Download for free Axerve’s latest whitepaper on payment orchestration. Find out more

Download for free Axerve’s latest whitepaper on payment orchestration. Find out more

axerve_logo
Solutions

Our Solutions

Unique and integrated solutions to manage payments in all shapes and forms in all online channels.

Payment Orchestra™

Learn more
Features Benefits Adapters

Ecommerce Solutions

Learn more
Products and services Benefits Security Payment methods
Learn
Documentation
Corporate
Support
Login

Personal data protection policy for users of payment services

(EU Regulation 2016/679 hereinafter "Regulation")

In this document, Axerve S.p.A. (hereinafter referred to as the “Company”) informs the data subjects about the processing of personal data carried out as part of its service to enable payment authorisation, processing, and settlement services. In particular, information is provided here on:

  1. Who is the Data Controller?
  2. How can you contact the Data Protection Officer?
  3. What data are or may be processed and what are the sources of the data?
  4. On what legal grounds and for what purposes are the data processed?
  5. To whom can the data be disclosed?
  6. Can data be transferred to countries outside the European Economic Area?
  7. How long will the data be stored?
  8. What rights do data subjects have?

1. Who is the Data Controller?

The Data Controller is Axerve S.p.A. (hereinafter, the "Controller") with registered office in Biella (BI) - 13900, Piazza Gaudenzio Sella, no. 1 - Tel. +39 015 2526511.

2. How can you contact the Data Protection Officer?

The Data Protection Officer (hereinafter also referred to as the DPO) can be contacted at the following addresses:

  • postal address of Axerve S.p.A.: Piazza Gaudenzio Sella, 1 - 13900, Biella - DPO;
  • e-mail address: privacy@axerve.com

3. What data are or may be processed and what are the sources of the data?

The processing relates to the personal data of the payment services user (hereinafter, "Data Subject") carried out as part of the service to enable the authorisation, processing, and settlement payments from any payment instrument between the merchant from whom an online purchase is made (hereinafter, the Merchant) and the Data Subject who makes the purchase, enabling the Merchant to accept and collect electronic payments through third parties (hereinafter, the "Service").

In particular, the Company processes data belonging to the following categories:

  • identification and contact data (such as: name, surname, e-mail address);
  • information relating to payment transactions, such as details of the card used for payment, the purpose, the Merchant beneficiary, and the amount of the payment transaction.

The aforementioned data are personally provided to the Company by filling in specific forms to enter data for the payment transaction.

4. On what legal grounds and for what purposes are the data processed?

Personal data is processed by the Company and/or by third parties on its behalf, exclusively under one of the following legal bases and is limited to the pursuit of the related purposes:

  • performance of a contract to which the data subject is party or performance of pre-contractual measures taken at the request of the data subject, pursuant to Art. 6 section 1(b) of the Regulation, to implement the Service;
  • fulfilment of a legal obligation to which the Data Controller is subject, pursuant to Article 6 par. 1(c) of the Regulation and, in particular, to fulfil the obligations related to the Service (e.g. where applicable:  handling complaints, anti-money laundering, and anti-terrorism, etc.)
  • if the Merchant from whom the purchase is made has subscribed to the fraud prevention service, the legitimate interests of the data controller or third parties in preventing payment fraud, pursuant to Art. 6, section 1(f) of the Regulation to analyse the degree of fraud risk of transactions.

With reference to the above-mentioned purposes, the provision of data is compulsory and the consent to the processing by the Data Subjects is not required; failure to provide one or more piece of data will make it impossible to perform the Service.

Processing is carried out using manual, computerised and telematic tools. The Company employs appropriate organisational and technical measures to ensure the security and confidentiality of personal data.

5. To whom can the data be disclosed?

Personal data may be disclosed to and/or processed by the following categories of subjects for the same purposes as those set out in paragraph 4:

  • public entities within the scope of communications provided for by law (e.g. supervisory authorities);
  • independent subjects (acquirers) who handle payments with credit or debit cards belonging to national and international credit and debit schemes;
  • companies of the Sella Group, subsidiaries or associates pursuant to Article 2359 of the Italian Civil Code, in the event of detection of transactions deemed suspicious, as well as companies of the Sella Group which provide the technological infrastructure for the provision of the Service and technical assistance activities;
  • if the Merchant has subscribed to the fraud prevention service offered by Riskified Ltd., whose privacy policy can be found at the following link https://www.riskified.com/privacy/.

