Legal notice

Information on the processing of personal data

Nexi Croatia d.o.o. in the process of accepting card-based payment transactions

INTRODUCTION

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: the General Data Protection Regulation) contains a number of rules ensuring that the processing of personal data is carried out in accordance with the rights and fundamental freedoms of persons. This information on the processing of personal data (hereinafter: Information) includes the requirements of the General Data Protection Regulation.

In accordance with Articles 13 and 14 of the General Data Protection Regulation, we inform you about the personal data that Nexi Croatia d.o.o., Zagreb, Slavonska avenija 1A (hereinafter: Nexi Croatia), as the data controller, collects and processes for the purposes prescribed by the General Data Protection Regulation, your privacy protection, legal bases and purposes of processing, categories and recipients of processing, storage periods as well as your rights as a data subject in relation to the processing of your personal data.

We process and use your personal data that you have entrusted to us lawfully, fairly and transparently, while protecting the security of your personal data from unauthorized or unlawful processing, applying the highest technical, security and organizational protection measures.

This Information applies to any natural person (data subject) who has requested and/or received a service, on whose behalf the service was requested, and to all other natural persons (data subjects) who are not in an immediate contractual relationship with Nexi Croatia on the basis of which the requested/received service is performed, but in a certain way participate in the search for and/or execution and/or reception of these services on the basis of a legal relationship with a natural or legal person who requested and/or received a service.

I. DATA ON THE CONTROLLER

Nexi Croatia d.o.o., Zagreb, Radnička cesta 50 (Grad Zagreb), Tax no. 63558150971, registered in the court register of the Commercial Court in Zagreb, with court register number (MBS) 080693976 (hereinafter: Nexi Croatia) is the controller that processes personal data for the purposes specified in point III of this Information.

If Nexi Croatia is a joint controller of your personal data with another controller based on joint business cooperation and/or based on using a common service we provide to you, you can request additional information regarding the protection and processing of your personal data not only from Nexi Croatia but also from the other controller who jointly processes your data with Nexi Croatia.

II. CONTACT DETAILS OF THE DATA PROTECTION OFFICE

Nexi Croatia has appointed a Data Protection Officer ("Data Protection Officer" or DPO), as required by Article 37 of the General Data Protection Regulation.

Regarding all matters related to the processing of your personal data and/or the exercise of the rights provided for in the General Data Protection Regulation, and as stated in point VIII of this Information, you can also contact the Data Protection Officer in writing at the address of the registered office of Nexi Croatia or to the e-mail address: dpo.CEE@nexigroup.com.

III. CATEGORIES OF PERSONAL DATA, PURPOSES AND LEGAL BASIS OF PROCESSING

We obtain information about the personal data processed by Nexi Croatia either from you as a data subject or from another source depending on the type of business relationship, or the basis and purpose of processing, but only to the extent necessary (for example, for the performance of a contract or for actions preceding the approval of a contract, for the purpose of complying with legal obligations of Nexi Croatia as a controller, on the basis of a legitimate interest of the data controller, or on the basis of your consent).

Information about the categories of personal data processed by Nexi Croatia in connection with a particular type of service it provides either as a data controller or as a data processor, which are not contained in this Information, will be provided by Nexi Croatia when collecting them (in accordance with Article 13 of the General Data Protection Regulation) in writing or by other means (for example, electronically). If you request this, information may also be provided orally, provided that your identity is unequivocally established. If your identity cannot be determined with complete certainty when communicating with you, Nexi Croatia may ask you to provide additional information necessary to securely identify you.

If Nexi Croatia processes your personal data that has not been collected directly from you (for example, if you are a representative or procurator of a legal entity, etc.), you will be informed about the processing of such data within a reasonable period after the personal data are obtained, and no later than one month, taking into account the special circumstances of the processing of personal data, either directly to your e-mail address or in another usual way. Nexi Croatia is not obliged to comply with the foregoing if you already have knowledge of this processing, or if the provision of such information would be impossible or would involve disproportionate effort, or if obtaining such information is expressly required by EU or Croatian law to which Nexi Croatia is subject as the controller and which provides for appropriate measures to protect the legitimate interests of you as a data subject, or if the personal data must remain confidential in accordance with an obligation of professional secrecy regulated by EU or Croatian law.

