EU PRIVACY NOTICE FOR CARDHOLDERS, OUR MERCHANTS AND OTHER BUSINESS RELATED PERSONAL DATA

1 WHO IS RESPONSIBLE FOR PROCESSING YOUR DATA AND HOW TO CONTACT US

This notice (“Notice”) describes the steps Securetrading Financial Services Ltd, trading as acquiring.com (“acquiring.com”, “we” or “us”) takes to protect the personal data that we process about merchants (our customers) and other business related personal data. This notice also applies to cardholders, by which we mean individuals that make a purchase with an online merchant that is signed up to use our payment facilitation services.
acquiring.com is committed to the protection of the personal data that we process about you in line with the data protection principles set out in the European Union’s (“EU”) General Data Protection Regulation 2016 (“GDPR”).
The controller in respect of your personal data is Securetrading Financial Services Ltd, a Financial Institution licensed by the Malta Financial Services Authority Reg. No. C 56013 and of Ewropa Business Centre, Level 2, Triq Dun Karm, Birkirkara, BKR 9034, Malta.
You can contact us using the following email address: [email protected].

2 WHAT PERSONAL DATA WE COLLECT AND WHY?

We may source, use and otherwise process your personal data in different ways. In all cases we are committed to protecting the personal data that we process.
In each of the sections listed below, we describe how we obtain your personal data and how we will treat it.

Section 2.1 Cardholders
Section 2.2 Representatives of our Existing or Prospective Merchants and Vendors
Section 2.3 Visitors to our Premises
Section 2.4 Website Visitors

2.1 Cardholders

A – Sources of personal data

We obtain your personal data from the merchants that use our services to facilitate online payments.

B – Personal data that we collect and process

We collect the following categories of personal data relating to cardholders:

a) Primary Account Number or PAN number (i.e. the long number on your payment card);
b) authentication data e.g. date of birth and identification documents e.g. national ID;
c) transaction data e.g. purchase amount, unique reference and transaction currency;
d) expiry date of your payment card.

C – Why do we collect your personal data and what are our lawful bases for it?

We may use your personal data to: Our lawful basis for doing so is: Reason for lawful basis:
Provide merchants with our payment facilitation services Performance of contract Legitimate Interest Efficiently fulfil our contractual obligations and facilitate the payment you want to make.
Manage security Legal obligation (AML / PCI DSS) Managing security, risk and crime prevention, including fraud detection
Management reporting (including at an intra-group level)

If you have any question about how we use your personal data, please send an email to us using the following email address: [email protected]

2.2 Representatives of our Existing or Prospective Merchants, Payment Service Providers and Vendors

A – Sources of personal data

We may obtain your personal data from the following sources:
a) from you directly;
b) from a company that employs you, if you are an employee of our merchants;
c) from affiliates of acquiring.com;
d) during networking events that we have either hosted, or sponsored, or attended; and/or
e) from publicly available sources (for example, your company website, social media sites and company registrars); and
f) from service providers that manage databases of personal data, e.g. credit reference agencies.

B – Personal data that we collect and process

We may collect the following categories of personal data relating to employees, officers, authorised signatories, and other associated individuals of our vendors and merchants. This may include:
a) name;
b) business address;
c) business email address;
d) business telephone number;
e) job title;
f) for directors and shareholders specifically, full name, job title, date of birth, country of residence, nationality, home address, identification number, company ownership (%), politically exposed person(s), utility bill, personal bank statement;
g) photocopy of government identification.

For the purposes of anti-money laundering and countering financing of terrorism requirements, we may also collect the following:

a) name;
b) date of birth;
c) residential address;
d) information from utility bills;
e) copies of passports;
f) copies of driving licences;
g) nationality;
h) bank details (account numbers, sort codes);
i) police conduct certificate (occasional use);
j) information from service providers which manage databases of personal data;
k) any other data which we may reasonably require from you from time to time.

C – Why do we collect your personal data and what are our lawful bases for it?

