PAYTEND EUROPE, UAB
| Table of Contents |
- Purpose and Scope
- Principles relating to the processing of personal data
- What information we collect, for what purposes, and on what legal basis
3. 1 Categories of personal data being processed
3. 2 Purposes and legal basis for personal data processing - How we collect your personal data
- Our identification tools
- Direct marketing
- Automated decision making
- How we share your personal data
- International transfer of personal data
- How we protect your personal data
- How long we keep your personal data
- Your rights
- Cookie Policy
- Links to other websites
- Changes to this Policy
- Contact us
- Our Data Protection Officer
Used Terms and Abbreviations
| Terms and Abbreviations | Description |
| Policy |
this privacy policy. |
| You |
a potential, existing or former client, our client’s employee, or other parties, such as beneficial owners, authorised representatives, business partners, other associated parties or a person contacting us by e–mail or using other communication means. |
| We or the Company |
PAYTEND EUROPE, UAB is an electronic money institution licensed by the Bank of Lithuania (License No. 41), incorporated and existing in Republic of Lithuania, company registration number 304730875, having its registered office at Pamėnkalnio str. 25-1, LT-01113, Vilnius, Lithuania. |
| Website | https://www.paytend.com/ |
| Group |
any subsidiary, parent company or any related company of the Company in Lithuania or abroad. |
1. Purpose and Scope
In this Policy, we provide you with explanation on what kind of personal data we collect when you use our services (Services).
In any case, all personal data collected by us is processed in accordance with the EU General Data Protection Regulation No. 2016/679 (GDPR), Law on the Legal Protection of Personal Data of the Republic of Lithuania and other applicable legal acts.
2. Principles relating to processing of personal data
We are responsible for ensuring security of your personal data made available to us, in particular to prevent unauthorized access to your data. We are also responsible for ensuring all users with the opportunity to benefit their rights regarding their own personal data.
When processing personal data, we follow the principles of:
- legality, fairness and transparency;
- purpose limitation;
- data reduction;
- accuracy;
- limitation of the length of the storage;
- integrity and confidentiality.
3. What information we collect, for what purposes and on what legal basis
3. 1 Categories of personal data being processed
The personal data we collect can be grouped into the following categories:
|
Type of information |
Personal data |
|---|---|
| 1. Basic personal data |
First, last, middle, maiden names, etc. |
| 2. Identification information and other background verification data (your, or your representatives’ and, ultimate beneficiary owner’s) |
Name, surname, personal identity code, date of birth, any other unique sequence of symbols granted to you, intended for personal identification, country of birth, address, nationality (in the case of a stateless person – the state which issued the identity document), citizenship, gender, copy of passport or ID card and its details (e.g., type, number, place and date of issuance, expiry date, MRZ code, signature), evidence of beneficial ownership or the source of funds (funds for account opening or transactions, occupation/employment information, job title), source of wealth (information on how wealth was obtained), tax information (tax residence, tax identification number), number of shares held, voting rights or part of share capital, title, visually scanned or photographed image of your face or image that you provide through a mobile or desktop camera while using our identification application, video and audio recordings for identification, IP address. Other data that enables us to perform anti-money laundering requirements and ensure the compliance with international sanctions, including the purpose of the business relationship and whether you are a politically exposed person and other data that is required to be processed by us in order to comply with the legal obligation to “know your client” (collected data will differ depending on the client’s risk score). |
| 3. Monetary operations details |
Such as currency, amount, location, date, time, IP address, payer’s and payee's name and registration information, messages and documents sent or received with the payment. |
| 4. Details of your activities in your website account or mobile application |
History of the actions performed in your Website account, mobile application, technical information, including the internet protocol (IP) address used to connect your computer to the internet, your log-in information (e.g., login time), browser type and version, time-zone setting, operating system and platform, type of device you use, unique device identifier (for example, the MAC address of the device's wireless network interface). |
| 5. Details of your activities in our website |
History of the actions performed in our Website, technical information, including the internet protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, operating system and platform, type of device you use. |
| 6. Details of your existing bank account/-s |
Financial institution account number, IBAN number, payment card number. |
| 7. Information related to legal requirements |
Data that the Company is required to provide to public authorities, such as state tax inspectorate, courts, including data on income, payments and other information held by the Company. |
