DATA PROTECTION POLICY
Welcome to the PAYONE website. In the following, we will provide you with information about nature, scope and purposes of processing your personal data and your rights.
You can rest assured that we process your personal data exclusively as mandated by statutory data protection provisions. But data protection is more than just a legal obligation for us. In fact, data protection in practice is a customer-oriented quality feature and is our highest priority at PAYONE.
| Controller: | PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt am Main, email: info@payone.com |
| Legal Representatives: | Managing Directors: Niklaus Santschi, Frank Hartmann, Björn Hoffmeyer, Roland Schaar Chairman of the Supervisory Board: Ottmar Bloching |
| Data Protection Officer: | Data Protection Officer of PAYONE GmbH, Lyoner Strasse 9, 60528 Frankfurt am Main, privacy@payone.com |
1. Categories of data which may be processed
| Categories of data: | Purpose of processing: | Legal basis: | Duration of storage: |
|---|---|---|---|
| Name, address and contact details, payment data, company information (esp. legal form, industry), contract data, transaction information (masked) | § Order processing upon request § Contract initiation and possible conclusion of contract § Provision of our services |
§ Art. 6 (1) 1 lit. b) GDPR. | § Max. 1 year § In the event of a contract being concluded or existing contract: Storage until the end of the contractual relationship and expiry of corresponding retention periods |
| Name and contact details, information about your request | § Contact form/getting in touch § Sending information material upon request § Contract initiation and possible conclusion of contract |
§ Art. 6 (1) 1 lit. b) and f) GDPR | § Max. 1 year § In the event of a contract being concluded: Storage until the end of the contractual relationship and the expiry of corresponding retention periods |
|
Server log data: IP address, website usage data (log data about website access or file access, e.g. name of the file accessed, date and time of access, amount of data transferred) and device information (e.g. operating system, browser type and version), cookie information in session cookies |
§ Network communication § Functionality and security of the website § Detection and elimination of faults and errors |
§ Art. 6 (1) 1 lit. f) GDPR, § 25 (2) TTDSG § The legitimate interest in the temporary storage of the log data (server log files) and session cookie information is in our interest for the efficient and secure provision of our website. |
§ 7 days § If further storage is required for evidence purposes, the data will be deleted after the incident has been conclusively clarified § Session cookies are deleted at the end of the browser session |
| Analysis data: IP address (partially anonymised, as described below), website usage data (cookie information) |
§ Website analysis and optimisation, marketing § See also the following information |
§ Art. 6 (1) 1 lit. a) and f) GDPR, § 25 (2) TTDSG |
§ Cookies can be deleted at any time under Point 2.4 Cookie settings and revocation within this Data Protection Policy and using the browser settings § See also the following information relating to the erasure of the stored data |
2. Data recipients
Personal data is passed on to the following data recipients for the purpose of providing our website services: Hosting service providers, data centre operators, email marketing and tracking service providers. See below for more information.
2.1 Website analysis and marketing tools
Matomo
InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (provider of Matomo), https://www.matomo.org/
We use the web analysis service Matomo on our website in order to better understand the needs of our users and to optimize our website on this basis. Matomo only provides the technology and does not process any personal data as a third party, as we do not transfer any data to Matomo, but use the tool via self-hosting, i.e. on our own server.
Events such as the date and time of use, the links clicked on by the user and the files clicked on and downloaded are recorded. In addition, the IP address is recorded anonymously, as well as an user ID, the page URL, the screen resolution, the device type, information about the browser used and the user's location (country only). Matomo uses cookies to collect information about the behaviour of our users as well as information about their end devices. Matomo stores the information in a pseudonymised user profile.
The information stored by the cookies is stored on our own server. The data is not used to personally identify the users of the website, is not merged with other data and is not passed on to third parties.
Your user behaviour will only be analysed by Matomo with your express consent (opt-in). A revocation of your given consent is possible at any time with effect for the future under point 2.4 cookie setting and revocation. The legal basis for the use of Matomo is § 25 (1) TTDSG and Art. 6 (1) 1 lit. a) GDPR.
Further information is available in the GDPR-Notes and the Privacy Policy of Matomo.
