DATA PROTECTION POLICY
Welcome to the PAYONE Service Portal. In the following, we will provide you with information about type, scope and purposes of processing your personal data and your rights.
You can rest assured that we process your personal data exclusively as mandated by statutory data protection provisions. But data protection is more than just a legal obligation for us. In fact, data protection in practice is a customer-oriented quality feature and is our highest priority at PAYONE.
| Controller: | PAYONE GmbH, Lyoner Strasse 15, 60528 Frankfurt am Main, email: info@payone.com |
| Data Protection Officer: | The Data Protection Officer of PAYONE GmbH, Lyoner Strasse 15, 60528 Frankfurt am Main, privacy@payone.com |
1. Categories of data which may be processed
1.1 When visiting our website and using the website functions
| Data categories: | Purpose of processing: | Legal basis: | Speicherdauer: |
|---|
| Name, address and contact details, payment details, company information (e.g. legal form, branche), contract data, invoices, transaction information (masked) and reporting, login data, registration code. | - Registration on the portal and use of the portal functions
- Storage and download of documents
- Order processing, correspondence
| Art. 6 (1) 1 lit. b) GDPR | - Until the user unsubscribes and the corresponding retention periods expire.
|
Server log data:
IP address, website usage data (log data about website access or file access, e.g. name of the file accessed, date and time of access, amount of data transferred) and device information (e.g. operating system, browser type and version), cookie information in session cookies
| - Network communications
- Functionality and security of the website
- Detection and elimination of faults and errors
| Art. 6 (1) 1 lit. f) GDPR, § 25 (2) TDDDG - The legitimate interest in the temporary storage of the log data (server log files) and session cookie information is in our interest for the efficient and secure provision of our website
| - 7 days
- If further storage is required for evidence purposes, the data will be deleted after the incident has been conclusively clarified
- Session cookies are automatically deleted at the end of the browser session
|
Analysis data:
IP address (partially anonymised, as described below), website usage data (cookie information) | - Website analysis and optimisation, marketing
- See also the following information
| Art. 6 (1) 1 lit. a) and f) GDPR, § 25 (1) TDDDG | - Cookies can be deleted at any time under Point 2.4 Cookie settings and revocation within this Data Protection Policy and using the browser settings
- See also the following information relating to the erasure of the stored data
|
| Name, email address, information about yourself or your company, type of data protection request, information about your enquiry, identification documents | - Replying to queries in the PAYONE data protection web form
- Other communication relating to your data protection request
| Art. 6 (1) 1 lit. c) GDPR | - 4 years
- Identification documents are deleted immediately after final processing
|
2. Data recipients
Personal data is transferred to the following data recipients for the purpose of providing our website services: Data centre operators and tracking service providers as well as other service providers that assist PAYONE in fulfilling our obligations and providing our services. See below for more information.
2.1 Group wide data transfers
PAYONE is part of the globally active Worldline Group with its headquarters in Paris, France. In the context of IT services, in particular for support services, certain group entities of the Worldline Group may process personal data in their capacity as our service provider. All group entities are based within the EU/EEA. We ensure an appropriate level of data protection through contractual as well as technical and organizational measures.
2.2 Website analysis and marketing tools
Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (provider of Google Analytics), https://www.google.de/intl/de/analytics/
This website uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and analyse the activities of a user across devices in this way.
Google Analytics enables an analysis of your use of the website. The information generated by Google Analytics about your use of this website is usually transferred to a Google server in the USA and stored there. By interposing a proxy server for server-side tagging of our data, we ensure that any PII (Personally Identifiable Information) is deleted or modified in such a way that user recognition is not possible. Only after this step is the tagged data sent to Google Analytics. Likewise, no data is collected or shared across websites. Google will use this information on our behalf to evaluate your use of the website, compile reports on website activity and provide us with other services related to website activity and Internet usage.
Your usage behaviour will only be analysed by Google Analytics with your express consent (opt-in). You can withdraw your consent at any time with future effect under Point 2.5 Cookie settings and revocation within this Data Protection Policy. The legal basis for the use of Google Analytics is § 25 (1) TDDDG and Art. 6 (1) 1 lit. a) GDPR.
Google is headquartered in the USA. The EU Commission has confirmed that all companies certified under the EU-U.S. Data Privacy Framework have an adequate level of data protection comparable to that in the EU. The companies that are part of the EU-U.S. Data Privacy Framework can be viewed at https://www.dataprivacyframework.gov/s/participant-search . Google is certified accordingly.
The data sent by us and linked with cookies, user IDs (e.g. user ID) or advertising IDs will be automatically deleted after 14 months. Data with an expired retention period is automatically deleted once a month.
