Data Privacy Notice – Paytrail Customer Support Systems

Your security and privacy is important to us.

Data Privacy Notice – Paytrail Customer Support Systems

January 28th, 2022

1. General

This privacy notice provides information required by EU’s General data protection regulation (EU) 2016/679 (later data protection regulation) and national data privacy law (2018/1050) to both registrants and regulating authority.

2. Data controller

Paytrail Plc, later ”Paytrail”.

3. Contact person regarding registry

Markku Hänninen
Innova 2
Lutakonaukio 7
40100 Jyväskylä

Contact Paytrail’s customer service at:

4. Name of the register

Paytrail Customer Support Systems’ Data Register.

Register’s registrants are representatives of Paytrail’s merchant customers, consumers and representatives of corporate bodies, that require help concerning Paytrail’s services.

5. Purpose of processing and legal grounds for processing personal data

Personal data is processed to operate and improve customer service, develop services, support invoicing and statistical purposes.

Processing of personal data is based on data regulation’s article 6. Lawful basis for processing personal data and examples of each processing case can be found below:

Lawful basis



When using support services, person consents to processing of his personal data, so support can be provided.

When customer contacts support, consent for data processing is required.

Data controller’s or third party’s legitimate interest

Activity based on legitimate interest:

- Retention of support request content and personal data related to it.

Support request content is stored, so Paytrail can validate, what actions have been completed due to support request.


6. Data content of registry

Personal data of representative of Company or Organization or Consumer.

Paytrail’s customer support systems store following data:

- Name
- Email address
- Content of electronic communications

7. Collection of personal data

Personal data is provided by the person using the support service, as person contacts Paytrail’s customer service, or when person replies to Paytrail’s communication. Performing these acts, person accepts processing of personal data in manner set by part 5 of this privacy notice.

8. Data sharing

Personal data can be shared to public authority when required by law and to companies belonging to same corporation group within limitations set by law. Data stored to this registry may be provided to sales person of Paytrail’s products and services for customer care purposes.

9. International data transfers

Data may be disclosed outside the EU or the European Economic Area within the limits of the law. Transfers outside of EU/ETA area are only performed, when necessary data protection guarantees are in force, such as:

A. Country is deemed to have good enough data protection level for personal data by the EU commission
B. EU model clauses* are used to assure data protection methods in use when personal data is transferred.

*We aim to make sure, that subcontractors we use always have the latest version of model clauses in use based on legal praxis of GDRP.

10. Rights of registrant

Registrant has right to be notified when personal data is processed.

Registrant has right to inspect what information regarding registrant is collected to the register. Request to inspect information must be sent in written form or electronically to contact person of data registry found from part 3 of this privacy notice.

Request to inspect information can be done free of charge once in a year. Data controller can request moderate fee for any additional copies of personal data requested. Registrant’s data is stored separately based on payment assignment and the information will no be updated during payment process.

Registrant has right to demand correction of incorrect or faulty personal data and updating of personal data.

Registrant has right to object processing of personal data and right to restrict processing of personal data. If data processing is based on consent, it can be withdrawn by notification. However, withdrawal of consent does not prevent processing of personal data, that has been collected before consent was withdrawn.

Registrant has right to be forgotten, relating to payment service, data is stored for five years from the payment based on requirement by law. After five years, the data is automatically deleted/anonymized.

If registrant deems that the processing of personal data is not lawful, registrant has the right to make complaint to a relevant public authority.

11. Data retention

Personal data is stored three years from latest support request, followed by automatic deletion from the system.

12. Security principles regarding the register 

Personal data is protected with appropriate information security measures and physical access is restricted and monitored. Use of registry is restricted and every user of register has personal access credentials.

Appropriate measures are used, that keep the personal data secure from destruction, from being lost and unlawful changes. Paytrail’s personnel and personnel of subcontractors have professional confidentiality concerning all customer data.

Data controller has protected the personal data with appropriate technical and organizational measures. Following measures, among others, are taken with protection of registry data:

- Securing devices and files
- Access control
- Personal credentials
- Log of user activities 
- Instructions for data processing and monitoring of processing
- Data controller requires subcontractors to have appropriate measures to protect personal data