Privacy Information Notice

LAST UPDATED: 15 May 2018

Privacy Notice

At EMS, the privacy and security of your data is of the utmost importance. We have implemented global policies and procedures to ensure that we take all appropriate steps to protect your data in what we do and in support of our binding corporate rules (see here for more information).

This privacy notice will inform you how we collect, use, and protect your personal data and tell you about your rights and how the law protects you.

We may change this notice at any time but will notify you of any significant changes to it before they take effect.

1.         Important information and who we are

2.         The data we collect about you

3.         How is your personal data collected?

4.         How we use your personal data

5.         Automated Decisions, Credit Reference Agencies and Fraud Prevention Agencies

6.         Who we share your personal data with

7.         International transfers

8.         How we keep your data safe

9.         How long will you use my personal data?

10.       Your individual legal rights

11.       Complaints Handling Procedures

12.       Cookies

13.       This Website is Not Directed to Children or Teens

14.       This Website May Be Linked to Other Websites

1. Important information and who we are

Purpose of this privacy notice

It is important that you read this privacy notice together with any other privacy notice we may provide on specific occasions (such as when we conclude a contract with you). This privacy notice supplements the other notices and is not intended to override them.

Controller

First Data is made up of different legal entities. This privacy notice is issued on behalf of the First Data group of companies so when we mention "First Data", "we", "us" or "our" in this privacy notice, we are referring to the relevant company in the First Data group responsible for handling your data. We will let you know which member of the First Data group will be the controller for your data. That information will be provided either in the contract we sign with you or in a privacy notice we provide to you that specifically relates to the relationship we have with you.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Contact details

Our full details are:​

Data Protection Officer, First Data

Email address: dpo@emspay.eu

Postal address: 

Floor 29
1 Canada Square
Canary Wharf
London E14 5AB

You have the right to make a complaint at any time to a data protection authority 

 

First Data’s Privacy Principles

All members of the First Data group are committed to the following privacy principles (more information on each principle is contained in our binding corporate rules, available here):

  • We process Personal Data fairly and lawfully
  • We obtain Personal Data only for carrying out lawful business activities
  • We limit our access to, and use of Personal Data and we do not store Personal Data longer than necessary
  • Personal Data will be accurate and, where necessary, kept up-to-date
  • We implement data protection by design and default
  • We transfer Personal Data only for limited purposes
  • We use appropriate security safeguards
  • We respect Data Subject rights as required by applicable data protection and privacy law
  • We recognise a Data Subject's right to object to direct marketing by First Data
  • We recognise the importance of data privacy and hold ourselves accountable to our Data Protection Standards

2. The data we collect about you

Personal data, or personal information, means any information that relates to an identifiable individual. It does not include data where all means of determining the individual’s identity has been removed (anonymous data).

In the course of our business, we process personal data relating to any or all of the following:

  • Our clients and their customers in connection with the provision of services;
  • Merchants accepting payments;
  • Individuals (cardholders) making payment transactions;
  • Vendors, partners and contractors in connection with their supply of services to us;
  • Independent sales organisations (ISOs) and referrers in connection with our relationships with them;
  • Our prospective clients;
  • The employees or other staff, agents or advisors of any of the above;
  • Applicants for employment, contingent worker, or contractor positions with First Data.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Category of Data

Description

Client Information (including Cardholder Information)

  • contact information of clients' personnel
  • information relating to the client's account
  • clients' customers' contact details including:
    • name
    • address
    • telephone numbers
    • account information (including other persons on the account)
    • spend thresholds
    • details of clients' customers' spending and spending patterns

Merchant Information

  • details of the merchants accepting payment transactions where these are individuals
  • contact information of merchants' personnel, including:
    • name
    • email address
    • telephone numbers
    • such other personal data as may be required in order for First Data to conduct business with them, e.g., role within organisation

Vendor, ISO and Referrer Information

  • contact information of the personnel of vendors, ISOs and referrers including:
    • name
    • email address
    • telephone numbers
    • such other personal data as may be required in order for First Data to conduct business with them, e.g., role within organisation

Correspondence

  • details and content of correspondence between you and us, including (where relevant) recordings of telephone calls

Financial Data

  • bank account, payment card or other payment details

Transaction Data

  • transactions initiated by cardholders with our clients and/or merchants, including in some cases details of products/services purchased by cardholders
  • payments relating to products and services purchased from or by us

Technical Data

  • details about the technology you use to access our websites, applications or other products or services, including:
    • IP address
    • Login data
    • Browser type

In respect of the information collected in connection with this website, more detail is included in Use of Cookies on this Website below.

