In 2016, the European Union enacted European Regulation No. 2016/679 on the protection of personal data of citizens of the European Union (the "GDPR"). It requires companies to have a compliance program in place to ensure that their customers' personal data is processed in a lawful, fair and transparent manner.
The purpose of this policy is to set out how Paymium collects and processes the personal data of Paymium's customers and prospects, including:
- The identity of the data controller and its obligations,
- The purpose of personal data processing,
- The compulsory or optional nature of the answers and the consequences of a failure to answer,
- The recipients of the data,
- Possible data transfers to countries outside the EU,
- Users’ rights concerning their data.
2. General principles of data collection and processing
In accordance with the provisions of Article 5 of the GDPR, the collection and processing of data from users of the site respect the following principles:
- Lawfulness, fairness and transparency: data are collected and processed only in lawful use cases. The user is systematically informed of the use that is made of his/her data.
- Limited purposes: data is collected and processed for one or more specific purposes.
- Minimisation of data collection and processing: only the data necessary for the proper fulfilment of the objectives pursued by Paymium are collected.
- Limitation of data retention over time: users' personal data is retained for a limited period of time. The user is always informed of this duration.
- Integrity and confidentiality of the data collected and processed: the data controller, Paymium, undertakes to guarantee the integrity and confidentiality of the data collected.

Paymium is committed to respecting all of these principles as part of its compliance with the GDPR.
In accordance with the requirements of Article 6 of the GDPR, Paymium only processes personal data in one of the following cases:
- The user has given consent to the processing,
- The processing is necessary for the proper execution of a contract between Paymium and the user,
- The processing operation meets a legal obligation,
- The processing and collection of personal data is necessary for the purposes of legitimate and private interests pursued by Paymium or a third party.
3. Data controller & related obligations
3.1 - The Data Controller
The company responsible for processing personal data is Paymium SAS, located (head office) at 73, Rue du Château 92100 Boulogne-Billancourt France, registered in the Nanterre Trade and Companies Register under the number (SIREN) 533 264 800.
Any person who would like to find out how his or her personal data is processed or who would like to exercise his or her rights may contact the company in one of the following ways:
By e-mail at [email protected]
By post: 73, rue du château - 92100 Boulogne Billancourt – France
3.2 - Obligations of the data controller
The data controller undertakes to protect personal data, not to transmit them to third parties without the user's knowledge and to respect the purposes for which the data were collected.
Furthermore, the data controller undertakes to notify the user in the event of rectification or deletion of the data, unless this would involve disproportionate formalities, costs and steps.
Finally, in the event of a violation of personal data [1] presenting a risk to the rights and freedoms of individuals, Paymium undertakes to notify the incident to the CNIL as soon as possible and, in the event of a high risk, to notify the persons concerned.
3.3 - Data protection measures
Paymium has taken all useful precautions to preserve the security of personal data and, in particular, to prevent them from being distorted or damaged or from unauthorised third parties having access to them.
These measures include, in particular, the following:
- Application firewall,
- Tracking access,
- Encrypted data transmission using HTTPS/VPN technology,
- Encryption of sensitive data and backups.
Furthermore, access to personal data by Paymium's internal department is done through technologies requiring strong authentication.
4. Methods of collection and processing of personal data
4.1 - Data retention period
Paymium keeps in its systems, under reasonable conditions of security, the personal data it collects for a period of 5 (five) years from the closing of the customer account. This data is kept by Paymium in order to manage its business relations and to comply with its legal obligations, in particular those concerning the fight against money laundering and the financing of terrorism.
For technical and service continuity reasons, Paymium cannot delete certain data after this period. Nevertheless, after the 5-year period, these data are completely anonymised.
4.2 - Categories of data collected
Paymium primarily stores data relating to the identity of its customers (surname, first name, address, etc.). In order to get to know its customers as well as possible, it also collects data on their professional life, their economic and financial situation, etc. Paymium collects and processes these types of data related to the knowledge of its customers in order to provide them with the most appropriate services. It also collects them in order to comply with its regulatory obligations in terms of the fight against money laundering and terrorist financing.
Secondly, Paymium processes personal data relating to the use that users make of its service (transaction history, account number, IBAN, etc.). This also includes login data (IP address, logs, login identifiers, etc.).
5. Purpose of the processing of personal data
The collection and processing of the above-mentioned data enables Paymium to carry out a number of operations relating to customer management.
This concerns in particular the management of contractual relations, invoicing, customer accounts, etc.
These data also enable Paymium to prevent fraud and illicit operations constituting money laundering.
The data are also used to manage the user relationship, in particular with regard to requests made by customers to exercise their rights (right of access, right of opposition, etc.).
Finally, Paymium also uses its data for prospecting purposes, in the form of games and sponsorships.
6. Legal basis of the processing operation
6.1 - A legal obligation
The processing of the service user's personal data is carried out mainly due to a legal obligation to which Paymium is subject - the fight against money laundering and terrorist financing (art. L. 561-2 and following of the Monetary and Financial Code).
6.2 - A legitimate interest
Paymium also has a legitimate interest in the processing of personal data. These interests lie in the prevention and processing of fraud and in customer management.
7. Mandatory nature of data collection and consequences for failure to provide the data
The data that the user of the service is obliged to provide is marked with an asterisk in the registration (or contact request) form. If the data is not provided, the contact request cannot be processed.
8. Recipients of the data
Within the limits of their respective needs, the following are recipients of all or part of the data:
- Paymium's internal departments (e.g. IT department, management, customer service, compliance, etc.),
- Paymium's subcontractors involved in customer relationship management.

