Przelewy24 service
Detailed information on the processing of[1] personal data[2] of payers using the Przelewy24 service
I. Data administrator.
The data administrator for payers[3] is PayPro SA, with its registered office at Kanclerska 15, 60-327 Poznań, registered in the Companies Register of the National Court Register [KRS], kept by the District Court of Poznań Nowe Miasto i Wilda, 8th Commercial Department of the National Court Register, KRS registration number: 0000347935, tax identification number: 7792369887, registered capital: PLN 4,500,000.00, fully paid.
Contact information for data administrator:
Address:
PayPro SA Kanclerska 15, 60-327 Poznań, Poland
E-mail:
ado@przelewy24.pl
II. Commissioner for Personal Data Protection.
The administrator has appointed a Data Protection Officer, whom you can contact as a payer by e-mail at iod@przelewy24.pl.
III. Objectives and legal basis for the processing of personal data.
PayPro processes your personal data (payer's personal data) primarily for the purposes of the payment services provided by PayPro under the payment acceptance agreement on behalf of the merchant, and which include in particular the processing of payment orders that you send to the merchant.
The above also includes the processing of data in relation to communication between PayPro and you for the purposes stated in the first clause, and in particular the sending of information to you on the payment order and its settlement.
The above also includes the processing of data in relation to the handling of complaints that you submit as a payer or potential payer and which relate to the non-provision or improper provision of payment services or to other objections to the payment services provided.
PayPro processes personal data on the basis of Art. 6 (1) f) of Regulation[4], i.e. because the processing of data is necessary for the purposes of the legally justified interests pursued by the administrator, i.e. the proper provision of payment services by PayPro, including communication with you about the payment services provided.
When processing a complaint, PayPro processes personal data on the basis of Art. 6 (1) c) of that Regulation, as the processing of such data is necessary in order to comply with the legal obligation to handle claims and to maintain records of this process.
Personal data that you provide in relation to the provision of payment services is also processed by PayPro with regard to possible remedies related to the non-performance or improper performance of obligations arising from the contract on acceptance of payments by you or the merchant as part of the payments ordered by you, especially if these are obligations related to the payment of amounts that you owe or that the merchant, PayPro, owes you as a result of non-provision or the improper provision of the payment service.
PayPro processes personal data on the basis of Art. 6 (1) f) of Regulation[5], i.e. because the processing of data is necessary for the purposes of the legitimate interests pursued by the administrator, which are connected with the handling of claims.
PayPro processes your personal data, with the exception of so-called sensitive data[6],[7], in relation to the payment services provided, and to the extent necessary for the relevant bodies to be able to prevent, investigate and detect fraud.
PayPro processes personal data on the basis of Art. 6 (1) c), d) and f) of the Regulation, i.e. due to the fact that processing is necessary to meet the administrator's legal obligation to protect the interests of users of the payment service, as well as for purposes arising from legitimate interests pursued by payment service providers.
PayPro processes your personal data in relation to the provision of payment services in order to meet its obligations under regulations intended to combat money-laundering and the financing of terrorism, and in particular to identify and evaluate the risk of money-laundering and the financing of terrorism, while applying security measures including, but not limited to, customer identification and identity verification.
PayPro processes personal data on the basis of Art. 6 (1) c) of the Regulation in connection with the provisions of the Act Against Money-Laundering and the Financing of Terrorism, i.e. due to the fact that processing is necessary in order to meet the administrator's statutory obligations as a liable entity within the meaning of the Act Against Money-Laundering and the Financing of Terrorism.
PayPro processes your personal data for information purposes, and in particular when offering its own services and services provided by PayPro's affiliates on the market. The foregoing also includes the processing of data associated with communications between PayPro and you regarding the above information and marketing purposes.
PayPro processes personal data on the basis of Art. 6 (1) f) of the Regulation, i.e. for the legitimate purposes of the administrator, and may also process it with your consent (Art. 6 (1) a) of the Regulation).
