Privacy Notice
Cardlink S.M.S.A, member of Worldline Group S.A., its affiliates and Worldline subsidiaries, (together WORLDLINE or we/us/our) are committed to safeguarding your right to privacy and your personal data. This Privacy Notice aims at informing you on the Personal data we process, how we collect it, why we use it and how long we do it, who we share it with and what your rights are.
If you are one of our customers, merchants, or suppliers, our contract with you and/or the product terms that you have agreed might contain further information on how we use your data.
If you are a consumer, we recommend that you also read the privacy notice of the merchant with which you did business to understand how they process your Personal data.
The Website may contain links to other third-party websites (for instance, for registration purpose to events organized by third parties). If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third-party websites.
This Privacy Notice is intended to explain our privacy practices and covers the following areas:
• Information we may collect about you;
• Uses of your personal data;
• Transmission, storage and security of your personal data;
• Your rights and how to contact us;
• Our Cookie Notice;
• Changes to this Privacy Notice and the Cookie Notice:
1. Information we collect about you
We will collect and process all or some of the following personal data about you:
• Information you provide to us personal data that you provide to us such as when you complete a form on our Website for your subscription to the newsletter or to the Services of Cardlink, member of Worldline, including but not limited to, your name, email address, phone number, country and company (and/or the industry your work in). In some cases we process information on your education and work experience in connection with a job opening at CARDLINK, member of WORLDLINE, for which you wish to be considered. In the context of performance of a contract or of performance of payments to you in relation to goods or services, you provide us with your contact details, address and bank details;
• Correspondence and other communications if you contact us by telephone, letter or by email, we will typically keep a record of that correspondence or communication;
• Survey information and feedback, also in the cases where we ask you to complete surveys that we use for research purposes or to provide feedback that we use to develop and improve our product and service offering. In such circumstances we shall collect the information provided in the completed survey/feedback request;
• Website and communication usage details of your visits to the websites and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, browser language, access time, traffic data, location data, web logs, movements on the website, referring web site addresses and other communication data. We may also collect information about the pages you view within the Website and other actions you take while visiting us. In addition, we may also use such technologies to determine whether you’ve opened an e-mail or clicked on a link contained in an e-mail. Concerning such processing, you may be informed in detail by reading the Cookie Notice which is available here.
• Information from third parties in some cases we are provided with your information from other sources, for example from our affiliate companies or select business partners in relation to business opportunities or from search engines, credit reference companies or government agencies or other public sources, such as Commercial Registry, Government Gazette and TEIRESIAS, in relation to our due diligence processes.
2. Purposes of processing
Cardlink, processes and uses the personal data that it collects or/and that you provide to us for the following legitimate purposes:
(a) To communicate effectively with you and conduct our business, including to fulfil your requests. In such context, we use your personal data in order to effectively respond to your contact request; your registration request to events organized by us; or to your appointment request with one of our experts; to respond to your request for proposal or offer if you are interested in doing business with us; or we may contact you if we are interested in doing business with you; to respond to your job application; to otherwise communicate with you; or with other internal and external parties concerning you; or to carry out our obligations arising from any agreements entered into between you and us.
(b) To provide you with access to restricted Website areas, such as in the case that you have completed a form for the creation of an online account in our websites.
(c) For marketing purposes, such as in order for us to provide you with notifications via email, newsletters, offers and invitations for our events, if you have selected to receive them, and in order for us to advertise to you our products and services, as well as products and services of our business partners.
(d) For the pursuit and protection of our legitimate interests. In such context, we conduct researches and we analyze your personal data so as to inform you on changes to our services and products and to better understand you so that we continue to develop and improve our products and services. Moreover, we monitor your queries, transactions and other activities of yours so as to ensure quality and credibility of our services, credibility of the persons with whom we have contracts, as well as the proper operation and efficient organization of our websites and relevance of their content. In case that we transfer our business or part of it or in case that we are subject to reorganization, your personal data will be transferred to the relevant third party (or its consultants) as part of any audit procedure aiming to the analysis of any proposed transfer or reorganization. Your personal data, depending on the specific case, will be transferred to the reorganized entity or to a third party after the transfer or reorganization, so that they are used in the ways described in this Policy.
