Privacy Notice

SurePay B.V. (SurePay) processes personal data. We process personal data based on various legal grounds including contractual necessity, legitimate interests and legal obligations. An example of this is performing the IBAN-Name check (INC) for your payments or accounts. We want to be as transparent and clear in informing you about this as possible. In this privacy statement we explain how SurePay handles the processing of personal data. If you have any questions regarding this privacy statement, feel free to contact us.

What is the processing of personal data?

Because we refer to processing personal data in this privacy statement, we believe that it is important to specify to you what is understood when we use terms such as ‘Personal Data’, ‘Processing’, ‘Processor’ and ‘Controller’. 

Personal data 

This is data that relates directly or indirectly to you as a person. Examples of this are your name or IBAN (your account number). Data such as name records of a proprietorship, VOF (LLP or Limited Liability Partnership) or other partnerships is considered personal data. This does not apply to the data of a legal entity such as a private or public limited company. However, data of the first contact person, or of the representative of a legal entity, is considered personal data.

Processing 

Anything which can be done with personal data. This includes collecting, sorting, using, passing on and deleting your data.

Processor 

A Processor is a party which, acting on behalf of a Controller, processes Personal Data for specific purposes. SurePay acts as a Processor when banks or organisations instruct us to perform checks on personal data they provide to us.

Controller 

A Controller is the party that determines the purposes and means of processing your Personal Data. SurePay acts as a Controller when we determine how to process personal data for our own business purposes, such as developing our services, conducting audits, or maintaining our systems.

1. Whose personal data do we process?

We process your personal data when we receive orders from banks and organisations to perform an Account-Check, such as an IBAN-Name Check, Confirmation of Payee Check or Verification of Payee Check through our Services and we deliver a response.

2. What does SurePay expect of companies and organisations?

Does your company or organisation pass on personal data of employees or the Ultimate Beneficial Owner (UBO) to us? If so, then we expect you to inform your colleagues, board of directors or UBO about this. This Privacy Statement can be given to them. They can then themselves check how we deal with their personal data.

3. Who processes your personal data?

This Privacy Statement deals with the processing of personal data by SurePay B.V. in the European Union (EU) and United Kingdom (UK).

4. What type of personal data do we process?

We process your personal data in the following manner:

Service: For the IBAN-Name Check (via Portal): Data which SurePay receives from banks and companies to perform the IBAN-Name Check.
Categories of Personal Data: First name(s); surname(s); IBAN; Chamber of Commerce number; trade name(s)
Why? SurePay receives this personal data from banks and companies to perform the IBAN-Name Check, which matches the name which has been entered to the IBAN and checks whether or not it is different from the name known to the bank. It returns a notification when there is a deviation from the match. This way, you can check whether you are paying the right person, or the right company. For in-app bank payments there will be, for example, a name suggestion when the match is not complete. A non-match for companies will mention the company name and place of business as per Chamber of Commerce records.

Service: For the IBAN-Name Check (via Portal): Data which we provide to banks or companies in the form of a notification when the check has been completed.
Categories of Personal Data: First name(s); surname(s); IBAN; Chamber of Commerce number; trade name(s)
Why? The IBAN-Name Check monitors whether the IBAN-Name combination is correct. The result is a match, mistype or non-match. A non-match for companies will mention the company name and place of business as per Chamber of Commerce records.

Service: Data relating to the use of our website
Categories of Personal Data: Cookie, IP address
Why? Cookies for analytical purposes such as those recorded in the Cookie Statement.

Service: Data which we share with other parties.
Categories of Personal Data: Data which we provide to other parties whom we use to help us in the provision of our service. Data which we provide because we are legally obliged to do so.
Why? (Sub)processors whom we use to process data on our behalf. The police and ministries, but also intelligence services, can request data from us. In that case we are legally obliged to assist in their investigations and provide your personal data.

5. How do we come into possession of your personal data?

We receive your data from banks and other financial institutions and organisations to perform the IBAN-Name Check (via Portal), Cross-Border Check, Switch Check or PayID service.

6. What do we use your personal data for?

Our processing activities and their legal bases are:

a) To provide requested verification services: legitimate interests and contract performance.

We need your personal data to perform the IBAN-Name Check (via Portal), Cross-Border Check, Switch Check or PayID service, but also because we are legally obliged to process certain data. We receive your personal data for the protection of your safety and that of the financial sector as a whole.