If you provide us with personal data of third parties for the purpose of concluding a specific legal transaction, we will hold you responsible for the disposal of their personal data and for transmitting the content of this Information to the same persons.

Nexi Croatia will provide you with information on the categories of data not contained in this document at the time of their collection either orally or through a request and a contract on the acceptance of payment transactions based on cards, general terms and conditions, etc.

Categories of personal data

When establishing a business relationship and/or implementing due diligence measures or for some other purpose, such as entering a contract on one of our services, we collect your master data as a representative of the contractual partner – merchant, for example the name, surname, OIB, address of residence and identification document data of authorized legal representatives and beneficial owners, as required by regulations related to the prevention of money laundering and terrorist financing.

In addition to the above category of data, we collect other data necessary to assess the possibilities for the timely fulfillment of all obligations under the card-based payment transaction acceptance agreement.

We use a copy of your identification document/official document with a photo, as authorized legal representatives and/or beneficial owners of the contractual partner – merchant, for the purpose of complying with the legal obligations of Nexi Croatia as data controller under the regulations governing the prevention of money laundering and terrorist financing and/or for the purpose of verifying and confirming your identity when contracting and using a particular service and communicating with you, as well as for updating your data and in the case of Nexi Croatia's legitimate interests in preventing possible fraud, credit assessment of your company or, for example, protection against identity theft (Recital 47 of the General Data Protection Regulation).

In addition to the data mentioned above, in certain cases we also process your contact data (phone, mobile phone, e-mail address), as the person listed as the contact of the contractual partner – the merchant, or where you have installed on your smart device an application for the execution of payment transactions, either for the purpose of executing the contract, or notifying you in connection with the prevention of potential card and other fraud, or direct marketing if you have given us your consent, etc.

In certain cases, we may record telephone conversations, which we will warn you about in advance. Depending on the conversation, if its content includes personal data, Nexi Croatia will request confirmation of your identity by checking particular personal data of yours.

So that you have transparent information about the legal bases and about which data we need to process for a given purpose, we provide you with an informative overview of certain categories of personal data related to a particular type of service or to some other business relationship with Nexi Croatia.

Nexi Croatia may process your data (such as a card number) in case of complaints on behalf of other data controllers who have concluded payment card issuance agreements with you. In such a case, the controllers have concluded contracts on the protection of personal data with Nexi Croatia.

Data on natural persons at contractual partners – merchants and contact persons

Before concluding a contract on the provision of payment services, i.e. accepting cards, and in accordance with our obligations under the Act on Prevention of Money Laundering and Terrorist Financing, we also collect data of authorized persons and owners of a business entity that requests the conclusion of such a contract. For this purpose, for example, we collect first and last name, OIB (Tax no.), address of residence, date and place of birth, identification document data and political exposure (PEP) data.

PURPOSES AND LEGAL BASIS OF PROCESSING

Personal data relating to you, as a representative or as beneficial owner of the contractual partner – the merchant, whether directly collected by Nexi Croatia from you or collected from a third party, Nexi Croatia processes in the framework of its business activity and for the following purposes:

a) Compliance with legal obligations of Nexi Croatia as data controller

For the processing of personal data that is necessary to comply with the legal obligations of Nexi Croatia as a data controller based on national and EU regulations, your consent is not required.

Processing is mandatory, for example, when necessary for the purpose of implementing regulations in the field of anti-money laundering and terrorist financing, taxation, anti-corruption, regulations on the prevention of fraud in payment services or meeting instructions or requirements of supervisory authorities (such as monitoring and operational management at the level of a group of entrepreneurs in the country and abroad to which Nexi Croatia belongs).

b) Legitimate interest of Nexi Croatia as the data controller or a third party

When processing is based on legitimate interests of Nexi Croatia or a third party (Article 6, paragraph 1, item 1, in accordance with Article 10(1) of the General Data Protection Regulation), Nexi Croatia conducts a risk balance test and may process your personal data after the balance test shows that the pursuit of the legitimate interests of Nexi Croatia and/or third parties referred to in this point does not override your fundamental rights and freedoms.

