PAYSURF is committed to respecting your privacy and protecting the data you share with us when you subscribe to products and/or services and throughout your exchanges with our teams. This strong commitment is reflected in our Data Protection Policy.
PAYSURF makes privacy and the protection of personal data a priority. This document demonstrates our commitment to implementing appropriate technical and organisational measures when collecting and using your data when you subscribe to products and/or services and throughout our relationship, for the responsible use of your personal data.
PAYSURF undertakes to comply with all the obligations incumbent upon it resulting from the regulations applicable to the processing of personal data, especially:
- regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 applicable as of 25th May 2018 (hereinafter “the General Data Protection Regulation” or “GDPR”)
- the French Data Protection Act n°78-17 of 6th January 1978 as amended
- the opinions and recommendations of the supervisory authorities, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (“G29 Group”) or the European Data Protection Committee.
Personal data is also protected by the professional secrecy by which we are bound.
1. Some definitions
- “Personal data”: any information relating to a natural person who is identified or can be identified directly or indirectly by an identifying element such as a name, telephone number, postal address, email address, identification number, location data, etc.
- “Processing of personal data”: any operation carried out on personal data such as collection, recording, organisation, retention, adaptation, modification, extraction, consultation, use, interconnection, limitation, erasure, destruction, etc.
- “Controller”: the natural or public or private legal person or service which determines the purposes and means of the processing, either alone or in coordination with others.
- “Processor”: the natural or public or private legal person or service which processes personal data on behalf of the controller.
2. The Data Protection Officer
PAYSURF has appointed a Data Protection Officer. Specialised in the protection of personal data, their task is to inform and advise the controller, to ensure compliance with the applicable regulations and in particular to ensure that the rights of individuals are respected (see paragraph 9 below).
The Data Protection Officer is also the privileged contact for the French National Commission on Informatics and Liberty (CNIL).
3. Personal Data collected
The personal data that we collect or hold about you is strictly necessary for our business to enable us to offer you suitable products and/or services.
We are required to collect:
- data relating to your identity such as your first name(s), surname(s), date and place of birth, etc.
- contact information such as your postal address, email address, telephone number(s), etc.
- identification and authentication data such as your specimen signature, IP address, etc.
- tax data such as tax number, tax status, principal residence, etc.
- banking and financial data such as bank details, transfers, assets, card number
- data collected through cookies (Article 11 below).
Data may be collected directly from you or from the following sources (non-exhaustive list):
- publications or databases such as the French Official Gazette, the French Official Bulletin of Civil and Commercial Announcements
- anti-fraud agencies
- websites, social networks concerning data that you have made public
- our subcontractors
- the use of prospect files.
Finally, we may become aware of personal data of persons who are not customers of PAYSURF. Example (non-exhaustive list):
4. Purposes of the processing operations
The processing operations implemented by PAYSURF fulfil specific, explicit and legitimate purposes.
In particular, your data may be processed to:
- provide you with products and services adapted to your needs
- communicate information to you about these products and services, in particular by email, post, or telephone calls. These communications relate to our existing products and services as well as new services and exclusive offers that may be of interest to you. The electronic communications (emails, SMS, etc.) sent to you may concern products and services similar to those to which you have subscribed, in accordance with Article L34-5 of the French Postal and Electronic Communications Code. You can let us know at any time that you no longer wish to receive commercial communications. If you ask us to stop sending you communications or if you wish to receive such communications again, we will keep a computer record of such requests as evidence.
- manage the business relationship and more generally the commercial relationship
- manage and execute our services for the products and services to which you have subscribed, such as payment transactions (acquisition of payment transactions, transfers, direct debits, etc.)
- collect our receivables
- engage in prospecting, sales promotion, profiling and segmentation, and statistical studies
- comply with legal and regulatory obligations, in particular with regard to “know your customer”, the fight against money laundering and the financing of terrorism, risk assessment, security and the prevention of non-payment and fraud, the fight against tax fraud, compliance with obligations to determine tax status, tax audits and declarations, and obligations relating to financial markets
- record and store some of the conversations and communications that we may have with you, whatever their medium (mainly electronic messages, face-to-face interviews, telephone calls, etc.), in particular for the purposes of improving the telephone manner, complying with legal and regulatory obligations relating to the financial markets and ensuring the security of the transactions carried out.
