Data protection information

For card holders

Thank you for visiting PAYONE’s website. In the following, we would like to explain to you in what form, to what extent and for what purposes your personal data are processed by PAYONE in the context of payment processing. We will also explain to you what rights you have.

You can rest assured that we process your personal data exclusively as mandated by statutory data protection provisions, especially the European General Data Protection Regulation (GDPR) and Federal Data Protection Act (BDSG). But data protection is more than just a legal obligation for us. In fact, data protection in practice is a customer-oriented quality feature and is of the utmost priority at PAYONE.

PAYONE GmbH (hereinafter referred to as "PAYONE" or "we") is an e-money and payment institution within the meaning of the Payment Services Supervision Act (ZAG) and specialises in the provision of secure terminals for cashless payment transactions and related services. In particular, PAYONE processes card-based cashless payment transactions for the retail and service industries as part of its payment services and offers various payment methods to this end.

When processing cashless payment transactions, PAYONE essentially performs two tasks on behalf of the merchant:

  1. Firstly, PAYONE acts as a network operator and ensures the technical processing of cashless payments via a technical infrastructure, such as the secure communication between a payment terminal and your card-issuing bank.
  2. In addition, PAYONE also acts as an acquirer and handles the secure forwarding and settlement of credit card transactions with international credit card companies (so-called ‘schemes’, such as VISA, MasterCard, Diners Club, Discover, JCB, UPI or American Express).

What does PAYONE do for you as a consumer and what tasks does PAYONE perform on behalf of the merchant?

PAYONE allows merchants to securely accept cashless payments from you as a consumer. In doing so, PAYONE ensures that payments you make with your card at a merchant are securely and quickly credited to the merchant. To this end, PAYONE cooperates with various banks, which in turn manage your account.

Personal data is needed from you when you pay by card. This website will provide you with details about the processing of your personal data.

Data protection information for card-based payments pursuant to art. 13, 14 GDPR

When you pay with your card, the merchant collects personal data via their payment terminal. They transmit the data to the network operator.

The network operator and the respective payment service providers for the acceptance and settlement of payments (e.g. acquirers) process the data. The processing of personal data takes place in particular to handle payment transactions, prevent card misuse and limit the risk of payment defaults, as well as for legally prescribed purposes such as anti-money laundering and criminal prosecution. For these purposes, your data is also transmitted to other data controllers, such as the bank which issued your card.

You will find details on the processing of your personal data below.

All references made here to “merchants” refer to the payees. This may be a merchant in the truest sense of the word, but it could also be any other business where you pay with your card, e.g. a restaurant or garage.

Payment by direct debit

1. Who is responsible for the processing of my data and who can I contact?

Many steps are necessary so that you can safely pay with your card. That is why the merchant you pay by card works with a network operator. The merchant and the network operator are each responsible – as data controllers – for the processing of the data within their own technical area:

a) the merchant for the operation of the payment terminal at the cash desk and possibly for its internal network up to the safe transmission of the data via the Internet or by telephone line to the network operator.
You will find the name and contact details of the merchant at the cash desk or at the shop door.

b) the network operator for the central operation of the network, the processing carried out in the network, recoding, risk assessment and further transmission. Its contact details are as follows:
PAYONE GmbH, Lyoner Straße 15, 60528 Frankfurt am Main, www.payone.com
Data Protection Officer: privacy@payone.com
Competent data protection authority:
The Hesse Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de/

If the merchant uses a commercial network operator other than PAYONE, the merchant will ensure that its name and contact details are available to you. You can find this information on a notice or by enquiring at the cash desk.

2. What data is used for the payment?

  • Card data (data which is stored on your card): IBAN or account number and bank sort code, card expiry date and card suffix.
  • Other payment data: Amount, date, time, identification of the payment terminal (location, company and branch where you are paying), your signature or (alternatively) an existing mandate ID.
  • In the case of a chargeback: Information about the non-execution of a direct debit by your card-issuing bank or the revocation of a direct debit by yourself, information about the amount due, such as your name, address, bank charges, reminder fees, reason for the chargeback, customer number with your contractual partner (not the nature of your purchases).