The processing of your personal data, which is necessary for the pursuit of a legitimate interest of Nexi Croatia as a data controller or a third party, includes:

·       use of video surveillance for security purposes (CCTV) in accordance with the regulations of the Republic of Croatia

·       recording of telephone conversations for the purpose of preventing fraud or resolving disputed transactions

·       joint management of the clients and products portfolio, which implies your reasonable expectations as a data subject/client of Nexi Croatia and a member of the Nexi Group, which are based on the offer of products and services of similar characteristics and/or the realization of certain benefits related to belonging to the Nexi Group, which implies but does not limit the availability of information such as, for example, monitoring and risk management at the level of a group of entrepreneurs in the country and abroad to which Nexi Croatia belongs (Recital 47 of the General Data Protection Regulation).

·       responses to surveys and market research, when you are approached as a contact person or representative at an existing contractual partner – a merchant, which includes profiling to the extent related to such direct marketing, i.e. customer market research.

·       additional legitimate interests in which Nexi Croatia, as the controller individually or as a joint controller with members of the Nexi Group and/or with legal entities with proprietary links with a superior institution abroad, may process your personal data, provided that the interests or fundamental rights and freedoms of the data subject do not take precedence over the legitimate interests of Nexi Croatia.

In cases of data processing based on legitimate interest, your consent is not required, but you have the right at any time to object to such processing in the manner described in point VIII of this Information, including profiling.

c) Consent

If you have so far given us your consent to the processing of personal data for certain purposes (e.g. marketing, etc.), the lawfulness of such processing is based on your consent. Any consent may be withdrawn at any time. This also applies to the withdrawal of statements and consents given to us before the entry into force of the General Data Protection Regulation, i.e. before 25 May 2018. Please note that the withdrawal will only take effect for future processing. Likewise, giving or denying consent on your part does not affect the performance of the contract, nor does the termination of a contractual relationship result in the termination of the consent you have given us.

IV. THIRD PARTIES TO WHOM YOUR PERSONAL DATA MAY BE COMMUNICATED

Your personal data related to card acceptance payment services may be provided to: (i) third parties with whom Nexi Croatia has concluded contracts involving the processing of personal data for the purpose of signing and execution of contracts of acceptance of payment transactions via cards, data collection to fulfill obligations from the Law on anti-money laundering and anti-terrorist financing and assessment of credit and other risks, enabling cross-platform users to access details on transactions or other products offered by business partners and for promotion and market research, (ii) archiving of contracts and destruction of documentation or (iii) recipients in respect of whom Nexi Croatia has a prescribed obligation to provide certain data, including, but not limited to, members of the group to which Nexi Croatia belongs at home and abroad and to regulatory authorities.

Personal data may be provided to recipients in respect of whom Nexi Croatia has a prescribed obligation to provide certain data (Croatian National Bank, Tax Office, Office for Prevention of Money Laundering and Terrorist Financing, courts, Ministry of the Interior and other competent authorities).

Nexi Croatia, member of the Nexi Group (Nexi S.p.A.) and third parties to whom your personal data may be transferred may be either (i) controllers (legal entities that determine the purposes and bases of the processing of personal data), or (ii) processors, i.e. legal entities processing personal data on behalf of the controller, or (iii) joint controllers, who determine, together with Nexi Croatia, the relevant purposes and means of processing, as well as consensually determine the roles in processing.

With regard to data on natural persons with contractual partners - merchants and contact persons data, and before concluding a contract on the provision of payment services, i.e. card acceptance, and in accordance with our obligations under the Anti-Money Laundering and Terrorist Financing Act, we also collect data of authorized persons and beneficial owners of a business entity that requests the conclusion of such a contract through an authorized partner of PBZ Card d.o.o., Radnička cesta 44, Zagreb, Tax No. 28495895537, registered in the court register of the Commercial Court in Zagreb, with court register (MBS) 080258649 (hereinafter: PBZ Card).

PBZ Card in this role acts as the data processor, on behalf of and for the account of Nexi Croatia as the data controller, and processes personal data for the purposes of collecting data such as name and surname, Tax no., address of residence, date and place of birth, identification document data and data on political exposure of legal representatives of contractual partners – merchants, or of other persons as dedicated contact points, for the purpose of communications related to the business relationship with the contractual partner – the merchant.

Additionally, Nexi Croatia can also process your data as the designated contact of the contractual partner – merchant, who will have access to applications that enable cross-platform reviewing of transactions.

V. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Your personal data is processed in the Republic of Croatia or the Member States of the European Union where Nexi Croatia or the processors of your data have a registered office.

