Data protection information for Wirecard payment methods
The merchant (hereinafter referred to as "Merchant") makes payment methods including “Wirecard invoice” and "Wirecard direct debit” available to you (hereinafter referred to as "Wirecard payment methods").
To this end, the Merchant works together with Wirecard Bank AG, Einsteinring 35 85609 Aschheim (hereinafter referred to as “Wirecard”) which, in the case of payment using a Wirecard payment method, buys the purchase price receivable from the Merchant that is due from you, provided that the risk assessment carried out by Wirecard does not oppose this.
For the purpose of risk assessment, debtor management and customer service, Wirecard works together with RatePAY GmbH, Franklinstrasse 28-29, 10587 Berlin (hereinafter referred to as "RatePAY"). In the context of the risk assessment, RatePAY supports Wirecard in determining the likelihood of correct payment. For the purpose of making the Wirecard payment methods available to its customers, the Merchant is therefore dependent on transmitting your customer data to Wirecard, which forwards your data to RatePAY to assist with the risk assessment.
Against this background, we will explain on the following pages which personal data we collect from you, transmit and process and in which form.
This data protection information shall apply as soon as you decide to use a Wirecard payment method.
Please also note the Merchant´s data privacy information as well as the data protection information of RatePAY at https://www.ratepay.com/datenschutz/#dse_en.
2. What data is concerned
For the purpose of processing the Wirecard payment methods, the following data and the results obtained in the evaluation of said data (hereinafter referred to as "customer data") is used:
- Personal data: Name (title, first name(s), last name), date of birth, address, email address and telephone number;
- Account data (Wirecard direct debit): Account holder, account number, bank sort code, credit institution, IBAN, BIC/Swift
- Order data: Data on your current, previous and/or future orders from the Merchant and other online shops that Wirecard and RatePAY cooperate with, e.g. information on the products and payment methods selected by you.
- Creditworthiness data: Data, in particular from credit agencies, which provide an indication regarding your creditworthiness, such as details of any legally enforceable receivables due from you and other creditworthiness data, as far as use is permitted in accordance with the relevant provisions of data protection law in each case.
3. The purposes your data is used for
Your customer data is collected and processed for the purposes of identity verification and assessment of your creditworthiness. Collection and use serve the additional purposes of [fraud prevention, integrity checks, money laundering prevention, risk assessment, address research]. Under paragraph 3 below, we will describe the individual measures in detail. These measures are partly carried out on the basis of automated data processing.
The legal bases are Article 6 Para. 1 lit. b and Article 6 Para. 1 lit. f of the General Data Protection Regulation (GDPR), as well as Sections 30 and 31 of the Federal Data Protection Act (BDSG). Data processing on the basis of Article 6 Para. 1 lit. f of the GDPR may only be carried out to the extent necessary for protecting legitimate interests of Wirecard or of third parties and where the data subject’s interests or fundamental rights and freedoms requiring protection of personal data do not prevail.
3a) Risk assessments for orders placed with the Merchant when a Wirecard payment method is chosen
(i) Wirecard receives your customer data from the Merchant and transmits it, where it concerns application for, commencement and termination of your contract with the Merchant, to SCHUFA Holding AG ("SCHUFA"), Infoscore Consumer Data GmbH ("ICD"), Creditreform Boniversum GmbH ("CBG") and/or Bürgel Wirtschaftsinformationen GmbH & Co. KG ("BWI") and/or Crif GmbH ("Crif") (hereinafter referred to as "credit agencies"; the respective addresses can be found below under 4). Wirecard also receives information about you from these credit agencies. Information on creditworthiness on the basis of a mathematical, statistical procedure is included in this. Address information is also incorporated into this calculation (information acquired in this way shall hereinafter be referred to as “score value”).
(ii) Wirecard also transmits your customer data to RatePAY for risk assessment purposes and RatePAY transmits your customer data, where it concerns the application for, commencement and termination of your contract with the Merchant, to the credit agencies.
Based on the information received and other customer data, Wirecard and RatePAY determine their own score values and other ratings (such as risk categories) and Wirecard, on this basis, makes a decision regarding the provision of your chosen Wirecard payment method, both for your current and future orders in the Merchant’s online shop, and transmits these decisions to the Merchant. Your address data is also included in these determinations, but only forms part of the underlying data.
3b) Risk assessments for orders placed with other online shops when a WIRECARD payment method is chosen
The risk assessments and determinations described under 3a) and the score values and other ratings ("old ratings") obtained thereby are also used by Wirecard if you visit other online shops of the Merchant or visit other companies that cooperate with Wirecard and RatePAY, and would like to pay there using a Wirecard payment method. In doing so, Wirecard fully acts in accordance with the procedures described under 3a) and the old rating is merely incorporated in the new rating to be carried out for this other online shop as one component of many.
Old ratings from previous orders made by you in online shops and with companies that cooperate with Wirecard and RatePAY are also incorporated in the determination and rating to be carried out in accordance with 3a).
