Data protection policy

Welcome to the PAYONE website. In the following, we provide you with information about the type, scope and purposes of the processing of your personal data and about your rights.

You can rest assured that we process your personal data exclusively as mandated by statutory data protection provisions. But data protection is more than just a legal obligation for us. In fact, data protection in practice is a customer-oriented quality feature and is our highest priority at PAYONE.

Controller:
PAYONE GmbH, Lyoner Strasse 15, 60528 Frankfurt am Main
E-Mail: info@payone.com

Legal Representatives:
Managing Directors: Ottmar Bloching, Dr. Matthias Böcker, Frank Hartmann, Roland Schaar, Corinna Valentine
Chairman of the Supervisory Board: Sven Korschinowski

Data Protection Officer:
The Data Protection Officer of PAYONE GmbH, Lyoner Strasse 15, 60528 Frankfurt am Main
E-Mail: privacy@payone.com

1. Categories of data which may be processed

1.1 When visiting our website and using the website functions

Data categories: Name, address and contact details, payment data, company information (i.e., legal form, industry), orders (products and/or services), information derived from identification documents (such as IDs, passports) as well as video identification
Purpose of processing:
- Order processing upon request
- Contract initiation and possible conclusion of contract
Legal basis: Art. 6 (1) 1 lit. b) and lit. c) GDPR
Duration of storage:
- Max. 1 year
- In the event of a contract being concluded: Storage until the end of the contractual relationship and expiry of corresponding retention periods

Data categories: Name and contact details, information about your enquiry
Purpose of processing:
- Contact form/getting in touch
- Sending information material upon request
- Contract initiation and possible conclusion of contract
Legal basis: Art. 6 (1) 1 lit. b) and f) GDPR
Duration of storage:
- Max. 1 year
- In the event of a contract being concluded: Storage until the end of the contractual relationship and the expiry of corresponding retention periods

Data categories: Email address
Purpose of processing:
- Newsletter subscription and mailing
Legal basis: Art. 6 (1) 1 lit. a) GDPR
Duration of storage:
- Until the user unsubscribes

Data categories: Server log data: IP address, website usage data (log data about website access or file access, e.g. name of the file accessed, date and time of access, amount of data transferred) and device information (e.g. operating system, browser type and version), cookie information in session cookies
Purpose of processing:
- Network communications
- Functionality and security of the website
- Detection and elimination of faults and errors
Legal basis: Art. 6 (1) 1 lit. f) GDPR, § 25 (2) TDDDG. Our legitimate interest in the temporary storage of the log data (server log files) and session cookie information lies in the efficient and secure provision of our website.
Duration of storage:
- 7 days
- If further storage is required for evidence purposes, the data will be deleted after the incident has been conclusively clarified
- Session cookies are automatically deleted at the end of the browser session

Data categories: Analysis data: IP address (partially anonymized, as described below), website usage data (cookie information)
Purpose of processing:
- Website analysis and optimization, marketing
- Integration of external media and third-party services
- See also the following information
Legal basis: Art. 6 (1) 1 lit. a) and f) GDPR, § 25 (1) TDDDG
Duration of storage:
- Cookies can be deleted at any time under Point 2.5 Cookie settings and revocation within this Data Protection Policy and using the browser settings
- See also the following information relating to the erasure of the stored data

Data categories: Name, email address, information about yourself or your company, type of data protection request, information about your enquiry, identification documents
Purpose of processing:
- Replying to queries in the PAYONE data protection web form
- Other communication relating to your data protection request
Legal basis: Art. 6 (1) 1 lit. c) GDPR
Duration of storage:
- 4 years
- Identification documents are deleted immediately after final processing

1.2 When using the PAYONE payment link

Data categories: Name, reference, order overview, your selected means of payment, country
Purpose of processing:
- Processing of cashless payments (Further information on data processing in the processing of cashless payments by PAYONE is available here.)
Legal basis: Art. 6 (1) 1 lit. b) GDPR
Duration of storage:
- The payment link can be valid for up to 335 days and is automatically deleted 30 days after execution or expiry
- In the event the link is executed: Storage for processing of the payment and retention until the expiry of corresponding retention periods

