Privacy policy effective from March 1st 2018 to April 1st 2021
This communication is provided pursuant to S. 5(2)(as of Act No. 101/2000 Coll., which makes provision with respect to personal data protection, as amended, and with effect from 25/5/2018 pursuant to Article 6(1)(c) of Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
About Us
- GOPAY (hereinafter also referred to as the “Data Controller”) means GOPAY s. r. o., registered office in Planá 67, 370 01 České Budějovice, company identification number: 26046768, entered in the Commercial Register maintained by the Regional Court in České Budějovice, Section C, Entry 11030. Terms such as “we”, “us”, “our”, “ours”, etc., that may be used in the Privacy Policy also have the same meaning. GOPAY is an electronic money institution that issues Electronic Money within the meaning of S. 4 of Czech Act No. 370/2017 Coll., which makes provision with respect to the payment system, and operates the GoPay Payment System.
Basic Information
- This Privacy Policy (hereinafter referred to as the “Privacy Policy”) governs the way we process personal data and ensure their protection in the GoPay Payment System. We abide by Czech Act No. 101/2000 Coll., which makes provision with respect to personal data protection, as amended (hereinafter referred to as the “Personal Data Protection Act”), and with effect from 25/5/2018 by Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).
- When processing personal data, we take care that no harm is done to the rights of natural persons in relation to the processing of personal data. At the same time, we are obliged to fulfil the provisions of pertinent legal regulations and apply reasonable measures to protect the legal order, democratic society and its specific important interests, as stated hereinafter.
- Pursuant to S. 2(1)(b)(5) of Act No. 253/2008 Coll., which makes provision with respect to selected measures against the legalisation of proceeds of crime and financing of terrorism (hereinafter referred to as the “AML Act”), we are an obliged entity.
- Pursuant to S. 7 and S. 8 of the AML Act an obliged entity has a statutory duty to perform the identification of its clients to the extent of personal data stated hereinafter in order to prevent the misuse of the financial system for the legalisation of proceeds of crime and financing of terrorism and also perform due diligence of clients in cases stipulated by the law pursuant to S. 9 of the AML Act.
What Personal Data We Process
- Within the meaning of Act No. 101/2000 Coll., which makes provision with respect to personal data protection, as amended (hereinafter referred to as the “Personal Data Protection Act”), and with effect from 25/5/2018 within the meaning of the GDPR we are entitled to process your personal data (hereinafter referred to as the “Personal Data”) to the following extent:
- Name, surname, degree, birth code or date of birth, place of birth, sex;
- Permanent residence or other residence and citizenship, phone number, e-mail address;
- Copies of identification documents proving your identity;
- From natural persons doing business: business name, distinguishing denomination or another designation, place of business and the person’s identification number; then
- Bank account number including the name of the account holder;
- Data about implemented and cancelled payment transactions;
- Data about any credit, debit or other payment card including PAN, expiry date and the name of the payment card holder;
- All communication that has taken place;
- Information obtained from questionnaires or similar forms that you may be asked to fill in;
- IP address and times when your device was connected;
- Data about your visits to our website, in particular operational data, localisation data, weblogs, etc., such as data about your behaviour on the Internet
(hereinafter referred to as the “Personal Data”)
for the purpose of fulfilling statutory duties of a Data Controller pursuant to S. 9 of the AML Act.
- The period of the processing of personal data is 10 years from doing business or from terminating the business relationship between you and the Data Controller (whichever is the later). You agree to the fact that as a data subject you cannot withdraw this consent.
- The Data Controller is entitled to provide the data to competent state authorities upon request and you agree to it
- If a certain case of a breach of personal data security is likely to result in a high risk to the rights and freedoms of the data subject, the Data Controller shall notify you of this breach without undue delay.
- As a data subject you acknowledge the above and you also acknowledge the following information about your rights.
Information about Your Rights
- If the data subject requests information about the processing of his or her personal data, pursuant to S. 12 of the Personal Data Protection Act the Data Controller is obliged to provide this information to him or her without undue delay. There always needs to be information about the purpose of the processing of personal data, about the personal data or categories of personal data that are processed including all available information about their source, nature of automated processing with respect to its use for decision-making if tasks or decisions are made on the basis of this processing whose content infringes upon the rights and justified interests of the data subject, the recipient or categories of recipients. The Data Controller has a right to request a reasonable payment for the provision of information that does not exceed the costs necessary to provide the information. The Data Controller’s duty to provide information to the data subject governed by S. 12 of the Personal Data Protection Act may be fulfilled for the Data Controller by the processor.
- Pursuant to S. 21 of the Personal Data Protection Act, each data subject who establishes or believes that the Data Controller or the processor processes his or her personal data that is contrary to the protection of private and personal life of data subjects or contrary to law, in particular if personal data are inaccurate, having regard to the purposes for which they are processed, he or she may a) ask the Data Controller or the processor for explanation; b) ask that the Data Controller or the processor remedy the situation; this may in particular entail blocking, rectification, completion or erasure of personal data. If the data subject’s request pursuant to the previous sentence is found justified, the Data Controller or the processor shall immediately remedy this fault. If other than material damage has occurred as a result of the processing of the data subject’s personal data, the claim shall be enforced pursuant to special legislation. If a breach of statutory duties occurred when personal data were processed by the Data Controller or by the processor, they shall be jointly and severally liable for the breach.
- You acknowledge that from the date when the GDPR comes into effect you shall have other rights that follow from Articles 15 to 23 of the GDPR besides the above rights governed by the Personal Data Protection Act, namely the right to request access from the Data Controller to personal data concerning you (including confirmation as to whether or not personal data concerning you are or are not being processed), the right to request their rectification or erasure or restriction of processing and the right to object to processing as well as the right to data portability. Furthermore, you acknowledge that you have a right to file a complaint with the supervisory authority, namely the Office for Personal Data Protection, registered office Pplk. Sochora 27, 170 00 Prague 7.
- The contact details of the Data Controller’s representative in charge of personal data protection are as follows:
-
Mr. Zbyněk Eiselt, e-mail: zbynek.eiselt@gopay.cz, GSM: +420 602 468 240.
-
- You acknowledge that the Privacy Policy contains all information provided to the data subject pursuant to Article 13 of the GDPR.
Final Provisions
- By continuing to use the functionalities of the GoPay Payment System you express your free, specific, informed and unequivocal will that you agree to the processing of your personal data pursuant to the Privacy Policy and that you have been duly acquainted with, and informed about, the processing of your personal data.
- We are entitled to unilaterally amend the Privacy Policy pursuant to valid legislation and you agree to this entitlement.
- If we amend the Privacy Policy, we are obliged to notify you of this change in advance by e-mail containing a link to the new Privacy Policy from where you may print it or download it in electronic form.
- The Privacy Policy is issued in electronic form and is available on GOPAY’s website.
- The Privacy Policy comes into effect as of March 1st, 2018.