Usage Data

  • details about how you use our websites, applications or other products or services

Special Categories of Personal Data

  • in very limited circumstances we may need to process special categories of personal data, such as where we authenticate a payment using your fingerprint. Where that is the case, we will only process this type of data where the law allows.
  • special categories of personal data we may process are:
    • racial or ethnic origin;
    • any biometric data (where used to confirm your identity);
    • information relating to criminal convictions or offences.

We may also collect, create, use and share data on an aggregated basis such as statistical or demographic data.

3. How is your personal data collected?

We collect information from a number of sources:

Source

Examples

You

  • Financial and Transaction data relating to a payment transaction initiated by you with one of our clients
  • Where you complete one of our online forms
  • If you make an application for a product or service
  • Correspondence in the course of our business dealings with you
  • Technical and session information collected from your computer/device when you access our websites, applications, and/or platforms including as described in more detail below under Cookies and in our Cookies Disclosure
  • If you apply for a position with us

Our Clients

  • Financial and Transaction data relating to a payment transaction initiated by you with one of our clients

Other First Data Group Companies

  • Many of our group companies provide services to other members of the group involving your personal data. Where that is the case, your personal data will be shared between those group companies

Other Third Parties

  • You might be referred to us by an ISO or other referral business
  • We may also receive data from other third parties including:
    • Card associations
    • Credit reference agencies
    • Fraud prevention agencies
    • Government and law enforcement agencies
    • Data aggregators or other vendors
    • Agents working on our behalf

Public Sources

  • Company registries and filings
  • Information on the Electoral Roll

Information We Create

  • Our records of your use of our services
  • Correspondence we may have with you
  • Records of our contact with you about a potential position

 

If you fail to provide personal data

Where we request personal data directly from you, you do not have to provide it to us. If you decide not to provide the requested information, in some circumstances we, or our clients, may be unable to provide products or services to you. For example, we may be unable to process your transaction.

4. How we use your personal data

We will only use your personal data when doing so satisfies both the law and our privacy principles.

As part of that commitment, we will only use your personal data if we have an appropriate reason for doing so. Those reasons can be one or more of the following:

  • Where necessary to perform a contract with you;
  • Where processing your data is in our legitimate interest, and that interest is not overridden by your own interests, rights or freedoms;
  • Where we are obliged by law to process your personal data in a particular way or it is necessary in the public interest to do so;
  • You have consented to our processing your personal data.

Even where we have an appropriate reason for processing your personal data, we must ensure that we do so in a manner which is fair to you, and does not go beyond the reasons why we first collected your data.

Purposes for which we will use your personal data

Below is a list of the activities we undertake which could involve your personal data, along with our reasons for carrying them out. Where one of our reasons for a particular activity is our legitimate interest, we have also explained what those interests are. If you would like further information on our legitimate interests as applied to your personal information, please contact us.  

For simplicity, we have shortened references to our reasons for processing your personal data (described in more detail above) to “Contract”, “Legitimate Interest”, “Law” and “Consent”.

Activity

Reason

Our legitimate interest (if relevant)

Fulfilling a payment transaction initiated by you (either with us or our client)

  • Legitimate Interest
  • Law
  • Ensuring we comply with our contractual, legal and regulatory requirements

Managing our relationship with you or your company

  • Contract
  • Legitimate Interest
  • Law
  • Keeping our records up to date

Carrying out our obligations, and exercising our rights, under our agreement with your or your company

  • Contract

 

 

Research and development

  • Legitimate Interest
  • Law
  • Developing our product and service offerings
  • Ensuring we comply with our contractual, legal and regulatory requirements

Checking for fraud or money laundering and/or managing either our or our clients’ risk

  • Contract
  • Legitimate Interest
  • Law

(if special categories of personal data are processed for this Activity)

  • Consent
  • Ensuring we comply with our contractual, legal and regulatory requirements
  • Minimising our business risk
  • Improving how we detect fraud and/or manage risks

Administering and protecting our business

  • Legitimate Interest
  • Law

(if special categories of personal data are processed for this Activity)

  • Consent
  • Improving the efficiency of our business operations
  • Ensuring we comply with our contractual, legal and regulatory requirements
  • Keeping our records up to date

Developing and carrying out marketing activities

  • Legitimate Interest
  • Consent
  • Concluding how customers use our products and/or services and to develop them
  • Growing our business
  • Informing our marketing strategy
  • Obtaining your consent when we need it

Marketing

We may use your personal data to form a view on what products or services we think you may want or need, or what may be of interest to you.