In addition, PayPro processes your personal data for other legally permissible purposes that are directly or indirectly related to the objectives set out in sections 1–4, in particular for archiving, statistics, audits, management, administration and consultation purposes.
PayPro processes personal data on the basis of Art. 6 (1) f) of the Regulation, i.e. for the legitimate purposes of the administrator.
IV. Categories of personal data processed.
First and foremost, PayPro processes personal data in relation to the realisation of payment services, which include in particular: first and last name, residence addresses, postal addresses, e-mail addresses, payment account numbers, including bank accounts, payment card number, other identification number of the means of payment used, telephone number, and the IP address that you use.
In addition, PayPro processes personal data in relation to the identification of your person and verification of your identity, which primarily includes your first and last name, citizenship, PESEL (Polish ID) number (or date and country of birth if you do not have a PESEL number), number of the document which confirms your identity, and your residence address.
For communication purposes, PayPro primarily processes names, telephone numbers, e-mail addresses, residence addresses and postal addresses.
V. Information on categories of data recipients.
The recipient of the data is the natural or legal person, public authority, entity or other entity to which PayPro provides your personal information, irrespective of whether it is a third party or not[8].
Public authorities which may obtain personal data under a specific procedure in accordance with the law of the European Union or a Member State shall not be considered as recipients.
PayPro therefore informs you about the following categories of recipients:
a. representatives of PayPro, i.e. entities acting on behalf of and for the benefit of PayPro as a payment institution - we hereby state that the only current representative is DialCom24 Sp. z o.o., with its registered office in Poznań;
b. other payment service providers, including your payment service provider, who has made available to you the payment instrument you are currently using; personal data is made available to recipients only in the context of the provision of payment services (Section III.1) and for the purposes set out in Sections III.3 and III.4, as well as in other cases where entities are entitled to obtain information from PayPro; including in particular banks and local branches of foreign banks, credit institutions, electronic money institutions, payment institutions, and operators of payment/credit/virtual cards;
c. entities providing legal services in relation to PayPro's activities;
d. payees, for purposes related to the payment made;
e. entities providing IT services in relation to PayPro's activities, including hosting services;
f. entities performing audit services and other services related to the management of PayPro's activities;
g. professional auditors reviewing documents related to PayPro's business;
h. entities within the PayPro group;
i. entities other than those listed above (including, in particular, supervisory bodies), which are legally entitled to obtain from PayPro information related to PayPro's activities and which may include your personal data;
j. Recipients may also be other entities, provided that such data is shared on the basis of your consent specifying such a recipient.
VI. Information about the intention to transfer personal data to a third country or international organisation
PayPro does not intend to transfer your personal data to a third country (outside the European Economic Area) or to an international organisation.
VII. Period for which personal data will be retained or criteria for determining this period.
Personal data which is processed for the purposes set out in Section III.1 will be processed for the duration of the provision of payment services and 13 months from the date on which the money was credited to your account in connection with the payment services provided, or for 13 months from the date on which the transaction was to be realised and following the expiry of this period for the period stipulated by law (including the Payment Services and Tax Regulations Act). In particular, PayPro, as a Polish payment institution, is obliged to retain documents relating to the provision of payment services for 5 years following their creation or receipt.
Personal data that is processed for the purposes set out in Section III.2 shall be processed for the period specified above, but no later than the expiry of any legal disputes, i.e. the limitation period under the provisions of the law. If the limitation period expires before the end of the period set forth in the previous section, PayPro shall stop processing personal data for the purpose and function set forth in this section, but may continue to process your personal data for the purposes and function set forth in the previous section.
Personal data that is processed for the purposes set out in Section III.3 shall be processed for the time necessary to carry out the purpose, in particular with regard to the limitation period for prosecuting such offences.
