1.1 For Worldline (as defined in the definitions’ section of this privacy notice and hereafter referred to as ‘Worldline’, ‘it’, ‘its’), the protection of Personal Data is a topic of the utmost importance. The Processing of Data, including Personal Data, is part of its core activities and, accordingly, compliance with Data protection laws and regulations is one of Worldline’s main priorities.
1.2 This Privacy Notice aims at informing Data Subjects on the purposes, nature and scope of the various Processing activities Worldline carries out as a Data Controller when a Data Subject uses Worldline’s Products and Services (e.g. commercial acquiring services).
1.3 This Privacy Notice may be supplemented by additional privacy information provided in the context of specific Products and Services or when required by applicable laws.
2. Information Worldline collects and its sources
2.1 Worldline will qualify as the Data Controller for the processing of:
- Personal Data of Cardholders in its role as the commercial acquirer: e.g. card data (e.g. card/PAN number, expiry date, card type, card issuer), transaction information (e.g. date/time/amount/currency of transaction, authorisation code, transaction ID), cardholder’s photo;
- Personal Data related to Cardholders is collected through the execution of payment transactions in the context of the Products and Services provided to a Cardholder.
- Preferences: e.g. choices regarding marketing communications, purchasing history and preferences, language preferences.
- Special categories of Personal Data: e.g. biometric data (e.g. in case of online authentication and on the condition that this is allowed by applicable law or after having received explicit consent), data revealing political opinions (e.g. if a person is included in the list of politically exposed persons that Worldline has to consult in case of its compliance obligations when necessary by applicable laws).
3. Why does Worldline use the Personal Data?
3.1 Worldline Processes Personal Data for the following purposes:
- When it is necessary for the purposes of execution of the Products and Services and managing its relationship with the Cardholder (including processing the payment transactions, replying to requests for information).
- For operational, regulatory, reporting and administrative purposes and for providing its Products and Services in an efficient, sustainable and compliant way, Worldline may share Personal Data with other members of Worldline Group on the basis of its legitimate interest to improve the efficiency of its operations, enhance security and reduce administrative costs (see also clause 4.3).
- For the purpose of managing risk, detecting and preventing fraud and ensuring the security and business continuity of its operations (including performing fraud and risk analysis using real-time data for monitoring the performance of its systems and detecting possible deficiencies or generating reports to assess performance and compliance with applicable service level agreements or regulatory requirements) on the basis of its and its partners’ legitimate interests to protect assets and promote safety and security on the payments market or on the basis to comply with applicable laws.
- For the purpose of analysing and improving its Products and Services or developing new ones (e.g., the availability of our services to assess and improve our performance or analyse the results and effectiveness of our Products and Services) on the basis of Worldline’s legitimate interest to ensure the quality and improvement of its Products and Services and meet the market’s expectations and requirements.
- For the purpose of market analysis, information services, business intelligence and research we may analyse data, including transaction information (such as generating statistics, aggregated reports or analysis of market trends for internal or external use, benchmarking) on the basis of Worldline’s and its partners’ legitimate interest to improve their product offering, understanding market trends and predicting market behavior. Worldline will take measures to ensure that its legitimate interest will not cause a risk for the rights and freedoms of the Data Subjects by implementing appropriate technical and organizational measures (e.g. anonymization, provision of aggregated reports that do not allow for the re-identification of the Data Subject).
- Worldline Processes Personal Data on the basis of its own legal and regulatory obligations in order to comply with applicable laws and regulations (e.g. AML & KYC, tax, competition, labour, laws applicable to Worldline, accounting laws) and when requested by any judicial authority or governmental authority having or claiming jurisdiction over Worldline or Worldline’s affiliates.
- Worldline may record and monitor phone calls, on the basis of its legitimate interests, such as quality assurance, training, record keeping and being able to defend its legitimate interests and legal claims by retaining relevant evidence.
3.2 Finally, Worldline will process Personal Data in order to enforce its Terms and Conditions and other legal rights on the basis of its legitimate interest to protect its assets and restore any damage caused to Worldline by the Data Subject.
4. Who does Worldline share Personal Data with?
4.1 Worldline will share Personal Data with its affiliates, financial institutions, Card Schemes and other entities that are involved in the processing of electronic payment transactions for the purpose of delivering the Products and Services (e.g. during the processing of payment transactions, Worldline will transfer data to third parties, such as the issuer of the payment means and the card’s scheme in order for the transaction to be completed). In the context of this processing Worldline may transfer Personal Data outside the European Economic Area when this is necessary for the processing of the transaction (e.g. the issuing bank, card scheme or the recipient of the payment is located in a third country). In these cases the third parties act as independent data controllers and Worldline advises to carefully read their privacy notice in order to understand how Personal Data will be processed by them.
4.2 Worldline will share the Cardholders’ and transaction information with the Issuer and the Issuer’s service providers, when it is necessary for providing information on the executed transaction (e.g. response code of the authorization, information to be able to complete refund) and for the purposes of detecting and preventing fraud and proving compliance with its contractual obligations.