Data categories: Server log data: IP address, website use data (log data on website access and/or files accessed, e.g., name of file accessed, date and time of access, quantity of data transferred) and device information (e.g., operating system, browser type and version), cookie information in session cookies
Purpose of processing:
- Network communications
- Functionality and security of the website
- Detection and elimination of faults and errors
Legal basis: Art. 6 (1) 1 lit. f) GDPR, § 25 (2) TDDDG. Our legitimate interest in the temporary storage of the log data (server log files) lies in the efficient and secure provision of our website.
Duration of storage:
- 7 days
- If further storage is required for evidence purposes, the data will be deleted after the incident has been conclusively clarified
- Session cookies are automatically deleted at the end of the browser session

2. Data recipients

Personal data is transferred to the following data recipients for the purpose of providing our website services: Hosting service providers; data centre operators; email marketing and tracking service providers as well as other service providers that assist PAYONE in fulfilling our obligations and providing our services. In case of ordering products and/or services online through our website, you will be forwarded to our service provider for video identification in order to fulfil our statutory obligations according to AML laws. See below for more information.

2.1 Group-wide data transfers

PAYONE is part of the globally active Worldline Group with its headquarters in Paris, France. In the context of IT services, in particular for support services, certain group entities of the Worldline Group may process personal data in their capacity as our service provider. All group entities are based within the EU/EEA. We ensure an appropriate level of data protection through contractual as well as technical and organizational measures.

2.2 Website analysis and marketing tools

  • Adform
  • Ad Up Technology
  • Facebook-Pixel
  • Facebook Lead Ads
  • Google Analytics
  • Google Analytics Audience
  • Google Ads
  • Google Tag Manager
  • Hearts & Science
  • Hotjar
  • LinkedIn-Pixel
  • Microsoft Ads
  • Microsoft Clarity
  • XING-Pixel

2.3 External media and third-party services

  • Google Fonts
  • Vimeo
  • YouTube

2.4 Technical security measures

  • Google reCAPTCHA

2.5 Cookie settings and revocation

payone.com/data-protection-settings

Note: You can also prevent cookies from being saved at any time by changing the appropriate settings in your browser software. You can also allow only certain types of cookies or delete individual or all cookies. However, we would like to point out that in this case, you may not be able to use all functions of this website to their full extent. 

3. Data transfer to third countries

☐ No

☑ Yes

Third-country recipient: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States
Appropriate guarantees:
☑ EU standard contract clauses (SCC)
☑ Recognition as a safe third country by the EU Commission (adequacy decision)
☐ Officially approved Binding Corporate Rules (BCRs)
☐ Standard data protection clauses approved by the regulatory authorities
☐ Code of conduct approved by the regulatory authorities
☐ Approved certification process
☐ Statutory derogation (Art. 49 GDPR)
Purpose of processing: Website hosting

Third-country recipient: Google Inc. / Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Appropriate guarantees:
☑ EU standard contract clauses (SCC)
☑ Recognition as a safe third country by the EU Commission (adequacy decision)
☐ Officially approved Binding Corporate Rules (BCRs)
☐ Standard data protection clauses approved by the regulatory authorities
☐ Code of conduct approved by the regulatory authorities
☐ Approved certification process
☐ Statutory derogation (Art. 49 GDPR)
Purpose of processing: Website analysis and optimisation, marketing; integration of videos and fonts

Third-country recipient: LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA
Appropriate guarantees:
☑ EU standard contract clauses (SCC)
☑ Recognition as a safe third country by the EU Commission (adequacy decision)
☐ Officially approved Binding Corporate Rules (BCRs)
☐ Standard data protection clauses approved by the regulatory authorities
☐ Code of conduct approved by the regulatory authorities
☐ Approved certification process
☐ Statutory derogation (Art. 49 GDPR)
Purpose of processing: Website analysis and optimisation, marketing

Third-country recipient: Meta Platforms, Inc., 1601 Willow Avenue, Menlo Park, CA 94025, USA
Appropriate guarantees:
☑ EU standard contract clauses (SCC)
☑ Recognition as a safe third country by the EU Commission (adequacy decision)
☐ Officially approved Binding Corporate Rules (BCRs)
☐ Standard data protection clauses approved by the regulatory authorities
☐ Code of conduct approved by the regulatory authorities
☐ Approved certification process
☐ Statutory derogation (Art. 49 GDPR)
Purpose of processing: Website analysis and optimisation, marketing

