- “Polskie ePłatności”, “Acquirer”, “Controller”, “we”, “us”, “ours” – Polskie ePłatności Sp. z o.o., a limited liability company incorporated and operating under the laws of the Republic of Poland, with its registered office: Tajęcina 113, 36-002 Jasionka, Poland, registered under KRS number 0000227278, NIP 586-214-10-89, REGON 220010531, with a share capital amounting to PLN 12.000.000.
- personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Customer – a person who pays for goods or services offered by the Merchant on Merchant’s website.
- Merchant – an entrepreneur who is a natural person, legal person or other entity having legal capacity that (i) sells goods and/or services over the Internet and (ii) has signed the Agreement with Acquirer.
- Merchant Account – means a subpage of Acquirer’s IT system assigned to the Merchant which it may access via https://merchant.pep.pl only with the use of a correct login and password; the Merchant Account is also a clearing account and an administrative panel, which allows the Merchant to manage its data connected with Payments and enables Acquirer to communicate with the Merchant; the Merchant Account can, at the same time, be a settlement/current account where Acquirer renders Acquiring Services for the benefit of the Merchant.
- Payment Gateway – means a functioning software that is linked with authorization and clearing centers, acquiring banks and other financial institutions, and enables transfer of data to their information systems where online payment transactions (such as credit card payments, MOTO and online payments, recurring payments) initiated by the Customers.
- Intermediary Institution – institution which participates in the process of transferring Customer’s financial funds in favor of the Merchant in order to execute a Payment, especially a bank, acquiring and clearing center, payment service provider, Card Associations such as MasterCard, American Express, JCB, Diners Club, electronic money institution.
II. General provisions
- Acquirer fully supports the necessity to protect your privacy at all times when you are visiting our websites or using our services via such websites or through any other means.
- “We”, “Polskie ePłatności” and “Acquirer” mean the same thing. “You” and “Customer” mean the same thing. “Merchant Account” means an account created by Acquirer that allows you to view transaction data from the Customer’s merchant account.
III. Information on processing and protection of personal data
- The controller of Personal Data of the Merchant, the Merchant’s Account, the Payment Gateway, persons representing the Merchant and Customers’ data within the meaning of Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: “GDPR”) is Polskie ePłatności Sp. z o.o. z o.o. with its registered office in Tajęcina 113, 36-002 Jasionka, Poland, register under the number KRS 0000227278, NIP 586-214-10-89, REGON 220010531 hereinafter referred to as “Acquirer”.
- Acquirer, acting as an controller of personal data under GDPR, i.e. an entity determining purposes and means of personal data processing, will process your personal data for the following purposes and on the following legal grounds:
- the personal data of the Merchant, i.e. the natural person running a business – pursuant to Article 6(1)(b) of the GDPR, prior to the conclusion of the contract, i.e. the present you an offer of our product or service requested and in order to perform the contract;
- personal data of the Merchant, i.e. a natural person conducting business activity pursuant to Article 6 paragraph 1 letter b) of GDPR, in order to perform the contract;
- personal data of the Merchant, i.e. a natural person conducting business activity pursuant to Article 6(1)(c) of the GDPR, in order to meet the requirements of the law (including tax and accounting legal regulations);
- personal data of the users of the Merchant’s Account, pursuant to Article 6(1)(f) of GDPR, i.e. on the basis of Acquirer’s legitimate interest in taking actions necessary to perform the agreement concluded with the Merchant;
- personal data of persons representing the Merchant pursuant to Article 6(1)(f) of the GDPR, i.e. on the basis of Acquirer’s legitimate interest in order to secure unimpeded contact during the performance of the agreement concluded with the Merchant,
- personal data of the Merchant’s Customers pursuant to Article 6(1)(f) of the GDPR Act – i.e. on the basis of Acquirer’s legitimate interest in taking actions necessary to perform the contract with the Merchant.
- personal data of the Merchant’s Customers (Processed in connection with the execution of payments) pursuant to Article 6(1)(b) of the GDPR – in order to execute a transaction executed on behalf of the Merchant.
