Data Privacy Notice – Paytrail Customer Management Systems
Your security and privacy is important to us.
Data Privacy Notice – Paytrail Customer Management Systems
January 28th, 2022
This privacy notice provides information required by EU’s General data protection regulation (EU) 2016/679 (later data protection regulation) and national data privacy law (2018/1050) to both registrants and regulating authority.
2. Data controller
Paytrail Plc, later ”Paytrail”.
3. Contact person regarding registry
Contact Paytrail’s customer service at: www.paytrail.com/en/contact
4. Name of the register
Paytrail Customer Management Systems Data Registry.
Register’s registrants are representatives of customer entities that have contract with Paytrail.
5. Purpose of processing and legal grounds for processing personal data
Personal data is processed to provide for creation and delivery of agreed services to customer, development of services, invoicing, management and development of customer relationship, and statistical purposes.
Processing of personal data is based on data regulation’s article 6. Lawful basis for processing personal data and examples of each processing case can be found below:
Data controller’s or third party’s legitimate interest
Activity based on legitimate interest:
|Requirement by law or public authority
Act on Preventing Money Laundering and Terrorist Financing. Act on sanctions.
6. Data content of registry
Personal data of representative of Company or Organization.
Paytrail’s customer support systems store following data:
- Name of representative
- Email of representative
- Phone number of representative
- Electronic communications with support and sales
- Social security number *
- Person data from beneficial owners and persons in charge of the company **
* Social security number will be stored from person who signs the contract with Paytrail, in addition, information is gathered from persons in charge and beneficial owners, depending on company form.
** Suomen Asiakastieto ltd. Provides automatically following information: social security number, name, citizenship, residene, position in company, number of stock or ownership portion, new default notes. Information gathered depends on company form and changes in persons in charge and beneficial owners.
7. Collection of personal data
Customer data is provided by the customer or when the company represented by the person enters contract with Paytrail or when customer modifies information provided. Performing these acts, customer accepts processing of personal data in manner set by part 5 of this privacy notice.
8. Data sharing
Personal data can be shared to public authority when required by law and to companies belonging to same corporation group within limitations set by law. Data stored to this registry may be provided to sales person of Paytrail’s products and services for customer care purposes.
9. International data transfers
Data may be disclosed outside the EU or the European Economic Area within the limits of the law. Transfers outside of EU/ETA area are only performed, when necessary data protection guarantees are in force, such as:
A. Country is deemed to have good enough data protection level for personal data by the EU commission
B. EU model clauses* are used to assure data protection methods in use when personal data is transferred.
*We aim to make sure, that subcontractors we use always have the latest version of model clauses in use based on legal praxis of GDRP.
10. Rights of registrant
Registrant has right to be notified when personal data is processed.
Registrant has right to inspect what information regarding registrant is collected to the register. Request to inspect information must be sent in written form or electronically to contact person of data registry found from part 3 of this privacy notice.
Request to inspect information can be done free of charge once in a year. Data controller can request moderate fee for any additional copies of personal data requested. Registrant’s data is stored separately based on payment assignment and the information will no be updated during payment process.
Registrant has right to demand correction of incorrect or faulty personal data and updating of personal data.
Registrant has right to object processing of personal data and right to restrict processing of personal data. If data processing is based on consent, it can be withdrawn by notification. However, withdrawal of consent does not prevent processing of personal data, that has been collected before consent was withdrawn.
Registrant has right to be forgotten, relating to payment service, data is stored for five years from the payment based on requirement by law. After five years, the data is automatically deleted/anonymized.
If registrant deems that the processing of personal data is not lawful, registrant has the right to make complaint to a relevant public authority.
11. Data retention
Personal data will be removed one year after end of contractual relationship, if allowed by regulations, if no other agreement has been made. Otherwise, information is removed after regulation based requirements have ended.
12. Security principles regarding the register
Personal data is protected with appropriate information security measures and physical access is restricted and monitored. Use of registry is restricted and every user of register has personal access credentials.
Appropriate measures are used, that keep the personal data secure from destruction, from being lost and unlawful changes. Paytrail’s personnel and personnel of subcontractors have professional confidentiality concerning all customer data.
Data controller has protected the personal data with appropriate technical and organizational measures. Following measures, among others, are taken with protection of registry data:
- Securing devices and files
- Access control
- Personal credentials
- Log of user activities
- Instructions for data processing and monitoring of processing
- Data controller requires subcontractors to have appropriate measures to protect personal data