5. Legal basis of the processing operations
We make sure that each of our processing operations is carried out in compliance with its legal basis, whether this is:
- the performance of a contract signed or to be signed with you or the provision of pre-contractual information
- meeting our legal and regulatory obligations
- the response to our legitimate interests
- obtaining your consent for a specific processing operation.
6. Recipients of the personal data collected and processed
Your personal data will only be communicated to authorised and specified recipients. These recipients may have access to your data to the extent necessary to fulfil the purposes described above.
Recipients may include the following parties:
- our institution as the controller
- our authorised personnel
- institutions and companies in the group to which we belong and our partners
- service providers and subcontractors performing services on our behalf
- duly empowered judicial and/or administrative authorities
- regulated professions (e.g. notaries, lawyers, bailiffs).
7. Retention of your personal data
Your personal data is kept for the duration of the relationship as long as you use our products and services. It may be retained beyond the term of the relationship, in particular to comply with applicable regulations, to assert our rights or to defend our interests.
Your data may be archived for a longer period of time for the management of complaints and/or disputes, to meet our regulatory obligations, to satisfy the request of duly authorised judicial or administrative authorities.
As regards customers, depending on their nature and the applicable legislation, data may be kept for up to 10 years after the end of the relationship or operation.
Data relating to prospects may be kept for a period of 3 years from the date of collection or from the last contact with you.
Personal data is kept for the duration necessary for the fulfilment of the purposes for which it is processed. It will then be securely destroyed or made anonymous.
Where personal data is collected for more than one purpose, it shall be kept until the end of the longest retention or archiving period.
8. Transfer of personal data outside the European Union
In limited cases and for strictly limited purposes, your personal data may be transferred to a country outside the European Union. We will ensure it is protected:
- by the existence of an adequacy decision issued by the European Commission which recognises an adequate level of protection in the recipient country
- if the level of protection has not been recognised as equivalent by the European Commission, we rely on the implementation of appropriate safeguards such as standard contractual clauses approved by the European Commission.
9. Your rights
You have rights regarding the collection and processing of your personal data, which may be exercised under the conditions set out in the regulations in force, namely:
- the right to be informed in a comprehensible, easily accessible way about the processing of your data that is carried out
- the right to access your data
- the right to rectify and request the modification of your data that is inaccurate or incomplete
- the right to have your data erased, unless we have legal or legitimate reasons to retain it
- the right to object to the processing when this is based on the legitimate interest of the controller
- the right to object, at no cost and without having to justify your request, to the use of your data for commercial prospecting purposes
- the right to limit the processing of your personal data
- the right to the portability of your data when the processing is based on consent or the execution of contracts and the processing is carried out by means of automated processes
- the right to withdraw your consent at any time when the processing of your personal data is based on your consent
- the right to give specific or general instructions concerning the storage, deletion and communication of your personal data, applicable after your death
- the right to file a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 place de Fontenoy TSA 80715 75334 PARIS CEDEX 07 or online at www.cnil.fr/fr/plaintes.
We would like to specify that the exercise of some of these rights may result, on a case-by-case basis, in PAYSURF being unable to provide the service.
In addition, we may be entitled to continue to process your personal data despite the exercise of your right to erase, limit or oppose the processing of your data if we have a legitimate interest in doing so or if regulatory provisions require us to retain your data.
You can exercise any of the rights listed above by writing to the following address:
Data Protection Officer
63 chemin Antoine Pardon
69814 Tassin CEDEX
10. Security of your personal data
We implement technical and organisational measures to protect your data, including appropriate physical, logical, and organisational security measures, encryption and anonymisation, to ensure the confidentiality and integrity of your data and to prevent unauthorised access.
11. Cookies
Our cookie management policy is available on our website.
12. Update of the data protection policy
Our data protection policy will be regularly updated to take into account legislative and regulatory developments.
We invite you to consult the latest version available on our website.