DEUTSCH

Supplementary data protection information  

for payment upon invoice, payment by installments and payment by SEPA direct debit
↓ Download PDF

Content
  1. Subject of this supplementary data protection information 
  2. General information and legal basis for processing 
  3. Purposes and legal bases for the processing of personal data
    • 3.1. Assignment of receivables
    • 3.2. Service requests concerning the payment obligation
    • 3.3. Risk checks
    • 3.4. Contact addresses and further information
  4. Transmission of creditworthiness data to the Austrian CRIF GmbH
  5. Your rights
    • a. Rights as a data subject
    • b. In particular: Your right to object
    • c. Contact address for exercising your rights
    • d. Right to file a complaint with the supervisory authority
  6. Retention period and routine deletion

  1. Subject of this supplementary data protection information

In accordance with section I. of the supplementary terms of payment for payment upon invoice, payment by installment and payment by SEPA direct debit (the "Terms of Payment"; available here https://legal.paylater.payone.com/en/terms-of-payment.html), we inform you in this supplementary data protection information for payment upon invoice, payment by installment and payment by SEPA direct debit (the "Supplementary Data Protection Information") about the processing of your personal data that is required when you select one of these payment methods offered in our online shop. In this Supplementary Data Protection Information, we use terms that are defined in the Terms of Payment. Please refer to the Terms of Payment to read the definitions there if necessary.

 

This Supplementary Data Protection Information applies alongside and in addition to our general data protection information, which you can access via the website of our online shop. There you will also find, in particular, our contact details as merchant and operator of the online shop as well as details of our data protection officer or other contact options for your questions relating to data protection in the context of your order.

 

Unless otherwise stated in this Supplementary Data Protection Information, we as a merchant are the data controller for the processing of your personal data described herein within the meaning of the relevant data protection laws, such as in particular the General Data Protection Regulation (the "GDPR").
  1. General information and legal basis for processing 

Your data is processed in accordance with the provisions of the GDPR in order to be able to offer you the payment methods payment upon invoice, payment by installments and payment by SEPA direct debit. In the following, we explain in detail which of your personal data we process for which purposes and on which legal basis. In addition, we will explain what rights you have and how long your data will be retained. For the purposes of this Supplementary Data Protection Information, data means any information relating to an identified or identifiable natural person.  
  1. Purposes and legal bases for the processing of personal data

The processing of your personal data may be necessary for various purposes. In part, this is done in accordance with Art. 6 para. 1 sentence 1 lit. b) GDPR for the purpose of fulfilling a contract or for the implementation of pre-contractual measures, which are carried out at your request, in part in accordance with Art. 6 para. 1 sentence 1 lit. c) GDPR, if there is a legal obligation to process your data or also in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR, if there is a legal obligation to process your data, or also pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR, insofar as the processing is necessary due to our legitimate interests or the legitimate interests of third parties, such as our cooperation partners in particular. Detailed information on the individual processing purposes and the relevant legal basis can be found below.

3.1. Assignment of receivables 

As described in detail in section II.1. of the Terms of Payment, an assignment of the purchase price receivable (the "Receivable") to the bank VVRB takes place within the scope of our cooperation with the cooperation partners. The assignment of the Receivable takes place in two steps: First, we assign the Receivable to our payment service provider PAYONE, before PAYONE in turn assigns the Receivable to VVRB. Further information on PAYONE and VVRB and the data processing that takes place there can be found below, in the section Contact addresses and further information.

 

In connection with the assignment of the Receivables, we transmit the data provided by you in the context of the order in the Online Shop, namely your name and other contact data, payment information such as, in particular, details of your bank account as well as data concerning your order to PAYONE and from there on to VVRB. This transmission is necessary to enable PAYONE and VVRB to acquire the Receivable and, as the owner of the Receivable, to collect it from you, to take legal action to collect overdue payments on the Receivable to the extent necessary (see section II.3. of the Terms of Payment) and to enforce its rights under the assignment of the Receivable. The legal basis for the transmission of the Data to PAYONE or the VVRB is therefore Art. 6 para. 1 sentence 1 lit. b) GDPR (fulfilment of the outstanding claim from the existing purchase contract), furthermore our and our cooperation partners' legitimate interest in an attractive offer of flexible payment methods as well as the enforcement of the Receivable (Art. 6 para. 1 lit. b) and f) GDPR). Insofar as the processing of your data is based on legitimate interests, you have the right to object to this; further information on your right to object and other rights as a data subject can be found below, in the section Your rights.