3. From what sources is your data derived?

  • The payment terminal reads the card data from your card.
  • The other payment data is provided by the payment terminal and in some cases directly by the merchant.
  • You provide your signature yourself.
  • The mandate ID (if available) comes from a SEPA mandate document previously issued and stored in a mandate management database of the network operator.
  • To the extent necessary to prevent card misuse and to limit the risk of payment defaults, data is collected from the police KUNO system and from the network operator’s in-house databases.
  • As far as is necessary to handle a chargeback, in compliance with the statutory provisions, data is also processed which is taken from publicly accessible sources (e.g. debtor lists) or transmitted by third parties (e.g. the bank which issued your card or a credit agency).

4. For what purpose is your data processed and on what legal basis?

  • Merchant:
    • Verification and execution of your payment to the merchant, Art. 6 (1) b) GDPR.
    • Archiving of records in compliance with legal obligations, in particular Sections 257 (1) no. 4 Commercial Code (HGB), Section 147 (1) no. 4 Fiscal Code (AO); Art. 6 (1) c) GDPR.
    • Sale of the amount receivable to the network operator by way of factoring, Art. 6 (1) f) GDPR.
    • Communicating an address to the network operator after a chargeback, Art. 6 (1) b) and f) GDPR.

  • Network operator:
    • Verification and execution of your payment to the merchant, Art. 6 (1) b) GDPR.
    • Prevention of card misuse (Section 10 (1) no. 5 Money Laundering Act (GWG)); Art. 6 (1) c) GDPR.
    • Limitation of the risk of non-payment, Art. 6 (1) f) GDPR.
    • Safe transmission of your data, particularly in accordance with the legal requirements for SEPA payments, Sections 25a Banking Act (KWG), 27 Payment Services Supervision Act (ZAG); Art. 6 (1) c) and f) GDPR.
    • Avoidance of future non-payment through the transmission of chargeback data, should your payment result in a chargeback, Art. 6 (1) f) GDPR.
    • Archiving of records in compliance with legal obligations, in particular Sections 257 (1) no. 4 Commercial Code (HGB), Section 147 (1) no. 4 Fiscal Code (AO); Art. 6 (1) c) GDPR.
    • Debt recovery after a chargeback, Art. 6 (1) b) and f) GDPR.
    • Reporting (exclusively masked or pseudonymised as well as with aggregated data), Art. 6 (1) f) GDPR.

5. Who receives the data?

Apart from the merchant and the network operator, other parties require your data in order to carry out the payment or to comply with legal obligations. Your data will only be passed on to this extent, and to the following entities:

  • your card-issuing bank and the merchant’s payment service provider
  • the entities acting as intermediaries on behalf of the German credit industry, which assume the clearing and settlement of payments
  • judicial authorities in the cases provided for by law
  • financial intelligence units in the cases provided for by law
  • If the merchant belongs to a network association set up with the network operator, the mandate ID assigned by the system can be made available to other participating merchants in the same network association so that your signature can be dispensed with for payments to these merchants.

Participating merchants provide information about their membership of a network association in the checkout area using an extended, unique SEPA Direct Debit acceptance symbol:

The illustration shows an example of an acceptance sign (decal) for the PAYONE network.

  • in the event of a chargeback, in order to find out the address by means of the account number and the bank code (IBAN) of the card used: the card-issuing bank, a credit agency such as SCHUFA Holding AG, or alternatively, the merchant, insofar as the address is known to them
  • Please see section 10 for further details

6. Is data transferred to a third country or an international organisation?

No, no such transmission takes place.

7. For what length of time is my data stored?

PAYONE stores and processes your data for as long as is necessary for the performance of the contract and fulfilment of our contractual and statutory obligations. Where storage of the data for the performance of contractual or special statutory obligations is no longer necessary and the purpose of storage no longer applies, the data will be erased, except where its continued processing is necessary for the following reasons:

  • Satisfaction of storage requirements under commercial law or fiscal law or for other mandatory reasons (e.g. accounting data must be kept for 10 years)
  • Preservation of evidence within the framework of statutory limitation periods

8. What data protection rights do I have?

Every data subject may assert the following data protection rights with the respective data controller (see section 1 above):

  • the right to access pursuant to Article 15 GDPR
  • the right to rectification pursuant to Article 16 GDPR
  • the right to erasure pursuant to Article 17 GDPR
  • the right to restriction of processing pursuant to Article 18 GDPR
  • the right to object pursuant to Article 21 GDPR
  • the right to data portability pursuant to Article 20 GDPR

The restrictions set forth in Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply in respect of the right to access and the right to erasure (for GER).

