Data Privacy Notice – Paytrail Marketing and Sales Systems

Your security and privacy are important to us.

January 28th, 2022

1. General

This privacy notice provides the information required by the EU General Data Protection Regulation (EU) 2016/679 (hereinafter “data protection regulation”) and the national data privacy law (2018/1050) to both registrants and the regulating authority.

2. Data controller

Paytrail Plc, hereinafter “Paytrail”.

3. Contact person regarding registry

Markku Hänninen
Innova 2
Lutakonaukio 7
40100 Jyväskylä

Contact Paytrail’s customer service at:

4. Name of the register

Paytrail Customer Management Systems Data Registry.

The register’s registrants are representatives of merchant customers and persons who are targets of sales and marketing activities.

5. Purpose of processing and legal grounds for processing personal data

Personal data is processed for sales, marketing, direct marketing, profiling and targeting of marketing to customers, managing and developing customer relationships, and carrying out questionnaires and statistics.

Processing of personal data is based on Article 6 of the data protection regulation. The lawful bases for processing personal data and examples of each processing case can be found below:

Lawful basis



Direct marketing via electronic media, for example a newsletter with marketing content sent to a person.

Contact information of persons participating in a contest.

Data controller’s or third party’s legitimate interest

Activity based on legitimate interest:

- Maintaining customer registry for sales activities
- Direct marketing on relevant parts

Email sent to the person in an organization who is in charge of relevant issues.

6. Data content of registry

Personal data stored in Paytrail’s marketing and sales system:

- Email address
- IP address
- Social media profile information *
- User profile **
- Activity on Paytrail’s web pages ***

In addition, the registry might include the following information, if the person provides that information to Paytrail:

- First name
- Last name
- Address information
- Phone number
- Registrant’s company or other organization
- Information about joining mailing lists

* For example, information about the registrant’s public Facebook, Twitter and LinkedIn profiles.
** The marketing system classifies the registrant’s user profile, which may lead Paytrail’s sales to contact the registrant.
*** Web page user information contains -web page visitor information, such as what materials the registrant has downloaded and what pages the registrant has visited.

7. Collection of personal data

Paytrail’s customer data is provided by the customer, either when the company represented by the person enters into a contract with Paytrail or when the customer modifies the information provided. By performing these acts, the customer accepts the processing of personal data in the manner set out in part 5 of this privacy notice.

Information is provided by the registrant when the registrant uses -web pages or contacts Paytrail’s sales.

8. Data sharing

Personal data can be shared with a public authority when required by law, and with companies belonging to the same corporate group within the limitations set by law. Data stored in this registry may be provided to a salesperson of Paytrail’s products and services for customer care purposes.

9. International data transfers

Data may be disclosed outside the EU or the European Economic Area within the limits of the law. Transfers outside of the EU/EEA area are only performed when the necessary data protection guarantees are in force, such as:

A. The country is deemed by the EU Commission to have an adequate level of data protection for personal data
B. EU model clauses* are used to assure the data protection methods in use when personal data is transferred.

* We aim to make sure that the subcontractors we use always have the latest version of the model clauses in use, based on the legal practice of the GDPR.

10. Rights of registrant

The registrant has the right to be notified when personal data is processed.

The registrant has the right to inspect what information regarding the registrant has been collected in the register. A request to inspect information must be sent in written form or electronically to the contact person of the data registry named in part 3 of this privacy notice.

A request to inspect information can be made free of charge once a year. The data controller can request a moderate fee for any additional copies of personal data requested. The registrant’s data is stored separately based on payment assignment, and the information will not be updated during the payment process.

The registrant has the right to demand correction of incorrect or faulty personal data and updating of personal data.

The registrant has the right to object to the processing of personal data and the right to restrict the processing of personal data. If data processing is based on consent, the consent can be withdrawn by notification. However, withdrawal of consent does not prevent processing of personal data that was collected before the consent was withdrawn.

The registrant has the right to be forgotten. In relation to the payment service, data is stored for five years from the payment, as required by law. After five years, the data is automatically deleted/anonymized.

If the registrant deems that the processing of personal data is not lawful, the registrant has the right to make a complaint to the relevant public authority.

11. Data retention

Personal data is stored as long as the registrant is active. Inactive registrants will be removed after one year of inactivity or by request.

Customer personal data is removed one year after the contractual relationship has ended, unless otherwise agreed.

12. Security principles regarding the register

Personal data is protected with appropriate information security measures, and physical access is restricted and monitored. Use of the registry is restricted, and every user of the register has personal access credentials.

Appropriate measures are used to keep the personal data secure from destruction, loss and unlawful changes. Paytrail’s personnel and the personnel of subcontractors are bound by professional confidentiality concerning all customer data.

The data controller has protected the personal data with appropriate technical and organizational measures. The following measures, among others, are taken to protect registry data:

- Securing devices and files
- Access control
- Personal credentials
- Log of user activities
- Instructions for data processing and monitoring of processing
- The data controller requires subcontractors to have appropriate measures in place to protect personal data