2.2 External media and third-party services
Google Fonts
Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (provider of Google Fonts), https://fonts.google.com/
We use Google Fonts on our website. These are "Google fonts" which are downloaded from a Google server to be displayed on our website. You do not need to log in or enter a password to use Google fonts. No cookies are stored in your browser when using Google Fonts. However, the IP address and URL of the page from which you as a user access our website are transferred to Google in order to display the fonts in your browser. The files required to display the fonts are requested via the Google domains fonts.googleapis.com and fonts.gstatic.com. According to Google, the inquiries in the context of Google Fonts are separate from all other Google services and the data collected is not merged with other data. According to Google, an evaluation is only carried out in an aggregated form.
Google fonts are only displayed with your express consent (opt-in). You can withdraw your consent at any time with future effect under Point 2.4 Cookie settings and revocation within this Data Protection Policy. The legal basis for the use of Google Fonts is § 25 (1) TTDSG and Art. 6 (1) 1 lit. a) GDPR.
Google has its headquarters in the USA. The European Court of Justice (ECJ) has found that the US does not provide an adequate level of data protection equivalent to the European data protection law (ECJ, 16.7.2020 - C-311/18 "Schrems II"). In particular, there is a risk that your data may be processed by U.S. authorities for control and monitoring purposes and possibly also without the possibility of legal recourse (e.g. under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). By accepting Google's cookies, you consent to the processing of your data in the USA, knowing the possible risks in accordance with Art. 49 (1) 1 lit. a) GDPR.
More details are available in Google’s Terms of Use and Data Protection Policy.
YouTube
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (provider of YouTube), https://www.youtube.com/?gl=DE
We embed videos from the YouTube platform on our website. The videos are loaded directly from the YouTube server for this purpose. The YouTube server is automatically informed of your IP address and which of our pages you have visited. If you are logged into your YouTube account, this allows Google to assign your usage behaviour directly to your personal profile.
YouTube videos are only shown with your express consent (opt-in). You can withdraw your consent at any time with future effect under Point 2.4 Cookie settings and revocation within this Data Protection Policy. The legal basis for the use of YouTube is § 25 (1) TTDSG Art. 6 (1) 1 lit. a) GDPR.
Google LLC has its headquarters in the USA. The European Court of Justice (ECJ) has found that the US does not provide an adequate level of data protection equivalent to the European data protection law (ECJ, 16.7.2020 - C-311/18 "Schrems II"). In particular, there is a risk that your data may be processed by U.S. authorities for control and monitoring purposes and possibly also without the possibility of legal recourse (e.g. under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). By accepting Google's cookies, you consent to the processing of your data in the USA, knowing the possible risks in accordance with Art. 49 (1) 1 lit. a) GDPR.
More details are available in Google’s Terms of Use and Data Protection Policy.
Use of social media plug-ins using the Shariff solution
Our website uses social plugins (“plugins”) from social networks. In order to increase the protection of your data when you visit our website, the plugins are not unlimited and are only added to the page using an HTML link „ShariffLösung“ from c‘t). This integration ensures that no connection is established with the servers of the provider of the respective social network when you access a page on our website which contains these plugins. If you click on one of the buttons, a new window will open in your browser and access the webpage of the respective service provider, where you can (for example, after entering your login data) press the Like or Share button. The purpose and scope of the data collection and the further processing and use of the data by the providers on their pages, as well as your rights in this regard and the setting options to protect your privacy, can be found in the providers' data protection information:
• http://www.facebook.com/policy.php• https://twitter.com/privacy
• https://policies.google.com/privacy
• https://help.instagram.com/155833707900388
• http://www.addthis.com/privacy/privacy-policy
• https://www.linkedin.com/legal/privacy-policy.
• https://www.xing.com/app/share?op=data_protection
2.3 Technical security measures
Google reCAPTCHA
Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (provider of Google reCAPTCHA), https://www.google.com/recaptcha/intro/v3.html
We integrate the "reCaptcha" function from Google Inc. for the detection of bots, for example with regard to inputting details in contact forms. The behavioural information of users (e.g. mouse movements or queries) are included in the “captchas" and evaluated to distinguish people from bots. The name "bot" is a short form of the English term "robot". These bots are controlled by a computer program, which, like an automated machine, is programmed to process certain tasks without human intervention. The “captchas” are another security function of our website. “Captcha” means “Completely Automated Public Turing test to tell Computers and Humans Apart”. When you access our website, we transfer information to Google about your visit. Google in particular uses the following information to check whether you are a human or a computer:
• The IP address of your device• Referrer https://portal.bs-card-service.com/
• Information about the browser you use (e.g. browser type and version, screen resolution, language, installed plugins, time and date)
• If you are registered and logged in to Google, your Google account
• Your surfing behaviour on websites
• Your input behaviour (e.g. your mouse movements on the reCAPTCHA areas)
• In some cases, small tasks where you have to identify pictures or numbers.
