Data protection information MyAfterPay website

Data protection information on our AfterPay payment methods such as purchase on account (hereinafter "Product Data Protection Information") can be found under the following link: https://documents.myafterpay.com/privacy-statement/de_de/muster

valid from: 08/2021

1. Who is responsible for the processing of my data?

Arvato Payment Solutions GmbH, Gütersloher Straße 123, 33415 Verl ("APS") is responsible for the processing of your data. You can reach our data protection officer by post at the above address with the addition "To the data protection officer" or by e-mail at datenschutz@bertelsmann.de.

2 What data is processed for what purposes?

2.1 Access data; data processing on the website

When you use our website or AfterPay Online Services, the following data and information is automatically sent to our server: Your IP address, details about the content you requested and about your usage behaviour (e.g. which sections (FAQ's, contact form etc.) you viewed), the content you entered on the website (e.g. search words, login data, ratings, form entries, click data), date and time of access, details about the internet browser you used, the duration of your visit to the website and the page you previously visited from which you accessed our website. This data is described below as "access data" and is processed for the following purposes:

2.2 Further data and data processing for logged-in participants

With your log-in, in addition to the access data (see section 2.1), we also process data on your purchases, the payment methods you have selected (e.g. payment by instalments, payment pause, direct debit), information due to money laundering regulations and, if applicable, optional entries (e.g. entries in the chatbot, in the contact form, in the evaluation form, in the identification or signature process, in the analysis process of your bank account) for the following purposes:

3 Provision of the website and AfterPay Online Services

3.1 Provision of the website

When you use our website, we process the access data that accumulates in the process in order to be able to technically provide you with the content and functions called up. The legal basis for the associated processing of your access data is Art. 6 (1) (b) DSGVO.

3.2 AfterPay Online Services for logged-in participants

After you have logged in, all AfterPay Online Services offered by us via our website are available to you. Your login details are: Your email address. Alternatively, you can also use your email address and a password.

Your data collected during your use of the Website and the AfterPay Online Services (see section 2) will be processed in order to provide you with the AfterPay Online Services. This includes, for example:

The legal basis for processing your data to provide the AfterPay Online Services is Art. 6 (1) (b) DSGVO.

4. Guaranteeing technical security

The access data accruing when using the website is stored in the log data (hereinafter "server log files") of our servers for a short period of time. The server log files are stored separately from your other data. It is therefore not possible for us to draw any direct conclusions about you from the server log files. After seven days at the latest, the server log files are completely anonymised by shortening the IP address, so that a personal reference is permanently excluded. The aforementioned processing of access data is carried out on the basis of Art. 6 (1) f DSGVO for the necessary guarantee of technical security, in particular for the prevention of attempted attacks and fraud on our servers, as well as for troubleshooting purposes.

5. Web analysis and reach measurement

As part of our web analysis, we use so-called tracking tools to evaluate access data in order to find out how our website or our AfterPay Online Services are used (reach measurement). Our website also uses identification cookies ("cookies") for this purpose. Cookies are small text files that are stored by your internet browser. The cookies we use contain a randomly generated character string that is used by our website as an identifier during subsequent page views. This enables us to recognise whether you have already visited our website and which contents and functions you have accessed. The identification feature itself does not contain any personal information. In this way, we learn, for example, which offers and content are particularly popular, how long and at what times the website or the AfterPay Online Services are accessed particularly frequently, from which regions (down to city level) our website or offers are accessed and which browsers and devices our users use. For this purpose, we use technologies on the website to create pseudonymous user profiles in order to carry out reach measurements as well as statistical analyses and to optimise our offer and design it in line with requirements.

The legal basis for carrying out the range measurement is Art. 6 (1) (f) DSGVO, based on our legitimate interest in the statistical analysis and needs-based design of the website and the AfterPay Online Services described above.

The access data and usage profiles stored for the purposes of web analysis and reach measurement are usually deleted or anonymised by us after one year.

You can deactivate cookies that are not absolutely necessary for the operation of the website via the Consent Management Platform. In this case, your access data will no longer be used for the purposes described above in section 5 and below in section 5.2.

