, rights and freedoms of the data subject or grounds for establishing, investigating or defending claims. In particular, further data processing, despite the objection, may stem from purposes referred to in section II.2 and II.3.
- You have the right to raise an objection to your personal data being processed by the Administrator, pursuant to art. 21 (2) of the Regulation, i.e., object to processing of your personal data for direct marketing purposes, including profiling, in the capacity of processing related to direct marketing.
In case this right is exercised, the Administrator may not continue to process your personal data for the purposes of direct marketing.
- You have the right to transfer data. Therefore, you have the right to receive the personal data you provided to the Administrator, in a structured, commonly used machine-readable format, and you have the right to send this personal data to another administrator without any obstacles on the part of the Administrator.
However, this right is restricted to the personal data processed based on your consent or the agreement, and in the capacity in which the data are subject to automated processing (note that according to section IX, PayPro does not process data in any automated way).
When exercising this right, you may demand that your personal data be sent by the Administrator directly to another administrator, if it is technically possible.
- You may withdraw the consent referred to in II.5 at any point. Please be advised that the withdrawal of your consent does not affect the lawfulness of the processing that was carried out on the basis of your consent before the withdrawal.
In the event of consent withdrawal, the Administrator ceases to process your personal data, which are only processed based on the consent. In case your personal data are processed on grounds different than the consent, the Administrator may continue to process them as long as the grounds remain valid.
- You have the right to lodge a complaint to a supervision body, i.e., one of the bodies appointed by particular EU member states in order to monitor the compliance with the Regulation.
The competent supervision body in the Republic of Poland is the President of the Office for Personal Data Protection.
X. Information on automated decision-making, including profiling.
Your data will not be processed in any automated way, including profiling.
XI. Processing for purposes different to those for which the data was collected.
With the exception of section II.6, PayPro does not intend to process your personal data for purposes different to those for which the data was collected.
XII. Data sources.
The Administrator obtains your data primarily from you. However, the Administrator receives some of your personal data from the Merchant as part of the transfer of the payment to be handled by PayPro, initiated on the Merchant's website.
1 Processing of personal data means an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated way, such as collection, recording, organising, storing, adapting or modifying, downloading, browsing, using, disclosing through sending, distributing or otherwise sharing, matching and joining, limiting, removing and destroying.
2 Personal data mean information about an identified or identifiable natural person (the person to whom the data pertains); an identifiable natural person is a person who may be directly or indirectly identified, in particular on the basis of such an identifier as name and surname, ID number, location data, internet ID, as well as one or more particular factors describing physical, physiological, genetic, psychological, economic, cultural or social identity of a natural person.
3 Payer means a person who intends to pay, as well as a person who has just made a payment of a specific amount to the recipient of payment (e.g., an entity owning an online shop in which the Payer purchased goods they wish to pay for or have already paid for) through Przelewy24 Service. The recipient (also referred to as the Merchant) makes available payment methods operated by Przelewy24 service. In order to make the payment, the Payer uses a payment instrument such as electronic banking or his payment card.
4 Merchant means the recipient of the payment made by the Payer to whom PayPro renders payment services through Przelewy24 service.
5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in this document referred to as the Regulation]
6 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [in this document referred to as the Regulation]
7 I.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union affiliation, data on health, genetic code, addictions or sex life, as well as data on convictions, punishment decisions and fines, and also other judgments issued in court or administrative proceedings [Art. 27 sec. 1 of the Act of August 29, 1997 on the protection of personal data.]
8 I.e. personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships and include the processing of genetic data, biometric data for the purpose of unequivocally identifying a natural person, or health data, data concerning a natural person's sex life or sexual orientation [Art. 9 section 1 of the Regulation.]
9 Third party means a natural or legal person, a public administration body or an entity other than a person the data pertains to, a processing entity or persons authorised by an administrator or a processing entity to process personal data. A processing entity means a natural or legal person, a public administration body or another entity that processes personal data on administrator’s behalf.