Personal data that is processed for the purposes set out in Section III.4 shall be processed for the period set out in the aforementioned provisions of the Act Against Money-Laundering and the Financing of Terrorism, and in particular data collected as a result of security measures shall be stored for 5 years from the first day following the date of the transaction, and data on transactions realised by liable entities and documents related to these transactions shall be retained for a period of 5 years from the first day of the year following the last entry in the register relating to the transaction.
Personal data that is processed for the purposes set out in Section III.5 shall be processed for the duration of the service - in the event that data is processed under Art. 6 (1) f) of the Regulation, but no later than the date on which a reasoned objection is raised.
If the data is processed on the basis of your consent, it shall be processed after the completion of the provision of payment services, for the period specified in your consent, but no later than the date of withdrawal of consent.
Personal data that is processed for the purposes set out in Section III.6 shall be processed for a period appropriate to the purpose of collection. However, if additional data has been collected for the purposes set out in Sections III.1 to III.5, the data shall be processed for the duration of the payment service provision and for 10 years after its completion, but no later than the date of a reasoned objection to such processing.
VIII. Information on the obligation to provide personal data or its absence.
Under legal and contractual obligations, you are required to provide the information listed in Section III.1. Therefore, if you do not provide the information, PayPro will not be able to accept your payment order and provide the payment service.
You are bound by a contractual obligation to provide the data referred to in Section III.2. Therefore, if you do not provide the information, PayPro will not be able to accept your payment order and provide the payment service.
You are bound by the legal obligation to provide the data listed in Sections III.3 and III.4. Therefore, if you do not provide the information, PayPro will not be able to accept your payment order and provide the payment service.
The provision of the information referred to in Section III.5 is voluntary and may be refused. However, if the data is also processed for the purposes described in Sections III.1 to III.4, failure to provide it shall lead to the consequences set out above.
If you are asked to provide additional personal data for the purposes set out in Section III.6 for the purposes set out in Sections III.1 to III.5, their provision is voluntary and you may refuse.
IX. Information about your rights.
You have the right to request access to your personal data from the data administrator, including copies of the personal data being processed. The first copy is provided free of charge. For all other copies you request, the controller may charge a reasonable amount deriving from administrative costs.
You have the right to request that the controller change your personal data if they are incorrect, primarily due to the occurrence of errors during or changes made following their collection. This right also applies to incomplete data.
You have the right to request that the controller delete your personal data in the cases specified in the Regulation, i.e. in the following cases:
- your personal data is no longer necessary for the purposes for which they were collected or otherwise processed, especially if the period in which the controller planned or was obliged to process the data has expired;
- you have revoked your consent (according to the law referred to in Section IX.7) on which the processing of the data is based, unless the controller has other legal reasons for the processing;
- you have raised objections to the processing of personal data (listed in Section IX.5) and there are no overriding legitimate reasons for the processing;
- you have raised objections to the processing (listed in Section IX.6);
- if your personal data have been processed illegally;
- if your personal data must be deleted in order to comply with a statutory obligation under the law of the European Union or a Member State that applies to the controller.
PayPro may refuse a legitimate request to delete the personal data referred to above in cases provided by law, in particular if further processing is necessary to fulfil legal obligations under European Union or Member State law, as well as for the purpose of creating, investigating or defending claims.
You have the right to request that the controller restrict the processing of your personal data under the conditions set out in the Regulation, e.g.:
- if you have doubts about the accuracy of your personal data - for a period of time that allows the controller to verify the accuracy of the information;
- if the processing is unlawful and if you object to the deletion of the data and request that the processing be restricted instead;
- if the controller no longer requires personal data for processing purposes, but you require them for the purpose of creating, investigating or defending claims;
- if you have raised objections to the processing referred to in Section IX.5 - until it is determined whether the legitimate legal grounds of the controller outweigh your objection.
You have the right to object to the processing of your personal data by the controller under Art. 21 (1) of the Regulation, i.e. to raise an objection due to a reason related to your specific situation, namely to the processing of your personal data under Art. 6 (1) e) and f) of the Regulation, including profiling according to these provisions.
