Last version: 04.12.2019
Number of version: 1.23
The protection of your privacy is of the utmost importance to us. This Notice explains what information we process about you and how we use it. It also informs you about your data protection rights and how to exercise them.
The service AfterPay (payment after receipt of the goods) is offered by Arvato Payment Solutions GmbH, Gütersloher Str. 123, 33415 Verl under the name AfterPay (hereinafter "AfterPay", "we", "us"). As data controller, we are responsible for the processing of your information that we collect through our websites and services.
We need to collect and process information about you to provide you with our services. The type of information will depend on the service that you are using.
You provide us with information about you when you:
This information will contain the following:
When you use our services (such as when you place an order on a merchant’s website and choose to pay with one of our payment methods), we may collect the following information about you (either directly from you or via third parties, such as credit reference agencies and merchants):
If you have consented to measures to protect against fraud and for misuse detection (see Section [4.1.2]), then we collect the following data when you visit the merchant’s website (hereinafter referred to as “Access Data”):
Each time you visit our customer portal, Access Data are automatically sent to our server. In addition, we collect the following data from you (hereinafter referred to as “Other Information”):
The information you provided to us, as well as information we have collected about goods/services and your financial information, is required to provide you with our services. The additional information we collect, e.g. Access Data and Other Information, is necessary for other purposes, as outlined below.
We use your data for the purposes specified below. Furthermore, you can see the exact period of time for which your data will be stored in the table below.
|Area||Purpose – what are we doing?||Legal basis for processing||Automated decision||Storage period|
|Identification, risk and fraud management||to assess which payment options to offer you||Consent (Article 6 Paragraph 1(a) GDPR – Consent)||Yes||3 Years|
|To identify and verify your personal and contact details||Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR)||No||3 Years|
|Risk management, fraud prevention, risk analysis||Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR)
Our legitimate interest is to protect ourselves against solvency and fraud losses due to the fact that we are buying the receivables from the merchant.
Consent, if required under the applicable law (Article 6 Paragraph 1(a) GDPR)
|Obtaining credit checks from credit reference agencies||Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR)
Our legitimate interest is to also integrate external data into the credit decision if internal data are not sufficient to decide about the credit risk.
|To prevent misuse of AfterPay services, e.g. by improving credit risk and fraud models||Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR)
Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR) Our legitimate interest is to protect ourselves against solvency and fraud losses due to the fact that we are buying the receivables from the merchant.
|Payment administration & customer management||To administer your payment, services and manage the customer relationship, customer communication||Compliance with a contractual obligation (Article 6 Paragraph 1(b) GDPR)||No||10 Years|
|To administer AfterPay services and for internal operations||Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR)
Our legitimate interest is to improve AfterPay services and operations to optimise communication with the customer and thus reduce unnecessary costs
|General AfterPay services||To comply with applicable laws, such as anti-money laundering and bookkeeping laws and regulatory capital adequacy requirements||Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR)||No||10 Years|
|Visiting the AfterPay website and using the customer portal||Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR) and compliance with a contractual obligation (Article 6 Paragraph 1(b) GDPR)||No||1 Years|
|Technical security||Protecting legitimate interests (Article 6 Paragraph 1(f) GDPR)||No||1 Years|
For more information about these purposes, see the following sections of this Privacy Notice.
As part of the ordering process on a merchant’s website, we use your contact details, information about goods/services, financial information and, if available, historical information and, if you have granted your consent, your access data in the interests of effective prevention of abuse, credit checking and payment method control (decision as to whether our payment methods will be offered to the respective user) as follows:
Once you have selected one of our payment methods as part of the ordering process on the merchant’s website, the merchant sends us your contact details (name, address, date of birth (if necessary), email address) and information about goods/services so that we can decide whether we can offer you this payment method (passive payment method control).
For this purpose, we send your name, address and, if necessary, your date of birth via informa solutions GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany for the credit check to be carried out to informa solutions GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany (hereinafter referred to as “ICD”), for the credit check to be carried out. Taking into account, among other things, ad-dress data and past payment experiences, ICD produces a forecast of payment probabilities (score), in particular, on the basis of mathematical-statistical processes (in particular logical re-gression and comparisons with groups of personswith similar payment behaviour in the past), and provides this score to us. Based on the information about goods/services, the score provided by ICD, your contact details (name, address and, if applicable, date of birth) and the information we have about your previous payment behaviour, we make a balanced decision as to whether we can offer you the selected payment option. The legal bases for these investigations are Article 6 Paragraph 1(b) and Article 6 Paragraph 1(f) GDPR. Before offering one of our payment methods, which all involve a credit risk, our legitimate interest is to assess as accurately as possible whether you will meet the payment commitments that you will have entered into with us. The le-gitimate interest of the merchant is to be able to offer you high-risk payment methods as well, such as payment on account or direct debit. In addition, informa Solutions GmbH uses Fraud.net Inc. 330 7th Avenue, New York City, NY 10001, USA, as another processor for fraud prevention and detection. Data processing and storage takes place in the EU.