In order to prevent fraud, we perform IBAN-Name Checks at the request of banks and organisations. Through this service, we check whether the IBAN that you entered during payment via online banking or mobile banking matches the name of the account holder known to us. The (IBAN/Name) data which is known by us was provided to us by banks. If the name in our system does not match the number which you entered, you will be notified about this by your bank. You then have the option to still submit the payment request or change the data you entered. We can also provide this IBAN-Name Check for other parties in connection with the prevention, detection and combating of fraud and payment abuse, amongst others through a Portal.

Even if you do not use the Switch Check, it is possible that we process your data. We inform banks and organisations what your new IBAN is, and with that information they inform their customers. In this way, the customers of banks and organisations can directly transfer money to your new IBAN, preventing mistaken payments.

If you also use PayID through your bank, it is possible that we process your data as well. We process your mobile telephone number and provide your IBAN as a response in order for payment requests to be filled out correctly. For this you must have submitted your IBAN, and agreed with your bank on this process.

Companies and organisations use our IBAN-Name Check in order to check whether the IBAN/Name combinations in their customer- and/or supplier registers match the data which is known by the bank. This way they know who they are paying, from whom they have to collect, and whether the IBAN and name of new customers or suppliers match.

b) To develop and improve our services: legitimate interests (service improvement and innovation)

To provide a better service and to be able to innovate, we develop and enhance products and services on a regular basis. This is done for our customers or other parties.

For the enhancement of our service, or for solving incidents, we analyse the results of our IBAN-Name Check, Switch Check and PayID checks and any other future services. These analyses are then shared with the relevant banks and organisations.

c) To manage business relationships: legitimate interests (business operations) and contract performance

If your job involves being in contact with SurePay, it is possible that we process your personal data. Examples of this are: to determine whether or not you are authorized to represent your company, or to be able to keep in contact through email and phone calls.

d) To comply with the legal obligations

Regulatory compliance: Tax Authorities, the police and ministries, but also supervisory authorities and intelligence services can request data from us. Where possible, we will redirect them to your bank. However, sometimes, we have a legal obligation to cooperate with their investigations and as such, provide them with your personal data.

Government reporting: Laws and regulations can also oblige us to provide (analysed) personal data to any government authority, a tax authority or supervisor within or outside of the Netherlands. Where possible, we will redirect them to your bank. Because we have to conform to Dutch laws and regulations, we are sometimes nevertheless obliged to disclose your personal data to a Dutch or foreign government authority.

e) Audits and risk management

We also use your data when internal or external audits are performed by third parties at SurePay, or when we contact a third party for reviews or research, for instance to check whether new regulations have been implemented properly. We can also use it to assess risks.

7. How long do we save your personal data?

We do not save your personal data longer than necessary for the purposes outlined above. Our specific retention periods are:

  • IBAN-Name Check data: maximum 30 days after processing
  • Switch Check data: maximum 30 days after processing
  • PayID data: maximum 30 days after processing
  • Audit and compliance data: up to 7 years as required by financial regulations
  • Business contact data: until the business relationship ends.
  • System logs and technical data:

These periods may be extended only when required by: legal obligations or regulatory requirements; ongoing legal proceedings or investigations; legitimate business interests (with appropriate justification).

8. Does SurePay also process special personal data, criminal records and social security numbers?

Special categories of personal data, criminal records and social security numbers are considered sensitive personal data. Special categories of personal data include for instance: data about health, genetic data, biometric data, data revealing ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning sex life or sexual orientation. SurePay does not process special categories of personal data.

9. Does SurePay take automated decisions about me?

Automated decisions are decisions being made about you by computers, and not (or no longer) by people. Our IBAN-Name checks involve automated comparison of data, but these are verification services rather than decisions that produce legal effects or significantly affect you. The final decision about whether to proceed with a payment remains with you or your bank.

If we introduce fully automated decision-making with legal effects in the future, we will inform you and provide information about your rights.

10. Who has access to your personal data?

Within SurePay, only those people that need access to your personal data based on their function can actually access your personal data. All of these people are subject to a duty of confidentiality. We implement appropriate technical and organisational measures to ensure data security, including access controls, encryption, and regulatory security assessments.

11. Do we pass on your personal data to others and to other countries outside the EU?

Your personal data can also be shared with other parties outside of SurePay if we have a legal obligation to do so, if we have to fulfill an agreement or contract, or because we engage a service provider. This could mean that your personal data is transmitted to recipients in countries that do not have the same level of protection as the European Union when it comes to personal data. When your personal data is processed in a country with a different level of protection, this can lead to your personal data being accessed by government authorities where your personal data is being held.