Representatives of our Existing or Prospective Merchants, Payment Service Providers and Vendors

We may use your personal data to: Our lawful basis for doing so is: Reason for lawful basis:

Provide you with our products or services

 

Performance of contract. Legal obligation Efficiently fulfil our contractual and legal obligations. Management reporting (including at an intra-group level)

Receive products or services from you

 

Performance of contract. Legal obligation Efficiently fulfil our contractual and legal obligations. Management reporting (including at an intra-group level)
Establish and manage our relationship Performance of contract. Legal obligation.  Legitimate interest Efficiently fulfil our contractual and legal obligations. Account Management. Exercise or defend legal claims. Understand the market in which we operate. Management reporting (including at an intra-group level)
Learn about how our products and services are or may be used Legitimate interest Understand the market in which we operate. Management reporting (including at an intra-group level)
Manage security Performance of contract. Legal obligation Managing security, fraud and credit risk. Management reporting (including at an intra-group level)
Notify you about mandates from Card and Payment Schemes and about regulatory authority requirements. Performance of contract. Legal obligation

Fulfill our Card and Payment Scheme and regulatory obligations.

 

Let you know about our products, services and events that may be of interest to you by letter, telephone, email or other forms of electronic communication Legitimate interest Promote our products and services. Management reporting (including at an intra-group level)
Anti-money laundering and sanctions lists Legal obligation Managing risk, prevention of crime and anti-money laundering and countering of financing of terrorism.

If you object to us using your contact details for these purposes, including direct marketing, please send an email to us using the following email address: [email protected].
Where we use your email to communicate marketing information to you we will seek your prior consent where required to do so by law.

2.3 Visitors to Our Premisses

A – Sources of personal data

We may obtain your personal data from you directly and/or from our systems’ records.

B – Personal data that we collect and process

a) name;
b) business contact details;
c) organisation;
d) role; and/or
e) image (for example, from CCTV cameras at our premises).

C – Why do we collect your personal data and what are our lawful bases for it?

We may use your personal data to: Our lawful basis for doing so is: Our legitimate interests in doing so are:
Manage security Legitimate Interest Managing security, risk and crime prevention
Maintain records of visitors to our premises Legitimate Interest Management reporting

2.4 Website Visitors

A – Sources of personal data

We may obtain your personal data from the following sources:

a) from you directly (for example, by filling in forms on the website);
b) when you register to use the website;
c) request further information via the website;
d) from your device or browser; and/or
e) if you contact us, we may keep a record of that correspondence.

B – Personal data that we collect and process

a) name;
b) username;
c) email address;
d) phone number;
e) postal address;
f) operating system;
g) browser type;
h) full Uniform Resource Locators (URL);
i) products or services you viewed or searched for;
j) other website data, including page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page;
k) cookie data (for more information please see our Cookie Notice published on www.securetradingfs.com);
l) preferences regarding online marketing; and/or
m) IP address.

C – Why do we collect your personal data and what are our lawful bases for it?

Representatives of our Existing or Prospective Merchants, Payment Service Providers and Vendors
We may use your personal data to: Our lawful basis for doing so is: Our legitimate interests in doing so are:
Provide our website services to you Legitimate interest Website management. Promote our products and services. Account management. Notifying you of any changes to our products and services. Provide you with password reminders. Notify you that a particular service has been suspended for maintenance.

Establish and manage our relationship

 

Performance of contract (account management) Understand the market in which we operate. Management reporting (including at an intra-group level). Account management. Make suggestions and recommendations to you about products or services that may interest you.

Learn about our websites(s) users’ browsing patterns and the performance of our website(s)

 

Legitimate interest Website management, including troubleshooting, data analysis, testing, research, statistical and survey purposes
Manage security

Managing security, risk and crime prevention

Management reporting (including at an intra-group level)

Let you know about our products, services and events that may be of interest to you by letter, telephone, email or other forms of electronic communication Promote our products and services. Management reporting (including at an intra-group level).
Learn about how our products or services may be used Understand the market in which we operate. Management reporting (including at an intra-group level)

If you object to us using your personal data for these purposes, including direct marketing, please send an email to us using the following email address: [email protected].