| 8. Contact details |
Phone number, e-mail, residential address. |
| 9. Communication details |
Content of email correspondence or any other form of communication with us (i.e., live chat, blogs, posts). |
| 10. Information about your behaviour |
Social media account details, interests, product or service preferences, other information about your behaviour and your activity on our Website, mobile application. |
| 11. Special category data |
Biometric data. |
3.2 Purposes and legal basis for personal data processing
|
Purpose |
Legal basis |
Categories of personal data |
|---|---|---|
| To enter into a contract with you, or to take pre-contractual steps at your request |
|
|
| To perform the contract concluded with you, including (but not limited to) provision of the Services |
|
|
| To carry out ongoing Client Due Diligence (CDD) and prevent, identify, investigate and report money laundering, terrorism financing (ML/TF) and other related violations, including suspicious transactions and potential market abuse |
|
(the scope of personal data depends on the client's profile, specific situation and may include all or part of personal data specified above) |
| To comply with other legal requirements under applicable legislation |
|
|
| To identify you remotely |
|
|
| To prevent, limit and investigate any misuse or unlawful use or disturbance of Services or to establish, exercise and defend legal claims |
|
|
| To ensure adequate provisions of Services, the safety of information within the Services, as well as to improve and deliver better Services |
|
|
| To provide an answer when you contact us via our Website or other communication means |
|
|
| To manage documents |
|
|
| To archive documents |
|
|
We do not process special category data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using the Services (e.g., in payments details).
If you provide us personal data about other people (such as your spouse or family) or you ask us to share their personal data with third parties, you confirm that you have brought this Policy to their attention beforehand.
The definitions used above are understood as follows:
Legitimate interest: legitimate interests are our business needs in conducting and managing our Services to create better benefits for our clients, increase the quality of our Services, and at the same to ensure ours and our clients' interests.
Contract performance: processing your personal data where it is necessary for the performance of a contract to which you are a party or to take pre-contractual measures before entering into such a contract.
Legal obligations: processing your personal data where it is necessary for compliance with a legal or regulatory obligations that we are subject to.
Consent: your consent shall mean any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify your agreement to the processing of personal data relating to you. We can request from you a consent for processing when we do not have another legal basis for processing of your data.
4. How we collect your personal data
We collect information that you provide directly to us when you:
- fill out any forms on our Website and/or mobile application;
- open an account or use any other Services;
- contact us by using other means of communication (e.g., via our social network accounts).
We may also receive your personal data from third parties. In particular:
- we may receive personal data from third parties such as public or private registers and databases. This includes information to help us check your identity, if applicable, information about your spouse and family, and information relating to your transactions;
- occasionally we will use publicly available information about you from publicly available sources (e.g., media, online registers and directories) and websites for enhanced due diligence checks, security searches and other purposes related to client due diligence processes;
- we may receive personal data from a third party which is connected to you or is dealing with us, for example, business partners, sub–contractors, service providers, merchants and etc.;
- we may receive personal data from banks or other financial institutions in case the personal data is received while executing payment operations;
- we may receive personal data from other entities which we collaborate with.
5. Our identification tools
In order to perform your identity verification, we use the services provided by our partner Sum and Substance LTD (hereinafter – Sumsub). The Service Provider takes the photo images or video recordings of your face and your ID document that you provide through a mobile application or a dedicated website using the camera. For more information on Sumsub please read their Privacy Policy.
Sumsub solution is used for comparing live photographic data or video record of you and your ID document, to comply with legal obligations (e.g., implementation of the obligations under the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania and other fraud and crime prevention purposes) and risk management obligations.
The result of the face similarity (match or mismatch) will be retained for as long as it is necessary to carry out verification and for the period required by anti-money laundering laws.
Your face similarity check is a process of comparing data acquired at the time of verification, i.e., this is a one-time user authorization by comparing person's photos to each other. Your facial template is not created, recorded or stored. It is not possible to regenerate the raw data from the retained information.