(e) In order for us to comply with a specific legal obligation, such as regulatory compliance imposed for taxation-related purposes, or by the payment systems, including our obligations arising from the employment and tax legislation, Law No. 2190/1920 as updated by Law No. 4548/2018, the provisions of Code of Civil Procedure, as well as the legislation on prevention and repression of money laundering and of terror financing as the relevant legal framework is specified by Law No. 4557/2018.
3. Legal bases of processing of your personal data
We use your Personal data only when we have a valid legal basis for each purpose of processing. Specifically, the legal basis of processing of your personal data will be, depending on each specific case, one of the following:
(a) the necessity of processing of your personal data in the context of performance of one of our contractual obligations; in such case, processing of your personal data will be necessary for the performance of the contract (article 6 par. 1 b’ of the GDPR);
(b) the pursuit and protection of our legitimate interests (article 6 par. 1 f’ of the GDPR);
(c) the compliance with our legal obligations (article 6 par. 1 c’ of the GDPR);
(d) your consent under the conditions provided by the legal framework (article 6 par. 1 a’ of the GDPR). When your consent is provided in the context of processing for marketing purposes, in some cases you have the possibility to provide it by selecting specific check-boxes in the forms that we use for the collection of your personal data.
4. Transmission, storage and security of your personal data
Recipients
Where necessary, or in order to fulfill your requests, we share or otherwise transfer your personal data within our group of companies such as to a shared services company located in a different region or jurisdiction to you. In addition, on a case by case basis, we transfer your data to external third parties, such as services providers, contractors, representatives, consultants, group entities, select partners, affiliates, debt collection agencies, surveillance authorities, as well as external event organizers or partner companies who are in a better position to satisfy your request.
Your personal data are also transferred to judicial or/and regulatory authorities, or law enforcement agencies, in relation with procedures or audits by such parties, wherever in the world, or when they have a relevant obligation to proceed to such processes. Where it is allowed and feasible, we will address any relevant request to you or we will notify you prior to respond, unless this would harm the prevention or detection of a crime.
We contractually require all our service providers and partners to use or disclose the personal data only as necessary to perform services on our behalf.
Security over the internet
As you will know, the transmission of information via the internet is not completely secure. We maintain commercially reasonable physical, electronic, and procedural safeguards to protect your personal data in accordance with data protection legislative requirements.
All information you provide to us is stored on our or our subcontractors’ secure servers and accessed and used subject to our security policies and standards. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password with anyone.
International data transfer
Where we transfer personal data from the European Economic Area (the “EEA”) to a country outside the EEA (or a country that is NOT considered as offering an adequate level of protection as adopted by the European Commission on the basis of Article 45 of the General Data Protection Regulation 2016/679 (GDPR), we may be required to take specific additional measures to safeguard the relevant personal data and such transfer will be based on legal grounds and mechanisms ensuring adequate level of security of such transfer, such as EU Commission-approved standard contractual clauses as set out here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN, or/and any other relevant agreement which is approved and accepted as appropriate by the EU Commission.
Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal data to these jurisdictions (see the full list here https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
This international data transfer can for example occur when your personal data are transferred to, or stored in, or accessed by our staff or suppliers in a destination outside the country in which you are located. Transfer of data to countries outside the EU takes place also in the context of support of the application by Worldline India. Despite any differences in the regional or national laws, we will, in all circumstances, safeguard the level of protection of personal data as set out in this Privacy Notice.
5. Data retention
Our retention periods for personal data are based on business needs and local legal requirements. We retain personal data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, we retain the information you provided to us as long as necessary to provide you with the services you requested through our website and for as long as necessary for the establishment and pursuit of legal claims related to those services has expired, or for as long as necessary to comply with regulatory requirements regarding the retention of such data. In the cases where you provide your consent for the processing of your personal data, such data will be stored until the fulfillment of the purpose of their collection, or until withdrawal of your consent, whichever takes place first. So, if we use your personal data for more than one purpose, we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose(s) with a shorter period once that period expires.
When personal data is no longer needed, we either irreversibly anonymize the data or securely destroy the data.
6. Your rights
Your rights when we process your personal data for marketing purposes
You have the right to decide whether we can process your personal data for general marketing purposes. We will ask for your consent in advance if we intend to use your personal data for marketing purposes or if we intend to disclose your personal data to any third party for such purposes. You can withdraw a consent given for the use of your personal data for marketing purposes at any time.