No personal data is transferred outside the European Union.
9. Data hosting
The data collected and processed by the site are exclusively hosted and processed in the countries of the European Union.
10. User rights
In accordance with the regulations on the processing of personal data (GDPR), the user has the rights listed below.

In order for Paymium to comply with the user's request, the user is obliged to provide Paymium with: his surname, first name, as well as his e-mail address and his customer account number. Paymium undertakes to reply to the user within a maximum of 30 (thirty) days.
10.1 - Rights of access, rectification and right to erasure
Any user can:
- Access all the information concerning him/her,
- Know the origin of the information concerning him/her,
- Get a copy,
- Require his/her data to be corrected, supplemented, updated or deleted, as appropriate.

The user may consult, update, modify or request the deletion of data concerning him/her, in accordance with the procedure set out below.

The user must send an email to the personal data controller, specifying the subject of his or her request and using the following contact email address: [email protected].
It should be noted that Paymium can:
- Refuse the request for access: in this case, it must give reasons for its decision and inform the applicant of the channels and deadlines for appealing against it.
- Not respond to requests that are manifestly abusive, in particular because of their number or their repetitive or systematic nature.

Users are expressly informed that, for all data processed by Paymium due to a legal obligation, their rights relating to their data may be limited.

The request will be processed within a maximum of 30 (thirty) days from the date of receipt. If the request is incomplete, Paymium will request additional information: the period is then suspended and runs again once these elements have been provided.
10.2 - Right to data portability
The right to data portability applies only if the data are processed automatically and on the basis of the prior consent of the data subject or the performance of the contract. Therefore, Paymium does not have to respond to a portability request concerning personal data processed in the framework of its obligation to combat money laundering and terrorist financing.

The user may therefore, in certain cases, request the portability of his personal data, held by the Paymium.com site, to another site, by complying with the following procedure: the user must make a request for portability of his personal data to the data controller, by sending an email to the following address: [email protected].
Requests for portability will be considered by Paymium on a case-by-case basis.
10.3 - Right to limitation and opposition of data processing
The user has the right to request the restriction or to oppose the processing of his data by Paymium, for legitimate reasons, unless Paymium is legally obliged to do so [2]. In order to request the limitation of or to object to the processing of his data, the user must follow the following procedure: the user must make a request for the limitation of the processing of his personal data to the data controller, by sending an email to the address below: [email protected]
10.4 - Right to refer a matter to the competent supervisory authority
In the event that the data controller decides not to respond to the user's request, and the user wishes to contest this decision, or, if he or she believes that one of the rights listed above is being infringed, he or she has the right to refer the matter to the CNIL (Commission Nationale de l'Informatique et des Libertés, https://www.cnil.fr) or any competent judge.
The site editor reserves the right to modify this policy in order to ensure its compliance with the applicable law.
[1] Examples: accidental or unlawful loss of availability, integrity or confidentiality of personal data.
[2] For example: the fight against fraud or the fight against money laundering and terrorism financing.