Furthermore, in order to avoid any incorrect deliveries and payment defaults, the address data that you have specified shall be verified by means of an address check based on Article 6 Paragraph 1(f) GDPR and sent to ICD for this purpose. The data required for credit and address checking and for payment method control shall be sent via a secure interface. Any sensitive personal concerns that you have will of course be taken into account as stipulated by law. In accordance with Article 21 Paragraph 1 GDPR, you are entitled to object to the processing of your data with future effect for reasons arising from your specific situation; this also applies for any profiling carried out for the purposes specified above. Please bear in mind, however, that, in this case, we will no longer be able to offer you any of our high-risk payment methods as part of your ordering process on the merchant’s website.
You can find more detailed information about ICD as defined by Article 14 of the European Union General Data Protection regulation (GDPR), i.e. information about the business purpose, about the purpose of data storage, on the data recipients, on the right to find out what details are held about you, a right to erasure or rectification, etc. in the annex to this document or by clicking on the following link: https://finance.arvato.com/icdinfoblatt.
Consent to measures for fraud prevention and detection of misuse
If you have indicated your consent to fraud prevention and detection of misuse as part of the ordering process on the merchant’s website, you are consenting that
1. your data for the execution of the contract (e.g. purchase object, name, postal address, e-mail address, delivery address, payment method and bank details) and
2. your device data used when visiting the websites (e.g. screen resolution, operating system ver-sion , browser language, IP address ) and an anonymized device ID based on this information (optionally be cached by a cookie, if permitted by you), and based on that with a certain proba-bility further visits can be recognized,
Be transmitted from the online shop to AfterPay for purposes of fraud prevention and misuse recognition. We use this data to automatically check for any evidence of online fraud or other misuse of the online store (for example, in the form of ordering goods / services in the online shop by taking over your user account, the automated creation of fake user accounts by bots, the use of stolen identities or payment data). Insofar as there is concrete evidence of online fraud or other misuse of the online shop, AfterPay and the online shop reserve the right to interrupt the relevant order process or to offer any of the AfterPay payment methods. The fraud prevention measures also help protect your user account against fraud and misuse of your information.
I hereby confirm that I am authorised to grant this consent in respect of all devices used by me during my visit to this online shop and that I shall inform any third parties to whom I make my de-vices available of said consent and shall ensure that they are also in agreement with the measures described above, otherwise they may not visit this online shop with my devices.
The provision of personal data is required in order to conclude any contract. Should this not be provided, the online shop reserves the right to stop the purchase process.
You may revoke the above consent at any time by writing an informal letter to AfterPay with effect for the future 4.2 Developing AfterPay website services.
Your access details and other information collected when you visited the AfterPay website will be used in the provision of services on the AfterPay website. It will also be used for user identification (if you visit our customer portal) and for making AfterPay website services more personal, interactive and user-friendly. It will also be used in conjunction with your contact details in responding to your requests and questions, implementing any choices you make and performing other similar tasks.
The access data provided when using the website will be temporarily stored in the protocol data (hereinafter referred to as “server log files”) on our server. The server log files will not be stored together with your other data. This means that we cannot identify you from the server log files. The server log files are processed in order to ensure the necessary technical security, in particular to prevent against attempted attacks and attempted fraud on our server and to rectify faults. After a maximum of seven days, the server log files are fully anonymised by truncating the IP address to permanently exclude any personal connection. The processing of access data is essential in order to ensure technical security. As a result of this, you do not have a right to object.
We are subject to various legal obligations, that is, legal requirements (for example, Money Laundering Act, Banking Act, tax laws) as well as regulatory requirements (for example, the Federal Financial Supervisory Authority). The purposes of processing include, but are not limited to, creditworthiness assessment, identity and age checks, fraud and money laundering prevention, combating terrorist financing, and compliance with fiscal control and reporting requirements.
Your contact details can be used for customer communications, such as sending you notifications concerning our services and contacting you on matters related to customer service or our services. If you do not wish to receive such communications, please send an email to email@example.com.
The decision on the creditor creditworthiness, the granting of one of our payment methods in the order process (payment method control) and the fraud potential of possible orders are automated in the online ordering process.
The credit decision will use information from externally used credit bureaus as well as any available payment data (see 4.1.1.). Device tracking data may also be used in the fraud prevention process (see 4.1.2.). On the basis of mathematical-statistical procedures (in particular logistic regression or other statistical, partially automated optimization models), our existing payment information is compared both with groups of people with a similar payment history in the past and through historical analysis of fraud patterns ( e.g. by extrapolation to our target groups) creates a prognosis especially about payment probabilities and if necessary fraud risks.
