Data protection information MyAfterPay website
Data protection information on our AfterPay payment methods such as purchase on account (hereinafter "Product Data Protection Information") can be found under the following link: https://documents.myafterpay.com/privacy-statement/en_dk.
1. Who is responsible for the processing of my data?
Arvato Finance A/S, Østbanegade 55, 2. tv, DK-2100 København ("Arvato") is responsible for the processing of your data. You can reach our data protection officer by post at the above address with the addition "To the data protection officer" or by e-mail at email@example.com.
2 What data is processed for what purposes?
2.1 Access data; data processing on the website
When you use our website or AfterPay Online Services, the following data and information is automatically sent to our server: Your IP address, details about the content you requested and about your usage behaviour (e.g. which sections (FAQ's, contact form etc.) you viewed), the content you entered on the website (e.g. search words, login data, ratings, form entries, click data), date and time of access, details about the internet browser you used, the dura-tion of your visit to the website and the page you previously visited from which you accessed our website. This data is described below as "access data" and is processed for the following purposes:
- To provide the website to enable you to register online to use the AfterPay Online Services as further described in section 3.1.
- To ensure technical security, in particular to correct technical errors and to ensure that unauthorised persons have not gained access to our systems, as described in more detail in section 4.
- For web analysis in order to make the website more efficient and interesting for our users, e.g. through statistical evaluation of access data, as described in more detail in section 5.
2.2 Further data and data processing for logged-in participants
With your log-in, in addition to the access data (see section 2.1), we also process data on your purchases, the payment methods you have selected (e.g. payment by instalments, pay-ment pause, direct debit), information due to money laundering regulations and, if applica-ble, optional entries (e.g. entries in the chatbot, in the contact form, in the evaluation form, in the identification or signature process, in the analysis process of your bank account) for the following purposes:
- To provide AfterPay Online Services so that, for example, you can access your Af-terPay Account information online, as further described in section 3.2.
- For the transmission of advertising and individual offers, as described in more de-tail in section 6.
- To comply with legal requirements (e.g. from the Money Laundering Act) as well as the adjustment of your risk profile initiated by you.
3 Provision of the website and AfterPay Online Services
3.1 Provision of the website
When you use our website, we process the access data that accumulates in the process in order to be able to technically provide you with the content and functions called up. The le-gal basis for the associated processing of your access data is GDPR Art. 6 (1) (b).
3.2 AfterPay Online Services for logged-in participants
After you have logged in, all AfterPay Online Services offered by us via our website are available to you. Your login details are: Your NemID/MitID.
Your data collected during your use of the Website and the AfterPay Online Services (see section 2) will be processed in order to provide you with the AfterPay Online Services. This includes, for example:
- The "Overview" function lists all open transactions (e.g. orders, returns, payments, credit notes)
- The "History" function shows all completed transactions (e.g. orders, returns, pay-ments, credit notes).
- The "Profile" function shows your personal information (e.g. name, address), con-cluded contracts or mandates (e.g. Flex contract; direct debit mandate)
- The Flex function shows your Flex contract with the settings you have made as well as the relevant purchases
- If you use the contact form, we will process your details to deal with your request. If necessary, your details may also be passed on to third parties.
The legal basis for processing your data to provide the AfterPay Online Services is GDPR Art. 6 (1) (b).
4. Guaranteeing technical security
The access data accruing when using the website is stored in the log data (hereinafter "serv-er log files") of our servers for a short period of time. The server log files are stored sepa-rately from your other data. It is therefore not possible for us to draw any direct conclusions about you from the server log files. After seven days at the latest, the server log files are completely anonymised by shortening the IP address, so that a personal reference is perma-nently excluded. The aforementioned processing of access data is carried out on the basis of GDPR Art. 6 (1) f for the necessary guarantee of technical security, in particular for the pre-vention of attempted attacks and fraud on our servers, as well as for troubleshooting pur-poses.
5. Web analysis and reach measurement
As part of our web analysis, we use so-called tracking tools to evaluate access data in order to find out how our website or our AfterPay Online Services are used (reach measurement). Our website also uses identification cookies ("cookies") for this purpose. Cookies are small text files that are stored by your internet browser. The cookies we use contain a randomly generated character string that is used by our website as an identifier during subsequent page views. This enables us to recognise whether you have already visited our website and which contents and functions you have accessed. The identification feature itself does not contain any personal information. In this way, we learn, for example, which offers and con-tent are particularly popular, how long and at what times the website or the AfterPay Online Services are accessed particularly frequently, from which regions (down to city level) our website or offers are accessed and which browsers and devices our users use. For this pur-pose, we use technologies on the website to create pseudonymous user profiles in order to carry out reach measurements as well as statistical analyses and to optimise our offer and design it in line with requirements.
The legal basis for carrying out the range measurement is GDPR Art. 6 (1) (f), based on our legitimate interest in the statistical analysis and needs-based design of the website and the AfterPay Online Services described above.
The access data and usage profiles stored for the purposes of web analysis and reach meas-urement are usually deleted or anonymised by us after one year.
You can deactivate cookies that are not absolutely necessary for the operation of the website via the Consent Management Platform. In this case, your access data will no longer be used for the purposes described above in section 5 and below in section 5.2.
