- Who is controller and which personal data do we process?
- Purposes and legal basis for processing
- Is your data transmitted to third parties?
- Retention period
- Obligation to provide data
- Automated decision-making and profiling
- Rights of Data Subjects
Information on data processing activities under Art. 13 and 14 of the General Data Protection Regulation (GDPR).
1.1. It is an important concern for us, IXOPAY GmbH, FN 451099g, Vorgartenstrasse 206c, 1020 Vienna (“IXOPAY”, "we") to adequately protect your personal data. Therefore, we strictly observe the applicable data protection provisions, in particular the General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG") and the Telecommunications Act ("TKG") concerning the protection, lawful processing and confidentiality of personal data as well as data security.
2. Who is controller and which personal data do we process?
Controller under Art 4 (7) GDPR is IXOPAY GmbH.
Controller of the processing in the IXOLIT ID Portal (a self-service portal for our customers and prospects) is the IXOLIT GmbH.
We process personal data that we receive from you in the course of the initiation of and performance within a business relationship. In addition, we process data that we have lawfully obtained from publicly accessible sources (e.g. commercial register, register of associations, land register, media).
Such personal data includes:
2.1. Personal particulars & contact details:
Title, name, address, mobile number, e-mail address and business contact details, date of birth, nationality.
2.2. Company information:
Company, company register data, address, VAT number.
2.3. Bank details (as far as communicated by you):
Account holder, account number, IBAN, BIC, SWIFT.
In addition, we will process order information, data in relation to the fulfillment of our contractual obligations, advertising and sales data as well as documentation data (e.g. minutes of meetings).
3. Purposes and legal basis for processing
We process your personal data in accordance with data protection law:
3.1. For the performance of a contract (Art 6 (1) lit b GDPR)
We process your personal data to provide our services to you and - generally speaking - for performing our contracts with you and to invoice our services. The purposes of the data processing depend on the respective service; we may particularly highlight (i) our Payment Orchestration Platform, where we support the provision of payment services, without entering at any time into possession of the funds to be transferred (further details are available in our Platform Features section) and (ii) the IXOLIT ID Portal, which is operated for customers and prospects for the purpose of simplifying the conclusion of contracts and the organization and management of contract information.
3.2. Based on your consent (Art 6 (1) lit a GDPR)
If you have consented to the processing of your personal data, it will only be processed for the purposes specified in the declaration of consent and to the extent agreed therein. A given consent can be withdrawn at any time by e-mail or letter to our address stated in Section 8.7. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
3.3. For the purpose of legitimate interests (Art 6 (1) lit f GDPR)
If necessary, we process your data on the basis of our legitimate interests or the legitimate interests of third parties. Legitimate interests are in particular:
- Legally permissible direct marketing advertising, marketing purposes, for customer loyalty as well as for market and opinion research;
- Transmitting for internal administrative purposes within our group of undertakings, including the processing of clients' personal data;
- Activities for purposes of business management and development of services and products;
- for the establishment, exercise or defence of legal claims.
Your data may therefore be processed on the basis of such legitimate interests in addition to an applicable legal basis such as consent (even if this has been withdrawn in accordance with Section 3.2) or performance of a contract (Section 3.1).
3.4. We will inform you in advance of processing or collecting personal data for purposes other than those described in this document.
4. Is your data transmitted to third parties?
4.1. To the extent necessary, we provide your personal data to the following categories of service providers:
- Providers of tools and software solutions that support us in the performance of our services and operate on our behalf (acting as "processors").
All our processors are contractually bound to process your data only on our behalf and on the basis of our instructions.
4.2. In addition, we transmit your personal data to the extent necessary to the following recipients (acting as “controllers”):
- third parties involved in the provision of services in the course of the fulfillment of contractual obligations (e.g. banks for transaction processing, payment service providers, providers of content delivery network (CDN) and DDoS protection, marketing tools, marketing agencies, communication service providers, shipping service providers, providers of embedded content such as tutorial videos);
- other external third parties on the basis of our legitimate interests to the extent necessary (e.g. auditors and tax consultants, insurances in case of insured events, legal representatives in case of incidents);
- authorities and other public entities to the extent legally necessary (e.g. financial authorities); and
- persons who, under our direct authority, are authorized to process personal data (particularly our employees).