3c) Assignment of receivables when a Wirecard payment method is chosen
The Merchant also transmits your customer data, in the context of an assignment of the receivables due from you, to Wirecard, and Wirecard processes and uses your customer data insofar as this is necessary for the assertion and enforcement of the assigned receivables.
3d) Further use with legal permission
We would like to draw your attention to the fact that processing and use of customer data as well as other personal data is permitted to the extent that the European General Data Protection Regulation, the Federal Data Protection Act (BDSG) or other legislation permits this.
In particular, we and the third parties commissioned by us for contract execution may use the customer data for the purpose of executing contracts with you, insofar as this is necessary.
Moreover, the Merchant and Wirecard are entitled to transmit data to the above-mentioned credit agencies regarding existing receivables due from you. This is permitted in accordance with Sections 30 and 31 of the Federal Data Protection Act (BDSG) and Art. 6 I b and f of the GDPR if you have not provided the performance owed despite it being due, if transmission is required in order to safeguard legitimate interests of the Merchant or of third parties and
- if the receivable is enforceable or you have expressly recognised the receivable or
- if, after the receivable has become due, you have been issued at least two written reminders, the Merchant or third parties commissioned by it informed you in time, although not earlier than at the time of the first reminder regarding the forthcoming transmission after at least four weeks, and you have not contested the receivable or
- if the contractual relationship from which the receivable derives can be terminated without notice by the Merchant as a result of payment arrears and the Merchant or third parties commissioned by it informed you about the forthcoming transmission.
Moreover, the Merchant and Wirecard can transmit data regarding other non-contractual behaviour (e.g. fraudulent behaviour) to the above-mentioned credit agencies. In accordance with Art. 6 I f of the GDPR, these notifications may only be made where they are necessary to safeguard legitimate interests of the Merchant or of third parties and there is no reason to assume that the data subject’s legitimate interests in excluding the transmission prevail.
The credit agencies store and use the information received. This use also includes the calculation of a probability value based on the data stock of the credit agencies for the assessment of credit risk (score). The credit agencies transmit the data received to its contractual partners within the European Economic Area and Switzerland so that this information may be given to the latter for the assessment of the creditworthiness of natural persons. The contractual partners of the credit agencies are companies that bear financial contingency risks based on services or deliveries (in particular credit institutions and credit cards and leasing companies, as well as letting, trading, telecommunications, energy supply, insurance and debt collection companies). The credit agencies only make personal data available if a legitimate interest therein has been demonstrated in the individual case and the transmission is permissible after consideration of all interests. The scope of the data provided in each case may therefore differ depending on the type of contractual partner. In addition, the credit agencies use the data to verify the identity and the age of persons when requested by their contractual partners, which offer services on the internet for example.
4. Your right to withdraw consent, of access, to rectification, to blockage and erasure
You have the right vis-à-vis Wirecard of access in accordance with Art 15 of the GDPR, the right to rectification in accordance with Art. 16 of the GDPR, the right to erasure in accordance with Art. 17 of the GDPR, the right to restriction of processing in accordance with Art. 18 of the GDPR and the right to data portability in accordance with Art. 20 of the GDPR. Moreover, there is the possibility of contacting the competent supervisory authority for Wirecard, the Bayerisches Landesamt für Datenschutzaufsicht (Bavarian Data Protection Authority).
In accordance with Art. 21, Para. 1 of the GDPR, data processing can be objected to for reasons arising from the specific situation of the data subject. The objection, for which there is no form requirement, must be sent to data.privacy[at]wirecard.com.
You also have a right of access vis-à-vis the Merchant if the Merchant refuses to activate the Wirecard payment methods based on an automated processing of your data. You are welcome to set out your position to the Merchant regarding the negative decision in this regard. In this case, the Merchant will have your objections against the decision checked by Wirecard.
Please notify your concern to the Merchant at the address given in the Impressum/Site Notice.
You can receive information regarding the data concerning you stored by the above stated credit agencies and further information about the information disclosure/score procedure of the respective credit agencies directly from the respective credit agency, which you can reach at the following addresses:
- Creditreform Boniversum GmbH, Hellersbergstr. 11, 41460 Neuss
- SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden
- Infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden
- Bürgel Wirtschaftsinformationen GmbH & Co. KG, Postfach 500166, 22701 Hamburg
- Crif Germany: Crif GmbH, Dessauerstraße 9, 80992 München
- Crif Austria: Crif GmbH, Diefenbachgasse 35-39, 1150 Wien
- Crif Switzerland = Crif AG, Hagenholzstraße 81, 8050 Zürich
5. The storage of your data
Wirecard stores the data obtained in the course of this collection and processing for a period of three years. After this period has expired, the data is deleted or blocked unless a processing and/or use is permitted or necessary, based on legal permission, for the fulfilment of retention periods in accordance with commercial and fiscal law (10 years).