You may receive marketing communications from us if you have actively expressed your interest in making a purchase or have made a purchase from us and, in each case, you have not opted out of receiving that marketing.

We will get your express opt-in consent before we share your personal data with any company outside the First Data group for marketing purposes.

You can ask us or third parties to stop sending you marketing messages at any time by contacting us using the details at Contact us above or clicking on the opt-out link included in each marketing message.

Should you choose to opt out of receiving our marketing messages, we will continue to carry out our other relevant activities using your personal data.

5. Automated Decisions, Credit Reference Agencies and Fraud Prevention Agencies

We sometimes make automated decisions based on your personal data (whether provided by you or collected by us from third parties such as credit reference and fraud prevention agencies). Where an automated decision is made, it will relate to credit scoring, anti-money laundering checks or fraud prevention checks. Such checks will be based on information available to us, which will be verified against minimum contractual / legal requirements. We will only do this where it is required in connection with a contract, or by law.

In connection with all automated decisions, the methods used are regularly tested to make sure that they remain fair, effective and unbiased.

You can contact us for more information on automated decision making. Please also see Your individual legal rights below.

6. Who we share your personal data with

Where we are permitted to, we will share your personal data with other First Data group companies and any of the following:

  • our clients;
  • companies who need it to process a transaction, such as merchants, banks or other card issuers card associations, debit network operators and their members;
  • credit reference agencies;
  • fraud protection and risk management agencies;
  • identification and information verification agencies;
  • vendors and others that help us process payments (including their sub-contractors);
  • third party suppliers engaged to host, manage, maintain and develop our website and IT systems;
  • our professional advisers, including lawyers and auditors;
  • any third party that you have given us permission to use who is not otherwise covered by the other listed categories;
  • third parties to whom we may sell or transfer all or part of our business in the future; and
  • any third party where we are required by law to do so (such as tax authorities).

Where we do share your personal data with third parties, we will only do so where they will apply appropriate security measures to the data they receive from us. If you would like further information on the ways in which we share your personal information, please contact us.

7 International transfers

We share your personal data within the First Data Group, including outside the European Economic Area (EEA).

We ensure your personal data is protected by requiring all our group companies to apply our global policies and procedures and to legally commit to our privacy principles when processing your personal data. These polices are called "binding corporate rules", a copy of them can be found here.

Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA to an external third party, we ensure it is protected by using one of the following safeguards:

  • Ensuring data is transferred only to a country that has laws that protect your personal data in the same way as it would be in the EEA.
  • Using a contract approved by the European Commission (sometimes called “Model Clauses”). 
  • Using companies in the US that have signed up to Privacy Shield, an approved set of privacy standards specifically designed for data sent to the US from the EEA.

You can contact us to obtain further details of the safeguards applicable to your personal data.

8. How we keep your data safe

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We maintain annual compliance with global Payment Card Industry Data Security Standard (PCI DSS) adopted by the payment card brands for all companies that process, store or transmit cardholder data. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. How long will you use my personal data?

We will use your personal data for as long as necessary based on why we collected it and what we use it for. This may include our need to satisfy a legal, regulatory, accounting, or reporting requirement.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

You can contact us for details of the retention periods applicable to your personal data. In general terms, we will retain your personal data for the duration of your involvement/engagement with us and for as long as reasonably necessary afterwards. There are also certain types of information which are required to be retained for a certain period by law.

10. Your individual legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. There may be legal or other reasons why we cannot, or are not obliged to, fulfil a request to exercise your rights. We will confirm what they are if that is the case.