Additionally, every data subject has the right to lodge a complaint with a supervisory authority for data protection (Art. 77 GDPR in conjunction with (for GER) Section 19 BDSG). You can find PAYONE’s competent supervisory authority for data protection in the context of payment processing in Section 1. Alternatively, you can contact your own local supervisory authority for data protection.

9. Must I make my data available?

You are neither legally nor contractually obliged to supply your data. If you do not wish to supply your data, you can choose another payment method, such as paying in cash.

10. Is my data used for automated decision-making?

To prevent card misuse and to limit the risk of payment defaults, maximum amounts are fixed for payments within certain periods of time. The decision also takes into consideration whether a direct debit from your card-issuing bank was previously not honoured due to insufficient funds or revoked by you (chargeback). This information is not included in the decision if the chargeback is made in the context of a revocation declaring the assertion of rights based on the underlying transaction (e.g. due to a material defect in a purchase). This information serves to prevent future payment defaults. Upon complete settlement of outstanding debts, this data is deleted.

This information enables the network operator to make recommendations to merchants using its system as to whether or not to accept a direct debit payment. For this purpose, the network operator may

  • use chargeback information of all the merchants linked to the network;
  • for a short time – only a few days – evaluate payment information across multiple merchants in order to prevent card misuse;
  • apart from that, only evaluate payment information received from one and the same merchant.

Your data is not used for solvency checks. Your payment data is only used to decide whether or not to recommend payment by direct debit, with or without obtaining a signature, to the respective merchant.

11. Right to object in individual cases

You have the right to object at any time, for reasons arising from your particular situation, to the processing of data which takes place pursuant to Article 6 (1) f) GDPR, i.e. to the processing of data based on a balancing of interests.

Please direct your objection to: privacy@payone.com

If you file a justified objection, your data will no longer be processed pursuant to Article 6 (1) f) GDPR, with two exceptions:

  • Your data will continue to be processed if the data controller can prove the existence of compelling reasons for the processing which are worthy of protection and which outweigh your interests, rights and freedoms, in particular, for example, in the case of legal retention obligations and for carrying out a payment which has already been started at the payment terminal but not yet completed.
  • Your data will continue to be processed if this serves to assert, exercise or defend legal claims.

12. Information up to date as at

2nd January 2024

Electronic cash ("girocard")

1. Who is responsible for the processing of my data and who can I contact?

Many steps are necessary so that you can safely pay with your card. That is why the merchant you pay by card works with a network operator. The merchant and the network operator are each responsible – as data controllers – for the processing of the data within their own technical area:

a) the merchant for the operation of the payment terminal at the cash desk and possibly for its internal network up to the safe transmission of the data via the Internet or by telephone line to the network operator.
You will find the name and contact details of the merchant at the cash desk or at the shop door.

b) the network operator for the central operation of the network, the processing carried out in the network, recoding, risk assessment and further transmission. Its contact details are as follows:
PAYONE GmbH, Lyoner Straße 15, 60528 Frankfurt am Main, www.payone.com
Data Protection Officer: privacy@payone.com
Competent data protection authority:
The Hesse Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de/

If the merchant uses a commercial network operator other than PAYONE, the merchant will ensure that its name and contact details are available to you. You can find this information on a notice or by enquiring at the cash desk.

2. What data is used for the payment?

  • Card data (data which is stored on your card): IBAN or account number and bank sort code, card expiry date and card suffix.
  • Other payment data: Amount, date, time, identification of the payment terminal (location, company and branch where you are paying), verification data of your card-issuing bank (“EMV data”).
  • PIN: Your PIN entry is checked by the card-issuing bank after being cryptographically secured. The network operator takes care of the cryptographic safeguarding and transmission, but does not store the PIN and has no access to the encrypted PIN.

3. From what sources is your data derived?

  • The payment terminal reads the card data from your card.
  • The other payment data is provided by the payment terminal and in some cases directly by the merchant.
  • You enter your PIN yourself.

4. For what purpose is your data processed and on what legal basis?

  • Merchant
    • Verification and execution of your payment to the merchant, Art. 6 (1) b) GDPR.
    • Archiving of records in compliance with legal obligations, in particular Sections 257 (1) no. 4 Commercial Code (HGB), Section 147 (1) no. 4 Fiscal Code (AO); Art. 6 (1) c) GDPR.