3.2. Service requests concerning the payment obligation

For service requests regarding the payment obligation from your order (such as, in particular, questions regarding the Terms of Payment and the Receivable), you can contact the Payla service centre. The Payla service centre can be contacted by e-mail and telephone using the contact details provided in the payment information. You will receive the payment information after completing your order (see sections III to V of the Terms of Payment). 

 

Payla operates the service centre as a service provider and data processor in accordance with Art. 28 GDPR for the owner of the Receivable and controller of the data processing (which regularly is VVRB as the final owner of the Receivable, depending on the status of the assignment of the Receivable, however, this may also be PAYONE in individual cases – see section 3.1.). You can contact the service centre, for example, if from your point of view the Receivable has already been settled but you are still requested to settle the Receivable or if from your point of view a refund of the purchase price has not been made even after a reasonable period of time, although you have arranged for a lawful return (see section II.2. of the Terms of Payment). Payla receives your enquiries directly and processes your concerns on behalf of the owner of the Receivable. In the case of questions about the order that do not relate to the payment obligation, Payla refers you to us (in this respect, we as the merchant are responsible under data protection law). Further information on Payla, PAYONE and the VVRB and the data processing that takes place there can be found below, in the section Contact addresses and further information

 

Data that you transmit to the Payla service centre or that are collected and processed there (such as your contact data, enquiry data, contract data, answers from customer service) are processed by Payla as a processor for the owner of the Receivable as the responsible party for answering your enquiry on the basis of Art. 6 (1) sentence 1 lit. b) GDPR, and also on the basis of the owner’s of the Receivable legitimate interest in an effective and customer-oriented customer service (Art. 6 (1) sentence 1 lit. f) GDPR). Insofar as the processing of your data is based on legitimate interests, you have the right to object to this, which you can exercise vis-à-vis the owner of the Receivable; further information on your right to object and other rights as a data subject can be found below, in the section Your rights.

3.3. Risk checks

When selecting the payment methods payment upon invoice, payment by SEPA direct debit and payment by installments, which involve a financial risk of default, your personal data will also be processed to determine whether you are likely to be able to meet your payment obligations and to protect you, us and our receivables acquirers, PAYONE and VVRB, from fraudsters who may attempt to use the payment methods offered to commit criminal offences.

 

The risk check includes a credit check, fraud prevention check and identity check (the "Risk Check"). This involves determining the likelihood of a proper payment in connection with the selected payment method. VVRB has commissioned Payla to carry out the Risk Check. For this purpose, we as a merchant transmit your personal data to Payla. The Risk Check is carried out by Payla as an independently responsible controller on the basis of the legitimate interest of VVRB, which bears the risk of default or is also legally obliged to carry out the Risk Check. (Art. 6 para. 1 sentence 1 lit. c) and f) GDPR). The legitimate interest of the VVRB is that the VVRB, as the final owner of the Receivable, bears the financial default risk that is established with the selection of the payment methods payment upon invoice, payment by instalments or payment by SEPA direct debit. VVRB has an overriding interest in minimising its risk of payment defaults through the prior Risk Check. In addition, VVRB is also obliged by regulatory provisions (in particular the German Banking Act (Kreditwirtschaftsgesetz, KWG)) to check your creditworthiness as the future debtor of the Receivables to be purchased before purchasing a Receivable. Therefore, the further legal basis for the processing of your data within the scope of the Risk Check is Art. 6 para. 1 sentence 1 lit. c) GDPR in connection with the regulations of the German Banking Act (KWG).

 

The risk check also serves in particular your own interest in not getting into over-indebtedness due to a large number of credit and other financing transactions. If our cooperation partners process your personal data for risk check purposes, then this processing also serves your own protection. 