- personal data of the Merchant’s Customers (available in the Merchant’s Account (processed after payment) pursuant to Article 6(1)(c) of GDPR – in order to fulfil the legal obligation imposed on Acquirer pursuant to the regulations on counteracting money laundering.
- personal data of new users of the Merchant’s Account, created and invited or instructed by the Merchant, will be held pursuant to Article 6(1)(b) of the GDPR, in order to perform the contract.
- We may also process your personal data on the basis of Article 6(1)(f) of the GDPR for the purpose:
- provide full support, including technical troubleshooting and feature provision,
- contact, in particular for purposes related to the provision of services, service, permitted marketing and advertising activities,
- carry out studies and analyses to improve the performance of the services available,
- to enforce compliance with the Agreement concluded between Polskie ePłatności and Merchant,
- analytical and statistical.
- Categories of personal data:
- within the framework of creating and inviting new users of the Merchant’s Account, Acquirer will process the following personal data: name and surname and e-mail address of the new user
- within the framework of information on the Merchant’s Account on payments made: country, IP address, information on payment method, information on card issuer, card number (partially encrypted), card expiry date, name and surname of the cardholder.
- Special categories of personal data. Please mind that personal data of Merchant’s Customers relates to the product or service purchased and which may reveal specific categories of personal data (e.g. political opinions, health data). We will process such personal data pursuant to Article 9(2)(f) of the GDPR, i.e. for the establishment, exercise or defence of legal claims, e.g. to handle the chargeback process.
- The Merchant acknowledges and accepts that with respect to the personal data indicated in Clause III sec. 2 above, Acquirer may also process them to the extent necessary to prevent, investigate and detect online payment fraud by the competent authorities on the basis of legitimate anti-money laundering and anti-terrorist financing obligations.
- Personal data may be transferred to the following recipients:
- persons authorized by Acquirer, employees and co-workers who must have access to data in order to perform their duties,
- processing entities commissioned by Acquirer to perform certain outsourced services, e.g. IT system service companies, companies providing hosting servers, Acquirer subcontractors, including companies providing debt collection or accounting services,
- Intermediary Institutions – for the purpose of providing Acquirer’s payment services and other duties set out in the Agreement.
- In case of personal data of the users of the Merchant’s Account, Acquirer and the Merchant shall remain independent data controllers. The Merchant is the data controller of the Payment Gateway users, i.e. Merchant’s employees, and processes this data on the basis of Article 6(1)(f) in order to properly perform the contract with his customers and verify the activities of Merchant’s personell.
- The period of data processing shall depend on the purpose of the processing. If the basis for processing is the conclusion and implementation of the agreement, the data will be processed until the termination of the agreement. Where the basis for the processing is the legitimate interest of the controller, the data shall be processed for a period sufficient to enable the exercise of that interest or to raise an objection, which shall be recognised by the controller. With regard to personal data that we process on the basis of your consent – we are entitled to process with our consent until your consent is revoked. The processing period may be extended if the basis for processing is investigation and defence against claims and if processing is necessary to fulfill a legal obligation of the controller, e.g. archiving purposes, related to the fulfilment of obligations related to the payment of taxes and keeping tax books.
- Due to the processing of personal data by Acquirer, you have rights to:
- access to the content of your personal data and the rectification, erasure or restriction of their processing,
- request the deletion of personal data, except when their processing is necessary to comply with a Acquirer’s legal obligation and to establish, enforce or defend claims by Acquirer,
- object to the processing of personal data for the purposes of Acquirer’s legitimate interests,
- lodge a complaint to the supervisory authority (the President of the Office for Data Protection: “Prezes Urzędu Ochrony Danych Osobowych”), if the processing of personal data violates the regulations of the GDPR.
- Voluntary submission of data:
- Contact forms: providing us with your personal data in order to accept a request or enquiry is voluntary. However, if you do not provide us with your details, which are marked as obligatory in the forms, handling of your request or enquiry will not be possible.
- Test Account/Merchant Account: providing us with your personal information in order to set up a Test Account or Merchant Account is voluntary. However, if you do not provide us with your details, we will not be able to create such account for you.
