In accordance with current legislation on the protection of personal data, particularly Articles 13 and 14 of Regulation (EU) 2016/679 (hereafter referred to as the 'Privacy Regulations'), Nexi Central Europe a.s. (hereafter referred to as 'Nexi'), the company that owns the technological platform for accepting card payments, hereby informs you of the following:
1. Type and source of personal data subject to processing:
The personal data processed by Nexi are those provided voluntarily during card acceptance and execution of the payment transaction when making a payment to the Merchant for purchased goods and/or services: data relating to the payment instrument used and financial data (such as card number (masked), expiration date, transaction date and time, transaction amount and other data related to a payment) that the Application may collect when you purchase goods from, return goods to, or exchange goods with the Merchant. Such data is processed only in the context of the payment transaction and may be treated as personal data only if it could be used, derivatively together with a combination of other data or personal data, to identify a person. If the Buyer requires a digital receipt to be shared via e-mail, the e-mail address of the Buyer is also captured by the Application for the purpose of sharing the digital version of the transaction receipt.
2. Purposes and legal bases of the processing
Nexi will process the personal data collected solely for the following purposes:
- online payment management: management of the processing services necessary to process a Transaction, to maintain and store Transaction and card data, and to provide settlement and reconciliation information in relation to Transactions; enabling transactions to be introduced into one or more Card Schemes for cardholders;
- to fulfil the obligations provided for by laws, regulations and EU legislation, as well as by the instructions of authorities empowered to do so by law, and by supervisory and control bodies.
Processing personal data for these purposes does not require your explicit consent; otherwise, Nexi will be unable to provide the requested service. The legal basis for this processing is therefore the fulfilment of legal obligations to which Nexi is subject, and the need to execute payment transactions. Nexi may also process personal data to prevent and monitor fraud risk. The legal basis for this processing is Nexi's legitimate interest.
3. Data processing methods
Data processing will be carried out in such a way as to ensure the security and confidentiality of personal data, and this may involve manual and electronic instruments. In particular, once the transaction amount has been entered in the SoftPOS application on the merchant’s mobile device and the payment instrument is presented for executing the transaction via NFC (near field communication) by tapping the instrument (card, mobile phone of the cardholder, smart watch, etc.) on the merchant’s mobile device, transaction data will be sent via a secure connection to the authorising bodies (banks or companies that issue and/or manage payment instruments) to request the necessary authorisations. In order to protect both the purchaser and the merchant, under no circumstances will sensitive or unmasked data relating to the payment instrument be disclosed to the merchant.
4. Parties who may become aware of the data
To pursue the purposes described in paragraph 2 above, Nexi employees who have been authorised and appointed will process the personal data. Furthermore, for certain activities, Nexi needs to communicate or share personal data with third parties belonging to categories that include, but are not limited to:
- other companies in the Group to which Nexi belongs, for administrative and accounting purposes;
- IT companies that support Nexi in managing the technological platform for online payments;
- payment circuits (such as Visa and Mastercard), which define the payment and acceptance rules for payment cards bearing their brands and ensure the proper functioning of their systems;
- banks and/or companies that issue and/or manage payment cards;
- Authorities such as supervisory bodies (e.g. the Bank of Italy and the UIF), judicial bodies, police forces, etc.
5. Transfer of data abroad
Data relating to payment transactions is stored by Nexi within the European Economic Area. However, Nexi reserves the right to disclose some acquired data to recipients established outside the European Economic Area to fulfil the above processing purposes, in compliance with the rights and guarantees provided by the Privacy Regulations (see Chapter V of EU Regulation 679/2016). In particular, transfers are based on an adequacy decision or Standard Contractual Clauses approved by the European Commission. Transactional data are visible to Card Schemes.
6. Data storage
The data acquired as part of the payment transaction will be kept only for the time necessary to carry out the above-mentioned activities and purposes, in compliance with the prescribed terms or any other terms established by law for storage, or for a longer period if necessary to protect Nexi's rights.
7. Rights of data subjects
You have the right to access, rectify or delete the data stored by the Company that concerns you, the right to object to or limit certain types of processing (including the right to revoke consent to the processing previously granted), and the right to be sent the personal data concerning you in a structured, commonly used format readable using an automatic device (right to data portability). Finally, you have the right to lodge a complaint with a competent Supervisory Authority. Individual Rights Requests should be referred to the following email address: CE_DPO@nexigroup.com