In this document, Axerve S.p.A. (hereinafter referred to as the “Company”) informs the data subjects about the processing of personal data carried out as part of its service to enable payment authorisation, processing, and settlement services. In particular, information is provided here on:
The Data Controller is Axerve S.p.A. (hereinafter, the "Controller") with registered office in Biella (BI) - 13900, Piazza Gaudenzio Sella, no. 1 - Tel. +39 015 2526511.
The Data Protection Officer (hereinafter also referred to as the DPO) can be contacted at the following addresses:
The processing relates to the personal data of the payment services user (hereinafter, "Data Subject") carried out as part of the service to enable the authorisation, processing, and settlement payments from any payment instrument between the merchant from whom an online purchase is made (hereinafter, the Merchant) and the Data Subject who makes the purchase, enabling the Merchant to accept and collect electronic payments through third parties (hereinafter, the "Service").
In particular, the Company processes data belonging to the following categories:
The aforementioned data are personally provided to the Company by filling in specific forms to enter data for the payment transaction.
Personal data is processed by the Company and/or by third parties on its behalf, exclusively under one of the following legal bases and is limited to the pursuit of the related purposes:
With reference to the above-mentioned purposes, the provision of data is compulsory and the consent to the processing by the Data Subjects is not required; failure to provide one or more piece of data will make it impossible to perform the Service.
Processing is carried out using manual, computerised and telematic tools. The Company employs appropriate organisational and technical measures to ensure the security and confidentiality of personal data.
Personal data may be disclosed to and/or processed by the following categories of subjects for the same purposes as those set out in paragraph 4:
These persons, if the conditions are met, are appointed as Data Processors, pursuant to Article 28 of the Regulation.
The Company may allow access to the data, in traced mode, to the company Sella India Software Services Private Limited, based in India, on the basis of standard contractual clauses, approved by the European Commission, to guarantee the adequacy of data protection, for technical assistance activities, aimed at investigating and resolving anomalous situations reported by customers or employees of the Company. Personal data are not stored at the foreign company, but are accessed remotely and continue to reside in the Company's information system.
In addition, if the Merchant has subscribed to the fraud prevention service, some data will be transferred outside the European Economic Area and, specifically, to Riskified Ltd in Israel for fraud risk analysis purposes. The transfer is permissible because the European Commission has recognised Israel as a third country that guarantees an adequate level of protection for personal data. Through Riskified Ltd., the data may also be transferred outside the European Economic Area in the presence of appropriate guarantees or the specific exceptions provided for by the Regulation (e.g. United States).
Personal data are processed and stored for the period of time necessary to achieve the purpose of providing the Service, without prejudice to retention periods provided for by law and for own or third party defence purposes and until the expiry of the applicable statutory limitation period. In particular, in compliance with the provisions of the Bank of Italy for the storage and availability of documents, data and information for the purpose of combating money laundering and terrorist financing, where applicable, the data relating to the performance of the Service (identification and contact data and data relating to payment transactions) are retained for 10 years from the termination of the relationship with the Merchant.
At the end of the storage period, personal data relating to Data Subjects will be stored in a form that does not allow them to be identified (e.g. irreversible anonymisation), unless their processing is necessary for one or more of the following purposes:
Data subjects may exercise specific data protection rights, as listed below:
The right to obtain confirmation from the Data Controller as to whether or not personal data are being processed and, if so, to obtain access to the personal data and detailed information on the origin, purposes, categories of data processed, recipients of communication and/or transfer of the data and so on.
The right to obtain from the Data Controller the rectification of inaccurate personal data without undue delay, as well as the integration of incomplete personal data, also providing a supplementary declaration.
The right to obtain from the Controller the erasure of personal data without undue delay in the event that:
personal data are no longer necessary for the purposes of processing;
the consent on which the processing is based is withdrawn and there is no other legal basis for the processing;
the personal data have been unlawfully processed;
personal data must be deleted in order to comply with a legal obligation.
Right to obtain from the Controller the restriction of processing, in cases where the accuracy of personal data is contested (for the period necessary for the Controller to verify the accuracy of such personal data), if the processing is unlawful and/or the data subject has objected to the processing.
The right to object at any time to the processing of personal data that have a legitimate interest of the Controller as their legal basis.
The right to receive personal data in a structured, commonly used and machine-readable format and to transmit such data to another Data Controller, if technically feasible, only for cases where the processing is based on consent or contract and only for data processed by electronic means.
Without prejudice to any other administrative or judicial remedy, the data subject who believes that the data has been processed in violation of the Regulation have the right to lodge a complaint with the supervisory authority of the Member State in which he/she resides or habitually works or of the country in which the alleged violation occurred.
We would also like to inform you that you have the right to revoke at any time any consent you have given for specific processing operations, without prejudice to the lawfulness of the processing carried out prior to revocation.
To exercise your rights and for any information regarding the processing of your personal data, you can send a request to the following addresses:
The Company shall provide information about the action taken on the request without undue delay and at the latest within one month of receipt thereof.