5.1 Consent Management Platform
We use the Consent Management Platform from Usercentrics, Sendlinger Straße 7, 80331 Munich, Germany (CMP). The CMP supports us in the transparent presentation of data pro-cessing processes and enables us to store and make retrievable for the respective data pro-cessing whether the user has consented or not. Usercentrics processes the following data for the following purposes (as contractor):
Data processing purposes
- Enable proof and documentation for the legal basis within the framework of data protection accountability according to GDPR Art. 5 (2)
- Storing and making available the user's consent profile
- Technologies used
- Local memory
- Date and time of the visit
- Device information
- Browser information
- Anonymised IP address
- Consent profile "Yes" or "No
- Randomly generated identification number for the assignment of the end device to the consent profile
- Necessity for the fulfilment of a legal obligation (GDPR Art. 6 para. 1 lit. c)
Place of data processing
The storage of consent and device data takes place exclusively in the European Union, name-ly in Frankfurt am Main (API server) and in Belgium (consent database). We have contractu-ally agreed these storage locations with the contractual partner Google Ireland Limited. Google LLC US has no standard access to the stored data. Google LLC US is technically in-volved in support actions to the hosting services used at Google Ireland. These are: Hard-ware Maintenance, CDN and Server Monitoring. In none of these services does Google LLC US have access to CMP information from Usercentrics.
Evidence of the revocation of consent previously given is retained for five years from the end of the year in which the consent was revoked. The retention is based on our accountability according to GDPR Art. 5 (2) and the regular limitation periods.
We use the tracking tools of the service providers listed below for the data processing within the scope of web analysis described in section 5. Unless otherwise stated, these service pro-viders process personal data exclusively on our behalf and not for their own purposes (so-called processors). Insofar as these service providers process your data outside the European Union, this may result in your data being transferred to a country that does not guarantee the same data protection standard as the European Union. In this case, we will ensure that the service providers guarantee an equivalent level of data protection by contract or other-wise. You can request a copy of these guarantees using the contact details mentioned in sec-tion 1.
Google Ireland Limited
AfterPay Online Services uses the Google Analytics for Firebase ("Firebase") tool. Firebase is an analysis tool of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). We use Firebase to collect access data and to create pseudonymous usage pro-files. Through Firebase, we can also record in the pseudonymous usage profiles whether there are problems or crashes when using our app. Furthermore, we use Firebase to play out new designs in the app to a small part of the users with the help of so-called A/B tests. By comparing the pseudonymous user profiles, we can then see to what extent a new design affects the use of the app. The pseudonymous usage profiles created by Firebase are not merged with your other data stored by Google on our behalf.
In addition, we have agreed the EU Commission's standard contractual clauses with Google for this case.
6. Advertising and individual offers
We use your contact information to send you advertisements by post, email, MMS, SMS or via the AfterPay app about other AfterPay products, such as payment by instalments ("After-Pay Flex") or monthly billing. You will then receive advertising by email, MMS or SMS even without your express consent if we have received your email address or telephone number in connection with the use of our services and the products/services advertised by us are similar to those you have already used with us in the past. You can object to this use of your contact information for advertising purposes at any time by sending an e-mail to firstname.lastname@example.org. This will not incur any additional costs for you, except for the transmission costs according to the base rates.
Furthermore, at the end of each e-mail, MMS or SMS, you will be given the opportunity to object to the further use of your e-mail address or telephone number by us for the afore-mentioned purpose (advertising of comparable goods and services) in the future.
7. Other service providers
Insofar as we use service providers other than those named in this data protection notice to operate this website or our After Pay Online Services (order processors, e.g. data centres, technical service providers), they will only be given access to your data to the extent and for the period of time that is necessary in each case for the provision of the respective services. If these service providers process your data outside the European Union, this may result in your data being transferred to a country that does not guarantee the same data protection standard as the European Union. In this case, we will ensure that the service providers guar-antee an equivalent level of data protection by contract or otherwise. You can request a copy of these guarantees using the contact details provided in section 1.
8. What rights do I have in relation to my personal information?
You have the right to obtain information about the personal data we hold about you at any time. If data about you is incorrect or out of date, you have the right to request that it be corrected. You also have the right to request the deletion or restriction of the processing of your data in accordance with GDPR Art. 17 or 18. You can find information on your adver-tising objection rights under section 4 and section 7 of the AfterPay data protection notices (https://documents.myafterpay.com/privacy-statement/en_dk)
You have the right to receive an electronic copy of your data (right to data portability. Insofar as we do not process the data for advertising purposes on the basis of GDPR Art. 6 (1) (f), you may object to the processing in accordance with GDPR Art. 21 (1) for rea-sons arising from your particular situation. However, we cannot always comply with this, e.g. if legal provisions oblige us to process. If you wish to exercise your rights, in particular your rights of revocation and objection, or if you have general questions about data protec-tion relating to the AfterPay Online Services, you can contact us at any time at email@example.com or our data protection officers.
You also have the right to contact a data protection authority and lodge a complaint there. Contact information of the responsible authority can be found below:
Authority name: Datatilsynet
Address: Carl Jacobsens Vej 35, 2500 Valby, Denmark
Phone: 33 193 200