- Newsletter: providing us with your data in order to receive the newsletter is voluntary. however, if you do not provide us with your personal data, it will not be possible for you to receive the Newsletter.
- Contract conclusion and identification: providing us with your personal data for the purpose of concluding a contract is voluntary. However, if you do not provide us with your details required to conclude a contract, we will not be able to enter a valid contract with you and carry out the legally required identity verification process.
- Payment Gateway: providing us with your personal data is voluntary. However, if you do not provide us with your details, we will not be able to process your payment.
- Personal data may be transferred outside the European Economic Area. If such a transfer takes place, we will take reasonable steps to ensure appropriate data protection safeguards, in particular:
- transfer to countries for which the European Commission has issued an adequacy decision,
- application of so-called standard contractual clauses between a controller or processor and a controller, processor or recipient of personal data in a third country or an international organization,
- if we transfer your data outside the EEA, you will have the right to obtain a copy of the data and the place where the data will be made available.
- Contact with the controller:
- The controller has appointed a Data Protection Officer, with whom you can contact in a dedicated e-mail box: email@example.com, by phone at +48 691101419 or by post at Polskie ePłatności Sp. z o.o. z, Tajęcina 113, 36-002 Jasionka, Poland
IV. Underage persons
Acquirer does not solicit or knowingly or actively collect information from persons under 18 years old. Our Websites are not intended for minors, especially children under the age of 13. Children may use our Websites only if they are under the direct supervision of their legal guardians.
V. Collection of information
The types of information we receive or collect about you, as well as the purpose and methods of collecting such information, are set out below. You may provide us with information about yourself in the following ways:
- Opening a Merchant Account, user account and using Acquirer Services. If you choose to open a Merchant Account and each user account on our Websites and use Acquirer’s Services and fill in the appropriate form, we will ask you to provide us with certain information about you. The scope of this information will depend on the type of service you would like to receive from Acquirer. In particular, we may ask you to provide the following information:
- a password,
- email address,
- name and surname or company name,
- postal address,
- payment details, e.g. billing address, credit card number and expiry date, name of the cardholder,
- tax identification number.
We may also ask you for other (optional) personal or business information, for example:
- phone number,
- the number of years of operation of the company,
- business description,
- addresses of your own websites,
- value of monthly processed payments,
- other personal or business data.
We may also receive this information when you update or supplement your Account information.
By using the Merchant Account you can also create additional user accounts within your Merchant Account. In this case, we will jointly process your personal data of users such as:
- the e-mail address of the account user.
- Information received upon subscription for certain services, competitions, functions on the Websites. If you would like to add comments to our reviews or articles, complete surveys, receive newsletters, participate in contests, promotions or otherwise make use of the options available on our Websites, we may ask you to provide us with information such as:
- name and surname or company name,
- email address, URL, and information related to your participation in contests, promotions, surveys, or use of additional services or features. This data is usually gathered when you fill in an online form or questionnaire.
- Information provided by Merchants and Customers. When you purchase products or services from a Merchant (using a payment card or any other payment method in connection with which we provide certain services to that Merchant), you are required to provide the Merchant with certain cardholder or billing details, including your name, credit card number and bank account number. Our Merchants must provide Acquirer with some of this information to enable us to complete your transaction.
- Your inquiries. If you contact us to obtain information about our services or the Acquirer company in general, Acquirer may store information about your questions and their content when
- you fill in and send the form available on our Website,
- you send us an email, a fax,
- you’re contacting us by phone.
VI. Browse the Websites and “Cookies”.
Whenever you visit our Websites, Acquirer’s servers may automatically collect information about your use of the Websites. Such information shall include in particular:
- the domain name and hostname from which you access the Internet,
- the IP address of the computer or Internet Service Provider you are using,
- the operating system used (e.g. Mac OS, Windows),
- the browser used and its version (e.g. Mozilla Firefox, Internet Explorer, Opera),
- the name of the website that redirected you to us and other such information.
This information allows us to determine your browsing habits, the content you are interested in and the specific sites you are visiting. It also allows us to determine the dates of visits to our Websites, the browsing paths and the time spent on each subpage.