When using Sumsub services, the personal data is used for your identification, since Sumsub compare the image of the person in the identity document and the person captured in the photo. This process shall allow us to verify your identity more precisely and make the process quicker and easier to execute. If you do not feel comfortable with this identification method, you may contact us by e-mail at dpo@paytend.com for an alternative way to identify you.
6. Direct marketing
In case you are existing clients (i.e., you already use our Services), we may use your e-mail address for direct marketing purposes, but only regarding products and/or services that are similar or related to the Services, and only if you do not object to such use of your e-mail address. You are also granted with a clear, free of charge and easily enforceable possibility to object or withdraw from such use of your contact details.
In other cases, we may use your personal data for the purpose of direct marketing, only if you give us your prior consent regarding such use of the data.
We are entitled to offer the services provided by our business partners or other third parties to you or find out your opinion on different matters in relation to our business partners or other third parties taking account of the legal basis for this, i.e., your prior consent.
In case you do not agree to receive these marketing messages offered by us, our business partners or third parties, this will not have any impact on the provision of Services to you as the client.
We provide a clear, free-of-charge and easily enforceable possibility not to give your consent or, at any time, to withdraw your consent to receive our marketing messages. We shall state in each notification sent by e-mail that you are entitled to object to the processing of the personal data, and to refuse receiving messages from us. You shall be able to refuse receiving our marketing messages by clicking on the respective link in each marketing e-mail received from us.
7. Automated decision making
In some cases, we may use automated decision-making which refers to a decision taken solely on the basis of automated processing of your personal data.
Automated decision-making refers to the processing using, for example, a software code or an algorithm, which does not require human intervention.
We may use forms of automated decision making on processing your personal data for some services and products. You can request a manual review of the accuracy of an automated decision in case you are not satisfied with it.
For more information about your rights please see the section Your rights.
8. How we share your personal data
The following is a list of key recipients, to whom your personal data might be disclosed to:
- Thunes:
- UAB kredito unijų namai:
- Tribepayments LTD:
- UnionPay International:
- Mastercard:
- Visa
We may also share your personal data with other recipients, such as:
- public authorities, institutions, organisations, courts and other third parties, but only upon request and only when required by applicable laws, or in cases and under procedures provided for by applicable laws;
- third parties providing services to the Company including providers of legal, financial, auditing, tax, business management, personnel administration, accounting, advertising (including online advertising), direct marketing, communications, data centres, hosting, cloud and/or other services. In each case, we provide such third parties with only as much data as necessary to provide their services. Service providers engaged by us may process your personal data only in accordance with our instructions and may not use them for other purposes;
- third parties for the purpose of performance of the contract concluded with you;
- third parties, when we intend to enter into a business sale transaction and/or to perform legal and/or financial due diligence of us prior to such transaction;
- Centrolink (personal data included in the payment orders and payment handling instructions will be processed within the Centrolink system);
- other persons with your consent.
9. International transfer of personal data
In case your personal data is transferred outside the European Economic Area (EEA), we will take necessary steps to ensure that your data is treated securely and in accordance with this Policy and we will ensure that it is protected and transferred in a manner consistent with the legal requirements applicable to the personal data. This can be done in a number of different ways, for example:
- the country to which we send the personal data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection;
- the recipient has signed or contains in its terms of service (service agreement) standard contractual clauses adopted by the European Commission;
- special permission has been obtained from a supervisory authority.
We may transfer personal data to a third country by taking other measures if it ensures appropriate safeguards as indicated in the GDPR or on the basis of derogations.
We also inform you that some of the cookies used on our Website may transfer the personal data collected to third countries (e.g. United States of America). The transfer of cookies personal data to third countries is carried out in order to ensure the functioning of our Website to improve your experience and to provide you with communications that we consider relevant to you. For more information, please see our Cookie policy.
10. How we protect your personal data
Please note that, although no system of technology is completely secure, we have to implement appropriate security measures in order to minimize the risks of unauthorized access to or improper use of your personal information.
We and our third-party service providers that may be engaged in the processing of personal data on our behalf (for the purposes indicated above) are contractually obligated to respect the confidentiality of the personal data.
