Passing on the data

The administrator of the voucher store can access your personal data for the purpose of selective support and general technical support. We use the following service provider for this purpose:

Schmitz Marketing GmbH
Jahnstraße 7
58769 Nachrodt-Wiblingwerde

Virtual terminal

The network operator and the respective payment service providers for accepting and settling payment transactions (e.g. acquirers) process the data further. This is done in particular for payment processing, to prevent card misuse, to limit the risk of payment defaults and for statutory purposes, such as combating money laundering and criminal prosecution. For these purposes, your data will also be transmitted to other responsible parties, such as your card-issuing bank.

Many steps are necessary for you to be able to pay securely with your card. The payee where you pay by card therefore works together with a network operator and an acquirer. The payee, network operator and acquirer are each responsible for processing your data separately within their own technical sphere of influence:

1. a) Payee for the integration of the virtual terminal into the webshop/application and, if applicable, for its internal network until secure transmission via the Internet to the network operator. The name and contact details of the payee can be found in the legal notice of the webshop you are using
2. b) Network operator for central commercial network operation, processing, conversion, risk assessment and further transmission. Your commercial network operator is VR Payment GmbH.
3. c) Acquirer is a payment service provider regulated under the German Payment Services Supervision Act (Zahlungsdienstaufsichtsgesetz - ZAG) that accepts and settles payment transactions on behalf of the payee.

Who the acquirer is depends on what type of card you have used. The contact details of the acquirer involved in processing your payment can therefore be requested in writing from the above-mentioned network operator, stating the payment method, terminal ID, date and name of the payee.

What data is used for the payment?

• Card details: IBAN or account number and sort code or credit card number, card expiry date and card sequence number.
• Payment data: Amount, date, time, terminal identifier (location of the provider and company where you pay), verification data of your means of payment.
• Charge back - If you dispute a transaction that was made with your card: Proof of purchase and any other information about you that the payee wants to use to prove their claim, such as your name and address.

Where do we get your data from?

• You enter your identification data or, if applicable, 3D Secure data from your card provider yourself.
• We receive some data from payment recipients where you pay by card.
• To the extent necessary for the verification of the card payment (authorization) or for the reversal of a card payment, we also process data that we permissibly obtain from publicly accessible sources (e.g. debtor directories) or that are legitimately transmitted to us by third parties (e.g. your bank or a credit agency).

For what purpose is your data processed and on what legal basis?

Payee:

• Verification and execution of your payment to the payee, Art. 6 para. b GDPR.
• Prevention of card misuse and limiting the risk of payment defaults, Art. 6 para. 1 lit. f GDPR.
• Sale of the receivable to the network operator by way of factoring, Art. 6 para. 1 lit. f GDPR.
• Document archiving in accordance with statutory provisions, Art. 6 para. 1 lit. c GDPR.

Network operator:

• Verification and execution of your payment to the payee, Art. 6 para. 1 lit. b GDPR.
• Prevention of card misuse and limiting the risk of payment defaults, Art. 6 para. 1 lit. c and f GDPR.
• Secure transmission of your data in accordance with the legal provisions of Art. 6 para. 1 lit. c and f GDPR.
• Avoidance of future payment defaults by transmitting chargeback data if your payment results in a chargeback, Art. 6 para. 1 lit. f GDPR.
• Document archiving in accordance with statutory provisions, Art. 6 para. 1 lit. c GDPR.
• Debt collection after a return debit note, Art. 6 para. 1 lit. f GDPR.
• Settlement of fees owed by the payee to your bank, Art. 6 para. 1 lit. f GDPR.

Acquirer:

• Verification and execution of your payment to the payee, Art. 6 para. 1 lit. b GDPR.
• Prevention of card misuse and limiting the risk of payment defaults, Art. 6 para. 1 lit. c and f GDPR.
• Secure transmission of your data in accordance with the statutory provisions and the provisions of the credit card organization, Art. 6 para. 1 lit. c and f GDPR.
• Settlement of fees owed by the payee to your bank, Art. 6 para. 1 lit. f GDPR.
• Document archiving, Art. 6 para. 1 lit. c GDPR.
• Debt collection after a return debit note, Art. 6 para. 1 lit. f GDPR.