If necessary, for some technical or operational reasons, Nexi Croatia reserves the right to transfer your personal data to countries outside the European Union, in relation to the European Commission's adequacy decisions or based on appropriate safeguards or certain derogations governed by the General Data Protection Regulation or when such transfer is necessary for the realization of a payment transaction.

 

VI. PERIOD OF RETENTION OF PERSONAL DATA

Your personal data will be processed using manual and electronic means and in a way that ensures their security and confidentiality.

Your personal data are kept for no longer than is necessary to achieve the purpose for which they were processed, without prejudice to statutory retention periods. For example, your personal data are generally kept for the period of 10 years from the termination of the business relationship, in accordance with the retention periods prescribed by the Anti-Money Laundering and Terrorist Financing Act.

In the event that you have made available to us personal data for the purpose of concluding a contractual relationship, but it has not been concluded, we keep personal data exclusively for the time necessary to make a final decision on the conclusion of a contractual relationship, i.e. to accept the offer.

Likewise, your personal data may also be processed for a longer period, if there are objective reasons that lead to the extension of data retention periods beyond the aforementioned period (for example, in the case of court proceedings, and similar). The data retention periods in certain cases are determined by Nexi Croatia as the data controller, but in these cases the data are kept only for as long as necessary for the purposes for which the personal data are processed.

VII. TECHNICAL AND ORGANIZATIONAL MEASURES FOR THE PROTECTION OF PERSONAL DATA

Based on the rules for access rights to personal data, access is provided only to authorized persons who strictly need the data for the purpose of performing daily work tasks or who gain access to personal data based on specific decisions of the controller. All employees and external associates have accepted and signed the appropriate statements on respect for privacy and personal data protection, and the same obligation is prescribed by several internal acts of Nexi Croatia as data controller. Any change of data in the information system is audited/recorded and periodic controls are carried out.

The most up-to-date organisational and technical procedures shall be applied to ensure an adequate level of security in relation to the risk at hand, using the most advanced mechanisms to prevent any accidental or unauthorised destruction of personal data, their loss, unauthorised alteration or disclosure, and unauthorised access to and/or processing of personal data, including in particular:

·       protecting and maintaining the security of premises, equipment and system software

·       protection, provision and maintenance of software applications for the processing of personal data

·       preventing unauthorised access to personal data during transmission, including transmission by telecommunications and over networks

·       ensuring effective means of blocking, destroying, deleting or anonymising personal data

·       supervision of the information system and the implementation of internal acts shall be carried out within the framework of the established system of internal controls.

VIII. RIGHTS OF DATA SUBJECTS

As a data subject, you may exercise your rights under this point at any time in accordance with the rules set out below, by submitting a request to the contact address of the data protection officer of the controller (point II).

With the same procedures, you can withdraw your consent at any time if you have given it to Nexi Croatia.

At your request, Nexi Croatia will provide you with information about the actions taken without undue delay, and no later than within one month. Exceptionally, that period may, where necessary, be extended by a further two months, considering the complexity and number of applications.

If you have submitted your request electronically, the information will be provided to you electronically, if possible, unless you have requested otherwise in your request. If Nexi Croatia does not comply with your request, it will inform you without delay, and no later than one month from receipt of the request, of the reasons why it was not able to act on your request as well as the possibilities of filing a complaint with the supervisory authority.

Any communication and actions taken by Nexi Croatia in connection with the exercise of the rights listed below will be free of charge for you. However, if your claims are manifestly unfounded or excessive, due to their repetitive character, Nexi Croatia may charge you a fee, considering the costs incurred or may refuse to act on your requests.

1. Right of access

You can obtain confirmation from Nexi Croatia whether your personal data is being processed and, if this is the case, you have the right of access to personal data and information provided for in Article 15 of the General Data Protection Regulation, including, for example: processing purposes, categories of personal data, and similar.

If personal data are transferred to a third country or an international organisation, you have the right to be informed of the appropriate safeguards relating to the transfer.

If you request this, Nexi Croatia will provide you with a copy of the personal data being processed.

For any further requested copies, we may charge you a reasonable fee based on administrative costs. If you submit the request through electronic channels, and unless otherwise stated in your request, Nexi Croatia will provide you with the requested information in the usual electronic form. When you submit a request, your identity should be unequivocally established.

2. Right to rectification

You can request from Nexi Croatia the rectification of your personal data if they are inaccurate, as well as, considering the purpose of processing, their amendment, if the data are incomplete.

