Who is the data controller and how can you contact the DPO?
Satispay Europe S.A. (“Satispay” or “we” or “us”) is a financial regulated intermediary that acts as an electronic money institution (“EMI”) authorized under the laws of Luxembourg.
At Satispay, we take the protection of personal data seriously. As a data controller, Satispay follows the applicable laws on data protection to make sure we handle personal data correctly when providing our services.
Satispay has appointed a data protection officer (“DPO”) who may help with any questions about the data processing we carry out and/or how to exercise your rights. You can reach our DPO at dpo@satispay.com.
Whose personal data does Satispay process?
Satispay processes personal data concerning a range of individuals (“Data Subjects” or “you”), including:
How does Satispay collect personal data?
Satispay is committed to collecting only personal data strictly necessary for the pursuit of its purposes. In particular, Satispay collects personal data:
What types of personal data does Satispay process? For what purposes and on what legal basis?
“Personal data” refers to any information capable of identifying directly or indirectly a natural person. In particular, Satispay processes personal identification data (like name, surname, home address, tax code, user ID, photo, age, etc.), contact information (like phone number, email address), financial data (bank account details), as well as other specific data tailored and necessary for each purpose. We only process special categories of personal data (so-called “sensitive data”, like biometric data) where expressly required by law or in case of public interest.
Below, we detail the types of personal data we process, why we do it and the legal grounds:
a) To enable sign-up and provide the services requested by the Users, including service-related communications.
Processing is necessary for the performance of a contract or to take steps at the Users’ request before entering into a contract (art. 6.1, lett. b, GDPR). Plus, we have a legitimate interest in ensuring our services are as effective and efficient as possible (art. 6.1, lett. f, GDPR).
b) To prevent and detect financial crimes and fraud, as well as combat terrorism to ensure the service security. To this end, Satispay also uses machine learning models as a measure to better identify potential risks and enforce protective actions against certain Users.
Processing is necessary to comply with legal obligations to which Satispay is subject (art. 6.1, lett. c, GDPR). Plus, we have a legitimate interest in avoiding financial crime and safeguarding our business (art. 6.1, lett. f, GDPR).
c) To comply with the legal obligations established for all the EMIs, such as verifying Users’ identity and reporting suspicious activities to competent authorities. To this end, Satispay also uses technologies that enable remote automated recognition.
Processing is necessary for the performance of a contract or to take steps at the Users’ request before entering into a contract (art. 6.1, lett. b, GDPR), as well as to comply with legal obligations to which Satispay is subject (art. 6.1, lett. c, GDPR). Plus, we process biometric data to perform a task in the public interest (art. 9.2, lett. g, GDPR).
d) To send communications to:
We have a legitimate interest in increasing the use and awareness of the services (art. 6.1, lett. f, GDPR). Any direct marketing activities are carried out without the prior consent of the Users when allowed by applicable law.
e) To send promotional communications to:
For this purpose, Satispay may also use machine learning models that help optimize the content of promotional campaigns. For Users under 18, Satispay limits profiling to be less intrusive.
Processing is based on the prior consent of the Users (art. 6.1, lett. a, GDPR).
f) To carry out statistical and trends analyses aimed at improving the services and giving Users the best user experience possible.
We have a legitimate interest in improving its services (art. 6.1, lett. f, GDPR). For this purpose, personal data may also be aggregated and/or anonymized in such a way that identification of Data Subjects is no longer possible.
g) To follow up on requests or communications of any nature coming from Data Subjects.
Processing is necessary for the performance of a contract or to take steps at the Users’ request before entering into a contract (art. 6.1, lett. b, GDPR). Plus, we have a legitimate interest in properly replying to requests or communications coming from Data Subjects (art. 6.1, lett. f, GDPR).
h) To establish, exercise or defend Satispay’s rights and/or those of its employees, as well as to carry out corporate transactions (e.g., in case of bankruptcy, merger, acquisition, reorganization, sale of assets, and/or assignments).
We have a legitimate interest in establishing, exercising or defending our rights and/or the rights of our employees, as well as in carrying out transactions essential for our business (art. 6.1, lett. f, GDPR).
To find out how Satispay processes personal data through the use of cookies and similar technologies, please see the cookie policy available here.
Who can receive personal data?
Only where strictly necessary, Satispay may share personal data with:
These recipients may act as autonomous data controllers or as data processors. Data processors follow Satispay’s instructions.
Where is data stored and where may it be transferred?
Personal data is stored on servers located in the European Union. If needed for specific purposes, personal data is also transferred to companies located outside the European Union. In this case, Satispay ensures that the data is processed safely and that it has entered into agreements that guarantee an adequate level of protection and/or include the standard contractual clauses provided by the European Commission.
How does Satispay ensure the security of personal data?
Satispay has set up strong internal data security measures as well as technical and organizational measures (like encryption, pseudonymization and anonymization) to keep personal data safe from accidental loss, misuse, alteration, destruction and/or unauthorised access.
Special measures are implemented to safeguard data concerning minors, enhancing their protection and security.
How long does Satispay retain personal data?
Satispay keeps personal data as long as needed to fulfil specific purposes and comply with applicable laws (such as tax or anti-money laundering laws). In particular:
In any case, personal data may be stored longer in the event of disputes or requests by the competent authorities.
Which rights may you exercise?
You may exercise at any time the following rights:
To exercise your rights, you may contact support@satispay.com or dpo@satispay.com.
You also have the right to lodge a complaint with the relevant Data Protection Authority. However, we encourage reaching out to us first to resolve any issues amicably and promptly.