Privacy Policy: Paytrail Payment Service


28.01.2022

If you are a former Checkout merchant (agreement signed before 5.10.2021), read the Checkout privacy policy.

If you are a consumer and unsure which terms apply to you, please contact us and we will be happy to assist.

This privacy policy also applies to the Online Exclusive powered by Paytrail service.

1. General

This privacy policy provides the information required under the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Finnish Data Protection Act (2018/1050) to both the data subject (the customer of the data controller) and the supervisory authority.

For personal data related to the payer’s transaction, the data controller is the merchant whose online service collects the payer’s information. Paytrail acts as the data processor for the payer’s personal data that the merchant transfers from its online service to Paytrail’s payment service in connection with the transaction. The processing of the payer’s personal data is governed by a separate Data Processing Agreement between the merchant and Paytrail.

During the payment process, Paytrail collects information required to provide the payment service, as well as information necessary to ensure data security. This privacy policy covers these data, which are described in detail in section 6.

2. Data controller

Paytrail Plc, hereinafter referred to as “Paytrail”.

3. Contact person for matters concerning the register

Markku Hänninen
Innova 2
Lutakonaukio 7
40100 Jyväskylä
Finland

Contact Paytrail’s customer service at: https://www.paytrail.com/en/contact

4. Name of the register

Data register for Paytrail’s payment transmission and payment initiation services.

The data subjects in this register are individuals who use Paytrail’s payment services.

5. Purpose and legal basis for processing personal data

Personal data is processed to execute payments as defined in the Payment Services Act, to develop Paytrail’s services, for statistical analysis, for customer service, and to meet obligations arising from legislation or regulatory requirements and guidelines.

The processing of personal data is based on Article 6 of the General Data Protection Regulation (GDPR). The legal bases applied in this register, together with examples of processing under each basis, are outlined below:

Legal basis: Statutory obligation
Example: Act on Preventing Money Laundering and Terrorist Financing; Act on Sanctions. In payment processing, the data controller provides the payer’s or payee’s personal data related to the transaction to the other party of the payment or to that party’s payment service provider, as required by law.

Legal basis: Legitimate interests of the data controller or a third party
Example: The following activities are based on legitimate interest:

  • Provision of the service
  • Service security

6. Register data content

The following information is stored in the register when a payment transaction is created:

  • Payment method
  • Date/time of payment
  • IP address
  • Bank account number*
  • Name**

* Only when paying directly from a bank account
** Only in email refunds and in payment methods that use strong authentication

If the chosen payment method is invoice, a personal identity code is also requested. This code is not stored in Paytrail’s register, but only in the register of the invoice provider. In these cases, the data controller is the invoice provider, and any questions concerning the personal identity code must be directed to the invoice provider’s customer service.


7. Collection of personal data

Personal data is collected automatically when a payment is carried out. By completing the payment transaction, the Customer accepts the use of their data for the purposes described in section 5 of this privacy policy.

8. Regular disclosures of data

Data may be disclosed to authorities in cases required by law, to companies belonging to the same group within the limits permitted by law, and to payment method providers either on a contractual basis or when considered necessary for risk management purposes. The payment method stored in the register may also be made available to the seller of services or products for customer service purposes.

9. International data transfers

Personal data may be transferred outside the European Union (EU) or the European Economic Area (EEA) within the limits permitted by law. Such transfers are made only when appropriate safeguards are in place, including:

A. The country has been recognized by the European Commission as providing an adequate level of protection for personal data.
B. Appropriate safeguards are ensured through the use of the European Commission’s standard contractual clauses for personal data transfers.*

* We make every effort to ensure that the contractual clauses applied by our subcontractors are always the most recent version, in line with GDPR case law.

10. Rights of the data subject

The data subject has the following rights regarding the processing of their personal data.

The data subject has the right to access the personal data stored in the register concerning them. An access request must be submitted in writing or electronically to the contact person for the register referred to in section 3.

An access request may be made free of charge once per year. The data controller may charge a reasonable administrative fee for any additional copies requested by the data subject. The payer’s data is stored per payment transaction and is not updated during the course of the transaction.

The data subject has the right to request the rectification of inaccurate or incorrect personal data and the updating of their data.

The data subject has the right to object to and restrict the processing of their personal data. If the processing of personal data is based on consent, the consent may be withdrawn by notice. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

The data subject has the right to erasure (“the right to be forgotten”). In payment services, data is retained for five years from the date of the transaction for statutory reasons, after which it is automatically deleted or anonymized.

If the data subject believes their personal data has been processed unlawfully, they have the right to lodge a complaint with the supervisory authority.

11. Retention of personal data

Personal data connected to payment information is kept for five years, as required by the statutory obligations that apply to payment institutions.

After the legal obligations related to the payment transaction have expired, the data is automatically deleted or anonymized from the register.

12. Principles of register protection

Data is securely protected electronically, and physical access is both restricted and monitored. Use of the register is limited, and each authorized user has a personal username and password.

Appropriate safeguards are applied to protect personal data from destruction, loss, or unlawful alteration. Paytrail’s employees, as well as the employees of subcontractors involved in processing Paytrail’s service data, are bound by confidentiality obligations regarding all customer information.

The data controller has implemented appropriate technical and organizational measures to ensure data security. Protection of the register includes, among others, the following measures:

  • Protection of equipment and files
  • Access control
  • User authorizations
  • User log data
  • Processing guidelines and monitoring

The data controller also requires subcontractors to apply proper safeguards when processing personal data.