This site requires javascript to be enabled.

Privacy Policy
Worldline Connect Home Page
Global Collect (Connect)
Other Worldline developer portals

Results for

Results for Searching
  1. Home
  2. privacy policy
  3. Privacy Policy

Privacy Policy

The Privacy Policy outlines how we collect, use, and protect the information you provide when accessing and using our platform, ensuring transparency and demonstrating our dedication to maintaining the confidentiality of your data. By using our portal, you agree to the practices described in this policy.

Merchant Services Privacy Notice

1. Introduction

Worldline places the highest importance on the protection of Personal Data. The Processing of Data, including Personal Data, is central to its core activities, making compliance with Data Protection Laws a top priority.

This Privacy Notice informs Data Subjects about the purposes, nature, and scope of the various Processing activities Worldline undertakes as a Data Controller.

This Privacy Notice may be supplemented by additional privacy information provided in the context of specific Products and Services or as required by Applicable Laws.

If you are a cardholder, we recommend that you to review the privacy notice of the merchant with whom you engaged in transactions with to understand how they process your personal data.

2. Which Data Subjects does Worldline collect information about?

In the context of providing Merchant Services Worldline processes Personal Data related to its Merchants (to the extent that a Merchant may be considered a Data Subjects under Applicable Laws) and their employees, legal representatives and/or ultimate beneficial owners. Worldline also processes information about its Merchants’ customers and payers (Cardholders), even if there is no direct relationship with them (e.g., when Cardholders performing transactions with Worldline’s Merchants).

Cardholders may choose to share Personal Information directly with Worldline when participating in one of its offers or promotions. In such cases, service-specific privacy information may be provided to the Cardholder.

3. Which categories of personal data does Worldline process?

Worldline Processes the following categories of Personal Data:

  • Personal Data of Cardholders: Identification data (e.g., name, address); Card data (e.g., card/PAN number, expiry date, card type, card issuer); Transaction information (e.g., date, time, amount, currency, authorization code, transaction ID); Account data (e.g., bank account number, issuer); Device information (e.g., IP address, device ID). This information may be collected indirectly through Merchants (e.g., when a Payer performs a transaction at a cooperating Merchant) or via the issuer of the payment instrument (e.g., authorization code or in the case of a chargeback).
  • Personal Data of merchants and their staff: This data may be received directly from Data Subjects (e.g., during the use of Products and Services, day-to-day interactions, and communications), from the Data Subjects’ employer (e.g., contact persons in contracts, lists of legal representatives and ultimate beneficial owners), or from third parties and public sources (e.g., publicly available information, credit scoring agencies, public government registries). This includes:
    • contact information: e.g. name, surname, address, email, telephone number.
    • demographic information: e.g., birth date, gender, country of residence,
    • business information: e.g. job title, company name, merchant ID, terminal ID, tax identification number, merchant category code (MCC), business address, affiliations with the legal entity, including legal representatives and ultimate beneficial owners,
    • identification information: e.g. copies of national ID/passport and other documentation as required by Applicable Laws (including anti-money laundering and counter-terrorism financing laws) for due diligence (AML/KYC);
    • banking, financial, and Transaction Data: e.g. bank account details, revenue, creditworthiness information, transaction history, chargeback volume,
    • information from other sources: e.g. publicly available information (including interactions with Worldline’s social media pages, company registries, regulatory filings), government databases (e.g., lists of sanctioned persons) and information from private sources (e.g. fraud prevention agencies, data brokers, as permitted by Applicable Laws),
    • information collected from websites: e.g. IP address, cookies, website forms. The website’s privacy statement and cookie policy provide additional information on the Processing of Personal Data in this context,
    • preferences: e.g. choices regarding marketing communications, purchasing history, language preferences and
    • special categories of Personal Data: e.g. biometric data (if allowed by Applicable Law or with explicit consent), data revealing political opinions (e.g. if a person is listed as a politically exposed person, as required for compliance obligations).
4. Why does Worldline process Personal Data?