Besides, we may use your personal data for direct marketing purposes (e.g., to inform you about our products or services similar to those you have purchased from us) based on our legitimate interests. You can ask us to stop using your personal data for direct marketing purposes at any time.
Your other rights
When we process your personal data under this Privacy Notice, you have the right to require us to:
(a) provide you with further details on the use we make of your information;
(b) provide you with a copy of your personal data that we hold;
(c) update any inaccuracies in the personal data we hold;
(d) delete any personal data that we no longer have a lawful ground to use;
(e) where processing is based on consent, withdraw your consent so that we stop that particular processing;
(f) object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
(g) restrict how we use your information whilst a complaint is being investigated;
(h) not be subject to profiling or decisions based on automated decisions that could result in adverse effects; and
(i) transfer your personal data to a legitimate party of your choice, if possible, in a readily usable format.
Please be aware that certain exceptions apply to the exercise of these rights and so you will not be able to exercise them in all situations. In addition, these might vary slightly between countries due to national specificities. For instance, in France, in addition to the rights listed above, you also have the right to define directives as to how you wish your personal data to be used after your death.
If you wish to exercise any of these rights, we will check your entitlement and respond within the applicable timescale.
If you are not satisfied with our use of your personal data or our response to any exercise of these rights, you have the right to lodge a complaint with the relevant supervisory authority of your usual place of residence or place where the alleged breach to the law occurred. In our communications with you, we will provide you with the contact details to enable you to effectively exercise your rights. For EU Member States, please click here to see the list and contact information of the EU Supervisory Authorities.
Additional country or regional specific provisions
Where WORLDLINE is subject to certain privacy requirements in the United States in the State of California, the following also applies: in accordance with the disclosure requirements under the California Consumer Privacy Act (“CCPA”), Worldline does not and will not sell your personal data.
Furthermore, you have the right:
• to request from us access to your personal data that Cardlink S.M.S.A, member of Worldline Group S.A., collects, uses, or discloses about you;
• to request that we delete personal data about you;
• to non-discriminatory treatment for exercise of any of your data protection rights;
• in case of request from us for access to your personal data, for such information to be portable, if possible, in a readily usable format that allows you to transmit this information to another recipient without hindrance.
Contacting us
If you wish to exercise your rights, set out in this Privacy Policy, or if you have other questions regarding our processing of your personal data, please contact the relevant Data Protection Officers per country, based on the information given in the Annex below.
More specifically, in Greece you may exercise your rights by completing the relevant document of application of the data subject or contact directly the Data Protection Officer by calling the telephone number: +30 210 3603000 or by sending an e-mail to dpo@cardlink.gr .
If you are not satisfied by the use of your personal data by us or by our response to any exercise of the above rights, you have the right to lodge a complaint, by using the specific web portal, to the Data Protection Authority (Athens, Kifissias Av. 1-3, 11523, tel.: +30 210 6475600), email: complaints@dpa.gr
7. Cookie Notice
We use cookies and tracking technologies on our websites. To find out more about how we use cookies, please see our Cookie Notice.
8. Changes to our Privacy Notice
We may change the content of our websites and consequently our Privacy Notice may change from time to time in the future. If we change this Privacy Notice, we will update the date it was last changed below. If these changes are material, we will indicate this clearly on our Website.
This Privacy Notice was last updated on April 27th, 2023.