More details are available in Google’s Terms of use and data protection policy.
2.3 External media and third-party services
Use of social media plug-ins using the Shariff solution
Our website uses social plugins (“plugins”) from social networks. In order to increase the protection of your data when you visit our website, the plugins are not unlimited and are only added to the page using an HTML link („ShariffLösung“ from c't). This integration ensures that no connection is established with the servers of the provider of the respective social network when you access a page on our website which contains these plugins. If you click on one of the buttons, a new window will open in your browser and access the webpage of the respective service provider, where you can (for example, after entering your login data) press the Like or Share button. The purpose and scope of the data collection and the further processing and use of the data by the providers on their pages, as well as your rights in this regard and the setting options to protect your privacy, can be found in the providers' data protection information:
2.4 Cookie settings and revocation
Cookie-Settings
Note: You can also prevent cookies from being saved at any time by changing the appropriate settings in your browser software. You can also allow only certain types of cookies or delete individual or all cookies. However, we would like to point out that in this case, you may not be able to use all functions of this website to their full extent.
3. Data transfer to third countries
☐ No
☒ Yes
| Third-country recipient: | Appropriate guarantees: | Purpose of processing: |
|---|
Google Inc. / Google LLC
1600 Amphitheatre Parkway Mountain View, CA 94043, USA | ☒ EU standard contract clauses (SCC)
☒ Recognition as a safe third country by the EU Commission (adequacy decision)
☐ Officially approved Binding Corporate Rules (BCRs)
☐ Standard data protection clauses approved by the regulatory authorities
☐ Code of conduct approved by the regulatory authorities
☐ Approved certification process
☐ Statutory derogation (Art. 49 GDPR)
| Website analysis and optimisation, marketing Integration of videos and fonts |
4. Rights of data subjects
| Statutory data protection law: | Content: | Legal basis: |
|---|
| Access | Right to information about the processed personal data concerning you and further information relating to the data processing which concerns you (e.g. processing purposes, data recipients). | Art. 15 GDPR |
| Rectification | Right to rectify inaccurate personal data relating to you or to complete incomplete personal data. | Art. 16 GDPR |
| Erasure (“right to be forgotten”) | Right to erasure of personal data concerning you under certain conditions (e.g. cessation of purpose, revocation of consent). | Art. 17 GDPR |
| Restrictions on processing | Right to restrict the processing of personal data concerning you under certain conditions (e.g. contested accuracy of the data for the duration of the review). | Art. 18 GDPR |
| Data portability | Right to receive personal data prepared in a structured, widely used and machine-readable format in order to be able to transfer the data to another location or right to transfer the data directly to the other location, to the extent that this is technically feasible, under certain conditions.
| Art. 20 GDPR |
| Objection | Right to object to the processing of your personal data under certain conditions. | Art. 21 GDPR |
| Right of lodging a complaint with the responsible supervisory authority | Right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of your personal data breaches the GDPR. For example, this may be the supervisory authority responsible for PAYONE: The Hesse Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de/.
| Art. 57(1) f GDPR, Art. 77 GDPR, Art. 77 DSGVO |
| Right of withdrawal | Right to withdraw your consent to the processing of your personal data at any time with future effect. | Art. 7 Abs. 3 GDPR |
To exercise your statutory data protection rights, please use our PAYONE Data protection web form.
Note on the right of objection
You may object to the processing of your data under the conditions of Art. 21 GDPR at any time, provided that the data processing is based on our legitimate interests or those of a third party (data processing based on Art. 6 (1) p. 1 lit. f) GDPR). In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
5. Additional information about data processing
| Legal obligation to provide personal data: | ☒ No
☐ Yes |
| Contractual obligation to provide personal data: | ☐ No
☒ Yes, for the purposes specified above. |
| Possible consequences of non-provision: | Only relevant for contact and form fields. If you do not provide your data, we will be unable to process your request. |
| Will an automated decision-making process take place? | ☒ No
☐ Yes |
| What is the source of the personal data? (If not collected from the data subject): | Not relevant, as none of your personal data is obtained from third-party sources. |
6. Form fields/ TLS encryption
If you send us enquiries using the contact form, data such as your details on the enquiry form, including the contact details you provided, will be stored by us for the purpose of processing the enquiry and in the event of any follow-up questions. We will not pass on this data without your consent. Our website uses TLS encryption for security reasons and to protect the transmission of confidential content that you send to us. This means that data that you transfer through this website cannot be read by third parties. You can recognise an encrypted connection by the "https: //" address line of your browser and the lock symbol in the browser line. Further information about the processing and storage duration can be found in Point 1 Categories of data which may be processed.
7. Cookies
Version
01.2025