Which entity is the data controller and how will use your information
Satispay Europe S.A. (“Satispay”) is a financial regulated intermediary which acts as electronic money institution (“EMI”) authorized under the laws of Luxembourg. Satispay is, therefore, subject to the strict compliance of the laws and regulations applicable in this country and to the supervision of the competent authority of Luxembourg namely the Commission de Surveillance du Secteur Financier (additional information available at http://www.cssf.lu/).
Satispay, according to Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data (the “Regulation”), wishes to inform you about the way the information referring to users of the website and the Satispay services (the “Services”) is processed.
Satispay is the data controller of the processing of the User / Merchant personal data. Satispay has also appointed a data protection officer that the User / Merchant can contact at the email address email@example.com for information on the processing of his or her personal data or the rights that can be exercised.
As an EMI, operating from Luxembourg but with services in a number of European Economic Area (EEA) countries, Satispay will only process (i.e. collect, store and use) personal data of the User / Merchant in a manner that is compatible with the applicable law fairly and lawfully.
Satispay aims to collect data and information in an accurate, relevant and appropriate manner to the purpose for which this collection is necessary, without requiring unnecessary information.
This policy applies to the processing of personal data of Satispay Users / Merchants within all the services (present and future).
To ensure that we process your personal data fairly and lawfully we want to inform the User / Merchant and any data subjects:
How does Satispay collect personal data?
Personal data that Satispay collects about the User / Merchant come from:
With the consent of the User / Merchant, Satispay may access information about his/her contacts of the phonebook or recorded in the context of the email, messaging, social network services joined by the same and provided by third party companies (for example Gmail, WhatsApp, Facebook or other social network contacts) in order to allow the User / Merchant to invite other people to download the Satispay app and request the Services offered by Satispay. In this case, Satispay will process this information for the sole purpose of sending the invitation. Satispay will only process information relating to the contacts chosen by the User / Merchant.
Satispay could also collect information relating to individuals not yet User / Merchant in relation to requests of information, even of promotional nature, on Satispay, the industry in which it operates and its Services, including information on the Satispay’s projects delivered through social networks and other channels.
What is “personal data”?
“Personal data” refers to any information useful to identify a natural person directly or indirectly, that is already held by Satispay or which the latter could come into possession of.
Examples of personal data include:
Data generated through the use of our Services are personal data as well, such as:
What types of personal data does Satispay handle?
Satispay does not handle special categories of data but it processes the other types of data mentioned above. In particular, in order to carry out its duties as EMI, Satispay is required to request personal data such as names, dates of birth, addresses, telephone numbers, email addresses, bank account details and other useful documents to verify the identity of the User / Merchant.
Satispay uses the other information mentioned in the previous paragraph to provide its Services and comply with the legal obligations provided as EMI.
In relation to the use of data of the User / Merchant for direct marketing purposes, Satispay adopts the principle of minimization. Satispay may propose promotional offers based on data such as, for instance, your place of residence or the volume of transactions carried out in a certain period. These activities have been carefully evaluated and considered as not invasive and detrimental to the rights and fundamental freedoms of the User / Merchant.
In order to allow Users / Merchants to invite their contacts of the phonebook or recorded in the context of the email, messaging, social network services joined by the same and provided by third party companies (for example Gmail, WhatsApp, Facebook or other social network contacts), Satispay will use only the minimum identification and contact information of the subjects chosen by the User / Merchant (name, surname, email and / or telephone number). The minimum dataset may change in relation to the terms and conditions of the third party company providing the relevant email, messaging, social network service.
With reference to the information relating to individuals not yet User / Merchant, it includes the details requested within the relevant data collection forms and are usually limited to identification data (name, surname, VAT number) and contact data (email address and/or phone number, as the case may be).
Why does Satispay process personal data?
Satispay processes data of the User / Merchant for the following purposes:
The personal data collected may also be processed in the context of any corporate events (sale of the company or going concerns), due diligence exercises, in the event of defense of legal claims and related prodromal activities.