5.1 Consent Management Platform

We use the Consent Management Platform from Usercentrics, Sendlinger Straße 7, 80331 Munich, Germany (CMP). The CMP supports us in the transparent presentation of data processing processes and enables us to store and make retrievable for the respective data processing whether the user has consented or not. Usercentrics processes the following data for the following purposes (as contractor):

Data processing purposes

Processed data

Legal basis

Place of data processing

The storage of consent and device data takes place exclusively in the European Union, namely in Frankfurt am Main (API server) and in Belgium (consent database). We have contractually agreed these storage locations with the contractual partner Google Ireland Limited. Google LLC US has no standard access to the stored data. Google LLC US is technically involved in support actions to the hosting services used at Google Ireland. These are: Hardware Maintenance, CDN and Server Monitoring. In none of these services does Google LLC US have access to CMP information from Usercentrics.

Retention period

Evidence of the revocation of consent previously given is retained for three years from the end of the year in which the consent was revoked. The retention is based on our accountability according to Art. 5 (2) DSGVO and the regular limitation periods.

5.2 Tracking tools

We use the tracking tools of the service providers listed below for the data processing within the scope of web analysis described in section 5. Unless otherwise stated, these service providers process personal data exclusively on our behalf and not for their own purposes (so-called processors). Insofar as these service providers process your data outside the European Union, this may result in your data being transferred to a country that does not guarantee the same data protection standard as the European Union. In this case, we will ensure that the service providers guarantee an equivalent level of data protection by contract or otherwise. You can request a copy of these guarantees using the contact details mentioned in section 1.

Google Ireland Limited

AfterPay Online Services uses the Google Analytics for Firebase ("Firebase") tool. Firebase is an analysis tool of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). We use Firebase to collect access data and to create pseudonymous usage profiles. Through Firebase, we can also record in the pseudonymous usage profiles whether there are problems or crashes when using our app. Furthermore, we use Firebase to play out new designs in the app to a small part of the users with the help of so-called A/B tests. By comparing the pseudonymous user profiles, we can then see to what extent a new design affects the use of the app. The pseudonymous usage profiles created by Firebase are not merged with your other data stored by Google on our behalf.

In addition, we have agreed the EU Commission's standard contractual clauses with Google for this case.

6. Advertising and individual offers

We use your contact information to send you advertisements by post, email, MMS, SMS or via the AfterPay app about other AfterPay products, such as payment by instalments ("AfterPay Flex") or monthly billing. You will then receive advertising by email, MMS or SMS even without your express consent if we have received your email address or telephone number in connection with the use of our services and the products/services advertised by us are similar to those you have already used with us in the past. You can object to this use of your contact information for advertising purposes at any time by sending an e-mail to datenschutz@afterpay.de. This will not incur any additional costs for you, except for the transmission costs according to the base rates.

Furthermore, at the end of each e-mail, MMS or SMS, you will be given the opportunity to object to the further use of your e-mail address or telephone number by us for the aforementioned purpose (advertising of comparable goods and services) in the future.

7. Processing of your data using a Connector ID (C-ID)

We transmit your name, address and, if available, your contact details (e.g. e-mail address, telephone number) to Bertelsmann Data Services GmbH, Carl-Bertelsmann-Str. 270, 33311 Gütersloh ("BDS"). BDS processes this data to generate a unique connector ID ("C-ID"). This data is then deleted by BDS. The C-ID is a marker (identifier) which enables the Bertelsmann company involved in each case to determine in which databases of the other Bertelsmann companies involved a person present in their databases is stored.

In addition, we transmit the ID (customer ID) that we have assigned to their data record in our database to the BDS. BDS centrally records and manages the C-ID, the customer ID, information on the anonymous data catalogue and on which consents to a C-ID exist at the participating Bertelsmann companies for all participating Bertelsmann companies. The anonymous data catalogue is aggregated, non-personal information about the data stored in the customer databases of the other Bertelsmann companies ("anonymous data catalogue"). We do not ourselves transmit an anonymous data catalogue to the BDS.

