Data Privacy Notice – Paytrail Customer Management Systems

Your security and privacy is important to us.

Data Privacy Notice – Paytrail Customer Management Systems

January 23rd, 2025

1. General

This privacy notice provides information required by EU’s General data protection regulation (EU) 2016/679 (later data protection regulation) and national data privacy law (2018/1050) to both registrants and regulating authority.

2. Data controller

Paytrail Plc, later ”Paytrail”.

3. Contact person regarding registry

Markku Hänninen
Innova 2
Lutakonaukio 7
40100 Jyväskylä
Finland

Contact Paytrail’s customer service at: www.paytrail.com/en/contact

4. Name of the register

Paytrail Customer Management Systems Data Registry.

5. Purpose of processing and legal grounds for processing personal data

Personal data is processed to provide for creation and delivery of agreed services to customer, development of services, invoicing, management and development of customer relationship, and statistical purposes.

Processing of personal data is based on data regulation’s article 6. Lawful basis for processing personal data and examples of each processing case can be found below:

Lawful basis	Example
Consent	Direct marketing Customer can withdraw consent for direct marketing.
Data controller’s or third party’s legitimate interest	Activity based on legitimate interest: - Direct marketing - Communications related to service - Merchant portal user analytics - Information security logs Direct marketing is allowed to representative of entity in regards of service that is contractually provided. Representative can withdraw consent for direct marketing via request. Communications to representative for example for purposes of invoicing issues
Requirement by law or public authority	Act on Preventing Money Laundering and Terrorist Financing. Act on sanctions. As Payment institution, Paytrail is mandated by law to know their customers. Example: - Law requires, that Paytrail has the personal information of persons in charge.

6. Data content of registry

Personal data of representative of Company or Organization.

Paytrail’s customer support systems store following data:

- Name of representative
- Email of representative
- Phone number of representative
- Electronic communications with support and sales
- Social security number *
- Person data from beneficial owners and persons in charge of the company **
- User analytics from Merchant portal ***

* Social security number will be stored from person who signs the contract with Paytrail, in addition, information is gathered from persons in charge and beneficial owners, depending on company form.
** Suomen Asiakastieto ltd. Provides automatically following information: social security number, name, citizenship, residene, position in company, number of stock or ownership portion, new default notes. Information gathered depends on company form and changes in persons in charge and beneficial owners.
*** Merchant portal user analytics monitors how users are using the user interface (including used search parameters) and functionality to improve the merchant portal. Analytics does not store any content from the portal and 3rd party data about the use of the portal is pseudonymized, so it alone cannot be used to identify user in question.

7. Collection of personal data

Customer data is provided by the customer or when the company represented by the person enters contract with Paytrail or when customer modifies information provided. Performing these acts, customer accepts processing of personal data in manner set by part 5 of this privacy notice.

8. Data sharing

Personal data can be shared to public authority when required by law and to companies belonging to same corporation group within limitations set by law. Data stored to this registry may be provided to sales person of Paytrail’s products and services for customer care purposes.

9. International data transfers

Data may be disclosed outside the EU or the European Economic Area within the limits of the law. Transfers outside of EU/ETA area are only performed, when necessary data protection guarantees are in force, such as:

A. Country is deemed to have good enough data protection level for personal data by the EU commission
B. EU model clauses* are used to assure data protection methods in use when personal data is transferred.

*We aim to make sure, that subcontractors we use always have the latest version of model clauses in use based on legal praxis of GDRP.

10. Rights of registrant

Registrant has right to be notified when personal data is processed.

Registrant has right to inspect what information regarding registrant is collected to the register. Request to inspect information must be sent in written form or electronically to contact person of data registry found from part 3 of this privacy notice.

Request to inspect information can be done free of charge once in a year. Data controller can request moderate fee for any additional copies of personal data requested. Registrant’s data is stored separately based on payment assignment and the information will no be updated during payment process.

Registrant has right to demand correction of incorrect or faulty personal data and updating of personal data.

Registrant has right to object processing of personal data and right to restrict processing of personal data. If data processing is based on consent, it can be withdrawn by notification. However, withdrawal of consent does not prevent processing of personal data, that has been collected before consent was withdrawn.

Registrant has right to be forgotten, relating to payment service, data is stored for five years from the payment based on requirement by law. After five years, the data is automatically deleted/anonymized.

If registrant deems that the processing of personal data is not lawful, registrant has the right to make complaint to a relevant public authority.

11. Data retention

Personal data will be removed one year after end of contractual relationship, if allowed by regulations, if no other agreement has been made. Otherwise, information is removed after regulation based requirements have ended.

12. Security principles regarding the register

Personal data is protected with appropriate information security measures and physical access is restricted and monitored. Use of registry is restricted and every user of register has personal access credentials.

Appropriate measures are used, that keep the personal data secure from destruction, from being lost and unlawful changes. Paytrail’s personnel and personnel of subcontractors have professional confidentiality concerning all customer data.

Data controller has protected the personal data with appropriate technical and organizational measures. Following measures, among others, are taken with protection of registry data:

- Securing devices and files
- Access control
- Personal credentials
- Log of user activities
- Instructions for data processing and monitoring of processing
- Data controller requires subcontractors to have appropriate measures to protect personal data