Satispay also makes available to Users / Merchants the opportunity to invite some or all their contacts to download the Satispay app and request the services offered by Satispay. In this case, where the User / Merchant has granted his / her consent, the third party personal data recorder in the context of the phonebook or of the email, messaging, social network services joined by the same and provided by third party companies (for example Gmail, WhatsApp, Facebook or other social network contacts), can be processed in order to send a communication concerning the invitation to download the Satispay app and request the Services offered by Satispay to the contacts chosen by the User / Merchant. The aforementioned processing is carried out to allow the User / Merchant to select the contacts as addressees of the invitation. Contacts that have not been selected by the User / Merchant will not be saved and further processed by Satispay.
With reference to the data relating to individuals not yet User / Merchant, they are processed to follow up any requests of details, even of promotional nature, on Satispay, the industry in which it operates and its Services, including information on the Satispay’s projects delivered through social networks and other channels.
Whose personal data does Satispay handle?
In order to carry out our duties as an EMI, Satispay processes personal data from a range of individuals. This includes:
In addition, in order to allow the delivery of the invitation to download the Satispay app and request the Services offered by Satispay to the contacts in the phonebook or recorded in the context of the email, messaging, social network services joined by the User / Merchant and provided by third party companies (for example Gmail, WhatsApp, Facebook or other social network contacts), Satispay processes the personal data of:
Whom may personal data being shared with?
Satispay obtains and shares personal data by and with several entities, which include:
All these entities act as autonomous data controllers or have been authorized by Satispay where they act on its behalf (as data processors).
If this is instrumental to the pursuit of the purposes set out above, personal data may also be transferred abroad to companies located both within and outside the European Union. Some of these jurisdictions may not guarantee the same level of data protection guaranteed by the country in which the data subject resides. In this case, Satispay undertakes to ensure that the data is processed with the utmost confidentiality, stipulating, if necessary, agreements that guarantee an adequate level of protection and / or adopting the standard contractual clauses provided by the European Commission.
Information held is only shared with those entities which have a “need to know basis”.
Where you engage a regulated third party payment services provider (the “TPP”) to access to your Satispay account for account information, confirmation on the availability of funds or payment initiation services, Satispay will share with the TPP, subject to your consent, the relevant information on your Satispay account, including, as the case may be, the transaction history and the availability of funds, the initiation of the payment transaction on your behalf and the execution of such payment transaction. The data received by the TPP will include your personal data (for example, your Satispay ID, your Satispay account balance and currency and your payment transaction history details, including the Satispay ID of the payments’ beneficiaries). Satispay will transfer the personal data described in this section to follow up any of your request and to comply with the legal obligations established for all payment services providers.
How does Satispay ensure the security of personal data?
Satispay takes the security of the data subjects’ personal data held very serious. For this purpose, Satispay has set up data security procedures and an Information Security Policy to ensure that all data is protected from accidental loss or misuse. Satispay only permits access to information where there is a legitimate reason to do so.
Satispay is also bound by strict confidentiality obligations, as well as professional secrecy.
What if the data Satispay holds about you is incorrect?
It is important that the data held by Satispay is accurate and up to date. If the data provided to Satispay will change, please contact Satispay (firstname.lastname@example.org or via social media) immediately so that it can update its records.
How long does Satispay store the data?
Personal data will be stored in compliance with the applicable laws, for a period of time not exceeding what is necessary to achieve the purposes for which they are processed. The criteria for determining the data retention period take into account the lawful processing period and applicable laws (for example, tax or anti-money laundering laws), the statute of limitation periods and the nature of legitimate interests where they are the legal basis of the processing.
Personal data may be stored for a longer period than the one originally planned, in the event of any disputes or requests by the relevant Authorities.
Your information is only held for as long as necessary and will be disposed of in a secure manner when it is no longer needed.