These persons, if the conditions are met, are appointed as Data Processors, pursuant to Article 28 of the Regulation.

6. Can data be transferred to countries outside the European Economic Area?

The Company may allow access to the data, in traced mode, to the company Sella India Software Services Private Limited, based in India, on the basis of standard contractual clauses, approved by the European Commission, to guarantee the adequacy of data protection, for technical assistance activities, aimed at investigating and resolving anomalous situations reported by customers or employees of the Company. Personal data are not stored at the foreign company, but are accessed remotely and continue to reside in the Company's information system.

In addition, if the Merchant has subscribed to the fraud prevention service, some data will be transferred outside the European Economic Area and, specifically, to Riskified Ltd in Israel for fraud risk analysis purposes. The transfer is permissible because the European Commission has recognised Israel as a third country that guarantees an adequate level of protection for personal data. Through Riskified Ltd., the data may also be transferred outside the European Economic Area in the presence of appropriate guarantees or the specific exceptions provided for by the Regulation (e.g. United States).

7. How long will the data be stored?

Personal data are processed and stored for the period of time necessary to achieve the purpose of providing the Service, without prejudice to retention periods provided for by law and for own or third party defence purposes and until the expiry of the applicable statutory limitation period. In particular, in compliance with the provisions of the Bank of Italy for the storage and availability of documents, data and information for the purpose of combating money laundering and terrorist financing, where applicable, the data relating to the performance of the Service (identification and contact data and data relating to payment transactions) are retained for 10 years from the termination of the relationship with the Merchant.

At the end of the storage period, personal data relating to Data Subjects will be stored in a form that does not allow them to be identified (e.g. irreversible anonymisation), unless their processing is necessary for one or more of the following purposes:

  • resolution of pre-litigation and/or litigation initiated before the expiry of the retention period;
  • follow up on investigations/inspections by internal control functions and/or external authorities initiated before the expiry of the retention period;
  • follow up on requests from Italian and/or foreign public authorities received by/notified to the Company before the expiry of the retention period.

8. What rights do data subjects have?

Data subjects may exercise specific data protection rights, as listed below:

  1. Right to access

    The right to obtain confirmation from the Data Controller as to whether or not personal data are being processed and, if so, to obtain access to the personal data and detailed information on the origin, purposes, categories of data processed, recipients of communication and/or transfer of the data and so on.

  2. Right to rectification

    The right to obtain from the Data Controller the rectification of inaccurate personal data without undue delay, as well as the integration of incomplete personal data, also providing a supplementary declaration.

  3. Right to erasure ("Right to be forgotten")

    The right to obtain from the Controller the erasure of personal data without undue delay in the event that:

    1. personal data are no longer necessary for the purposes of processing;

    2. the consent on which the processing is based is withdrawn and there is no other legal basis for the processing;

    3. the personal data have been unlawfully processed;

    4. personal data must be deleted in order to comply with a legal obligation.

  4. Right to restriction of processing

    Right to obtain from the Controller the restriction of processing, in cases where the accuracy of personal data is contested (for the period necessary for the Controller to verify the accuracy of such personal data), if the processing is unlawful and/or the data subject has objected to the processing.

  5. Right to object to processing

    The right to object at any time to the processing of personal data that have a legitimate interest of the Controller as their legal basis.

  6. Right to data portability

    The right to receive personal data in a structured, commonly used and machine-readable format and to transmit such data to another Data Controller, if technically feasible, only for cases where the processing is based on consent or contract and only for data processed by electronic means.

  7. Right to lodge a complaint with a Supervisory authority

    Without prejudice to any other administrative or judicial remedy, the data subject who believes that the data has been processed in violation of the Regulation have the right to lodge a complaint with the supervisory authority of the Member State in which he/she resides or habitually works or of the country in which the alleged violation occurred.

We would also like to inform you that you have the right to revoke at any time any consent you have given for specific processing operations, without prejudice to the lawfulness of the processing carried out prior to revocation.

To exercise your rights and for any information regarding the processing of your personal data, you can send a request to the following addresses:

  • postal address of Axerve S.p.A.: Piazza Gaudenzio Sella no. 1, Biella (BI) – 13900;
  • e-mail address privacy@axerve.com

The Company shall provide information about the action taken on the request without undue delay and at the latest within one month of receipt thereof.

Last update on 21/12/2022