Worldline Processes Personal Data for the following purposes:

  • to process Transactions and comply with obligations as a regulated financial institution,
  • when necessary for the performance of the Agreement or to enter into an Agreement with the Merchant, including providing Products and Services, managing the Merchant relationship, responding to information requests, administering the merchant account, onboarding customers, making commercial offers, invoicing, providing security alerts and sharing transaction information,
  • for operational, regulatory, and administrative reporting,
  • to prevent money laundering and terrorism financing, as mandated by Applicable Laws in the public interest,
  • to manage risk, detect and prevent fraud, and ensure the security and continuity of operations to comply with Applicable Laws and industry standards. This includes conducting fraud and risk analysis, updating Special Registers, auditing systems, and using real-time data to monitor performance and compliance with service level agreements and regulatory requirements,
  • to analyse and improve Products and Services, develop new Products and Services, and deliver them efficiently and sustainably (this may involve assessing the time required to fulfil Merchant requests and evaluating service availability to enhance performance for internal or external use, benchmarking) based on Worldline’s legitimate interest in quality improvement and meeting Merchant and market expectations and requirements,
  • for market analysis, creating and providing information services, business intelligence and research, including analysing transaction data (to generate statistics, aggregated reports, and market trend analyses. Worldline shall implement appropriate technical and organisational measures (e.g. pseudonymisation, anonymisation) to protect Data Subjects' rights and freedoms,
  • to comply with its obligations under Applicable Laws (e.g. AML & KYC, tax, competition, labour, accounting laws),
  • when requested by any judicial or governmental authority with jurisdiction over Worldline or its Affiliates, and,
  • to enforce the Agreement and other rights, based on Worldline’s legitimate interest in protecting its assets and addressing any damage caused by Data Subjects.
  • If Worldline is unable to guarantee that Personal Data will be processed for the purposes outlined in this Privacy Policy or similar purposes aligned with the reasonable expectations of Data Subjects, it will obtain the freely given, informed, specific, and unambiguous consent of the Data Subjects. Data Subjects have the right to withdraw their consent at any time.
5. Who does Worldline share Personal Data with?
  • Worldline will share Personal Data with its Affiliates, financial institutions, Payment Schemes, and other entities involved in processing Transactions. For example, during Transaction processing, Worldline may transfer data to third parties, such as the merchant, the issuer of the payment means, and the relevant Payment Scheme, to complete the transaction. In this context, Worldline may transfer Personal Data outside the European Economic Area when necessary for transaction processing (e.g. if the issuing bank, Payment Scheme, or payment recipient is located in a third country). In such cases, these third parties act as independent Data Controllers, and Worldline recommends that Data Subjects carefully review their privacy notices to understand how their Personal Data will be processed.
  • Worldline will share Cardholders’ and Transaction information with the Merchant and the Merchant’s service providers when necessary to provide information about executed Transactions (e.g. authorization response codes, information needed to complete refunds), to detect and prevent fraud, and to demonstrate compliance with its contractual obligations.
  • Worldline will share Personal Data with other Worldline Group Members, located inside or outside of the EEA, for: operational, regulatory, compliance, and reporting purposes on the basis of its legitimate interest to ensure e.g. continuity, security, compliance, efficiency, reduction of friction, and cost reduction. For example, for security, efficiency, purposes Worldline may use common infrastructure and IT systems (e.g. hosting servers, backup systems, central customer databases) or some functions may be centralised, (e.g. finance, legal, internal audit, communication, customer service, IT and security) for which employees of other Worldline Affiliates than the legal entity with the Agreement was signed requires access to Personal Data.
  • Worldline will share Personal Data with professional advisors and third-party providers that assist with regulatory, compliance and operational tasks (e.g. agencies for fraud prevention, monitoring, detection, and analysis, as well as risk and credit reference agencies, anti-money laundering check service providers, lawyers, accountants, debt collectors, external auditors, and insurance providers).
  • Worldline will also share Personal Data with other entities (Data Processors) that Process Personal Data on its behalf, following Worldline’s instructions (e.g., customer support agencies, hosting providers, technical processing providers, advertising agencies). Worldline will ensure these entities provide adequate guarantees for the protection of Personal Data and are bound by written agreements to secure the Personal Data and protect individuals' rights and freedoms.
  • Worldline will share Personal Data with Affiliates and business partners when combining its Products and Services to execute agreements, ensure quality, and uphold commercial interests of the parties while complying with applicable standards and obligations. For instance, if Worldline acts as a reseller for a third party or Affiliate’s Products and Services or collaborates with a business partner, it may transfer Personal Data to fulfil the agreement (e.g., contract execution, compensation calculations). Additionally, Worldline may be required to share Personal Data with Payment Schemes as mandated by their rules.
  • Worldline may disclose Personal Data to public authorities, government agencies, and judicial authorities (i) when required by law or legal process, (ii) when it believes disclosure is necessary to prevent harm or financial loss, (iii) in connection with investigations of suspected or actual fraudulent or illegal activity, or (iv) when necessary for Worldline to defend itself against claims.
  • Applicable Anti-Money Laundering Laws authorise Worldline to share information about suspicious reported transactions with its Affiliates, including branches located in the European Economic Area or third countries (subject to Worldline group policies and Applicable Laws) and other financial institutions involved in the same transaction with the same customer.
  • Worldline may disclose Personal Data in the event of a change in its legal or internal structure, such as a merger, reorganisation, acquisition, joint-venture, or bankruptcy. In such cases, Personal Data will be transferred to the newly formed entity or the new owner of Worldline.
  • Worldline may anonymise Personal Data and share aggregated reports on the payment industry market with business partners, provided that it has reasonably ensured that Data Subjects cannot be identified, and that further processing of these reports will not negatively impact them.
6. International Data Transfers