 

The identification and credit check includes the query of your data with selected credit agencies. For this purpose, Payla transmits certain personal information from you to these credit agencies, which Payla has received from us (for detailed information, please refer to Payla's data protection information, which we have linked for you under section 3.4 "Contact addresses and further information"). For the purposes of credit checks, data from previous contractual relationships, about your financial situation, your regular financial obligations and your payment behaviour in the past are queried on the part of the credit agencies. Based on mathematical-statistical procedures, the credit agencies form a profile of your person. This profile contains a forecast of how likely you are to pay the debt in question. You can find out which credit agencies receive data about you as part of the risk check in the constantly updated list here  (https://legal.paylater.payone.com/en/risk-third-parties-list.html) there you will also find contact details and links to the data protection information of the credit agencies.

 

For the purpose of fraud prevention checks, Payla additionally collects data via interfaces in the online shop on the end device used by you in the context of the order as well as its settings and configurations, on the location from which you placed the order as well as the IP address used and processes this as described below. This data will be transmitted by Payla to specialised service providers and examined for conspicuous features for the purpose of fraud prevention. Conspicuous features could be, for example, that a billing address in Germany and a delivery address abroad are given, whereby the underlying order is placed from another third country. On the one hand, VVRB (as the final owner of our Receivable from you) has a legitimate interest in detecting possible cases of fraud and identity theft in advance (Art. 6 para. 1 sentence 1 lit. f) GDPR). On the other hand, the risk check also directly serves your own interest in preventing third parties from placing orders in the online shop with your data and at your expense ("fraud prevention"). The risk assessment is thus intended to protect all parties involved from financial damage caused by identity theft on the Internet.

 

Payla produces the results of the Risk Check, including those of the credit agencies and the other service providers used by Payla to prevent fraud, to be used by the VVRB in the decision on the purchase of the Receivable. The decision to purchase the Receivable remains with the VVRB, which makes its decision based on its own risk assessments. Payla will transmit its decision and the results of the Risk Check (in categories "positive" or "negative") on behalf of VVRB to PAYONE, which will in turn make a decision on the purchase of the Receivable from us on the basis of this information. PAYONE will finally transmit its decision and the results of the Risk Check (in categories "positive" or "negative") directly to us, and we will then take a decision on whether or not we can provide you with a certain payment method, taking this information into account. 

 

The legal basis for the disclosure of the Risk Check result (in categories "positive" or "negative") by VVRB to PAYONE and by PAYONE to us is in each case the legitimate interest (Art. 6 para. 1 sentence 1 lit. f) GDPR) in minimising the risk of payment defaults through the Risk Check. Our legitimate interest in receiving the result of the Risk Check is additionally based on the fact that we, as merchants, are legally obliged to check your creditworthiness when we grant you a postponement of payment or other gratuitous financing assistance. Therefore, a further legal basis for the transmission of the result of the Risk Check for us is Art. 6 para. 1 sentence 1 lit. c) GDPR in conjunction with the corresponding provisions of the German Civil Code. 

 

Insofar as the processing of your data is carried out based on legitimate interests, you have the right to object to this; you can exercise this right of objection vis-à-vis the respectively named controller of the processing of your personal data. Further information on your right to object and other rights as a data subject can be found below, in the section Your rights or, for processing under the responsibility of PAYONE, Payla and VVRB, in the corresponding data protection information of these data controllers, which we have linked for you under section 3.4 "Contact addresses and further information".

 

For further information on the processing of your data in the context of the Risk Check, please refer to the data protection information of Payla as well as the data protection information of VVRB and PAYONE, which are linked in the section Contact addresses and further information below.