We share your personal data with the following categories of recipients:

  • Banks and financial institutions (for service provision)
  • Government authorities and supervisory bodies (when legally required)
  • Service providers (such as AWS Cloud Services for hosting)
  • Auditors and professional advisors (when necessary for business operations)

Sometimes we use other parties/business partners who process personal data on our behalf. For instance, SurePay uses AWS Cloud Services. These parties first have to be deemed sufficiently trustworthy by SurePay. We can only engage other parties when this serves the purpose for which we process, or have processed, your personal data. Additionally, this other party can only receive and process our data when certain agreements between them and SurePay are in place. This means that demonstrable and suitable security measures are in place, as well as a guarantee of confidentiality.

International transfers: If we transfer your personal data to parties outside the European Union (EU)/European Economic Area (EEA) we implement appropriate safeguards to protect that personal data. We use the following transfer mechanisms:

  • European Commission adequacy decisions (where available)
  • Standard Contractual Clauses approved by the European Commission
  • Other appropriate safeguards as recognized under GDPR

12. What rights do you have?

You have the following rights under the GDPR:

a. The right to be informed

Through this Privacy Statement we inform you about how we handle and use your personal data.

b. The right of access and rectification

You can ask us what personal data we process about you. Do you think that your personal data is being processed incorrectly or incompletely? In that case you can ask us to correct the personal data, or supplement it (rectification). Note that your bank also processes your data. You can request access and rectification from them as well. For this, check the Privacy Statement of your bank.

c. The right to erasure (‘right to be forgotten’)

You can request us to delete your personal data that we process. However, this right is limited by our legal obligations and legitimate interests. Your bank also processes your data. You can ask your bank for the deletion of your data from the data they process. For this, check the Privacy Statement of your bank.

d. The right to restriction of processing

You can ask us to temporarily restrict the processing of your personal data that we process. Your bank also processes your data. You can ask your bank for the restriction of the processing of your data. For this, check the Privacy Statement of your bank.

e. The right to objection to the processing of your personal data

When we process your data on the basis of a legitimate interest, you can object to the processing of your personal data. We will conduct a balancing test to determine whether or not we can continue to process your personal data in this manner. We will stop processing your personal data when your interests and rights outweigh our legitimate interest. We will inform you of our reasoning for the outcome of the balancing test.

f. Data portability

g. Automated decision-making

13. How can you exercise your rights?

If you have a request, it can be made by contacting us at privacy@surepay.nl. To protect your privacy, we may need to verify your identity before processing your request.

We will respond to your request within one month of receipt. In complex cases, we may extend this period by up to two additional months, and we will inform you of any such extension within the first month.

We may not be able to fulfill your request in the following circumstances:

  • when the data is processed by your bank rather than by us
  • when fulfilling the request would harm the rights of others
  • when we are legally prohibited from doing so
  • when our legitimate interests override your request (following a balancing test)

If we cannot fulfill your request, we will explain why and inform you of your right to complain to the supervisory authority.

When we make changes to your data based on your request, we will inform you and, where possible, notify other recipients of your data about these changes.

There is the possibility that, regarding your request, we may refer you to the respective Data Provider. This means that we believe the bank or organisation that provided your data to us is better placed to handle your request. In that case, we will inform you of your rights, how we use your data, and who provided your data to us to the best of our abilities. In the case that the Data Provider cannot help you with your request, we will reassess the possibilities we have as SurePay.

14. Do you have a complaint with regards to the processing of your personal data?

We would like our data subjects to be satisfied with our service provision; however, we understand that this might not always be the case. We apologize if such a situation occurs. Please feel free to contact us and inform us of your complaint, and we will try to find a solution together.

If you are not satisfied with our response, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority). You may also contact the supervisory authority in your country of residence.

15. For what reasons can I approach the Privacy Officer?

If you are unsatisfied with the way in which your request or complaint has been handled by SurePay, or if you have any remaining questions regarding the processing of your personal data by SurePay after reading the Privacy Statement, please feel free to contact us at privacy(at)surepay.nl.

16. Can we make changes to this Privacy Statement?

Yes, our Privacy Statement can change from time to time. This can occur when new forms of data processing are included in our services, and when this processing is of importance to you. Of course, we will notify you if it is. The most current version of our Privacy Statement can always be found on: https://www.surepay.eu