4.3 Worldline will share Personal Data with Worldline Group Members for operational, regulatory, compliance and reporting purposes on the basis of its legitimate interest to ensure e.g. continuity, compliance, efficiency and cost reduction. For example, for security, efficiency or cost reduction purposes Worldline may use common infrastructure and IT systems (e.g. hosting servers, backup systems, central customer databases) or some functions may be centralised (e.g. finance, legal, internal audit, communication, customer service, IT and security), for which employees of other Worldline Group members than the legal entity directly providing Products or Services will require access to Personal Data.
4.4 Worldline will share Personal Data with professional advisors and third party providers that assist it with its regulatory, compliance and operational tasks (e.g. fraud prevention, monitoring, detection and analysis agencies, risk and credit reference agencies, lawyers, accountants, external auditors, insurance providers).
4.5 Worldline will also share Personal Data with other entities (data processors) that Process Personal Data on its behalf, according to Worldline’s instructions (e.g. customer support agencies, hosting providers). Worldline will ensure that these entities provide adequate guarantees on the protection of Personal Data and are bound by written agreements to ensure the security of the Personal Data and the protection of rights and freedoms of individuals.
4.6 Worldline will share Personal Data with affiliates and business partners with which it combines its offered Products and Services for the purposes of executing the agreement, ensuring the quality and/or the commercial interests of the parties and complying with applicable standards and obligations. For example, if Worldline acts as a reseller of Products and Services of a third party or offers products in alliance with a Business Partner, Worldline may have to transfer Personal Data to the third party in order for the agreement to be executed (e.g. execution of the contract, calculation of compensation of Parties). In addition, Worldline might be required to share Personal Data with Card Schemes to the extent required by Card Scheme rules.
4.7 Worldline will disclose Personal Data to public authorities, government agencies and judicial authorities (i) if it is required to do so by law or legal process, (ii) when it believes disclosure is necessary to prevent harm or financial loss, (iii) in connection with an investigation of suspected or actual fraudulent or illegal activity, or (iv) when it is required for Worldline to defend itself against legal claims.
4.8 Applicable Anti-Money Laundering and Counter Terrorism Financing Laws authorise Worldline to share information concerning suspicious reported transactions with other entities belonging to Worldline group, including Worldline branches, that are established on the territory of the European Economic Area or third countries (subject to Worldline group policies and applicable laws), and with other financial institutions, when the financial institution receiving this information is involved in the same transaction with the same customer.
4.9 Worldline may also disclose Personal Data in the event of a change of its legal or internal structure. For example, in case of a merger, reorganisation, acquisition, joint venture, bankruptcy, etc. Personal Data will be disclosed to the new entity formed or the new owner of Worldline.
4.10 Worldline may anonymise Personal Data and share aggregated reports on the payment industry market with business partners, as long as Worldline has reasonably ensured that the Data Subject cannot be identified and that the further processing of these reports will not negatively impact the Data Subject.
5. International Data Transfers
5.1 Worldline may transfer Personal Data to third parties (as described in article 4 of the present notice) that may be located in countries other than the country where the Personal Data was collected, including countries outside the European Economic Area (EEA) where data protection and privacy laws or regulations may not be equivalent to the data protection and privacy laws and regulations in the EEA. When the Personal Data is transferred to countries outside the EEA or countries that have not been recognised by the European Commission to have an adequate level of protection, Worldline will either rely on a derogation applicable to the specific situation (e.g. when the transfer is necessary for the performance of a contract with or for the establishment, exercise or defence of a legal claim) or ensure that adequate safeguards have been put in place to ensure the protection of the Personal Data processed in accordance with the applicable legislation (e.g. Standard Data Protection Clauses approved by the European Commission under Article 46 of the GDPR). Please contact Worldline using the contact details provided below for further information.
6. Data Subject Rights
6.1 As Data Subjects, the Cardholders, within the limitations of the applicable Legislation, have the right of information, access, rectification, erasure, restriction of processing, objection to processing and data portability. The Data Subject can direct such a request to Worldline’s Merchant Services Data Protection Office at email@example.com. For the protection of the privacy of Data Subjects, Worldline will be required to verify the identity of the Data Subject before taking actions to address the request.
6.2 The Data Subject can refuse the recording or monitoring of its telephone conversations with the Customer Relations Division of Worldline by other employees or consultants of Worldline for purposes of training and/or employee supervision on a call-by-call basis.
6.3 Under applicable laws, Worldline may be prohibited to disclose specific information to the Data Subject (e.g. prohibition of informing about money laundering or terrorist financing analysis or reporting of suspicious transactions to the competent regulator according to applicable anti-money laundering laws, prohibition of informing about tax law investigations by tax authorities, processing of personal data carried out by Worldline as an operator of essential services which is carried out in compliance with the EU Directive on security of network and information systems (NIS) and the national laws implementing it).