Worldline may transfer Personal Data to third parties (as outlined in the section “Who does Worldline share Personal Data with?”) located in countries other than where the data was collected, including those outside the European Economic Area (EEA) where data protection and privacy laws may not be equivalent to those in the EEA, such as Australia, India, the USA, Brazil, Armenia, and Morocco.

When transferring Personal Data to countries outside the EEA or to those not recognized by the European Commission as having adequate protection, Worldline will implement adequate safeguards to ensure compliance with applicable legislation (e.g., Standard Data Protection Clauses approved by the European Commission under Article 46 of the GDPR).

For further information, please contact Worldline using the contact details provided below.

7. How to exercise Data Subjects Rights

As Data Subjects, Cardholders, Merchants, and their staff have rights under Applicable Laws, including the right to information, access, rectification, erasure, restriction of processing, objection to processing, and data portability. Requests can be directed to Worldline’s Merchant Services Data Protection Office at using our online form to protect privacy, Worldline will verify the identity of Data Subjects before addressing any requests.

Please note, with respect to exercising Data Subjects Rights:

  • if you are a Cardholder: Worldline may not be able to identify Cardholders based on information received indirectly from Merchants during transaction processing. For this reason, Worldline advises Cardholders to directly contact the Merchant to exercise their rights,
  • for processing of Personal Data based on Worldline’s legitimate interests, including profiling and direct marketing: Data Subjects have the right to object at any time, citing their particular situation, by contacting Worldline using the contact details provided above. Worldline will cease processing unless it can demonstrate compelling legitimate grounds that override the Data Subjects' interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims,
  • for processing of Personal Data based on consent: Data Subjects may withdraw their consent at any time by contacting Worldline using the contact details provided above, with the withdrawal being effective only for future processing,
  • under Applicable laws, Worldline may be prohibited from disclosing certain information to Data Subjects (e.g., regarding money laundering or terrorist financing analysis or reporting, tax law investigations, or compliance with the EU Directive on security of network and information systems (NIS) and the implementing national laws),
  • Data Subjects whose Personal Data is processed under Anti-Money Laundering laws may not have the following rights: (i) access to, and correction of, their data, (ii) right to be informed about the processing (iii) right to erasure, (iv) right to data portability, (v) right to object, (vi) right not to be profiled. National laws may provide alternative mechanisms for exercising these rights.
  • Data Subjects have the right to lodge a complaint with the competent supervisory authority if they believe any processing by Worldline is non-compliant with applicable legislation or if their requests have not been adequately addressed by Worldline. Complaints can be filed with the supervisory authority in the Member State of the Data Subject's habitual residence, workplace, or place where the alleged infringement occurred.
8. Call recording

Worldline may monitor and record calls made to or from its representatives to verify commercial commitments, resolve misunderstandings, provide training, and for evidential purposes. Worldline’s monitoring staff may listen to calls live or review recordings. Merchants are responsible for informing their staff about this practice. Data Subjects can refuse the recording or monitoring of their telephone conversations on a call-by-call basis.