  • Network operator:
    • Verification and execution of your payment to the merchant, Art. 6 (1) b) GDPR.
    • Safe transmission of your data, particularly in accordance with the legal requirements for SEPA payments, Sections 25a Banking Act (KWG), 27 Payment Services Supervision Act (ZAG); and the regulations of the Association of German Banks; Art. 6 (1) c) and f) GDPR.
    • Archiving of records in compliance with legal obligations, in particular Sections 257 (1) no. 4 Commercial Code (HGB), Section 147 (1) no. 4 Fiscal Code (AO); Art. 6 (1) c) GDPR.
    • Settlement of the fees which the merchant owes your card-issuing bank, Art. 6 (1) f) GDPR.
    • Reporting (exclusively masked or pseudonymised as well as with aggregated data), Art. 6 (1) f) GDPR.

5. Who receives the data?

Apart from the merchant and the network operator, other parties require your data in order to carry out the payment or to comply with legal obligations. Your data will only be passed on to this extent, and to the following entities:

  • your card-issuing bank and the merchant’s payment service provider
  • the entities acting as intermediaries on behalf of the German credit industry, which assume the clearing and settlement of payments
  • judicial authorities in the cases provided for by law
  • financial intelligence units in the cases provided for by law

6. Is data transferred to a third country or an international organisation?

No, no such transmission takes place.

7. For what length of time is my data stored?

PAYONE stores and processes your data for as long as is necessary for the performance of the contract and fulfilment of our contractual and statutory obligations. Where storage of the data for the performance of contractual or special statutory obligations is no longer necessary and the purpose of storage no longer applies, the data will be erased, except where its continued processing is necessary for the following reasons:

  • Satisfaction of storage requirements under commercial law or fiscal law or for other mandatory reasons (e.g. accounting data must be kept for 10 years)
  • Preservation of evidence within the framework of statutory limitation periods

8. What data protection rights do I have?

Every data subject may assert the following data protection rights with the respective data controller (see section 1 above):

  • the right to access pursuant to Article 15 GDPR
  • the right to rectification pursuant to Article 16 GDPR
  • the right to erasure pursuant to Article 17 GDPR
  • the right to restriction of processing pursuant to Article 18 GDPR
  • the right to object pursuant to Article 21 GDPR
  • the right to data portability pursuant to Article 20 GDPR

The restrictions set forth in Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply in respect of the right to access and the right to erasure (for GER).

Additionally, every data subject has the right to lodge a complaint with a supervisory authority for data protection (Art. 77 GDPR in conjunction with (for GER) Section 19 BDSG). You can find PAYONE’s competent supervisory authority for data protection in the context of payment processing in Section 1. Alternatively, you can contact your own local supervisory authority for data protection.

9. Must I make my data available?

You are neither legally nor contractually obliged to supply your data. If you do not wish to supply your data, you can choose another payment method, such as paying in cash.

10. Is my data used for automated decision-making?

When you wish to use your card for payment, the card payment must first be authorised. This authorisation is given automatically on the basis of your data. The following criteria in particular can play a role: Amount of payment, place of payment, previous payment history, merchant, purpose of payment. Without authorisation, payment by card is not possible. This has no effect on other payment methods (other cards or cash, for example).

11. Right to object in individual cases

You have the right to object at any time, for reasons arising from your particular situation, to the processing of data which takes place pursuant to Article 6 (1) f) GDPR, i.e. to the processing of data based on a balancing of interests.

Please direct your objection to: privacy@payone.com

If you file a justified objection, your data will no longer be processed pursuant to Article 6 (1) f) GDPR, with two exceptions:

  • Your data will continue to be processed if the data controller can prove the existence of compelling reasons for the processing which are worthy of protection and which outweigh your interests, rights and freedoms, in particular, for example, in the case of legal retention obligations and for carrying out a payment which has already been started at the payment terminal but not yet completed.
  • Your data will continue to be processed if this serves to assert, exercise or defend legal claims.