Which rights can the data subject exercise in relation to the information processed by Satispay?
Any data subject (namely any User / Merchant as well as those who are not yet User / Merchant but have requested information and provided their personal data to Satispay) may exercise specific rights, including to obtain from the data controller:
Any data subject has the right to withdraw the consent to the processing of his or her personal data (if this was given) at any time, without prejudice to the lawfulness of the processing based on consent before its withdrawal.
Furthermore, any data subject has the right to object to the direct marketing activities carried out by Satispay, including any segmentation for marketing purposes. As regards the management of push notifications, where active, this must be done through the settings of the devices of the User / Merchant.
In case of IOS devices, the relevant operating system provides for a consent request, during the download of the app and registration to access the Services, in order to send the push notifications and to use tracking technologies for analytics on app download and usage. As described above, in Satispay’s opinion other legal basis justify the dispatch of such communications and the use of such technologies. However, as of today, for technical reasons this is the only way to authorise push notifications or the collection of information on app download and usage on IOS devices. Accordingly, in the absence of push notification consent, the User will not be able to receive, for example, information relating to the receipt of money from other Users, the dispatch or confirmation of a payment, the existence of a new functionality in the app and, in the absence of tracking technology consent, for example, it will not be possible to analyse app usage data to improve functionalities and Services. On the contrary, the operating system of Android devices, in line with the legal basis previously mentioned, does not require the granting of a consent, during the download of the app and registration to access the Services, neither to receive the notifications in app nor to use such tracking technologies. The User is, in any case, free to handle separately at any time both the push notifications and the tracking through the settings of his Android device and to disable or reactivate the same according to his own preference.
Any personal data provided by the User from the early stage of download of the app (e.g. name, surname, email address, phone number) will be stored by Satispay as long as it is necessary in order to comply with legal obligations provided under the relevant anti-money laundering and terrorism prevention laws applicable to an EMI. Accordingly, the request of erasure of the personal data provided from the early stage of the download of the app will be followed up with reference to those purposes of the data processing which are different from those deriving from the above-mentioned legal obligations. Where Satispay is prevented to proceed with the request of erasure, Satispay specifies the following:
To exercise his or her rights, the data subject can write to the email address email@example.com or use the dedicated tools in the app.
Sometimes Satispay will not be able to provide with all the requested information and follow up the User / Merchant requests, due to the obligations deriving from the EMI qualification. Anyway Satispay will make every reasonable effort to follow-up to the requests of the Users / Merchants and any data subjects.
According to the Regulation, Satispay is not authorized to charge costs for fulfilling one of the requests set out in this paragraph, unless they are manifestly unfounded or excessive, in particular because of their repetitive character. In cases where the data subject requires more than one copy of his or her personal data, or in cases of excessive or unfounded requests, Satispay may (i) charge a reasonable fee, taking into account the administrative costs of providing the information or (ii) refuse to act on the request. In these cases, Satispay will inform the data subject of the costs before processing the request.
Satispay may request further information before processing requests if it needs to verify the identity of the individual who does the submission.
Without prejudice to any other administrative or judicial appeal, the data subject shall also have the right to lodge a complaint with the competent Supervisory Authority (Commission nationale pour la protection des données), if he or she considers that the processing concerning him or her is done in violation of the Regulation. Further information is available on the website https://cnpd.public.lu/en.html.
In any case, Satispay is interested in being informed of any grounds for complaint and invites any data subject to use the above mentioned contact channels before referring to the supervisory authority, so as to be able to prevent and resolve any disputes in a friendly and timely manner, with the utmost courtesy, seriousness and discretion.
Links to external websites
Satispay may provide links to other content such as websites, web apps and downloadable apps. Unless expressly stated, this content is not under Our control. Satispay neither assumes nor accepts responsibility or liability for such third party content. The provision of a link by Satispay is for reference only and does not imply any endorsement of the linked content or of those in control of it.