You have a right to:

  • Access. You are entitled to ask us if we are processing your personal data and, if so, for a copy of the personal data we hold about you and to check that we are lawfully processing it, as well as obtain other information about our processing activities.
  • Correction. If any personal data we hold about you is incomplete or inaccurate, you can require us to correct it, though we may need to verify the accuracy of the new data you provide to us.
  • Erasure. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
  • Object. Where our reason for processing your personal data is legitimate interest you may object to processing as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Restriction. You may ask us to suspend our use of your personal data in the following scenarios:
  • if you want us to establish the data's accuracy;
  • where our use of your personal data is unlawful but you do not want us to erase it;
  • where you need us to hold your data for a longer period than we usually would, because you need it to establish, exercise or defend legal claims; or
  • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Transfer. Where it is possible, we will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to personal data provided by you which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent. Where our reason for processing is based on your consent, you may withdraw that consent at any time. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • Automated decision making. The right not to be subject to automated decision making (e.g., profiling) that significantly affects you. The exercise of this right is not available to you in the following cases:
    • The automated decision is required to enter into, or perform, a contract with you.
    • We have your explicit consent to make such a decision.
    • The automated decision is authorised by local law of an EU member state.

However, in the first two cases set out above, you still have the right to obtain human intervention in respect of the decision, to express your point of view and to contest the decision.

How to make an Individual Rights Request

Individuals may contact First Data to request that we take some action in connection with their personal data. Requests should be referred to the DPO: dpo@emspay.eu.

No fee usually required

You will not have to pay a fee to exercise any of your rights relating to your personal data. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure you are entitled to exercise a right in respect of your personal data, for example, a merchant identification number or account number. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Processing your Information Request

We will respond to all legitimate requests promptly and, in any event, within any timeframes prescribed by applicable law. In general, we must respond to queries within one month from the receipt of the request, so it is important that requests are identified and sent to dpo@emspay.eu as soon as possible. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

In the event that we are not able to provide the information you requested, we will provide you with a written explanation for our decision. For example, we are not required to comply with a request to erase data if processing the data is necessary to: exercise freedom of expression and information; comply with law or legal claims; act in the interest of the public health or public interest; or support scientific or historical research purposes or statistical purposes.

We will use available lawful exemptions to your individual rights to the extent appropriate.

Any transmission of your personal data will be handled in a secure manner.

11. Complaints Handling Procedures

Should you have any complaints or inquiries related to:

  • our handling of your individual rights as a data subject;
  • our compliance with our binding corporate rules;
  • our privacy practices generally;

you may contact our Data Privacy Hotline at +1 800-368-1000, which is available 24 hours per day. The Hotline is the most appropriate contact for an urgent concern, such as a potential breach regarding your personal data, and we will work together with the Data Protection Officer to resolve your concerns.

Alternatively, you may contact our Data Protection Officer and local privacy officers at dpo@emspay.eu You also have the right to make a complaint at any time to a data protection authority.

12. Cookies

We, our service providers, and partners collect certain information by using automated means, such as cookies and web beacons, when you interact with our advertisements, mobile applications, or visit our websites, pages, or other digital assets. This information may include IP address, browser type, operating system, referring URLs, and information on actions taken or interaction with our digital assets. A “cookie” is a text file placed on a computer’s hard drive by a web server. A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, is used to transmit information back to a web server.

We may use third-party web analytics services on our websites and mobile apps, such as those of Adobe Omniture. The analytics providers that administer these services use technologies such as cookies and web beacons to help us analyze how visitors use our websites and apps.

We, our service providers, and our partners may also collect information about your activities on our websites and apps for use in providing you with content and advertising tailored to your individual interests. The information collected for these purposes may include details about things like the particular pages or advertisements you view on our websites and the actions you take on our websites and apps.

For more information about cookies, including how to see what cookies have been set and how to manage, block and delete them, see www.allaboutcookies.org/

13. This Website is Not Directed to Children or Teens

Our website is not directed to children or teens under the age of majority. First Data does not knowingly collect Personal Data at our website from persons who are not legal adults.

14. This Website May Link to Other Websites

When you visit our website, you may click to websites of our affiliated companies. Those websites may have their own privacy notices that are tailored to the products and services our affiliated companies offer; in those cases, this privacy notice does not apply. If you visit the websites of our affiliated companies, please read the privacy notices for those websites.

We may also link to third-party websites. EMS is not responsible for the privacy practices of any third party, and this privacy notice does not apply to their websites. EMS does not guarantee, approve, or endorse any information, material, services, or products contained on or available through any linked third-party website. EMS is not responsible for any content on third-party websites linked from or to www.emspay.nl. EMS provides links to third-party websites as a convenience and visiting or using linked third-party websites is at your own risk.

This privacy notice applies only to the information we collect on www.emspay.nl This privacy notice does not apply to information we collect through other methods or sources, including sites owned or operated by our affiliates, vendors, or partners.