Payment Privacy Notice
Introduction
We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who uses our services and/or uses our website and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the General Data Protection Regulation (EU Regulation 2016/679), the Data Protection Act of 2018 (the “ UK GDPR”) or any other data protection legislation. Please read this Privacy Notice carefully and ensure that you understand it.
This policy applies where we are acting as a data controller with respect to the personal data of users and beneficiaries of payment services in other words, where we determine the purposes and means of the processing of that personal data. Even though we are acting as data processor in the majority of the cases, we may act as data controller in relation to certain payment services which are offered by Unifiedpost Payment SA or its branch offices.
1. Information about us
Unifiedpost Payment SA a limited liability company incorporated and existing under the laws of the Belgium with registered address at Avenue Reine Astrid 92, 1310 La Hulpe (Belgium), and with company number BE0649.890.804 or where Unifiedpost Payments has a branch office, this branch office. (hereinafter referred to as “Unfiedpost” or “we” or ‘us’).
You can contact our Data Protection Officer (‘DPO’) by writing him at the following address: Unifiedpost, for the attention of the DPO – Avenue Reine Astrid 92, 1310 La Hulpe, Belgium or by sending an email to gdpr@unifiedpost.com.
2. What is personal data?
Personal data is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that we use is set out in section 4 of this Privacy Notice.
3. What are my rights?
Under the GDPR, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in section 10.
- The right to access the personal data we hold about you. Section 9 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in section 10 to find out more.
- The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please note that this right is not absolute and can only be exercised if (i) we no longer need your personal data for the original purpose, (ii) if you withdraw your consent for processing it, (iii) if you object to us processing your personal data for our legitimate interest, (iv) if we unlawfully process your personal data or (v) if a local law requires us to erase your personal data. Please contact us using the details in section 10 to find out more.
- The right to restrict (i.e. prevent) the processing of your personal data. You have the right to ask us to restrict the use of your personal data if (i) you believe that the personal data which we hold is inaccurate, (ii) if we are processing the personal data unlawfully, (iii) you have objected to us processing your personal data for our legitimate interests or (iv) we no longer need the personal data for the purposes of processing but you want us to keep this for the establishment, exercise or defence of legal claims.
- The right to object to us using your personal data for a particular purpose or purposes. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise, or defence of legal claims
- The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
- Rights relating to automated decision-making and profiling. You have the right not to be subject to decisions which may legally or significantly affect you and that were based solely on automated processing using your personal data. We will however not use your personal data in this way.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in section 10.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. The contact details of your supervisory authority can be found here. If you are located in the UK, please contact the ICO. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first, using the details in section 10.
4. What personal data do we process?
Depending upon your use of our services, we may collect some or all of the following personal data:
| Category | Description |
| Usage Data | your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. |
| Identification Data |
your name, surname, address, phone number and email address, ID number, nationality, signature, fiscal code/social security number, electronical identification data required to log in to our services. Please note that we will only process your ID number to the extent that such is permitted by the applicable law. |
| Financial and transaction Data | withdrawals, amounts, notifications, payments to or from your accounts or the account of other parties, data on account statements , credit capacity, credit history and information about your payment accounts at other banks, if you have selected to provide us with such information in accordance with the provisions of the second Payment Services Directive as implemented in the relevant national laws. |
| KYC Data | Data which we process as part of our customer due diligence and to prevent fraudulent conduct or behaviour that contravenes international sanctions and to comply with regulations against money laundering, terrorism financing and tax fraud. This includes name, nationality, date of birth, national register number, country of birth, city of birth, country of residence, address, telephone number, e-mail address, ID card, politically exposed, shareholder percentage, card number, card type, date of issuance, place of issuance, ID expiry date. |
| Data obtained via others | Data which we have obtained from other Unifiedpost affiliates or other third parties, such as the relevant national register, the official national gazettes or data from external companies which Unifiedpost payments is using to supplement or enhance its own data. |
In certain cases, we may process sensitive personal data. Sensitive personal data is data relating to your health, ethnicity, religious or political beliefs, genetic or biometric data or criminal data (e.g. information on fraud). We will only process such data if:
- we have your explicit consent;
- if we are required to do so by the applicable local law (e.g. in connection with money laundering or terrorism financing monitoring)
The above data may be obtained in any of the following ways:
- if shared by you with us when you become a customer, register for our services or make use of our services;
- from your organisation when it becomes a customer
- from available third party services (e.g. publications/data bases made available by official authorities or our corporate clients and/or services providers.
