Pdf
Back to content

Updated: 29/10/2018

Joint Controller Agreement

Who are the joint controllers?

The Joint Controller Agreement is made between Paysera Ltd (hereinafter — the Franchiser), its distributors, franchisees and other participants of the Paysera network (hereinafter — Other parties). A full list of Other parties is provided here. By this agreement the Franchiser and Other parties agree to jointly process personal data provided to the Franchiser and (or) Other party(s) by Data subjects when applying for and using the Paysera services (hereinafter — Personal data).

What is the purpose of this Agreement?

This Agreement is made for the purposes of ensuring compliance with the Data Protection Legislation, inter alia, Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation 2016/679) (hereinafter — GDPR). The Franchiser provides the Paysera system and its services on “as it is” basis to Other parties who jointly with the Franchiser use the Paysera system with the access to Personal data stored in the Paysera system, the Personal data is available to the Franchiser and Other parties on a regular basis to allow the proper provision of the Paysera services and proper fulfillment of obligations of the Parties determined in mutual agreements regarding the usage of the Paysera system and the provision of the Paysera services. Therefore, the Franchiser and Other parties have agreed that they are Joint controllers as defined in Article 26 of the GDPR, as the Franchiser and Other parties jointly determine the purposes and means of processing of Personal data.

Why do the Joint controllers process Personal data?

Data processing is undertaken for the purposes of the provision of the Paysera services in an efficient manner, such as:

  • Registration in the Paysera system, payment account opening;
  • “Know your customer” principle and Customer due diligence implementation;
  • Anti-money laundering and (or) terrorism financing prevention;
  • Provision of payment services;
  • Distribution of information to Paysera clients;
  • Distribution and management of payment cards;
  • Registration in the Paysera Tickets system, customer identification, collection and management of statistical information;
  • Management of the tickets procurement process;
  • Ensuring confidential data security, information integrity, assets availability and protection from breaches, data thefts, malicious software, which can have a negative effect on the company assets.
  • SMS transmission over the Internet and management of statistical information;
  • Cell phone number association with an IBAN account and provision of payment services;
  • Paysera clients support and quality assurance;
  • Direct marketing;
  • Collection and management of statistical information;
  • Association of payment cards with the Paysera mobile application.

The processing of Personal data is undertaken jointly by the Other parties and (or) the Franchiser for the purposes directly related to this purpose.

What rights do Data subjects have under this agreement?

As Data subjects have a range of rights under the GDPR and relative national laws, the Franchiser and the Other parties have agreed to the following procedures to allow the Data subjects exercise these rights:
1. The Franchiser shall provide the Data subject with a copy of personal data stored in the Paysera system as required under article 15 of the GDPR (Right of Accessing Personal Data).
2. A Data subject may request rectification of any inaccurate personal data held by the Joint controller under Article 16 of the GDPR (Right of Rectification of Personal Data Provided by Data subject). The data shall be rectified by the Franchiser.
3. A Data subject may request erasure of the Personal data held by the Joint controller under Article 17 of the GDPR (Right of Erasure of Personal Data). The Franchiser shall delete the data (with the exception of the data that must be retained due to state law to which Other parties’ are subject to) and inform all Other parties thereof.
4. The Franchiser shall administer requests to restrict processing under Article 18 of the GDPR (Right of Restriction of Processing) and, should restriction of processing proceed, the Franchiser shall inform the Other parties thereof. Where this request relates to Joint Controller Agreement processes conducted solely by the Other parties or data held solely by the Other parties, this request shall be forwarded directly to the Other parties.
5. The Franchiser shall administer any requests for data portability under Article 20 of the GDPR (Right of Data Portability). Where this request relates to processes conducted solely by the Other parties or data held solely by the Other parties, the relevant request shall be forwarded directly to the Other parties.
The Franchiser under the present Agreement acts as a mediator between the Joint controllers and the Data subjects, however, a Data subject may exercise his or her rights against each of the controllers as stated in Article 26 (3) of the GDPR.
The Franchiser and Other parties shall provide the Data subject with the information required under articles 13 and 14 of the GDPR by means of a notice on their websites.

For how long do Joint controllers store your personal data?

The Personal data of former users of the Paysera services shall be deleted or anonymized by the Other parties within:
1. the period determined by the EU or state law to which Other parties are subject or (and)
2. the period determined in agreements with the Data subjects or (and)
3. the period determined in internal rules of the Parties regarding data processing.

Under which country‘s laws is the joint data processing undertaken?

This Agreement is governed by the law of the United Kingdom and subject to the exclusive jurisdiction of courts of the United Kingdom.

Please note that this Agreement may be amended or supplemented without any prior notice to the data subjects. Therefore, we strongly encourage you to visit this page regularly in order to keep up with any possible changes.

Information required under Article 13 of the GDPR

(A) The Joint controller for the data provided by you is Paysera Ltd and any Other party of the Joint Controller Agreement.
(B) The Franchiser has an appointed Data Protection Officer (DPO). The DPO can be contacted directly via the email address dpo@paysera.com and (or) by a letter to 43 Gunnersbury Court Bollo Lane, London, United Kingdom, W3 8JN.
(C) Your data shall be processed for the purpose of maintaining and servicing the Paysera system and guaranteeing the provision of the Paysera services in an efficient manner. Additional information can be found in the Privacy policy of Paysera. If you conclude a contract with the Other party, the Franchiser shall process your data whilst providing services to the Other party. Your data shall be accessible to the Other party that provides Paysera services to you. Your information shall also be available to all of the Other parties to allow them to provide better services within the Paysera system. The legal basis for the processing is your service agreement with the Other party.
(D) The processing of your data shall take place in the offices of the Franchiser and any Other party that you enter a service agreement with.
(E) The Franchiser could transfer your Personal data to other organizations within the Paysera network. These transfers are normally required for the purpose of the provision of Paysera services to you. The exact nature and purpose of such transfers shall be listed on the Franchiser’s website.
(F) Your data may be transferred to a third country or international organization with the existence of an adequacy decision by the United Kingdom’s Information Commissioner’s Office. In case of transfers referred to Article 46 or 47, or Article 49(1) of the GDPR, the appropriate or suitable safeguards that will be undertaken shall be listed on the Franchiser’s website.

This information is required under Article 14 of the GDPR for all organizations from which the Franchiser and the Other parties have received Personal data and has not been obtained directly from the Data subject.

PURPOSE OF DATA COLLECTION: Client's identification, provision of payment services (account opening, transfers of funds, payment collection and other), or implementation of other legal obligations of the payment service provider. For this purpose, the following personal data may be processed: name, surname, personal identification number, address, date of birth, data from an identity document and a copy of the document, photo, direct video transmission (direct video broadcast) recording, citizenship, email address, phone number, payment account number, IP address, current activity, current public function, other data required by the laws on prevention of money laundering and terrorist funding.
Data providers: Credit and other financial institutions and their branches, official registers and databases for checking the data of personal documents (databases of expired documents and other international databases), authority check registers (registers of notarized authority and other databases), registers of incapacitated and disabled persons, population registers, companies consolidated debtor files, companies maintaining registers of international sanctions, other persons. The full list of subjects shall be published with the Privacy Policy of the Franchiser and the Other parties.

PURPOSE OF DATA COLLECTION: Debt management.
For this purpose, the following personal data may be processed: name, surname, personal identification number, address, date of birth, data from an identity document, email address, phone number, payment account number, IP address, payment account statements.
Data providers: Credit, financial, payment and (or) electronic money institutions, population registers, companies processing consolidated debtor files, other persons. The full list of subjects shall be published with the privacy policy of the Franchiser and Other parties.