axerve_logo

Our Solutions

Unique and integrated solutions to manage payments in all shapes and forms in all online channels.

Personal data protection policy for users of payment services

(EU Regulation 2016/679 hereinafter "Regulation")

In this document, Axerve S.p.A. (hereinafter the "Company") informs the data subjects (the users of a payment service) about the processing of personal data carried out within the framework of the authorisation, processing and settlement services provided by the Company. In particular, information is provided here on:

  1. Who is the Data Controller?
  2. How can you contact the Data Protection Officer?
  3. What data are or may be processed and what are the sources of the data?
  4. On what legal grounds and for what purposes are the data processed?
  5. Why might the Company process special categories of data?
  6. To whom can the data be disclosed?
  7. Can data be transferred to countries outside the European Economic Area?
  8. How long will the data be stored?
  9. What rights do data subjects have?

1. Who is the Data Controller?

The Data Controller is Axerve S.p.A. (hereinafter, the "Controller") with registered office in Biella (BI) - 13900, Piazza Gaudenzio Sella, no. 1 - Tel. +39 015 2526511.

2. How can you contact the Data Protection Officer?

The Data Protection Officer (hereinafter also referred to as the DPO) can be contacted at the following addresses:

  • postal address of Axerve S.p.A.: Piazza Gaudenzio Sella, 1 - 13900, Biella - DPO;
  • e-mail address: privacy@axerve.com

3. What data are or may be processed and what are the sources of the data?

The processing relates to the personal data of the user of the payment services (hereinafter, "Data Subject") carried out within the scope of the payment authorisation, processing and settlement service (hereinafter, the "Service") provided by the Company in favour of the merchant from which the data subject makes an online purchase (hereinafter, the "Merchant").

In particular, the Company processes data belonging to the following categories:

  • identification and contact data (such as: name, surname, e-mail address);
  • information relating to payment transactions (such as: purpose of the transaction, details of the card used for payment, beneficiary and amount of the payment transaction).

The aforementioned data are personally provided to the Company by filling in specific forms to enter data for the payment transaction.

4. On what legal grounds and for what purposes are the data processed?

The processing of personal data is carried out exclusively on one of the following legal bases:

  • legitimate interest of the data controller or a third party to perform the Service pursuant to Art. 6 par. 1(f) of the Regulation, after having ascertained that the pursuit of its own legitimate interests or those of third parties does not compromise the fundamental rights and freedoms of the Data Subjects;
  • fulfilment of a legal obligation to which the Data Controller is subject, pursuant to Article 6 par. 1(c ) of the Regulation.

The processing, therefore, is carried out in compliance with the conditions of lawfulness provided for by the Regulation and is limited to what is necessary to carry out, by the Company and/or third parties on its behalf, the activities connected with and instrumental to:

  • the performance of the Service;
  • the fulfilment of legal obligations related to the Service (e.g. where applicable: anti-fraud, handling complaints, anti-money laundering and anti-terrorism, etc.);
  • management of judicial and extrajudicial litigation.

With reference to the above-mentioned purposes, the provision of data is compulsory and the consent to the processing by the Data Subjects is not required; failure to provide one or more piece of data will make it impossible to perform the Service.

Processing is carried out using manual, computerised and telematic tools. The Company employs appropriate organisational and technical measures to ensure the security and confidentiality of personal data.

5. Why might the Company process special categories of data?

The Company does not process data belonging to special categories (e.g. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning the person's health or sex life or sexual orientation).

If, due to the nature of the service rendered by the Merchant, the processing of this category of data is necessary for the performance of the Service (for example: transactions involving the request for payment of membership fees to political organisations/unions, payments to religious associations, etc.), in agreement with the Merchant, the Data Subjects will be asked to provide specific consent for the processing, pursuant to Article 9 par. 2(a) of the Regulation.

6. To whom can the data be disclosed?

Personal data may be disclosed to and/or processed by the following categories of subjects for the same purposes as those set out in paragraph 4:

  • public entities within the context of communications provided for by law (e.g. Bank of Italy, FIU);
  • independent parties (so-called Acquirers) who handle credit or debit card authorisations belonging to national and international credit and debit circuits;
  • companies of the Sella Group, subsidiaries or associates pursuant to Article 2359 of the Italian Civil Code, in the event of detection of transactions deemed suspicious, as well as companies of the Sella Group which provide the technological infrastructure for the provision of the Service and technical assistance activities;
  • if the Merchant has subscribed to the fraud prevention service offered by the company Riskified Ltd., whose privacy policy can be found at the following link https://www.riskified.com/privacy/.

