Data Privacy Statement business customers TWINT Acquiring AG

Depending on your activity, we process the following personal data about you:

1.1 Opening of business customer account and maintenance of business relationship

In order for you to be able to offer your customers TWINT as a payment method, we process the following personal data for the opening of a business customer account:

• Company information (company name, address, type of company)
• Personal information: User (title, first and last name, correspondence language), login data (e-mail address, telephone number)
• Bank account details
• Commercial register entry (if available)
• Any other documents that we request separately during the process of opening a business account.

Furthermore, this data is used to maintain the business relationship with you or your employer/client, in particular to inform you about significant businessrelated matters such as the availability of our services or new products, for (voluntary) surveys, for combating fraud, for invoicing and generally to provide our services.

1.2 Transaction processing

For the processing of transactions and in the event of related questions or complaints, the following personal data related to you will be processed:

• Company information (company name, address, type of company)
• Personal information (title, first and last name, correspondence language)
• E-mail address if applicable.

Generally, we collect personal data directly from you (e.g. via forms in the business customer portal, during communication with us, in connection with contracts, etc.).

Provided this is not unlawful, we also collect data from publicly accessible sources (e.g. debt en-forcement register, commercial register), or receive personal data from other companies within our Group, from authorities and from other third parties (e.g. credit bureaus, contractual partners, media or the internet, etc.).

The categories of personal data that we receive about you from third parties include, in particular, information from public registers, information we learn in connection with official and legal proceed-ings, information in connection with your professional functions and activities (so that we can, for ex-ample, conclude and process transactions with your employer/client with your help), information about you in correspondence and meetings with third parties, information about you that people asso-ciated with you (advisors, legal representatives, etc.) give us so that we can conclude or process contracts with you or involving you (e.g. your address for deliveries, powers of attorney, information from banks, etc.) and information about your creditworthiness (query to CRIF AG).

We can analyse some of your personal characteristics automatically (“profiling”) to identify the risk of misuse and security risks, to make statistical assessments or for operational planning purposes.

We shall store your personal data on secure servers in Switzerland or in the European Union.

We process your personal data for as long as our processing purposes, statutory retention periods and our legitimate interests in processing for documentation and evidence purposes require or as long as storage is necessary from a technical perspective. If there are no legal or contractual obligations to the contrary, we delete or anonymise your data after the storage or processing period has expired.

The foregoing does not apply, however, to personal data that must be stored for longer by law, such as contract data. Other retention obligations are based on accounting regulations and tax regulations. In accordance with these regulations, business communications, concluded contracts and accounting documents are stored for up to ten years. Pursuant to money laundering legislation, certain (personal) data is also stored for up to ten years after termination of the business relationship.

Documentation and evidence purposes include, in particular, our interest in documenting processes, interactions and other facts in the event of legal claims, discrepancies, IT and infrastructure security purposes and evidence of good corporate governance and compliance. Storage may be necessary from a technical perspective if certain personal data cannot be separated with reasonable effort and expense from other data and we therefore need to store it together with this data (e.g. in the case of backups or document management systems).

In relation to the use of TWINT as a payment method, we disclose your personal data to the following categories of recipients:

• • • TWINT AG Within the framework of intra-Group services, we can disclose your personal data within the Group to TWINT AG.
    • Service providers:We work together with other service providers from Switzerland and abroad who process per-sonal data pertaining to you as joint controllers with us or receive personal data from us pertaining to you as independent controllers (e.g. IT providers, shipping companies, QR code sticker suppliers, login service providers, banks, insurance companies, debt collection agencies, credit reference agencies or address checking services).
      We disclose to these service providers the personal data necessary for the provision of their services, which may also concern you. Our service providers may also process personal data about how their services are used and other data arising from the use of their service as independent data controllers for their own legitimate interests (e.g. for statistical assessments or for preparing statements). Service providers provide information about their data pro-cessing practices in their own data privacy statements.
    • Authorities: We may disclose personal data to offices, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to do so, or if this appears necessary to protect our interests. The authorities process data received from us about you as independent controllers.

All these categories of recipients may engage third parties, meaning that your personal data may also be made accessible to these parties. We can limit processing by certain third parties (e.g. IT providers), but not others (e.g. authorities, banks, etc.).

As explained in section 6, we also disclose data to third parties. These parties are not located exclusively in Switzerland. Your personal data may, therefore, also be processed in the European Union (specifically in Germany); but in exceptional cases in any country in the world.

If a recipient is located in a country without an adequate level of statutory data protection, we contrac-tually oblige the recipient to comply with applicable data protection legislation (we use the revised Standard Contractual Clauses of the European Commission, which can be accessed hier), provided the recipient is not already subject to a legally recognised regulatory framework to ensure data protection and we cannot rely on a derogation. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have consented or if it concerns personal data that you have made generally accessible and you have not objected to its processing.

Please also be aware that personal data exchanged over the internet is often transmitted via third countries. Your personal data may, therefore, also be transmitted abroad, even if the senders and the recipient are located in the same country.

We take appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and unauthorised access by third par-ties. Our security measures are continuously improved in line with technological developments.

We also take internal data protection very seriously. Our employees and the service providers en-gaged by us have been obliged by us to maintain confidentiality and to comply with data protection provisions and receive regular training in this regard.

As a data subject, you have the following rights:

Right to information: You have the right to request access to your personal data stored by us at any time and free of charge when we are processing it. This gives you the opportunity to check what personal data pertaining to you we are processing and to ensure that we are using it in accordance with applicable data protection regulations.

Right to rectification: You have the right to have incorrect or incomplete personal data rectified and to be notified of the rectification. In this case, we will inform the recipients of the personal data concerned of the amendments made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to have your personal data deleted under certain circumstances. In individual cases, the right to erasure may be excluded.

Right to data transmission: Under certain circumstances, you have the right to obtain from us free of charge in a machinereadable format the personal data you have provided to us.

Right of revocation: If data processing is based on consent, you have the right to revoke your consent at any time with effect for the future. Processing activities performed in the past based on your consent do not become unlawful as a result of your revocation.

If you wish to assert your rights, please contact us in writing. The contact details are provided in section 10 below.

If you have any questions about TWINT’s data protection, would like information or would like to have your data deleted, please contact us by sending an e-mail to [email protected].

If you wish to contact us via letter, please direct your concerns to the following address:

TWINT Acquiring AG
Data protection
Stauffacherstrasse 41
8004 Zurich, Switzerland

This data privacy statement does not form part of any contract with you. We may amend this data privacy statement at any time. The version published on this website is the most recent version.