SurePay B.V. (SurePay) processes personal data. We process personal data because this is necessary to perform the obligation that exists between you or us and a bank or organisation through an agreement. An example of this is performing the IBAN-Name check (INC) for your payments or accounts. We want to be as transparent and clear in informing you about this as possible. In this privacy statement we explain how SurePay handles the processing of personal data. If you have any questions regarding this privacy statement, feel free to contact us.
What is the processing of personal data?
Because we refer to processing personal data in this privacy statement, we believe that it is important to specify to you what is understood when we use terms such as ‘Personal Data’, ‘Processing’, ‘Processor’ and ‘Controller’.
This entails data which is related directly or indirectly to your person. Examples of this are your name or IBAN (your account number). Data such as name records of a proprietorship, VOF (LLP or Limited Liability Partnership) or other partnerships is considered personal data. This does not apply to the data of a legal entity such as a private- or publicly limited company. Data of the first response person, or of the representative of a legal entity is considered personal data on the other hand.
Anything which can be done with personal data. This includes the collecting, the sorting, the using, passing on and deleting of your data.
A Processor is a party which, acting on behalf of a Controller, processes Personal Data for a variety of purposes. In the case of SurePay, SurePay acts as a Processor of your Personal Data when these are provided to us to be checked in the SurePay checks.
A Controller is the party responsible for the processing of your Personal Data for the relevant purposes for which it has been collected. It is possible for a Controller to have its processing executed by Processors. In this case, the Controller will remain responsible for the processing of Personal Data. In the case of SurePay, SurePay acts as a Controller when we process your Personal Data to answer a SurePay check request. Another example of a Controller is the party which provided SurePay with your Personal Data.
1. Who’s personal data do we process?
We process your personal data when an order from banks and organisations comes in to perform a IBAN-Name Check (via Portal), Cross-Border Check, PayID or the Switch Check and we deliver a response.
2. What does SurePay expect of companies and organisations?
Does your company or organisation pass on personal data of employees or the Ultimate Beneficial Owner (UBO) to us? If so, then we expect you to inform your colleagues, board of directors or UBO about this. This Privacy Statement can be given to them. They can then themselves check how we deal with their personal data.
3. Who processes your personal data?
This Privacy Statement deals with the processing of personal data by SurePay B.V. in the Netherlands.
4. What type of personal data do we process?
5. How do we come into possession of your personal data?
We receive your data from banks and other companies to perform the IBAN-Name Check (via Portal), Cross-Border Check, Switch Check or PayID service.
6. What do we use your personal data for?
To provide a requested service for others
We need your personal data to to perform the IBAN-Name Check (via Portal), Cross-Border Check, Switch Check or PayID service, but also because we are legally obliged to process certain data. We receive your personal data for the protection of your safety and that of the financial sector as a whole.
In order to prevent fraud, we can on the behest of banks and organisations perform the IBAN-Name Check. Using this, we check whether the IBAN number that you entered during payment via online banking or mobile banking matches the name of the account holder known to us. The (IBAN/Name) data which is known by us was provided to us by banks. If the name in our system does not match the number which you entered, you will be notified about this by your bank. You, then, have the option to still submit the payment request or change the data you entered. We can also provide this IBAN-Name Check for other parties in connection with the prevention, discovery and the fighting of fraud and the abuse of payments, amongst others through the means of a Portal.
Even if you do not use the Switch Check, it is possible that we process your data. We inform banks and organisations what your new IBAN is, with that information they inform their customers. In this way, the customers of banks and organisations can directly transfer money to your new IBAN, preventing mistaken payments.
If you also use PayID through your bank, it is possible that we process your data as well. We process your mobile telephone number and send you IBAN as a response in order for payment requests to be filled out correctly. For this you must have submitted your IBAN, and agreed with your bank on this process.
Companies and organisations use our IBAN-Name Check in order to check whether the IBAN/Name combinations in their customer- and/or supplier registry match the data which is known by the bank. IN this way they know who they are paying, from whom they have to collect, and whether the IBAN and name of new customers or suppliers match.
To provide a better service and to be able to innovate, we develop and enhance products and services on a regular basis. This is done for our customers or other parties.
For the enhancement of our service, or for solving incidents, we analyse the results of our IBAN-Name Check, Switch Check and PayID check and any other future services. These analyses are then linked back to the relevant banks and organisations.
To enter into agreements with suppliers and other parties with whom we cooperate
If your job involves being in contact with SurePay, it is possible that we process your personal data. Examples of this are: to determine whether or not you are allowed to represent your company, or to be able keep in contact through email and phone calls.
To meet the requirements of regulation
Tax Authorities, the police and ministries, but also intelligence services can request data from us. Where possible, we will redirect them to your bank. However, sometimes, we have a legal obligation to cooperate with their research and as such, provide them with your personal data.
Providing data to the government
Laws and regulations can also oblige us to provide (analysed) personal data to any government authority, a tax authority or supervisor within- or outside of the Netherlands. Where possible, we will redirect them to your bank. Because we have to conform to Dutch laws and regulations, we are sometimes nevertheless obliged to disclose your personal data to a Dutch or foreign tax authority.
Audits and inquiries
We also use your data when in- or external audits are performed by third parties at SurePay. Or when we contact a third party for inquiries or research, for instance whether new regulations have been implemented well. We can also use it to map risks.
