Data Privacy Notice – Paytrail Payment Service

Your security and privacy are important to us.

January 28th, 2022

If you are an old Checkout merchant customer (agreement entered into before October 5, 2021), see the Privacy policy here.

If you are a consumer and you are not sure which terms apply to you, please contact us, we will be happy to help.

This privacy notice also covers the Online Exclusive powered by Paytrail service.

1. General

This privacy notice provides the information required by the EU's General Data Protection Regulation (EU) 2016/679 (hereafter "data protection regulation") and the national data protection act (2018/1050) to both registrants and the regulatory authority.

For personal data relating to payers' payments, the data controller is the merchant that provides the web service where the personal data is collected. Paytrail acts as data processor for the personal data that is forwarded, together with the payment information, from the merchant's web service to Paytrail's payment service. The processing of payers' personal data is agreed between the merchant and Paytrail in a separate data processing agreement.

During payment, Paytrail collects the information required to provide the payment service and for information security purposes. This privacy notice covers that information, which is specified in detail in part 6.

2. Data controller

Paytrail Plc, hereafter "Paytrail".

3. Contact person regarding registry

Markku Hänninen
Innova 2
Lutakonaukio 7
40100 Jyväskylä

Contact Paytrail’s customer service at:

4. Name of the register

Paytrail Payment Service and Payment Assignment Service information registry

The register's registrants are persons using Paytrail's payment service.

5. Purpose of processing and legal grounds for processing personal data

Personal data is used to process payment assignments as defined in the Payment Services Act, to develop the payment service Paytrail offers, for statistics, for customer service, and to fulfil requirements set by law and by the rules and orders of a lawful public authority.

The processing of personal data is based on Article 6 of the data protection regulation. The lawful bases for processing personal data, with examples of each processing case, are listed below:

Lawful basis: Requirement by law or public authority

Examples: Act on Preventing Money Laundering and Terrorist Financing. Act on sanctions.

In payment mediation activities, the data controller provides the personal data of the payer or payment recipient to the other party or to the provider of the payment service, as required by law.

Lawful basis: Data controller's or third party's legitimate interest

Examples of activity based on legitimate interest:

- Providing the payment service
- IT security of the service


6. Data content of registry

The following information is collected into the register during payment:

- Payment method
- Date/time of payment
- IP address
- Bank account number*
- Name**

* Only for bank account to bank account payments.
** Only for email refunds and payment methods using strong authentication.

If the chosen payment method is invoice, the social security number will be requested. The social security number is not collected into Paytrail's register, only into the register of the invoice service provider. In these cases the data controller is the invoice service provider, and requests concerning personal data relating to the social security number should be addressed to the invoice provider's customer service.

7. Collection of personal data

Personal data is collected automatically during payment. By carrying out a payment, the customer accepts the processing of personal data as described in part 5 of this privacy notice.

8. Data sharing

Personal data may be shared with a public authority when required by law, with companies belonging to the same corporate group within the limits set by law, and with payment method providers on a contractual basis or when deemed necessary for risk management purposes. The payment method information in the register is available to the merchant for customer service purposes.

9. International data transfers

Data may be disclosed outside the EU or the European Economic Area within the limits of the law. Transfers outside the EU/EEA are performed only when the necessary data protection safeguards are in place, such as:

A. The EU Commission has deemed the country to provide an adequate level of protection for personal data.
B. EU model clauses* are used to ensure appropriate data protection measures when personal data is transferred.

*We aim to ensure that the subcontractors we use always apply the latest version of the model clauses, based on GDPR legal practice.

10. Rights of registrant

The registrant has the right to be informed when their personal data is processed.

The registrant has the right to inspect what information about them has been collected into the register. A request to inspect the information must be sent in writing or electronically to the register's contact person named in part 3 of this privacy notice.

A request to inspect the information can be made free of charge once a year. The data controller may charge a reasonable fee for any additional copies of personal data requested. The registrant's data is stored separately for each payment assignment, and the information will not be updated during the payment process.

The registrant has the right to demand the correction of incorrect or faulty personal data and the updating of personal data.

The registrant has the right to object to the processing of personal data and the right to restrict the processing of personal data. If the processing is based on consent, the consent can be withdrawn by notification. However, withdrawal of consent does not prevent the processing of personal data that was collected before the consent was withdrawn.

The registrant has the right to be forgotten. With regard to the payment service, data is stored for five years from the payment, as required by law. After five years, the data is automatically deleted or anonymized.

If the registrant considers that the processing of their personal data is not lawful, the registrant has the right to lodge a complaint with the relevant public authority.

11. Data retention

Personal data concerning payments is stored for five years, based on the requirements set by law for payment institutions.

When the requirements set by law have ended, personal data related to payments is automatically deleted or anonymized.

12. Security principles regarding the register

Personal data is protected with appropriate information security measures, and physical access is restricted and monitored. Use of the register is restricted, and every user of the register has personal access credentials.

Appropriate measures are in place to keep personal data secure from destruction, loss and unlawful modification. Paytrail's personnel and the personnel of its subcontractors are bound by professional confidentiality concerning all customer data.

The data controller has protected the personal data with appropriate technical and organizational measures. The following measures, among others, are taken to protect the register data:

- Securing devices and files
- Access control
- Personal credentials
- Log of user activities
- Instructions for data processing and monitoring of processing
- The data controller requires subcontractors to have appropriate measures in place to protect personal data