3. Right to erasure ("right to be forgotten")

You can request the individual deletion of your personal data if one of the reasons stated in Article 17 of the General Data Protection Regulation applies, including, for example, if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the consent on which the processing of your personal data is based has been withdrawn and there is no other legal basis for the processing.

Nexi Croatia must not delete your personal data if their processing is necessary, for example: to comply with a legal obligation of retention, for reasons of public interest, to exercise or defend legal claims, and similar.

4. Right to restriction of processing

You can restrict the processing of your personal data if one of the cases provided for in Article 18 of the General Data Protection Regulation applies, for example: if this is necessary to verify the accuracy of your personal data, and similar.

5. Right to data portability

If the processing of your personal data is based on consent or is necessary for the performance of a contract or for activities undertaken prior to the conclusion of the contract and the processing is carried out by automated means, you can:

·       request the acquisition of personal data in a structured, commonly used and machine-readable format

·       transfer your personal data to another controller.

In addition, you can request that your personal data be transferred directly from Nexi Croatia to another controller if this is technically feasible for Nexi Croatia. In this case, you will provide Nexi Croatia with all the correct information about the new controller to whom you intend to transfer your personal data, giving Nexi Croatia written consent to that transfer.

6. Right to object

You may object at any time, via the contact addresses referred to in point II of this Information, to processing that is carried out for the performance of tasks in the public interest or is necessary for the purposes of the legitimate interest of the controller (including profiling), or if your data are processed by the controller for direct marketing purposes.

If you object, Nexi Croatia shall refrain from further processing of your personal data, unless we can demonstrate compelling legitimate grounds for the processing (grounds overriding the interests, rights and freedoms of the data subject), or the processing is necessary for the establishment, exercise or defence of legal claims.

7. Automated decision-making process, including profiling

Automated processing, including profiling (use of personal data to evaluate certain personal aspects relating to the data subject concerning economic/financial situation, personal preferences, interests, behaviour, reliability, location, etc.), which produces legal effects concerning you or similarly significantly affects you, is authorised if such a decision is necessary for entering into a contract between you and Nexi Croatia, is permitted under Croatian or EU law, or is based on your explicit consent.

In cases of performance of a contract or explicit consent, Nexi Croatia will implement appropriate measures to protect your rights, your freedoms, and your legitimate interest, and you can exercise the right to obtain human intervention by Nexi Croatia, in order to express your views and challenge our decision.

 

8. Right to lodge a complaint with the competent data protection authority

If you believe that the processing of your personal data is a violation of the General Data Protection Regulation and/or applicable regulations, you can also file a complaint with the Personal Data Protection Agency (Web: www.azop.hr), as a national supervisory authority in the Republic of Croatia or a supervisory authority in the EU.

Notwithstanding the foregoing, if you believe that the processing of personal data by Nexi Croatia violates the General Data Protection Regulation or the national implementing regulation, you can contact the controller/data protection officer referred to in points I and II of this Information.

IX. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

With regard to the processing of special categories of personal data (for example, disclosure of racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data relating to the sexual life or sexual orientation of a natural person) necessary for the provision of certain services and products, explicit consent is required, without prejudice to specific cases prescribed by the General Data Protection Regulation allowing the processing of special categories of personal data even without explicit consent. Nexi Croatia does not process your special categories of personal data.

In accordance with Article 21, paragraph 2. 4 of the General Data Protection Regulation, we draw your attention to your right to object pursuant to Article 21 paragraphs 1 and 2 of the General Data Protection Regulation:

Each data subject shall have the right granted by the European legislator to object to processing of personal data concerning him or her, which is based on point (e) of Article 6 paragraph 1 and point (f) of Article paragraph 1 of the General Data Protection Regulation, including profiling based on those provisions, within the meaning referred to in Article 4 paragraph 4 of the General Data Protection Regulation.

If you file a complaint, we will no longer process your personal data for the purposes in question, unless we are able to present compulsory legal grounds for processing that override your interests, rights and freedoms, or if the processing is carried out for the establishment, exercise or defence of legal claims.

In certain cases, we process your personal data for direct marketing purposes. Each data subject shall have the right to object to processing of personal data concerning him or her for such marketing, which shall include profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

Nexi Croatia d.o.o.

Zagreb, December 2022