12. Information up to date as at

2nd January 2024

Other methods of payment by card

1. Who is responsible for the processing of my data and who can I contact?

Many steps are necessary so that you can safely pay with your card. That is why the merchant you pay by card works with a network operator. The merchant and the network operator are each responsible – as data controllers – for the processing of the data within their own technical area:

a) the merchant for the operation of the payment terminal at the cash desk and possibly for its internal network up to the safe transmission of the data via the Internet or by telephone line to the network operator. You will find the name and contact details of the merchant at the cash desk or at the shop door.

b) the network operator for the central operation of the network, the processing carried out in the network, recoding, risk assessment and further transmission. Its contact details are as follows:
PAYONE GmbH, Lyoner Straße 15, 60528 Frankfurt am Main, www.payone.com
Data Protection Officer: privacy@payone.com
Competent data protection authority:
The Hesse Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de/

c) The acquirer is a payment service provider regulated under the Payment Services Supervision Act (ZAG) which performs the acceptance and settlement of payments on behalf of the merchant.

Who the acquirer is depends on the card which you used. The merchant will ensure that the acquirer’s contact details and those of the data protection authority responsible for the acquirer are available to you. You can find this information on a notice or by enquiring at the cash desk.

Where PAYONE is responsible for acquiring, the contact details already provided shall apply:

PAYONE GmbH, Lyoner Straße 15, 60528 Frankfurt am Main, www.payone.com
Data Protection Officer: privacy@payone.com
Competent data protection authority: The Hesse Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de/

2. What data is used for the payment?

  • Card data (data which is stored on your card): Card number, type of card (e.g. VISA, Mastercard, American Express) and expiry date.
  • Other payment data: Amount, date, time, identification of the payment terminal (location, company and branch where you are paying), verification data of your card-issuing institution (“EMV data”), in some cases your signature.
  • PIN: Your PIN entry is checked by the card-issuing institution after being cryptographically secured. The network operator takes care of the cryptographic safeguarding and transmission, but does not store the PIN and has no access to the encrypted PIN.
  • Chargeback: If you dispute a transaction performed with your card, the sales receipt and any other information about you with which the merchant wishes to prove the debt you owe (e.g. name and address) can be forwarded to the card-issuing institution.

3. From what sources is your data derived?

  • The payment terminal reads the card data from your card.
  • The other payment data is provided by the payment terminal and in some cases directly by the merchant.
  • You enter your PIN yourself; you provide your signature yourself.

4. For what purpose is your data processed and on what legal basis?

  • Merchant
    • Verification and execution of your payment to the merchant, Art. 6 (1) b) GDPR.
    • Archiving of records in compliance with legal obligations, in particular Sections 257 (1) no. 4 Commercial Code (HGB), Section 147 (1) no. 4 Fiscal Code (AO); Art. 6 (1) c) GDPR.

  • Network operator:
    • Verification and execution of your payment to the merchant, Art. 6 (1) b) GDPR.
    • Safe transmission of your data, particularly in accordance with the legal requirements, Sections 25a Banking Act (KWG), 27 Payment Services Supervision Act (ZAG), and the regulations of the credit card organisations; Art. 6 (1) c) and f) GDPR.

  • Acquirer
    • Verification and execution of your payment to the merchant, Art. 6 (1) b) GDPR.
    • Prevention of card misuse (Section 10 (1) no. 5 Money Laundering Act (GWG)); Art. 6 (1) c) GDPR.
    • Limitation of the risk of non-payment, Art. 6 (1) f) GDPR.
    • Safe transmission of your data, particularly in accordance with the legal requirements, Sections 25a Banking Act (KWG), 27 Payment Services Supervision Act (ZAG), and the regulations of the credit card organisations; Art. 6 (1) c) and f) GDPR.
    • Settlement of the fees which the merchant owes your card-issuing institution, Art. 6 (1) f) GDPR.
    • Archiving of records, in particular in accordance with Sections 257 (1) no. 4 Commercial Code (HGB), Section 147 (1) no. 4 Fiscal Code (AO); Art. 6 (1) c) GDPR.
    • Debt recovery after a chargeback, Art. 6 (1) b) and f) GDPR.
    • Reporting (exclusively masked or pseudonymised as well as with aggregated data), Art. 6 (1) f) GDPR.

5. Who receives the data?

Apart from the merchant and the network operator, other parties require your data in order to carry out the payment or to comply with legal obligations. Your data will only be passed on to this extent, and to the following entities:

  • the payment card system
  • your card-issuing institution and the acquirer's bank
  • the entities acting as intermediaries on behalf of the credit card organisations, which assume the clearing and settlement of payments
  • judicial authorities in the cases provided for by law
  • financial intelligence units in the cases provided for by law

6. Is data transferred to a third country or an international organisation?

The acquirer forwards your data to the payment card system outside of the European Economic Area in accordance with the respectively agreed rules (e.g. binding corporate rules, standard contractual clauses) or for the purpose of fulfilling the contract with the foreign payer in order to authorise and carry out your payment.