We will seek your prior consent, where required to do so by law, where we:

a) use cookies or similar technologies to fulfil this purpose; and/or
b) use your email to communicate marketing information.

3 WHO DO WE SHARE YOUR PERSONAL DATA WITH

We do not sell your personal data to third parties.

Affiliates
We may share your personal data with our affiliates, by which we mean a person or entity that directly or indirectly controls, is controlled by, or is under common control with, acquiring.com. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

Our Service Providers
We may disclose information about you to organisations that provide a service to us, on the understanding that they will keep the information confidential and will comply with the GDPR and other relevant data protection laws.

We may share your information with the following types of service providers:

a) technical providers who support us in providing our services to you;
b) technical support providers who assist with our website and IT infrastructure;
c) third party software providers, including ‘software as a service’ solution providers, where the provider hosts the relevant personal data on our behalf;
d) professional advisers such as solicitors, accountants, tax advisors, auditors and insurance brokers;
e) providers that help us generate and collate reviews in relation to our products and services;
f) our advertising and promotional agencies and consultants and those organisations selected by us to carry out marketing campaigns on our behalf; and/or
g) providers that help us store, collate and organise information effectively and securely, both electronically and in hard copy format, and for marketing purposes; and/or
h) regulators and other public authorities.

Company Mergers and Takeovers
We may transfer your personal data to potential purchasers and their advisors, subject to appropriate confidentiality obligations, in the event we decide to dispose of all or parts of our business.

4 TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EUROPEAN ECONOMIC AREA

If and when transferring your personal data outside the EU or European Economic Area (“EEA”), we will only do so using one of the following safeguards:

a) the transfer is to a non-EEA country that has been the subject of an adequacy decision by the EU Commission;
b) the transfer is covered by a contractual agreement, which covers the GDPR requirements relating to transfers to countries outside the EEA;
c) the transfer is to an organisation in the US that is EU-US Privacy Shield certified.

International transfers to our affiliates are governed by EU Commission-approved Standard Contractual Clauses for controllers, processors and sub-processors.

We may also transfer your data to third-party vendors outside the EU, such as our customer relationship management system and due diligence providers. Where we do so, the Standard Contractual Clauses or other safeguards approved by the EU Commission are in place to safeguard that personal data.

You may request a copy of these agreements by contacting us using the following email address: [email protected].

5 YOUR RIGHTS

 

The GDPR provides you with certain rights in relation to the processing of your personal data, including to:

Request access to personal data about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you, and to check that we are lawfully processing it.
Request rectification, correction, or updating to any of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request personal data provided by you to be transferred in machine-readable format (“data portability”).
Request erasure of personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove personal data where you have exercised your right to object to processing (see below).
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you (e.g. if you want us to establish its accuracy or the reason for processing it).
Object to the processing of your personal data in certain circumstances. This right may apply where the processing of your personal data is based on the legitimate interests of acquiring.com, as explained above, or where decisions about you are based solely on automated processing, including profiling.
Right to lodge a complaint. You also have the right to lodge a complaint with the data protection supervisory authority, if you are not happy with how we process your personal data.

These rights are not absolute and are subject to various conditions under:
• applicable data protection and privacy legislation; and
• the laws and regulations to which we are subject.

If at any time you decide that you do not want to be contacted for marketing purposes or if you would like to exercise any of your rights as set out above, you can contact us by emailing the following email address: [email protected]

6 RETENTION PERIOD

 

We will keep and process your personal data only for as long as is necessary for the purposes for which it was collected in connection with your relationship with us, unless we have a legal right or obligation to retain the data for a longer period, or the data is necessary for the establishment, exercise or defence of legal claims. In the case of data received from merchants, including Cardholder data, we will retain such personal data for at least ten (10) years from the date when a person ceases to conduct relevant activity with us.