Like other commercial websites, we may send one or more “cookies” to your computer (small text files sent to your browser; they may be stored on your hard drive so that we can recognize you when you return to visit us).
In order to optimize usage of the content of cookies, we use analytical tools to manage the advertising and marketing of our services and products. These tools also allow us to process the information contained in cookies in a way that supports our research and development work on products. This is possible thanks to the statistics provided to us, which are related to the interest in particular products.
VIII. Purpose of the collection of information
- Acquirer uses the information received from you or otherwise collected only to the extent necessary to manage, maintain, improve and provide the Acquirer services. This includes, but is not limited to, the use of all functionalities available on our Websites and the proper performance of our contractual obligations, in particular those arising from payment transaction service agreements concluded with our Merchants. We also analyze the abovementioned information in order to identify trends and preferences of our Merchants, improve the quality of our Websites and services – including the creation and provision of new features and functions.
- The following is a detailed description of the use of the information:
- Information received or collected by Acquirer in the course of opening the Merchant Account and/or user acounts. Such information may be used by Acquirer for any purpose:
- assess whether you are eligible to open a Merchant Account,
- the proper provision of services to you,
- greet you when you enter your Merchant Account via your user acount,
- to verify your identity,
- providing technical and content-related support in the scope of using the Merchant Account or Acquirer’s services,
- comply with applicable laws and regulations, in particular the obligation to collect, verify and record such information,
- inform you, with your prior consent, of contests, promotions and special offers available from us or our partners.
- Information received in connection with subscription for certain services, contests and functionalities on the Websites. Such information shall be used to the extent necessary to: (i) provide you with such services, functionality, admission to promotions or contests, etc., (ii) contact you.
- Information provided by Merchants (Acquirer’s clients). Such information is used for the purpose: (i) facilitate the execution of payment transactions initiated by you and notified to us by the Merchant in the course of providing Acquirer Services to that Merchant, (ii) terminate payment transactions referred to in subsec. (i) above – this includes in particular verification of the information provided by you when conducting a transaction with the Merchant, (iii) comply with applicable laws and regulations of relevant payment card organizations or other payment institutions (e.g. Visa, MasterCard).
- Information provided by you with your inquiry. The information submitted by you in connection with your enquiry may be used by Acquirer for the purpose of the processing of your enquiry:
- to answer that question,
- to contact you,
- inform you about Acquirer’s services or its partners that could be useful to you,
- taking actions aimed at concluding the agreement.
- Information collected through “cookies” or in the course of browsing the Site. We may use the information collected in this way for the following purposes:
- to remember information about you so that you do not have to provide it again when you visit our Websites or when you re-enter our Websites,
- monitor trends in the use of our Websites and generate statistics,
- monitor your entries, requests and status in any of our promotions or other activities related to your use of the Websites or your Merchant Account and user accounts,
- management or improvement of the operations of Acquirer,
- meet the requirements resulting from applicable laws and regulations established by payment card organisations.