If you are refused credit due to insufficient creditworthiness or due to a significant suspicion of fraud, the high-risk payment methods offered by AfterPay will not be offered to you as AfterPay bears the associated risk.
As a rule, we do not transfer your information outside the EU or EEA. If we do transfer your information outside the EU or EEA, we ensure that your information is protected by an adequate level of protection and appropriate safeguards. Such safeguards may include, for example, contractually agreeing on the confidentiality of your information and matters related to processing in accordance with applicable law, such as by using model contract clauses approved by the European Commission and otherwise in a manner ensuring that your information is processed in full accordance with this statement. You can obtain a copy of the safeguards implemented by us from our local data protection officer. Contact details are set in this Privacy Data statement.
Access: You can request a written copy of the information that we hold about you.
Rectification: We want to make sure that your personal information is accurate and up to date. You may ask us to rectify or remove information you think is inaccurate.
Erasure: You can request that we erase your information. We may not be able to erase your information straight away, for example if we still need it for providing you with our services. We are not permitted to erase information about you that the law requires us to keep.
Objection: You have the right to object to the processing of your information pursuant to Article 21 GDPR. Withdrawing consent: Where the processing of your information is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on your consent before its withdrawal.
Withdrawing consent: Where the processing of your information is based on your consent, you have the right to with-draw your consent at any time, without affecting the lawfulness of processing based on your con-sent before its withdrawal.
Restriction of processing: According to Article 14 of the GDPR you have the right to restrict the processing of your data.
Data portability: If your personal data is processed by automated means for the fulfilment of our contractual relationship, you have the right to request that we provide you with personal data on a machine-readable format for transmission to another data controller.
Complaints: You can lodge a complaint with us or your local data protection authority at any time: Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf (Tel.: 0211/38424-0, Fax: 0211/38424-10, E-Mail: firstname.lastname@example.org).
If you have a request send us an e-mail to email@example.com.
We may transfer to or share your information with selected third parties as follows:
However, we may disclose your information when requested by competent authorities or other agencies in a manner based on currently applicable legislation.
If we share your information with such selected third parties, we take all reasonable legal, technical and organisational measures to ensure that your data are treated securely and with an adequate level of protection when transferred to or shared with said third parties.
Please note that we will not sell your personal details to third parties. In addition, we do not disclose your information to any third parties for direct advertising or other forms of direct marketing, opinion polls or market surveys, unless you have given us your consent to do so.
When selecting one of our payments methods on the merchant’s website or when concluding a contract with us you must provide those personal data that are necessary in order to make a decision on approving the payment method you have selected or for the justification and implementation of a contract or such data which we are obliged to collect by law. Without these data, we will normally be unable to approve the method of payment you have selected or the conclusion of the agreement, or we will no longer be able to continue to implement a contract and may have to terminate it.
In particular, when concluding a contract, we are obliged under anti-money laundering regulations to confirm your identity through your personal ID card before justifying the business relationship and, in the process, we must collect and record your name, place of birth, date of birth, nationality and your home address. To enable us to comply with this legal obligation, you are required to provide us with the necessary information and documents as specified under Section 4 Paragraph 6 of the German Prevention of Money Laundering Act (Geldwäschegesetz) and to immediately notify us of any changes that arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be permitted to enter into or continue the business relationship you have requested.
We use the latest technology to keep your information secure. This means that we use all necessary technical and administrative security measures to protect your information against unauthorised access, transfer, erasure or any other unauthorised processing. These security measures include state-of-the-art firewalls, encryption, use of secure IT areas, proper access control, providing instruction to personnel involved in the processing of your information, and the careful selection of sub-contractors. In addition, the right to access your information is restricted to AfterPay personnel who need to access your information as part of their work.
Our websites may contain links to other websites. We are not responsible for the privacy policies or content of these websites. We recommend that you read the privacy policies and terms and conditions of these websites carefully before using them.
If you do not want cookies to be stored on your computer, you may block their use by adjusting your browser settings. Please note that accessing some of the website services may require you to allow cookies.
You may also delete cookies from your browser history. By deleting the cookies on a regular basis, you can change the identification used to create a user profile based on your browsing history. However, clearing cookies from your browser history will not fully stop the collection of data – it only deletes the profile based on your earlier browsing history.
We are continuously developing our websites and reserve the right to change this Privacy Notice by announcing changes here. Changes may also be based on amendments made to applicable legislation.
Upon request, and within a reasonable period, you are entitled to request access to data, rectify incorrect data relating to you or inform us that you no longer wish to have your personal data stored. We have a dedicated team of data protection specialists. If you have any questions regarding this Privacy Notice or data protection, please address them to the data protection officer of Arvato Payment Solutions GmbH using firstname.lastname@example.org.
This Privacy Notice was last updated on 04. December 2019.