Annex
Country | Legal entity acting as Data Controller | Data Protection Officer / Data Protection Contact | |||
All equensWorldline SE entities | equensWorldline SE | dataprotection-WLFS@worldline.com | |||
Argentina | Worldline Argentina SA | dpo-worldline-mts@worldline.com / contato.protecaodedados@worldline.com | |||
Australia | ANZ Worldline Payment Solutions | dataprotection-ms-au@worldline.com | |||
Austria | PAYONE GmbH Austrian branch | privacy@payone.com | |||
Worldline Austria GmbH | datenschutz.worldline@worldline.com | ||||
Worldline Financial Services (Europe) S.A., Austrian Branch | dataprotection.europe@worldline.com | ||||
Belgium | Worldline e-Commerce Solutions BV / SRL | dataprotectionbe@worldline.com | |||
Worldline e-Commerce Solutions Ltd. | dataprotectionbe@worldline.com | ||||
Worldline Financial Solutions NV / SA | dataprotectionbe@worldline.com | ||||
Worldline SA/NV | dpoms@worldline.com | ||||
Brazil | Worldline Brazil Serviços Ltda | contato.protecaodedados@worldline.com | |||
Canada | Bambora Inc | dpo-bambora@worldline.com | |||
Czech Republic | Worldline Czech Republic s.r.o. | dpoms@worldline.com | |||
Denmark | Bambora Online AS | dpo-bambora@worldline.com | |||
Bambora Danmark AS | dpo-bambora@worldline.com | ||||
Estonia | Worldline Payment Estonia Oü | dataprotection-WLFS@worldline.com | |||
France | Retail International Holding SAS | dpo-worldline-france@worldline.com | |||
Santeos SA | dpo-worldline-france@worldline.com | ||||
Similo SAS | dpo-worldline-france@worldline.com | ||||
Worldline France SAS | dpo-worldline-france@worldline.com | ||||
Worldline SA Worldline MS France SA Worldline e-commerce Solutions SAS Worldline IGSA SA Worldline Business Support SASU Worldline Prepaid Service France SAS Consoprotec SAS | dpo-worldline-france@worldline.com dpo-worldline-france@worldline.com dataprotectionbe@worldline.com dpo-worldline-france@worldline.com dpo-worldline-france@worldline.com | ||||
Germany | Credit & Collections Service GmbH | datenschutz@creditcs.de | |||
Worldline Healthcare GmbH | dataprotection-whc@worldline.com | ||||
Worldline PAYONE Holding GmbH | privacy@payone.com | ||||
PAYONE GmbH | privacy@payone.com | ||||
Worldline Germany GmbH | datenschutz.worldline@worldline.com | ||||
DZ Service GmbH | mail@dzservice.de | ||||
Greece | Worldline Merchant Acquiring Greece S.A. Single-Member Societe Anonyme for the Management and Operation of Electronic Transaction Networks Cardlink | dl-dpo.gr@worldline.com | |||
India | Worldline Global Services Pvt. Limited | dpo.wgs@worldline.com | |||
Worldline e-payments India Pvt. limited | dpo.ms.india@worldline.com | ||||
Italia | Worldline Merchant Services Italia | dataprotectionofficer.italia@worldline.com | |||
Japan | Worldline Japan Limited | dpo.ms.apac@worldline.com | |||
Latvia | Worldline Latvia SIA | dataprotection-WLFS@worldline.com | |||
Lithuania | Worldline Lietuva UAB | dataprotection-WLFS@worldline.com | |||
Luxemburg | Worldline Financial Services (Europe) S.A. | dataprotection.europe@worldline.com | |||
Worldline Luxemburg SA | dpooffice-belux@worldline.com | ||||
The Netherlands | equensWorldline NV | dataprotection-WLFS@worldline.com | |||
Global Collect Services B.V. (Worldline Digital Commerce) | dataprotection.epay-ing@worldline.com | ||||
Worldline BV | dpoms@worldline.com | ||||
Singapore | Global Collect Services Asia Pacific Pte Ltd | dpo.ms.apac@worldline.com | |||
Spain | Worldline Iberia SA | dles-datospersonalesiberia@worldline.com | |||
Sweden | Bambora AB | dpo-bambora@worldline.com | |||
Bambora Device AB | dpo-bambora@worldline.com | ||||
Bambora Group AB | dpo-bambora@worldline.com | ||||
Bambora Telesales AB | dpo-bambora@worldline.com | ||||
DevCode AB | dpo-bambora@worldline.com | ||||
All Bambora entities | dpo-bambora@worldline.com | ||||
Worldline Sweden AB | Dpo.ms.sweden@worldline.com | ||||
Switzerland | Worldline Switzerland Ltd | dataprotection.switzerland@worldline.com | |||
UK & Ireland | Worldline IT Services UK Ltd., and other Worldline based UK businesses | dpo-rbub@worldline.com | |||
USA | MRL Pay. Inc | dataprotection@worldline.com | |||
Worldline Holdings US. LLC | dataprotection@worldline.com | ||||
Worldline US Inc. | dataprotection@worldline.com |