Third-country recipient: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Appropriate guarantees:
☑ EU standard contract clauses (SCC)
☑ Recognition as a safe third country by the EU Commission (adequacy decision)
☐ Officially approved Binding Corporate Rules (BCRs)
☐ Standard data protection clauses approved by the regulatory authorities
☐ Code of conduct approved by the regulatory authorities
☐ Approved certification process
☐ Statutory derogation (Art. 49 GDPR)
Purpose of processing: Website analysis and optimisation, marketing

Third-country recipient: Vimeo.com, Inc., 330 West 34th Street, 10th Floor, New York, New York 10001, USA
Appropriate guarantees:
☑ EU standard contract clauses (SCC)
☑ Recognition as a safe third country by the EU Commission (adequacy decision)
☐ Officially approved Binding Corporate Rules (BCRs)
☐ Standard data protection clauses approved by the regulatory authorities
☐ Code of conduct approved by the regulatory authorities
☐ Approved certification process
☐ Statutory derogation (Art. 49 GDPR)
Purpose of processing: Integration of videos

4. Rights of data subjects

Statutory data protection right: Access
Content: Right to information about the processed personal data concerning you and further information relating to the data processing which concerns you (e.g. processing purposes, data recipients).
Legal basis: Art. 15 GDPR

Statutory data protection right: Rectification
Content: Right to rectify inaccurate personal data relating to you or to complete incomplete personal data.
Legal basis: Art. 16 GDPR

Statutory data protection right: Erasure (“right to be forgotten”)
Content: Right to erasure of personal data concerning you under certain conditions (e.g. cessation of purpose, revocation of consent).
Legal basis: Art. 17 GDPR

Statutory data protection right: Restrictions on processing
Content: Right to restrict the processing of personal data concerning you under certain conditions (e.g. contested accuracy of the data for the duration of the review).
Legal basis: Art. 18 GDPR

Statutory data protection right: Data portability
Content: Right to receive personal data prepared in a structured, widely used and machine-readable format in order to be able to transfer the data to another location or right to transfer the data directly to the other location, to the extent that this is technically feasible, under certain conditions.
Legal basis: Art. 20 GDPR

Statutory data protection right: Objection
Content: Right to object to the processing of your personal data under certain conditions.
Legal basis: Art. 21 GDPR

Statutory data protection right: Right of lodging a complaint with the responsible supervisory authority
Content: Right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of your personal data breaches the GDPR. For example, this may be the supervisory authority responsible for PAYONE: The Hesse Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de.
Legal basis: Art. 57 (1) f GDPR, Art. 77 GDPR

Statutory data protection right: Right of withdrawal
Content: Right to withdraw your consent to the processing of your personal data at any time with future effect.
Legal basis: Art. 7 (3) GDPR

To exercise your statutory data protection rights, please use our PAYONE Data Protection web form.

Note on the right of objection

You may object to the processing of your data under the conditions of Art. 21 GDPR at any time, provided that the data processing is based on our legitimate interests or those of a third party (data processing based on Art. 6 (1) p. 1 lit. f) GDPR). In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

5. Additional information about data processing

Legal obligation to provide personal data: ☑ No
☐ Yes
Contractual obligation to provide personal data: ☐ No
☑ Yes, for the purposes specified above.
Possible consequences of non-provision: Only relevant for contact and form fields. If you do not provide your data, we will not be able to make contact as requested, forward any information material and/or send the newsletter.

It will also not be possible to process the requested order or payment.
Will an automated decision-making process take place? ☑ No
☐ Yes
What is the source of the personal data (if not collected from the data subject)? Not relevant, as none of your personal data is obtained from third-party sources.

6. Form fields / TLS encryption

If you send us enquiries using the contact form, data such as your details on the enquiry form, including the contact details you provided, will be stored by us for the purpose of processing the enquiry and in the event of any follow-up questions. We will not pass on this data without your consent. Our website uses TLS encryption for security reasons and to protect the transmission of confidential content that you send to us. This means that data that you transfer through this website cannot be read by third parties. You can recognise an encrypted connection by the "https://" prefix in the address line of your browser and the lock symbol in the browser line. Further information about the processing and storage duration can be found in Point 1 Categories of data which may be processed.

Version
04.2024