4.3. Processing of your data or using services of third parties in a so-called third country - i.e. outside the European Union (EU), respectively the European Economic Area (EEA) - is only carried out to the extent necessary and in accordance with the GDPR. Therefore, your personal data may be transferred to third countries in particular if there is an adequate level of data protection in the third country, the data is protected by appropriate safeguards, you have consented to the data transfer or the transfer is necessary for the performance of a contract or due to a legal obligation. We have implemented appropriate safeguards for any transfer of your data to a third country (e.g. by concluding so called "EU-Standard Contractual Clauses"). Upon request, we will provide you with a copy of those appropriate safeguards, provided processing activities are carried out in third countries.
5. Retention period
5.1. We store your personal data only as long as necessary for the purposes for which they are processed, in particular for the duration of the entire business relationship (from initiation to performance up to termination of a contract). Beyond that, we might be obligated to keep your data in accordance with statutory retention periods.
5.2. Specifically, we store your data in connection with your enquiries, business letters and contract documents in accordance with statutory retention periods (inter alia § 212 BAO, §212 UGB) for a time period of seven years.
5.3. If we collect access data and log files as a part of our services, such data is stored for a maximum time period of 500 days and is erased subsequently.
5.4. We store data in connection with your registration and your user account (e.g. for our Payment Orchestration Platform service) until the end of your client relationship with us or, moreover, until the expiry of statutory retention periods (cf Section 5.2).
5.5. In specific cases, we store your personal data beyond the above-mentioned retention periods for as long as necessary for the establishment, exercise or defence of legal claims out of our legal relationship.
6. Obligation to provide data
6.1. Within our business relationship, you must provide us with personal data required for the performance of our contractual obligations towards you and for voluntary services and performances, as well as data that we are legally obliged to collect (e.g. name, company, VAT number, address, telephone number, bank details). Data to be provided by you is marked with (*) or by other clear indication as a mandatory field. If you do not provide such data, we will generally have to refuse to enter into a contract or accept the order, or we will no longer be able to perform an existing contract and will therefore have to terminate it. The conclusion of an IXOPAY "Starter" or "Growth" contract is not possible without signing up for the IXOLIT ID Portal.
6.2. You are not obliged to consent to data processing with regard to data which is not relevant for the fulfilment of the contract or which is not legally required.
7. Automated decision-making and profiling
We do not use automated decision-making pursuant to Art 22 GDPR in order to reach a decision on the establishment and performance of the business relationship or other decisions that would significantly affect you.
8. Rights of Data Subjects
We try to answer your questions and concerns as soon as possible. However, our answer can take up to a month. If we need more time, we will let you know beforehand.
8.1. You have the right to access your personal data that is being processed by us (Art 15 GDPR). Apart from that, you have the right to rectification of inaccurate or incomplete data (Art 16 GDPR).
8.2. You have a right to erasure (Art 17 GDPR) if (i) your personal data is no longer necessary for the purposes for which we have collected it, (ii) you withdraw your consent and there is no other legal basis for processing by us (cf. Section 3), (iii) you object to the processing and there are no overriding legitimate grounds for the processing (except in the case of processing for direct marketing purposes), (iv) your personal data has been unlawfully processed or (v) for compliance with our legal obligations.
8.3. You have the right to restrict the processing (Art 18 GDPR) if (i) you contest the accuracy of your personal data, for a period enabling us to verify the accuracy, (ii) the processing is unlawful and you oppose the erasure of the data and request the restriction of its use instead, (iii) your personal data is no longer necessary for the purposes of the processing, but required by you for the establishment, exercise or defence of legal claims or if (iv) you have objected to processing pending the verification whether our interests override.
8.4. Subject to the terms of Art 20 GDPR you have the right to receive personal data that you have provided to us in a structured, transferable format (right to data portability).
8.5. Additionally, you have the right to withdraw your consent free of charge at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
8.6. Finally, you have the right to lodge a complaint with the competent supervisory authority (Art 77 GDPR), for Austria: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna.
8.7. If you have questions regarding this policy or any other data protection related questions, feel free to contact us:
Vorgartenstrasse 206c, 1020 Vienna, Austria
8.8. Right to object
We may process your data on the basis of legitimate interests (cf Section 3.3) in which case you have the right to object to the processing of your data. In the case of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing of this data which override your interests, rights and freedoms (balance of interests) or for the establishment, exercise or defence of legal claims.
In particular, you may object at any time to the processing of your data for the purposes of direct marketing by us. In the case of such an objection, we will no longer process your personal data for these purposes (no balancing of interests).
Version: 24 Mar 2023