IX. Retaining and protecting the information
Your personal and business data is stored and processed on our computers in Poland. We have implemented a wide range of measures to ensure the security and confidentiality of your data. In particular, we use mechanical, electronic and administrative security measures such as firewalls, data encryption, SSL and other up-to-date technologies. We apply physical access control to our buildings and files. Additionally, only those employees who need personal data of our Merchants or Customers in order to fulfill their labour duties are granted access to such information. We meet the requirements of the Data Protection Standards of the Payment Card Industry (we are PCI certified) and we make every effort to meet these requirements at any time. In accordance with the above requirements, we are periodically reviewed by relevant third parties. We also subject to periodic network scanning to ensure, among other things, that we have and maintain an appropriate firewall configuration for data protection purposes; we encrypt any transmission of cardholder data and other sensitive data on the public network; we do not use default, vendor-supplied credencials to encrypt any transmission of cardholder data and other sensitive data across public networks. We use and regularly update anti-virus software; develop and maintain secure systems and applications; restrict access to data to those individuals who need it for the proper performance of our business; track and monitor every access to network resources and cardholder data; regularly test our security systems and processes; assign a unique identifier to every person with computer access; limit physical access to cardholder data. It is essential that you do not share your Merchant Account password with anyone. Acquirer has created internal security processes that encrypt each Customer’s password to protect it from unauthorized access by third parties or disclosure to anyone other than you. None of Acquirer’s employees or contractors will receive access to your password. Neither Acquirer contractors nor Acquirer itself will ask you to enter your password without being asked to do so, whether by email, telephone, letter or any other means. It is your responsibility to keep your unique password and account details confidential at all times. We would like to point out that we cannot guarantee the security of your data when it is transmitted over the Internet or via servers that are not under our control. We are committed to protecting your personal and business information, but we cannot ensure or warrant the security of any data you transmit to our Websites or in connection with our services. Therefore, if you carry out any data transmission on the Internet, you do so at your own risk. However, as soon as we receive information from you, we make every effort to ensure that it is secure and confidential in our systems. Your personal and business data is stored for as long as it is necessary for Acquirer to properly provide the Services to you and to perform the obligations arising from the contracts that bind us – also taking into account the applicable laws.
X. Information about the Recipients of your personal data
- Acquirer Merchants. If you – as a Customer – would like to purchase products or services available on the Merchant’s website and pay for this purchase using an IT tool provided to the Merchant as part of Acquirer’s services, we may be required to provide the Merchant with your credit card information or other financial information to the extent necessary to process your payment. Please note that the Merchant with whom you purchase and conclude contracts may have their own privacy policies and Acquirer is not responsible for their actions – including data protection practices.
- If you are or become our Merchant, Acquirer may, in the course of providing Acquirer’s services, disclose information about you to payment card organizations, banks and other financial institutions that process or control transactions carried out on your behalf, as well as other entities with whom Acquirer has entered into agreements for the provision of certain services related to our services (e.g. charging fees, marketing services, fraud prevention, IT services). In addition, Acquirer may use or share your data with third parties for additional purposes to facilitate the execution and termination of transactions authorized or initiated by the Merchants, or to inform you about current events concerning Acquirer, updates and expansion of our services, regulations in force in the payment card organizations.
- Other business divisions of our company or a company within the group of companies to which Acquirer belongs. Your data may be shared with them solely for the purpose of jointly providing you with services such as: registration, transaction and customer service, assistance in detecting and preventing illegal activities and violations of our policies, advice in deciding whether to purchase products or services of group companies, communication with you. The above entities may use information about you to send you marketing messages only if you have ordered their services.
- Other service providers who, at our express request, act in connection with the performance of a contract, the provision of a service, or the provision of solutions to support our work, the operation of our websites or other products and services.
- Your personal data may be transferred outside the European Economic Area. If such a transfer takes place, we will take reasonable steps to ensure appropriate data protection safeguards, in particular:
- transfer to countries for which the European Commission has issued an adequacy decision
- the application of contractual clauses between a controller or processor and a controller, processor or recipient of personal data in a third country or an international organisation
- If you transfer your data outside the EEA, you will have the right to obtain a copy of the data and the place where the data will be made available.
- If third parties provide some of our Services on behalf of Acquirer, we oblige them to use your data only to the extent necessary to provide those services and never to use them for their own benefit.
XI. Access, modification and deletion of data
You have the right to review, rectify or delete your personal and business information at any time by contacting us by email: firstname.lastname@example.org. If you want to unregister and stop using your Merchant Account, you can close it – subject to terms of an agreement that may be binding. Please note, however, that if you close your Merchant Account as described in this paragraph, it will be permanently closed. You should only close your account if you are sure you will never use it again. You can close your Account by contacting us via email: email@example.com. We store deleted information in back-up copies for up to 180 days, unless otherwise required by law. This back-up copy is not accessible to third parties. If you unsubscribe from us and close your Merchant Account, you agree that we will retain your data, which we have already collected, for the sole purpose of keeping the registries.
Polskie ePłatności Sp. z o.o.
36-002 Jasionka, Polska