6.4 The Data Subject whose Personal Data are processed in accordance with Anti-Money Laundering laws may not have (i) the right to access and correct his or her data, (ii) the right to be forgotten, (iii) the right to portability of these data, (iv) the right to object, (v) the right not to be profiled, or (vi) the right to the notification of security failures. In these cases, applicable national laws may foresee alternative mechanisms for the data subject to exercise their rights.
6.5 In cases of processing activities based on the Data Subject’s consent the Data Subject’s consent may be withdrawn at any time by informing Worldline accordingly. Note that this withdrawal will be valid for the future only.
6.6 The Data Subject has the right to lodge a complaint with the competent supervisory authority, if, according to its view, one of the processing activities of Worldline is not in compliance with the applicable legislation or Worldline failed to address its Data Subject requests adequately. The Data Subject has the right to lodge the complaint with the competent supervisory authority in the Member State of its habitual residence, its place of work or the place where the alleged infringement of the applicable legislation took place.
7. Does Worldline carry out automated decision-making?
7.1 The processing of electronic payments by Worldline is carried out via automated means. This processing is necessary for the performance of the service. The processing of Cardholders’ data in this context is based on Worldline’s and the Cardholder’s legitimate interest to process the electronic payment efficiently, securely and quickly.
7.2 In the context of providing a service Worldline may carry out processing based on automated decision making. For example, Worldline may rely on automated decision making for fraud detection, analysis and monitoring purposes by defining specific parameters that may mark an electronic payment transaction as fraudulent (e.g. based on the amount, origin or volume of transactions). In these cases the Data Subject has the right to obtain human intervention on the part of Worldline, to express its point of view and to contest the decision.
8. Retention period
8.1 Worldline will retain the Personal Data for as long as necessary to deliver the Products and Services, according to the industry standards and applicable legislation (for example, transaction information may be retained for a period of up to 10 years after the date of transaction) and according to its legitimate business interest, unless prohibited by law, in accordance with this Privacy Notice (for example, Worldline may continue contacting Data Subjects for a period after the end of the Contract or transaction, unless the consent was withdrawn or an objection was made against marketing communications).
8.2 Worldline will use reasonable efforts to ensure that personal information which is no longer required will be disposed of or destroyed in a secure manner.
9. How does Worldline protect my Personal Data?
9.1 Worldline implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and other unlawful or unauthorized forms of Processing, in accordance with applicable law. Worldline maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS).
10. Do I have to provide my Personal Data?
The Products and Services provided by Worldline require Personal Data to be processed. When processing an electronic payment transaction the Personal Data referenced in article 2.3 must be provided and processed in order for Worldline to successfully process the transaction.
11. Contact details
11.1 For any further information, request or complaint concerning the Processing of Personal Data, please contact Worldline’s Financial Services Data Protection Office by email at firstname.lastname@example.org or by post at:
- Worldline Latvia, SIA, Dzirnavu street 37 Riga, LV-1010, Latvia
- Worldline Lietuva, UAB, Ukmerges str. 220 Vilnius 07166, Lithuania
- Worldline Payment Estonia OU, Lõõtsa tn 2a Tallinn, 11415, Harjumaa, Estonia.
12. Updates to this Privacy notice
Worldline may update this Privacy Notice from time to time in order to provide the Data Subjects with up to date and transparent information on its data processing activities. Worldline will take reasonable measures to communicate this Privacy Notice to the Data Subjects (e.g. by posting it on Worldline’s website). The Cardholder can at any time find the latest version of this Privacy Notice on our website.
- Worldline Group Member: any entity that is part of the Worldline group. An entity that leaves the Worldline group of companies will continue to qualify as a Worldline Group Member for the purposes of the Contract during a transition-out phase of maximum 6 months.
- Worldline Baltics:
  - Worldline Latvia, SIA, Dzirnavu street 37 Riga, LV-1010, Latvia
  - Worldline Lietuva, UAB, Ukmerges str. 220 Vilnius 07166, Lithuania
  - Worldline Payment Estonia OU, Lõõtsa tn 2a Tallinn, 11415, Harjumaa, Estonia
- Card Scheme: the set of rules, practices, standards and/or implementation guidelines for the execution of payment transactions, and includes any specific decision-making body, organization or entity accountable for the functioning of the scheme. Examples are Visa, MasterCard, American Express.
- Controller, Processor, Personal Data, Data Subject: These terms shall have the same meaning as the definition given to them in GDPR.
- Legislation: General Data Protection Regulation, formally known as Regulation (EU) 2016/679 (GDPR) and any other relevant EU and national privacy legislation.
- Cardholder: user of electronic payment means making an electronic payment transaction in the ATM network owned by Worldline.
- Personal Information: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
- Products and Services: the products and services provided by Worldline to the Cardholder and subject to changes from time to time.
- Worldline: dependent on the context, any of the operating entities and the local branches of Worldline in Lithuania, Latvia, Estonia.
- Website: https://medusatm.com/