These persons, if the conditions are met, are appointed as Data Processors, pursuant to Article 28 of the Regulation.

7. Can data be transferred to countries outside the European Economic Area?

The Company may allow access to the data, in traced mode, to the company Sella India Software Services Pvt Ltd., based in India, on the basis of standard contractual clauses, approved by the European Commission, to guarantee the adequacy of data protection, for technical assistance activities, aimed at investigating and resolving anomalous situations reported by customers or employees of the Company. Personal data are not stored at the foreign company, but are accessed remotely and continue to reside in the Company's information system.

In addition, if the Merchant has subscribed to the fraud prevention service, some data will be transferred outside the European Economic Area and, specifically, to the company Riskified Ltd in Israel for transaction verification activities for fraud prevention purposes. The transfer is permissible because the European Commission has recognised Israel as a third country that guarantees an adequate level of protection for personal data. Through the company Riskified Ltd., the data may also be transferred outside the European Economic Area in the presence of appropriate guarantees or the specific exceptions provided for by the Regulation (e.g. United States, Switzerland, United Kingdom).

Lastly, if necessary, the Company reserves the right to further transfer personal data to countries outside the European Union, guaranteeing that the transfer will only take place to countries for which the European Commission has recognised that they guarantee an adequate level of protection, or in the presence of adequate guarantees or the specific exceptions provided for by the Regulations.

8. How long will the data be stored?

Personal data are processed and stored for the period of time necessary to achieve the purpose of providing the Service, without prejudice to retention periods provided for by law and for own or third party defence purposes and until the expiry of the applicable statutory limitation period. In particular, in compliance with the provisions of the Bank of Italy for the storage and availability of documents, data and information for the purpose of combating money laundering and terrorist financing, the data relating to the performance of the Service (identification and contact data and data relating to payment transactions) are retained for 10 years from the termination of the relationship with the Merchant.

At the end of the storage period, personal data relating to Data Subjects will be stored in a form that does not allow them to be identified (e.g. irreversible anonymisation), unless their processing is necessary for one or more of the following purposes:

  • resolution of pre-litigation and/or litigation initiated before the expiry of the retention period;
  • follow up on investigations/inspections by internal control functions and/or external authorities initiated before the expiry of the retention period;
  • follow up on requests from Italian and/or foreign public authorities received by/notified to the Company before the expiry of the retention period.

9. What rights do data subjects have?

Data subjects may exercise specific data protection rights, as listed below:

  1. Right to access

    The right to obtain confirmation from the Data Controller as to whether or not personal data are being processed and, if so, to obtain access to the personal data and detailed information on the origin, purposes, categories of data processed, recipients of communication and/or transfer of the data and so on.

  2. Right to rectification

    The right to obtain from the Data Controller the rectification of inaccurate personal data without undue delay, as well as the integration of incomplete personal data, also providing a supplementary declaration.

  3. Right to erasure ("Right to be forgotten")

    The right to obtain from the Controller the erasure of personal data without undue delay in the event that:

    1. personal data are no longer necessary for the purposes of processing;

    2. the consent on which the processing is based is withdrawn and there is no other legal basis for the processing;

    3. the personal data have been unlawfully processed;

    4. personal data must be deleted in order to comply with a legal obligation.

  4. Right to restriction of processing

    Right to obtain from the Controller the restriction of processing, in cases where the accuracy of personal data is contested (for the period necessary for the Controller to verify the accuracy of such personal data), if the processing is unlawful and/or the data subject has objected to the processing.

  5. Right to object to processing

    The right to object at any time to the processing of personal data that have a legitimate interest of the Controller as their legal basis.

  6. Right to data portability

    The right to receive personal data in a structured, commonly used and machine-readable format and to transmit such data to another Data Controller, if technically feasible, only for cases where the processing is based on consent or contract and only for data processed by electronic means.

  7. Right to lodge a complaint with a Supervisory authority

    Without prejudice to any other administrative or judicial remedy, the data subject who believes that the data has been processed in violation of the Regulation have the right to lodge a complaint with the supervisory authority of the Member State in which he/she resides or habitually works or of the country in which the alleged violation occurred.

We would also like to inform you that you have the right to revoke at any time any consent you have given for specific processing operations, without prejudice to the lawfulness of the processing carried out prior to revocation.

To exercise your rights and for any information regarding the processing of your personal data, you can send a request to the following addresses:

  • postal address of Axerve S.p.A.: Piazza Gaudenzio Sella no. 1, Biella (BI) – 13900;
  • e-mail address: privacy@axerve.com

The Company shall provide information about the action taken on the request without undue delay and at the latest within one month of receipt thereof.

Last update on 28/04/2022