The legal basis and purpose for which we process the personal data shall be the following:
| Legal basis | Purpose |
| Compliance with our legal obligations | We may process data to comply with our legal obligations and statutory requirements, including (i) anti- money laundering and terrorist financing laws and regulations, (ii) compliance with legislation relating to sanctions and embargoes, (iii) tax legislation (e.g. to prevent tax fraud or to comply with our notification obligations, (iv) applicable financial regulations. In addition we may process personal data in order to reply to an official request from a duly authorised public or judicial authority. |
| Legitimate interest |
In addition to our compliance with our legal obligations, we may process your personal data for ulterior legitimate interests. When processing personal data for such purposes, we shall always ensure that the impact on your privacy is reduced to a minimum. We may process the data on the basis of legitimate interest for the following purposes: (i) for detection and prevention of fraud, cyber and credit risks, (ii) for internal reporting and/or internal control (i.e. to assess potential risks within Unifiedpost), (iii) for maintaining insurance coverage, (iv) for marketing purposes (i.e. to offer similar products or services (v) necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. |
| Consent | We may process your personal data upon receipt of your consent. This will be the case when (i) you grant us the right to use PSD2 data when we are acting as TPP, (ii) we are processing biometric data for identification purposes or (iii) to answer questions of third parties (unless we have another legal basis such as compliance with our legal obligations). |
| Protection of your vital interests | We may process your personal data to protect your vital interest. We will only process the data necessary if we cannot base it on any of the other purposes mentioned. |
We will not sell your personal data to third parties and will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. If we do use your personal data in this way and you wish us to explain how the new purpose is compatible with the original, please contact us using the details in section 10. If we need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the legal basis which allows us to do so. In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the GDPR, the UK GDPR (or other applicable data protection laws) and your legal rights.
5. Do we share your personal data?
Use of processor(s)
We are free to rely on data processors (which may include any member of the Unifiedpost group). A processor is the natural or legal person who processes your personal data upon request and on behalf of us, the controller. The processor is required to ensure the security and confidentiality of the personal data. The processor will always act on our instructions. We rely on processors for application, security or infrastructure purposes, administrative purposes, customer onboarding, identification and prevention of fraud, , analytic purposes and communication purposes. In addition we may use legal, auditing or other
With a view to the optimal protection of your personal data, we have made the necessary contractual arrangements with our processors to ensure that they apply the highest privacy standards. In any event, data processors shall be required to have the necessary technical and organisational measures in place to protect the personal data.
Sharing of personal data to third parties (other than processors)
In some circumstances we may share certain of your data. Such sharing can be internally, i.e. with other affiliates of the Unifiedpost group or externally, i.e. with other third parties.
| Internal/external | Details on sharing |
| Internally | We may share certain data with other affiliates of the Unifiedpost Group in order to provide you with certain services offered by our Affiliates. We will only do so if we have a legitimate basis to share such data and shall request your consent where such would be required. |
| Externally |
We may share certain data with or receive certain data from:
|
6. International transfers of your personal data
In certain circumstances, we may store or transfer some or all of your personal data in countries that are not part of the EEA. This might for instance be the case when we are making use of processors who make use of specific sub- processors. These are known as "third countries" and may not have data protection laws that are as strong as those in Belgium and/or the EEA. This means that we will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the EEA and under the Data Protection Legislation as follows:
We transfer your personal data to third countries whose levels of data protection are deemed 'adequate' by the European Commission. More information is available from the European Commission.
We use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries. These contracts require the same levels of personal data protection that would apply under the Data Protection Legislation.
Please contact us using the details below in section 10 for further information about the particular data protection mechanisms used by us when transferring your personal data to a third country.
7. How long will we keep your personal data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was originally collected. After that we will, in accordance with the applicable laws and regulations, delete your personal data, anonymize it or aggregate the data to a level that it can no longer be identified.
The effective retention period may depend on the circumstances. Often such retention period is defined by a specific law. For instance: personal data which is obtained within the framework of anti- money laundering must be kept for a period of 10 years after the end of the contractual relationship or the transaction has been executed. Where there is no specific legal requirement, we will look at the applicable statutes of limitations and keep your personal data for such period. In most cases this will be 10 years after the end of the contractual relationship that we have with you but it is possible that we use a shorter retention period.
8. How do we protect your personal data
The security of your personal data is essential to us, and to protect your data we will take appropriate technical and organisational precautions. This means that we have the necessary policies and procedures and IT security measures in place to ensure the confidentiality and integrity of your personal data. These policies, procedures and measures are periodically updated to keep them in line with regulations and market developments.
Internal access to the personal data is limited on a strict ‘need-to-know’ basis. Only authorized personnel, whose activity will be monitored to prevent any misuse, will be able to access the personal data.
9. How can I access my personal data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in section 10 (How do I exercise my rights?).
There is in principle no charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within 15 working days and, in any case, not more than one month after receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
10. How do I exercise my rights?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
Email address: gdpr@unifiedpost.com
In writing to the following address: Unifiedpost, Avenue Reine Astrid 92, 1310 La Hulpe, Belgium (for the attention of the DPO)11. Acting as a data processor
In respect of other data collected through our payment services, we do not act as a data controller; instead, we act as a data processor. Insofar as we act as a data processor rather than a data controller, this policy shall not apply. Our legal rights and obligations as a data processor are instead set out in the contract between us and the relevant data controller.
12. About cookies
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
For more information on the cookies that we use, we refer to our cookie policy.
13. Changes to this Privacy Notice
We reserve the right to change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our website in a way that affects personal data protection and privacy.
Every change will be published on our platform or through our other usual communication channels.
Last update: 19/07/2022