9. Does Worldline carry out automated decision making?
  • Transaction Processing
Worldline may process Transactions partially through automated means, which is necessary for fulfilling the Agreement with the Merchant. The processing of Cardholders’ data in this context is based on legal and contractual obligations of both Worldline and the Merchant.

If a Transaction was not initiated by the Cardholder, Merchants should follow the refund process by contacting Worldline, while Cardholders can initiate a Chargeback process with their issuer in accordance with PSD2, Payment Scheme rules, and the Agreement.

 

  • Fraud Management
Worldline may use automated decision-making for purposes such as fraud detection, analysis, and monitoring. This may involve defining specific parameters that could indicate an electronic payment transaction as fraudulent (e.g., based on amount, origin, or Transaction volume). Additionally, to comply with Applicable Laws, including Anti-Money Laundering Laws, Worldline may use automated decision-making to determine whether to enter into an agreement (e.g. checking if a counterparty's name appears on a government sanctions list). In such cases, Data Subjects have the right to request human intervention from Worldline, express their viewpoint, and contest the decision.
10. How long does Worldline keep personal data? (Data Retention)
Worldline will retain Personal Data as long as necessary to deliver Products and Services during and after its contractual relationship with the Merchant, in accordance with industry standards and Applicable Laws. For example, transaction information may be retained for up to 10 years after the transaction date, and merchant information may be kept for up to 10 years after contract termination, as defined by Anti-Money Laundering Laws, tax law, and contractual law.

Worldline may also retain data based on its legitimate business interests, unless prohibited by law. For instance, Worldline may continue to contact Data Subjects for a period after the contract ends, unless consent is withdrawn, or objections are made against marketing communications.

Worldline will make reasonable efforts to dispose of personal information that is no longer required.

11. How does Worldline protect personal data? (Security)

Worldline implements appropriate technical and organizational measures to safeguard Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and other unlawful Processing, in compliance with applicable laws. Worldline also adheres to the Payment Card Industry Data Security Standard (PCI/DSS). A detailed list of these measures can be found on Worldline’s website.

12. Does a merchant need to provide Personal Data to Worldline?
The Products and Services provided by Worldline require the processing of Personal Data. Without this data, Worldline cannot enter, perform, or terminate agreements with a Merchant. Personal Data necessary for commencing, executing, and terminating the contractual relationship as well as for compliance with applicable laws (including KYC obligations) must be provided.

13. Contact details

For further information, requests, or complaints regarding the processing of Personal Data, please contact Worldline’s Merchant Services Data Protection Office using our online form or via email at one of the email addresses available in Worldline’s group privacy notice.

14. California residents

This Privacy Notice also applies to residents of California, subject to the California Consumer Privacy Act (CCPA), with the following clarifications:

Sections 2 – 4 and 8 - 11. of this notice provide information on the categories, sources and purposes for which Worldline may have processed your Personal Information (referred to as Personal Data) over the past 12 months, including third parties with whom Worldline may have shared your Personal Data.

You have the right, subject to applicable limitations, to request disclosure of: (i) the categories of Personal Information collected about you and their sources; (ii) the specific pieces of Personal Information collected; (iii) the business or commercial purpose for collecting your Personal Information; and (iv) the categories of Personal Information shared or disclosed, along with the categories of third parties involved in the past 12 months. You also have the right to request deletion of your Personal Information, subject to certain exceptions. Additionally, you have the right not to be discriminated against in pricing or services for exercising any of your rights under the CCPA. Worldline does not offer financial incentives or differences in pricing or services in exchange for the retention or sale of Personal Information.

To exercise your rights, please contact Worldline using the details provided in the section “How to Exercise Data Subjects Rights” of this Privacy Notice."

15. Updates to the Privacy notice

Worldline may update this Privacy Notice periodically to provide Data Subjects with current and transparent information about its data processing activities. Worldline will take reasonable measures to communicate these updates, such as posting the notice on its website, sending emails or postal notifications, or using messages in the merchant intranet. Cardholders can access the latest version of this Privacy Notice on our website or by requesting it from the Merchant at any time.