The legal basis for the use of Google reCAPTCHA is Art. 6 (1) 1 lit. c) in conjunction with Art. 24, 32 GDPR. The use of the service meets a legal obligation (by preventing website malfunctions resulting from attacks and/or technical faults and fraud prevention) which we are subject as PAYONE. Google reCaptcha supports us in ensuring a level of protection to meet the risks through appropriate technical measures.
More details are available in Google’s Terms of Use and Data Protection Policy.
2.4 Cookie settings and revocation
Revocation of the cookie settings/Cookie settings
Note: You can also prevent cookies from being saved at any time by changing the appropriate settings in your browser software. You can also allow only certain types of cookies or delete individual or all cookies. However, we would like to point out that in this case, you may not be able to use all functions of this website to their full extent.
3. Data transfer to third countries
☐ No☒ Yes
| Third-country recipient: | Appropriate safeguards: | Purpose of processing: |
|---|---|---|
| Google Inc./Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA |
☒ EU standard contract clauses (SCC) ☐ Recognition as a safe third country by the EU Commission ☐ Officially approved Binding Corporate Rules (BCR) ☐ Standard data protection clauses approved by the regulatory authorities ☐ Regulatory code of conduct ☐ Approved certification process ☒ Legal exception (Art. 49 GDPR) |
Website analysis and optimisation, marketing |
4. Rights of data subjects
| Statutory data protection right: | Content: | Legal basis: |
|---|---|---|
| § Access | Right to information about the processed personal data concerning you and further information relating to the data processing which concerns you (e.g. processing purposes, data recipients). | Art. 15 GDPR |
| § Rectification | Right to rectify inaccurate personal data relating to you or to complete incomplete personal data. | Art. 16 GDPR |
| § Erasure ("right to be forgotten") | Right to erasure of personal data concerning you under certain conditions (e.g. cessation of purpose, revocation of consent). | Art. 17 GDPR |
| § Restriction of processing | Right to restrict the processing of personal data concerning you under certain conditions (e.g. contested accuracy of the data for the duration of the review). | Art. 18 GDPR |
| § Data portability | Right to receive personal data prepared in a structured, widely used and machine-readable format in order to be able to transfer the data to another location or right to transfer the data directly to the other location, to the extent that this is technically feasible, under certain conditions. | Art. 20 GDPR |
| § Objection | Right to object to the processing of your personal data under certain conditions. | Art. 21 GDPR |
| § Right to lodge a complaint with a supervisory authority |
Right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of your personal data breaches the GDPR. For example, this may be the supervisory authority responsible for PAYONE: The Hesse Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de/. |
Art. 57 (1) f GDPR, Art. 77 GDPR |
| § Right of withdrawal | Right to withdraw your consent to the processing of your personal data at any time with future effect. | Art. 7 (3) GDPR |
To assert the legal rights of the data subject and for all other questions regarding data processing, please write to the above address or send an email to privacy@payone.com.
5. Additional information about data processing
| Legal obligation to provide personal data: | ☒ No ☐ Yes |
|---|---|
| Contractual obligation to provide personal data: | ☒ No ☒ Yes, for the purposes specified above. |
| Possible consequences of non-provision: |
Only relevant for contact and form fields. If you do not provide your data, we will not be able to make contact as requested, forward any information material and/or send the newsletter. It will also not be possible to process the requested order. |
| Will an automated decision-making process take place? | ☒ No ☐ Yes |
| What is the source of the personal data? (If not collected from the data subject): | Not relevant, as none of your personal data is obtained from third-party sources. |
6. Form fields/ TLS encryption
If you send us enquiries using the contact form, data such as your details on the enquiry form, including the contact details you provided, will be stored by us for the purpose of processing the enquiry and in the event of any follow-up questions. We will not pass on this data without your consent. Our website uses TLS encryption for security reasons and to protect the transmission of confidential content that you send to us. This means that data that you transfer through this website cannot be read by third parties. You can recognise an encrypted connection by the "https: //" address line of your browser and the lock symbol in the browser line. Further information about the processing and storage duration can be found in Point 1 Categories of data which are processed.
Version
02.2022