Privacy Policy: Paytrail Customer Management Systems

Your security and privacy are important to us.

23.01.2025

1. General

This privacy policy provides the information required under the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Finnish Data Protection Act (2018/1050) to both registrants and the supervisory authority.

2. Data controller

Paytrail Plc, hereinafter referred to as “Paytrail”.

3. Contact person for matters concerning the register

Markku Hänninen
Innova 2
Lutakonaukio 7
40100 Jyväskylä
Finland

Contact Paytrail’s customer service at: www.paytrail.com/en/contact

4. Name of the register

Data register of Paytrail’s customer relationship management systems.

The register includes representatives of organizations that have a contractual relationship with Paytrail.

5. Purpose and legal basis for processing personal data

Personal data is processed to provide and deliver the agreed services to the customer, to develop and improve the services, for invoicing purposes, as well as for the management and development of the customer relationship and for statistical analysis.

The data may also be used for marketing, direct marketing, and to target marketing communications to customers.

The processing of personal data is based on Article 6 of the General Data Protection Regulation (GDPR). The legal bases applied in this register, along with examples of processing under each basis, are described below:

Legal basis: Consent
Example: Direct marketing. The customer may refuse to receive direct marketing.

Legal basis: Legitimate interests of the data controller or a third party
Example: The following activities are based on legitimate interest:

  • Direct marketing
  • Service-related communications
  • Merchant portal user analytics
  • Security logging

Direct marketing is permitted for a representative of a company that has a contractual relationship with Paytrail concerning the same service. However, the representative may opt out of direct marketing upon request.

Service-related communications may include, for example, matters related to invoicing.

Legal basis: Legal obligation
Example: Act on Preventing Money Laundering and Terrorist Financing. Act on sanctions.

As a licensed payment institution, Paytrail is subject to statutory obligations related to customer identification.

Example:

  • Legislation requires Paytrail to maintain personal data on the responsible persons of its corporate customers.

6. Register data content

Information about the representative of a company or organization

The following data is stored in Paytrail’s customer relationship management systems:

  • Name of the contact person
  • Email address of the contact person
  • Phone number of the contact person
  • Electronic communication with customer service and sales
  • Personal identity code *
  • Information about the company’s responsible persons and beneficial owners **
  • User analytics from Merchant portal ***

* The personal identity code is stored for the individual who signs the agreement with Paytrail. In addition, personal data of the company’s responsible persons and beneficial owners is collected, depending on the company form.
** The following data is also automatically retrieved from Suomen Asiakastieto Oy: personal identity code, name, nationality, domicile, position in the company, number of shares or ownership interest, and any new payment default records. The retrieved data depends on the company’s legal form and any changes in responsible persons or beneficial owners.
*** In the Merchant portal, user analytics are used to understand how users interact with the interface (including search parameters) and services, in order to improve portal functionality. No portal content is stored in the analytics, and any third-party usage data is pseudonymized, meaning it cannot be used to identify individual users.

7. Collection of personal data

Customer data is collected directly from the customer when the company or organization they represent enters into an agreement with Paytrail, or when the customer updates their information. By providing this information, the customer consents to its use for the purposes described in section 5 of this privacy policy.

8. Regular disclosures of data

Personal data may be disclosed to public authorities when required by law, and to companies belonging to the same corporate group within the limitations set by law. Data stored in this register may be provided to salespersons of Paytrail’s products and services for customer care purposes.

9. International data transfers

Personal data may be transferred outside the European Union (EU) or the European Economic Area (EEA) within the limits permitted by law. Such transfers are made only when appropriate safeguards are in place, including:

A. The country has been recognized by the European Commission as providing an adequate level of protection for personal data.
B. Appropriate safeguards are ensured through the use of the European Commission’s standard contractual clauses for personal data transfers.*

* We make every effort to ensure that the contractual clauses applied by our subcontractors are always the most recent version, in line with GDPR case law.

10. Rights of the data subject

The data subject has the following rights regarding the processing of their personal data.

The data subject has the right to access the personal data stored in the register concerning them. An access request must be submitted in writing or electronically to the contact person for the register referred to in section 3.

An access request may be made free of charge once per year. The data controller may charge a reasonable administrative fee for any additional copies requested by the data subject. The payer’s data is stored per payment transaction and is not updated during the course of the transaction.

The data subject has the right to request the rectification of inaccurate or incorrect personal data and the updating of their data.

The data subject has the right to object to and restrict the processing of their personal data. If the processing of personal data is based on consent, the consent may be withdrawn by notice. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

The data subject has the right to erasure (“the right to be forgotten”). In payment services, data is retained for five years from the date of the transaction for statutory reasons, after which it is automatically deleted or anonymized.

If the data subject believes their personal data has been processed unlawfully, they have the right to lodge a complaint with the supervisory authority.

11. Data retention

Personal data will be removed one year after the end of the contractual relationship, if allowed by regulations and if no other agreement has been made. Otherwise, the information is removed after regulation-based requirements have ended.

12. Principles of register protection

Data is securely protected electronically, and physical access is both restricted and monitored. Use of the register is limited, and each authorized user has a personal username and password.

Appropriate safeguards are applied to protect personal data from destruction, loss, or unlawful alteration. Paytrail’s employees, as well as the employees of subcontractors involved in processing Paytrail’s service data, are bound by confidentiality obligations regarding all customer information.

The data controller has implemented appropriate technical and organizational measures to ensure data security. Protection of the register includes, among others, the following measures:

  • Protection of equipment and files
  • Access control
  • User authorizations
  • User log data
  • Processing guidelines and monitoring
  • The data controller also requires subcontractors to apply proper safeguards when processing personal data.