Privacy Policy: Paytrail Marketing and Sales Systems

Your security and privacy is important to us.

Privacy Policy: Paytrail Marketing and Sales Systems

28.01.2022

1. General

This privacy policy provides the information required under the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Finnish Data Protection Act (2018/1050) to both registrants and the supervisory authority.

2. Data controller

Paytrail Plc, hereinafter referred to as “Paytrail”.

3. Contact person for matters concerning the register

Markku Hänninen
Innova 2
Lutakonaukio 7
40100 Jyväskylä
Finland

Contact Paytrail’s customer service at: www.paytrail.com/en/contact

4. Name of the register

Data register of Paytrail’s marketing and sales systems.

The register includes representatives of organizations that have a contractual relationship with Paytrail.

5. Purpose and legal basis for processing personal data

Personal data is used for sales, marketing, direct marketing, profiling and targeted marketing to customers, managing and developing customer relationships, conducting surveys, and for statistical purposes.

The processing of personal data is based on Article 6 of the General Data Protection Regulation (GDPR). The legal bases applied in this register, along with examples of processing under each basis, are described below:

 
 

Legal basis

Example

Consent

Direct marketing through electronic channels, for example a newsletter containing marketing content addressed to an individual.

Contact details of persons who have participated in a competition.

Legitimate interests of the data controller or a third party

The following activities are based on legitimate interest: 

  • Maintaining the customer register for sales purposes
  • Direct marketing where applicable

For example, an email sent to a person within an organization who is responsible for the relevant subject matter.

6. Register data content

The following data is stored in Paytrail’s marketing and sales systems:

  • Email address

  • IP address of the data subject

  • Social media profile information *

  • User profile **
  • Paytrail website usage data ***

In addition, the register may include the following information if the individual provides it to Paytrail:

  • First and last name

  • Address details

  • Phone number

  • Company or other organization of the individual

  • Electronic communication with sales

  • Information about mailing list subscriptions

 * Information such as public Facebook, Twitter, and LinkedIn profile details of the individual.
** The marketing system classifies the user profile of the individual, based on which Paytrail’s sales team may contact the person.
*** Website usage data includes visit details on www.paytrail.com, such as which materials have been downloaded and which pages the individual has visited.

7. Collection of personal data

For Paytrail’s customers, the data is obtained directly from the customer when the company or organization they represent enters into an agreement with Paytrail, or when the customer updates their information. By doing so, the Customer accepts the use of their data for the purposes described in section 5 of this privacy policy.

Data provided by the data subject when using the www.paytrail.com website or when contacting Paytrail’s sales team.

8. Regular disclosures of data

Data may be disclosed to authorities in cases required by law and to companies belonging to the same group, within the limits permitted by law. The customer’s contact details stored in the register (name, address, phone number) are available to the seller of the services or products for customer service purposes.

9. International data transfers

Personal data may be transferred outside the European Union (EU) or the European Economic Area (EEA) within the limits permitted by law. Such transfers are made only when appropriate safeguards are in place, including:

A. The country has been recognized by the European Commission as providing an adequate level of protection for personal data.
B. Appropriate safeguards are ensured through the use of the European Commission’s standard contractual clauses for personal data transfers.*

* We make every effort to ensure that the contractual clauses applied by our subcontractors are always the most recent version, in line with GDPR case law.


10. Rights of the data subject

The data subject has the following rights regarding the processing of their personal data.

The data subject has the right to access the personal data stored in the register concerning them. An access request must be submitted in writing or electronically to the contact person for the register referred to in section 3.

An access request may be made free of charge once per year. The data controller may charge a reasonable administrative fee for any additional copies requested by the data subject. The payer’s data is stored per payment transaction and is not updated during the course of the transaction.

The data subject has the right to request the rectification of inaccurate or incorrect personal data and the updating of their data.

The data subject has the right to object to and restrict the processing of their personal data. If the processing of personal data is based on consent, the consent may be withdrawn by notice. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

The data subject has the right to erasure (“the right to be forgotten”). In payment services, data is retained for five years from the date of the transaction for statutory reasons, after which it is automatically deleted or anonymized.

If the data subject believes their personal data has been processed unlawfully, they have the right to lodge a complaint with the supervisory authority.

11. Data retention

Personal data is retained for as long as the data subject remains active. Inactive individuals are deleted after one year of inactivity or upon request.

Customer personal data is deleted one year after the termination of the contractual relationship, unless otherwise agreed.

12. Principles of register protection

Data is securely protected electronically, and physical access is both restricted and monitored. Use of the register is limited, and each authorized user has a personal username and password.

Appropriate safeguards are applied to protect personal data from destruction, loss, or unlawful alteration. Paytrail’s employees, as well as the employees of subcontractors involved in processing Paytrail’s service data, are bound by confidentiality obligations regarding all customer information.

The data controller has implemented appropriate technical and organizational measures to ensure data security. Protection of the register includes, among others, the following measures:

  • protection of equipment and files
  • Access control
  • User authorizations
  • User log data
  • Processing guidelines and monitoring
  • The data controller also requires subcontractors to apply proper safeguards when processing personal data.