7. How long do we save your personal data?
We do not save your personal data any longer than the term agreed upon with the banks and organisations on behalf of which we process your personal data, and which is necessary for the performance of our services. We adhere to a retention policy. In this policy, it is determined how long we can save data. In general, we adhere to the rule that the data shall not be saved for longer than 30 days. On occasion this term is longer than 30 days, it could also be shorter.
8. Does SurePay also process special personal data, criminal records and social security numbers?
Special personal data, criminal records and social security numbers are considered sensitive personal data. Special personal data includes for instance: data about personal health, biometric data, ethnic data or data considering race. SurePay does not process special personal data.
9. Does SurePay take automated decisions about me?
Automated decisions are decisions being made about you by computers, and not (or no longer) by people. SurePay is legally allowed to use automated decision making, including profiling. However, there are special rules attached to this. At this moment SurePay does not use fully automated decision making. If, in the future, we decide to do so, you will be informed about this.
10. Who has access to your personal data?
Within SurePay, only those people that need access to your personal data based on their function can actually access your personal data. All of these people are subject to a duty of confidentiality.
11. Do we pass on your personal data to others and to other countries outside the EU?
Your personal data can also be passed on to other parties outside of SurePay if we have a legal obligation to do so, if we have to fulfill an agreement with you, or because we decide to use a different service provider. This could mean that your personal data is transmitted to other parties in countries that do not have the same level of protection as the European Union when it comes to personal data. Is your personal data processed in a country with a different level of protection? Then this can lead to your personal data being researched by certified national authorities of the countries where your personal data is being held.
Sometimes we utilise other parties/business partners who process personal data on our behalf. For instance, SurePay utilises AWS Cloud Services. These parties first have to be deemed sufficiently trustworthy by SurePay. We can only utilise other parties when this first the purpose for which we process, or have processed, your personal data. Besides that, this other party can only receive our request for processing when certain agreements between them and SurePay are in order. This means that demonstrable and suitable security measures are in place, as well as a guarantee of confidentiality. If we transfer your personal data to parties outside the European Union (EU)/European Economic Area (EEA) ourselves, we will take extra measures to protect that personal data. Not all countries outside of the EU have the same rules and regulations to protect your personal data to the extent that countries within the EU have. Is the third party we use outside the EU/EEA, and does the country where this party is located not have a sufficient level of protection when processing personal data according to the European Commission? Then we only transfer personal data when there are sufficient guarantees, such as European Commission approved contractual obligations.
12. What rights do you have?
a. The right to information
With this Privacy Statement we inform you about how we handle and use your personal data.
b. The right to review and rectification
You can ask us which aspects of your personal data we process. Do you think that your personal data is being processed incorrectly or incompletely? In that case you can ask us to change the personal data, or supplement it (rectification). Your bank also processes your data. You can request review and rectification from them as well. For this, check the Privacy Statement of your bank.
c. The right to data deletion
You can request us to delete your personal data that we process. Your bank also processes your data. You can ask your bank for the deletion of your data from the data they process.For this, check the Privacy Statement of your bank.
d. The right to limitation
You can ask to temporarily limit your personal data that we process. Your bank also processes your data. You can ask your bank for the limitation of the processing of your data. For this, check the Privacy Statement of your bank.
e. The right to objection to the processing of your personal data
Do we process your data because we have a justifiable interest in doing so? If so you can object the processing of your personal data. We will make a new tradeoff to determine whether or not we can process your data in this manner. We will cease processing your personal data when your interest outweighs our interest. We will inform you of our decision, including our motivation for the outcome of the tradeoff.
13. How can you exercise your rights?
If you have a request, it can be made digitally to [email protected]. Have you made your request, and does this entail your personal data that we process? If so, we will reply within one month after we have received your request. We can ask you to specify your request for review. In highly specific circumstances, we can extend the term we have to review and reply to your request to a maximum of three months. In that case, we will keep you informed on the progress of your request. It is possible that we cannot cater to your request. For example, due to content mentioned in your being processed by your own bank, due to harm done to the rights of others, or because we are not allowed to do so by law (including police, ministries and any other government authority). It could also be because we made a tradeoff where the interest of SurePay or others to process the data outweighs your interest. If so, we will inform you of this. If we rectify or delete data based on your request, we will inform you of this as well. Where possible, we will also inform the ultimate recipients of your data about this.
There is the possibility that, regarding your request, we refer you to the respective Data Provider. This means that we believe we cannot answer your request, but we believe that the bank or organisation which delivers your data to us could. In that case, we will inform you of your rights, how we use your data, and who delivers your data to us to the best of our abilities. In the case that the Data Provider cannot help you with your request, we will once again assess the possibilities we have as SurePay.
14. Do you have a complaint with regards to the processing of your personal data?
We would like our data subjects to be satisfied with our service provision, however, we understand that this might not always be the case. We are sorry for when such a situation occurs. Please feel free to contact us and inform us of your complaint, we will try to find a solution to your complaint together.
15. For what reasons can I approach the Privacy Officer?
If you are unsatisfied about the way in which your request or complaint has been handled by SuprePay, or if you have any remaining questions regarding the processing of your personal data by SurePay after reading the Privacy Statement, please feel free to contact the Privacy Officer. Of course you are always free to direct your questions to, or submit a formal complaint at, Autoriteit Persoonsgegevens (a Dutch government body).
16 . Can we make changes to this Privacy Statement?
Yes, our Privacy Statement can change from time to time. This can occur when new forms of data processing is included in our services, and when this processing is of importance to you. Of course, we will notify you if it is. The most actual version of our Privacy Statement can always be found on: http://www.surepay.nl