A variety of logical and physical security measures are used to keep your personal data safe and prevent unauthorized access, usage, or disclosure of it (the list indicated below is not exhaustive): we use antivirus software, information security policies, access restriction, we regularly review our information collection, storage, and processing practices to prevent unauthorized access to our systems, we use mandatory data encryption and password protection, carry out regular penetration tests and backup of data, etc.
1. Data storage and display
- Sensitive data involving individuals is stored using AES-RSA double encryption.
- No displaying sensitive personal data, only showing part of data that necessary to be displayed.
- Strictly restrict the printing of personal sensitive data in the system log.
- Regularly destroy expired personal data.
2. General principles of access control
Logical access to IT systems can only be granted to authorized persons. Depending on the tasks and responsibilities of the users, authorization can only be granted to persons who are properly trained and whose access to the systems is properly controlled.
Access to data and systems must be limited to the maximum extent necessary for the performance of a particular function or service.
The logical access control of information and processing facilities shall take into consideration of:
- Operation and security requirements; classification of information.
- The Law on Legal Protection of Personal Data of the Republic of Lithuania and other legal, regulatory and contractual requirements.
- Job functions ("need to know" principle).
3. Granting and revoking access
Access to the company's information systems must be provided only on the basis of a valid contract (work or services).
Access to information systems is restricted to authorized users, and users can only use specific, defined, documented and validated applications and the level of access rights.
Computer and communication system access control must be based on a user ID, which must be unique to each individual user, thus ensuring individual accountability.
Any user who has access (remote or internal) to the company’s networks and systems must be authenticated. The level of authentication must be appropriate to the classification of the information and the method of data transmission. The user can be authenticated in the following ways (but not limited to):
Unique user identifier and At least one of the following:
- Biometric identification
- Electronic signature
- Password
- Tokens
Access control functions are separated, and procedures of approving, reviewing, and revoking access requests are established, which are performed when registering a request for system administrators. System access cannot be granted to any user without proper authentication. Employee access is created on the instructions of the company manager. When granting access to customers, the data of the supervisor shall be specified in the service agreement. The head of the company/supervisor of the client must immediately inform the system administrator of any significant changes in the duties or employee status of the end user.
User access must be terminated immediately if the employment has been terminated. In addition, the User’s privileges must be changed accordingly if the user is transferred to another position. The responsible person, together with the system administrator, must regularly (at least once a year) review the access privileges granted to users.
Transferring access privileges (passwords, keys, access cards) to other persons or attempting to access unclassified data is considered a serious breach of information security and the user may be subject to disciplinary action.
Infrastructure and systems administrators have the right to block access of users and software without notice if there is a suspicion of a potential security breach. System users must alert infrastructure and system administrators if they notice a security breach or potential one when working with resources to which they have been granted access.
4. Third party access
When it comes to sharing user data with third parties, we will regularly maintain a list of such third-party organizations.
Signing a corresponding written contract or commitment with a third-party organization to clarify the responsibility of the third-party organization for the security protection of user data.
Before sharing user data with a third-party organization, make sure that the organization has measures and methods to protect user data safely.
11. How long we keep your personal data
We will keep your personal data for as long as it is needed for the purposes for which your data was collected and processed, including for the purposes to comply with any legal, regulatory, tax, accounting or reporting obligations. This means that we store your data for as long as it is necessary for provision of the Services and as required by the retention requirements in laws and regulations. If the legislation of the Republic of Lithuania does not provide any applicable data retention period, it shall be determined by us, taking into account the legitimate purpose of the data retention, the legal basis and the principles of lawful processing of the personal data.
The terms of data retention of the personal data for the purposes of the processing of the personal data as specified in this Policy are as follows:
a) as long as your consent remains in force, if there are no other legal requirements which shall be fulfilled with regard to the personal data processing. We reserve the right to retain records of any consent given and withdrawn for a period of time necessary to protect our rights;b) in case of the conclusion and execution of contracts – until the contract concluded between you and us remains in force and up to 10 years after the relationship between you and us has ended;
c) the personal data collected for the implementation of the obligations under the Law on the Prevention of Money Laundering and Terrorist Financing shall be stored up to 8 (eight) years as provided in the same law. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority;
In the cases when the terms of data keeping are indicated in the legislative regulations, the legislative regulations are applied.