With regard to the processing of your data by the payment card system, please consult its data privacy provisions:

a) Mastercard Europe SPRL, Chaussée de Tervuren 198A, 1410 Waterloo, Belgium, for the payment brands “Mastercard” and “Maestro”;
https://www.mastercard.de/de-de/datenschutz.html

b) Visa Europe Services LLC, registered in Delaware USA, acting through its branch office in London, 1 Sheldon Square, London W2 6TT, UK, for the payment brands “Visa”, “Visa Electron” and “V PAY”;
https://www.visa.co.uk/privacy/

c) American Express Payment Services Ltd., Branch Office Frankfurt am Main, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, for the payment brand “American Express”; https://www.americanexpress.de/datenschutz

d) Diners Club International Ltd., 2500 Lake Cook Road, Riverwoods, IL 60016, USA, for the payment brands “Diners”, “Diners Club” and “Discover”;
https://www.dinersclub.com/privacy-policy

e) JCB International Co., Ltd., 5-1-22, Minami Aoyama, Minato-Ku, Tokyo, Japan, for the payment brand “JCB”; https://www.jcbeurope.eu/privacy/

f) Union Pay International Co., Ltd., German Branch, An der Welle 4, 60322 Frankfurt, for the payment brands “CUP” and “Union Pay”;
https://www.unionpayintl.com/en/aboutUs/companyProfile/contactUs/Europe/Europe2/?currentPath=%2FglobalCard%2Fen%2Fglobal_7%2F10050072

7. For what length of time is my data stored?

PAYONE stores and processes your data for as long as is necessary for the performance of the contract and fulfilment of our contractual and statutory obligations. Where storage of the data for the performance of contractual or special statutory obligations is no longer necessary and the purpose of storage no longer applies, the data will be erased, except where its continued processing is necessary for the following reasons:

  • Satisfaction of storage requirements under commercial law or fiscal law or for other mandatory reasons (e.g. accounting data must be kept for 10 years)
  • Preservation of evidence within the framework of statutory limitation periods

8. What data protection rights do I have?

Every data subject may assert the following data protection rights with the respective data controller (see section 1 above):

  • the right to access pursuant to Article 15 GDPR
  • the right to rectification pursuant to Article 16 GDPR
  • the right to erasure pursuant to Article 17 GDPR
  • the right to restriction of processing pursuant to Article 18 GDPR
  • the right to object pursuant to Article 21 GDPR
  • the right to data portability pursuant to Article 20 GDPR

The restrictions set forth in Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply in respect of the right to access and the right to erasure (for GER).

Additionally, every data subject has the right to lodge a complaint with a supervisory authority for data protection (Art. 77 GDPR in conjunction with (for GER) Section 19 BDSG). You can find PAYONE’s competent supervisory authority for data protection in the context of payment processing in Section 1. Alternatively, you can contact your own local supervisory authority for data protection.

9. Must I make my data available?

You are neither legally nor contractually obliged to supply your data. If you do not wish to supply your data, you can choose another payment method, such as paying in cash.

10. Is my data used for automated decision-making?

When you wish to use your card for payment, the card payment must first be authorised. This authorisation is given automatically on the basis of your data. The following criteria in particular can play a role: Amount of payment, place of payment, previous payment history, merchant, purpose of payment. Without authorisation, payment by card is not possible. This has no effect on other payment methods (other cards or cash, for example).

11. Right to object in individual cases

You have the right to object at any time, for reasons arising from your particular situation, to the processing of data which takes place pursuant to Article 6 (1) f) GDPR, i.e. to the processing of data based on a balancing of interests.

Please direct your objection to: privacy@payone.com

If you file a justified objection, your data will no longer be processed pursuant to Article 6 (1) f) GDPR, with two exceptions:

  • Your data will continue to be processed if the data controller can prove the existence of compelling reasons for the processing which are worthy of protection and which outweigh your interests, rights and freedoms, in particular, for example, in the case of legal retention obligations and for carrying out a payment which has already been started at the payment terminal but not yet completed.
  • Your data will continue to be processed if this serves to assert, exercise or defend legal claims.

12. Information up to date as at

2nd January 2024