Who receives the data?

In addition to the payee and the network operator, other parties require your data in order to process the payment or to comply with legal regulations. Your data will only be passed on to the following parties to this extent:

• Your card-issuing bank and the payment service provider of the payee, if applicable to the payment service provider for 3D Secure authorization
• the payment card system
• Your card-issuing bank and the acquirer's bank
• the intermediaries of the German Banking Industry that handle the clearing and settlement of payments
• Law enforcement authorities in the cases provided for by law
• Money laundering reporting offices in the cases provided for by law

Is data transferred to a third country or to an international organization?

No. In the case of a girocard, no such transfer takes place. Your data will only be transferred to international organizations outside the EU in the case of a Visa, Mastercard, American Express, Diners Club, JCB or Union Pay transaction.
You have consented to this transfer as part of the credit card agreement.
With regard to the processing of your data by the payment card system, we refer you to their data protection provisions:

1. a) Mastercard Europe SPRL,
   Chaussée de Tervuren 198A,
   1410 Waterloo, Belgium,
   for the payment brands "MasterCard" and "Maestro",
   https://www.mastercard.de/dede/datenschutz.html
2. b) Visa Europe Services LLC,
   registered in Delaware USA,
   acting through its London branch,
   1 Sheldon Square,
   London W2 6TT, United Kingdom,
   for the payment brands "Visa", "Visa Electron" and "V PAY"
   https://www.visa.co.uk/privacy/
3. c) Diners Club International Ltd,
   2500 Lake Cook Road,
   Riverwoods, IL 60016, USA,
   for the payment brands "Diners", "Diners Club" and "Discover".
   https://www.dinersclub.com/privacy-policy
4. d) JCB International Co,
   , 5-1-22, Minami Aoyama, Minato-Ku, Tokyo, Japan,
   for the payment brand "JCB".
   http://www.jcbeurope.eu/privacy/
5. e) Union Pay International Ltd, 5F,
   Building B, No. 6 Dongfang Road, Poly Plaza,
   Pudong 200120, Shanghai P.R. China,
   for the payment brands "CUP" and "Union Pay".

How long will my data be stored?

10 years in accordance with the statutory provisions.

What data protection rights do I have?

• the right to information in accordance with Art. 15 GDPR
• the right to rectification in accordance with Art. 16 GDPR
• the right to erasure in accordance with Art. 17 GDPR
• the right to restriction of processing in accordance with Art. 18 GDPR
• the right to object under Art. 21 GDPR
• the right to data portability under Art. 20 GDPR
• the right to lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG)

The restrictions under Sections 34 and 35 BDSG apply to the right to information and the right to erasure.

Do I have to provide my data?

You are not obliged to pay by card. However, if you decide to pay by card, we are obliged by law and by contracts with the German Banking Industry, among others, to collect your data. If you do not provide your data, card payment is not possible.

Will my data be used for automated decision-making?

If you want to use your card for payment, the card payment must first be authorized. Authorization is carried out automatically using your data.
The following considerations in particular may play a role here: Payment amount, place of payment, previous payment history, payee, payment purpose. Card payment is not possible without authorization. This has no influence on other payment methods (e.g. other cards or cash).

Right to object in individual cases

You have the right to object at any time, on grounds relating to your particular situation, to the processing of data which is carried out on the basis of Art. 6 para. 1 lit. f GDPR, i.e. to the processing of data on the basis of a balancing of interests.

Please address your objection to: haendlerservice@vr-payment.de

If you lodge a justified objection, your data will no longer be processed on the basis of Art. 6 para. 1 lit. f GDPR, with two exceptions:

• Your data will continue to be processed if the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, in particular e.g. in the case of statutory retention obligations and to process a payment that has already been initiated at the payment terminal but has not yet been completed.
• Your data will be further processed if this serves the assertion, exercise or defense of legal claims.