The data processing described above is carried out to protect our legitimate interests on the basis of Article 6 (1) (f) DSGVO. This is initially done so that we can assess, through a request to the BDS, which Bertelsmann companies involved have the same C-ID and what potential the Anonymous Data Catalogue of the other Bertelsmann company offers for a data transfer to us.

Insofar as you have consented to this vis-à-vis another Bertelsmann company involved, this company may transmit further data about you to us using the C-ID. We will then use this data for our risk and fraud management or for advertising purposes, as described in more detail in section 4 of the product data protection information (https://documents.myafterpay.com/privacy-statement/de_de/muster). Please note that we ourselves do not transmit any data about your person to other Bertelsmann companies involved, but are exclusively data recipients in this context.

The Bertelsmann companies currently involved can be found at https://dataservices.bertelsmann.de/participatingcompanies/ or requested by post or e-mail at datenschutz@bertelsmann.de.

We and the BDS are joint data protection controllers for the data processing involved in generating the C-ID. In this respect, we and the BDS have stipulated in a joint agreement pursuant to Art. 26 DSGVO which of us fulfils which obligations under the DSGVO. This relates in particular to the exercise of the rights of the data subjects and the fulfilment of the information obligations pursuant to Articles 13 and 14 of the GDPR.

This agreement is necessary because personal data is processed in different process sections when generating the C-ID, which are either operated by us, the BDS or jointly. Even if there is joint responsibility, the parties fulfill the data protection obligations in accordance with their respective responsibilities for the individual process sections as follows:

a) We are responsible for the process of transferring the above data to the BDS.

b) We and the BDS are jointly responsible for the generation of the C-ID.

c) The BDS is responsible for the administration of the C-ID as well as for the deletion described above of the data transmitted to the BDS for the generation of the C-ID.

You can assert your data protection rights both with us (see section 1) and with Bertelsmann Data Services GmbH, Corporate Data Protection, Carl-Bertelsmann-Str. 270, 33311 Gütersloh, Germany, or by e-mail at datenschutz@bertelsmann.de. As a rule, you will receive the information from the office where you assert your rights.

You can object to the use of your data for the data processing described in this clause 7 at any time, as described in clause 9. Your data will then no longer be used for these purposes in the future.

8. Other service providers

Insofar as we use service providers other than those named in this data protection notice to operate this website or our After Pay Online Services (order processors, e.g. data centres, technical service providers), they will only be given access to your data to the extent and for the period of time that is necessary in each case for the provision of the respective services. If these service providers process your data outside the European Union, this may result in your data being transferred to a country that does not guarantee the same data protection standard as the European Union. In this case, we will ensure that the service providers guarantee an equivalent level of data protection by contract or otherwise. You can request a copy of these guarantees using the contact details provided in section 1.

9. What rights do I have in relation to my personal information?

You have the right to obtain information about the personal data we hold about you at any time. If data about you is incorrect or out of date, you have the right to request that it be corrected. You also have the right to request the deletion or restriction of the processing of your data in accordance with Art. 17 or 18 DSGVO. You can find information on your advertising objection rights under section 4 and section 7 of the AfterPay data protection notices (https://documents.myafterpay.com/privacy-statement/de_de/muster). You have the right to receive an electronic copy of your data (right to data portability. Insofar as we do not process the data for advertising purposes on the basis of Art. 6 (1) (f) DSGVO, you may object to the processing in accordance with Art. 21 (1) DSGVO for reasons arising from your particular situation. However, we cannot always comply with this, e.g. if legal provisions oblige us to process. If you wish to exercise your rights, in particular your rights of revocation and objection, or if you have general questions about data protection relating to the AfterPay Online Services, you can contact us at any time at kundenservice@afterpay.de or our data protection officers (see section 1).

You also have the right to contact a data protection authority and lodge a complaint there. The authority responsible for us is The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Postfach 20 04 44, 40102 Düsseldorf (Tel.: 0211/38424-0, Fax: 0211/38424-10, E-Mail: poststelle@ldi.nrw.de). You can also contact the data protection authority responsible for your place of residence, which will then forward your request.