We may retain your personal data for a longer period if:
a) it is necessary in order for us to defend ourselves against existing or threatened claims, or to exercise our rights, or for the proper resolution of dispute, complaint or claim;b) there is a reasonable suspicion of illegal activity;
c) it is required by applicable laws.
Upon expiration of the retention period, we will delete and/or reliably and irrevocably depersonalize your data as soon as possible, within a reasonable time required to perform such action.
12. Your rights
- The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data.
- The right to access. You have the right to request from us the copies of your personal data. Where your requests are excessive, in particular if they are being sent with a repetitive character, we may refuse to act on the request, or charge a reasonable fee taking into account the administrative costs for providing the information. The assessment of the excessiveness of the request will be made by us.
- The right to rectification. You have the right to request us to correct or update your personal data at any time, in particular if your personal data is incomplete or incorrect.
- The right to data portability. The personal data provided by you is portable. You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- The right to be forgotten. When there is no good reason for us to process your personal data anymore, you can ask us to delete your data. We will take reasonable steps to respond to your request. If your personal data is no longer needed and we are not required by law to retain it, we will delete, destroy or permanently de-identify it.
- The right to restrict processing. You have the right to restrict the processing of your personal data in certain situations (e. g. you want us to investigate whether it is accurate; we no longer need your personal data, but you want us to continue holding it for you in connection with a legal claim).
- The right to object processing. Under certain circumstances you have the right to object to certain types of processing (e. g. receiving notification emails). However, if you object us using personal data which we need in order to provide our Services, we may need to close your payment account as we will not be able to provide the Services.
- The right to file a complaint with a supervisory authority. You have the right to file a complaint directly the State Data Protection Inspectorate of Lithuania if you believe that the personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. You may apply in accordance with the procedures for handling complaints that are established by the State Data Protection Inspectorate and which may be found by this link: https://vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas.
- Rights related to automated decision-making. You have the right not to be subject to a decision which is based solely on automated processing and which produces legal or other significant effects. In particular, you have the right:
- to obtain human intervention;
- to express point of view;
- to obtain an explanation of the decision reached after an assessment; and
- to challenge such a decision.
- Right to withdraw your consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
If you would like to exercise any of these rights, please contact us via e-mail: dpo@paytend.com. We may request additional information from you to verify your identity.
Your requests will be fulfilled, or fulfilment of your requests will be refused by specifying the reasons for such refusal, within 30 (thirty) calendar days from the date of submission of the request that complies with our internal rules and the GDPR. The afore-mentioned time frame may be extended by 60 (sixty) calendar days taking into account the complexity and number of the requests. The Company will inform you of any such extension within 30 (thirty) calendar days of receipt of the request, together with the reasons for the delay.
We may refuse to satisfy you request if the exception and/or limitation to the exercise of data subjects’ right set out in the GDPR apply, and/or if your request is found to be manifestly unfounded or disproportionate. If we refuse to satisfy your request, we will give you our reason for such refusal in writing.
13. Cookie policy
If you access our information or Services through our Website, you should be aware that we use cookies.
For more information on how to control your cookie settings and browser settings or how to delete cookies from your device, please read the Cookie Policy available on our Website.
14. Links to other websites
Our Website may contain links to other websites which are not operated by the Company. When you decide to click on these links and be led to such websites, we recommend familiarising yourself with their privacy policies or notices, cookie policies and/or other documents. The Company assumes no responsibility for the content, policies or practices of such third-party websites or services.
15. Changes of this Policy
We regularly review this Policy and reserve the right to modify it at any time in accordance with applicable laws and regulations. Any changes will take effect immediately upon their publication on our Website.
Please review this Policy from time to time to stay updated regarding any changes.
16. Contact us
You may contact us by writing an e-mail to service@paytend.com.
17. Our Data Protection Officer
Our Data Protection Officer (DPO) continuously monitors our privacy compliance and communicates with us on data protection matters relevant to the provision of our Services. You may contact our DPO regarding all issues relating to our Company’s processing of your personal data and the exercise of your data protection rights by sending an email to the address: dpo@paytend.com.