In the case of the controller, the above right to object applies to personal data processed for the purposes set out in Sections III.2, III.3, III.5 and III.6.
In the event of such an objection, the controller may no longer process personal data unless it demonstrates the existence of valid legal grounds for processing which outweigh the interests, rights and freedoms of the data subject or grounds for creating, investigating or defending claims. In particular, despite further objections, further processing of the data may result from the purposes set out in Sections III.2 and III.3.
You have the right to object to the processing of your personal data by the controller under Art. 21 (2) of the Regulation, i.e. to object to the processing of your personal data for direct marketing purposes, including profiling in direct marketing processing.
If this right is exercised, the controller is not permitted to continue to process personal data for direct marketing purposes.
You have the right to the transfer of data. You have the right to obtain the personal data you have provided to the controller in a structured, commonly used machine-readable format, and you have the right to send this personal data to another controller without hindrance by the controller.
However, this right is restricted to personal data processed on the basis of your consent or a contract and to cases of automated data processing (we hereby state that PayPro does not process data automatically in the sense of Section X).
When exercising this right, you may request that the controller send your personal data directly to another controller, if technically possible.
You may revoke the consent referred to in Section III.5 at any time. Please note that the revocation of your consent does not affect the lawfulness of any processing that took place on the basis of your consent prior to the revocation.
If consent is revoked, the administrator will stop processing those of your personal data that are being processed solely on the basis of consent. If your personal data is processed for reasons other than consent, the controller may continue to process it as long as the relevant reasons remain valid.
You have the right to file a complaint with a supervisory authority, i.e. one of the bodies appointed by specific EU Member States for the purpose of monitoring compliance with the Regulation.
The supervisory authority in the Republic of Poland is the Inspector General for Personal Data Protection or the Chairman of the Office for Personal Data Protection.
X. Information on automated decision-making, including profiling.
Your data shall not be processed by any automated methods or by profiling.
XI. Processing for purposes other than those for which the data was collected.
With the exception of Section III.6, PayPro does not intend to process your data for purposes other than those for which the data was collected.
[1] The processing of personal data is defined as an act or set of acts performed on personal data or sets of personal data by automated or non-automated means, such as collection, uploading, organisation, storage, customisation or modification, downloading, browsing, use, disclosure or other sharing, pairing, restriction, deletion or destruction.
[2] Personal data is defined as information concerning an identified or identifiable natural person (the person to whom the data relates); an identifiable person is a person who can be directly or indirectly identified, in particular on the basis of such an identifying feature as first and last name, localising data and Internet identifier, as well as one or more specific factors describing the physical, physiological, genetic, psychological, economic, cultural or social identity of a natural person.
[3] Payer: the person who intends to pay, as well as a person who has just paid a specific amount to the payee (e.g. the entity that owns an online store at which the payer has purchased goods for which it wishes to pay or for which it has already paid) via Przelewy24 services. The payee (also called the merchant) makes the payment methods operated by the Przelewy24 service available. The payer uses a means of payment such as electronic banking or a payment card to make the payment.
[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [referred to in this document as the "Regulation" only]
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [referred to in this document as the "Regulation" only]
[6] i.e. personal data revealing racial or ethnic origin; political, religious or philosophical views, membership of parties or unions, health data, genetic code, addictions and sexual life, as well as data on convictions, decisions on penalties, fines and other legal decisions issued during judicial or administrative proceedings [Art. 27, Section 1 of the Personal Data Protection Act of 29 August 1997]
[7] i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of trade unions, and including the processing of genetic data, biometric data for the purpose of unambiguous identification of a natural person, or health data, data relating to the sexual life or sexual orientation of the person [Art. 9 Section 1 of the Regulation]
[8] Third party means a natural or legal person, public authority or other entity which is not a data subject, a processor or a person authorised by the controller or processor to process personal data. Processor means a natural or legal person, public authority or other entity that processes personal data on behalf of the controller.