In this document, Axerve S.p.A. (hereinafter the "Company") informs the data subjects (the users of a payment service) about the processing of personal data carried out within the framework of the authorisation, processing and settlement services provided by the Company. In particular, information is provided here on:
The Data Controller is Axerve S.p.A. (hereinafter, the "Controller") with registered office in Biella (BI) - 13900, Piazza Gaudenzio Sella, no. 1 - Tel. +39 015 2526511.
The Data Protection Officer (hereinafter also referred to as the DPO) can be contacted at the following addresses:
The processing relates to the personal data of the user of the payment services (hereinafter, "Data Subject") carried out within the scope of the payment authorisation, processing and settlement service (hereinafter, the "Service") provided by the Company in favour of the merchant from which the data subject makes an online purchase (hereinafter, the "Merchant").
In particular, the Company processes data belonging to the following categories:
The aforementioned data are personally provided to the Company by filling in specific forms to enter data for the payment transaction.
The processing of personal data is carried out exclusively on one of the following legal bases:
The processing, therefore, is carried out in compliance with the conditions of lawfulness provided for by the Regulation and is limited to what is necessary to carry out, by the Company and/or third parties on its behalf, the activities connected with and instrumental to:
With reference to the above-mentioned purposes, the provision of data is compulsory and the consent to the processing by the Data Subjects is not required; failure to provide one or more piece of data will make it impossible to perform the Service.
Processing is carried out using manual, computerised and telematic tools. The Company employs appropriate organisational and technical measures to ensure the security and confidentiality of personal data.
The Company does not process data belonging to special categories (e.g. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning the person's health or sex life or sexual orientation).
If, due to the nature of the service rendered by the Merchant, the processing of this category of data is necessary for the performance of the Service (for example: transactions involving the request for payment of membership fees to political organisations/unions, payments to religious associations, etc.), in agreement with the Merchant, the Data Subjects will be asked to provide specific consent for the processing, pursuant to Article 9 par. 2(a) of the Regulation.
Personal data may be disclosed to and/or processed by the following categories of subjects for the same purposes as those set out in paragraph 4:
These persons, if the conditions are met, are appointed as Data Processors, pursuant to Article 28 of the Regulation.
The Company may allow access to the data, in traced mode, to the company Sella India Software Services Pvt Ltd., based in India, on the basis of standard contractual clauses, approved by the European Commission, to guarantee the adequacy of data protection, for technical assistance activities, aimed at investigating and resolving anomalous situations reported by customers or employees of the Company. Personal data are not stored at the foreign company, but are accessed remotely and continue to reside in the Company's information system.
In addition, if the Merchant has subscribed to the fraud prevention service, some data will be transferred outside the European Economic Area and, specifically, to the company Riskified Ltd in Israel for transaction verification activities for fraud prevention purposes. The transfer is permissible because the European Commission has recognised Israel as a third country that guarantees an adequate level of protection for personal data. Through the company Riskified Ltd., the data may also be transferred outside the European Economic Area in the presence of appropriate guarantees or the specific exceptions provided for by the Regulation (e.g. United States, Switzerland, United Kingdom).
Lastly, if necessary, the Company reserves the right to further transfer personal data to countries outside the European Union, guaranteeing that the transfer will only take place to countries for which the European Commission has recognised that they guarantee an adequate level of protection, or in the presence of adequate guarantees or the specific exceptions provided for by the Regulations.
Personal data are processed and stored for the period of time necessary to achieve the purpose of providing the Service, without prejudice to retention periods provided for by law and for own or third party defence purposes and until the expiry of the applicable statutory limitation period. In particular, in compliance with the provisions of the Bank of Italy for the storage and availability of documents, data and information for the purpose of combating money laundering and terrorist financing, the data relating to the performance of the Service (identification and contact data and data relating to payment transactions) are retained for 10 years from the termination of the relationship with the Merchant.
At the end of the storage period, personal data relating to Data Subjects will be stored in a form that does not allow them to be identified (e.g. irreversible anonymisation), unless their processing is necessary for one or more of the following purposes:
Data subjects may exercise specific data protection rights, as listed below:
The right to obtain confirmation from the Data Controller as to whether or not personal data are being processed and, if so, to obtain access to the personal data and detailed information on the origin, purposes, categories of data processed, recipients of communication and/or transfer of the data and so on.
The right to obtain from the Data Controller the rectification of inaccurate personal data without undue delay, as well as the integration of incomplete personal data, also providing a supplementary declaration.
The right to obtain from the Controller the erasure of personal data without undue delay in the event that:
personal data are no longer necessary for the purposes of processing;
the consent on which the processing is based is withdrawn and there is no other legal basis for the processing;
the personal data have been unlawfully processed;
personal data must be deleted in order to comply with a legal obligation.
Right to obtain from the Controller the restriction of processing, in cases where the accuracy of personal data is contested (for the period necessary for the Controller to verify the accuracy of such personal data), if the processing is unlawful and/or the data subject has objected to the processing.
The right to object at any time to the processing of personal data that have a legitimate interest of the Controller as their legal basis.
The right to receive personal data in a structured, commonly used and machine-readable format and to transmit such data to another Data Controller, if technically feasible, only for cases where the processing is based on consent or contract and only for data processed by electronic means.
Without prejudice to any other administrative or judicial remedy, the data subject who believes that the data has been processed in violation of the Regulation have the right to lodge a complaint with the supervisory authority of the Member State in which he/she resides or habitually works or of the country in which the alleged violation occurred.
We would also like to inform you that you have the right to revoke at any time any consent you have given for specific processing operations, without prejudice to the lawfulness of the processing carried out prior to revocation.
To exercise your rights and for any information regarding the processing of your personal data, you can send a request to the following addresses:
The Company shall provide information about the action taken on the request without undue delay and at the latest within one month of receipt thereof.