Privacy and Data Protection
Introduction
Worldline is committed to respecting the privacy and protecting the personal data of all individuals whose personal data we collect, use, store or otherwise process. We expect nothing less from our merchants, suppliers and partners.
Purpose of this policy
To facilitate payments and transactions on your behalf, certain personal data that you collect from your customers will unavoidably have to be shared with and disclosed to us. The EU General Data Protection Regulation, as well as other similar international privacy and Cyber Security laws, impose strict rules and demand careful observance of a host of specific obligations whenever you collect, use, and share your customers’ personal data with us. The purpose of this policy is to communicate to you what we expect from our merchants when it comes to the processing and sharing of customers’ personal data.
Scope
Privacy laws set specific duties and obligations for the different key stakeholders involved in the payment process. We want to assist and guide you with the most salient obligations that may concern you as a key stakeholder, while simultaneously informing you of our own requirements for compliance.
Key stakeholders
Merchant (you)
You act as a Data Controller whenever you determine the purposes for which you need to collect and use the personal data of customers (i.e. why) and when you determine the means for collecting and using such personal data (i.e. how). An obvious purpose for which you collect and use personal data about one of your customers would be to share such personal data with us to enable us to facilitate an online transaction between you and the customer.
Payment Service Provider (us)
While we receive personal data about your customers from you in order to facilitate an online transaction on your behalf, we remain a Co-Controller of the personal data received from you. This is because the origin of the data is not decisive in determining our role as Controller. Additionally, the processing of the data is not the target of our services, but simply necessary to carry out our task, which is facilitating online transactions. Moreover, we decide independently from you why we process data, which data have to be processed to provide the service, for how long the data must be stored, and which means we use to provide our services to you, etc.
Apart from facilitating online transactions and payments, we may also use the personal data that we receive from you for other compatible and related purposes such as fraud screening, the reporting of suspicious activities to relevant authorities, or the retention of such personal data in compliance with certain specific laws that may apply to us by virtue of our business or industry. When we collect and use personal data for these additional purposes, we assume the role of Data Controller since we independently from you determine the purposes and the means for which we intend to use such personal data.
Consumer (your client)
Customers are the Data Subjects who provide you with their personal data (such as full names, bank account or credit card details, physical address, etc.) and whose personal data you eventually share with us in order to facilitate the transaction between you and the customer.
Key legal obligations
Privacy laws place various legal obligations on key stakeholders. Generally speaking, as a Data Controller you have to:
- comply with all privacy and data protection laws that may be applicable to you and be able to demonstrate your compliance;
- collect, use and share personal data about your customers lawfully, fairly and in a transparent manner;
- ensure that only personal data that is adequate, relevant and necessary in relation to the purpose is collected;
- embed both security-by-design as well as privacy-by-design-and-by-default into your processes.
More specifically, the duty of transparency means that you are required to provide your customers with an assortment of information in a concise, transparent, easy to understand and accessible format. At the very least, the information listed below must be provided by you to customers at the time when you collect their data. Practically speaking, when a customer navigates to and lands on your secure payment window, they will be prompted to supply the personal data required to conclude the transaction and to facilitate the payment of funds. At this point of the process, you should ensure that your secure payment window contains a link to your Privacy Notice / Statement and that it covers the following topics:
- Your identity and contact details;
- Your data protection officer's contact details (if there is one);
- Both the purpose for which data will be processed as well as the legal basis for processing, including, if relevant, the legitimate interests for processing;
- The recipients or categories of recipients of the personal data (for example, we fall in the category of recipients referred to as payment service providers);
- Details of international transfers;
- The period for which personal data will be stored by you or, if that is not possible, the criteria used to determine this;
- The existence of rights of the customers including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
- Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
- The consequences of failing to provide personal data necessary to enter into a contract;
- The existence of any automated decision making and profiling and the consequences for the data subject;
- In addition, where you intend to process existing data for a new purpose, you must inform your customers of that intended further processing.
Since we are a recipient of your customers’ personal data, your Privacy Notice / Statement must declare that you intend to share their personal data with a third-party payment service provider. We require that you use the following language (or something similar) to inform customers that you will share their personal data with us. In addition, we require that you include a hyperlink to our own Privacy Notice.
Example:
To process payments for your purchases, we may work with third parties that offer payment services. In many cases, those payment service providers also conduct fraud checks and process your data in compliance with other laws that may govern their industry. These payment service providers have their own <privacy policies> that apply to the way they use your personal data.