3.4. Contact addresses and further information

Contact addresses for your questions regarding data processing by Payla, the VVRB and PAYONE as well as further information regarding the processing of your data taking place there have been provided for you below: 

 

PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main ("PAYONE") is an e-money institution within the meaning of the German Payment Services Supervision Act. As a cooperation partner, PAYONE processes the personal data transmitted to it for the purposes specified in this Supplementary Data Protection Information in its own responsibility within the meaning of the GDPR. For details, please refer to the relevant data protection information of PAYONE (https://www.payone.com/DE-en/gdpr)

 

Vereinigte Volksbank Raiffeisenbank eG, Darmstädter Str. 62, 64354 Reinheim ("VVRB"), is a CRR credit institution and a cooperative bank with several branches. As a cooperation partner, VVRB processes the personal data transmitted to it for the purposes stated in this Supplementary Data Protection Information in each case, in particular for the purpose of carrying out the Risk Check, under its own responsibility within the meaning of the GDPR. For details, please refer to the relevant data protection information of VVRB (https://www.vvr-bank.de/service/rechtliche-hinweise/datenschutzhinweis-zur-website.html)

 

Payla GmbH, Kaiserplatz 2, 80803 Munich ("Payla") provides technical and organisational software-based solutions for the availability and processing of payment products from the "Buy Now, Pay Later" sector, which include solutions for the payment methods offered to you. Payla processes the personal data transmitted to it for the purpose of Risk Checks under its own responsibility within the meaning of the GDPR. For details, please refer to the relevant  data protection information of Payla (https://payla.de/en/data-privacy/)
  1. Transmission of creditworthiness data to the Austrian CRIF GmbH

Please note that payment history and address data are only transmitted to the Austrian CRIF GmbH for customers with a billing address in Austria.

We would like to point out that payment experience data, in particular on undisputed claims and claims that remain unpaid after they become due, as well as address data will be transmitted to CRIF GmbH, Rothschildplatz 3/Top 3.06.B, 1020 Vienna for lawful use within the scope of their business licenses in accordance with Section 151 (address publishers), Section 152 (credit agencies on credit relationships) and Section 153 (services in automatic data processing and information technology) of the Trade Regulation Act 1994 (Gewerbeordnung 1994). In addition, information received from CRIF GmbH is used to check your identity and creditworthiness. You can find more information at www.crif.at/datenschutz
 
Should it be necessary in the context of our business relationship to verify your identity or creditworthiness, we will transmit the data required for this purpose to CRIF GmbH, Rothschildplatz 3/Top 3.06.B, 1020 Vienna, which, as an independent controller, processes the transmitted data for its own purposes as a credit agency and address publisher, as described at www.crif.at/datenschutz
  1. Your Rights
  1. Rights as a data subject  

Pursuant to Art. 15 GDPR, you have the right, upon request and free of charge, to receive information about the personal data that has been stored about you. In accordance with Art. 16, 17 and 18 GDPR, you also have the right to correct inaccurate data and to restrict processing or delete your personal data - in each case subject to the legal requirements.

 

You also have the right, under the conditions set out in Art. 20 GDPR, to receive the personal data relating to you that has been stored in a structured, commonly used and machine-readable format and to transfer this data to another controller without being hindered by us.
  1. In particular: Your right to object

In addition, pursuant to Article 21 para. 1 of the GDPR, you are entitled to object to the processing of personal data relating to you which is carried out on the basis of Article 6 para. 1 sentence 1 lit. f) of the GDPR, including profiling, on grounds relating to your particular situation. We will comply with this objection insofar as the legal requirements for its assertion are met.

 

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your data for such marketing, including profiling, insofar as it is related to such direct marketing, in accordance with Article 21 para. 2 of the GDPR. In such a case, we will no longer use your personal data for the purposes of direct marketing. 
  1. Contact address for exercising your rights 

Any requests concerning your personal data should be addressed to the controller of the relevant processing of your data. We have set out which body is responsible for which processing of your data in this Supplementary Data Protection Information.
  1. Right to file a complaint with the supervisory authority

Every data subject also has the right to file a complaint with a competent data protection supervisory authority about the processing of their personal data by us.  
  1. Retention period and routine deletion 

Unless expressly stated otherwise in this Supplementary Data Protection Information, personal data will only be retained for the period necessary to achieve the purpose of the processing or for as long as provided for by laws or regulations to which the Controller is subject.

 

If the retention purpose ceases to apply or if a legally prescribed retention period expires, the personal data will be routinely restricted in its processing or deleted in accordance with the statutory provisions. For detailed information on the retention period of your respective data by other data controllers, please refer to the corresponding data protection information of these data controllers, which we have linked for you above under section 3.4 "Contact addresses and further information". 

Status: 01.12.2022