This information explains the processing of your personal data when you use the Google Pay app to pay for goods and services instead of your physical card. This information only explains the processing on the part of Addiko Bank, d.d. For more information on how Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, registration number 368047 (hereinafter referred to as “Google”) processes data in order to use the Google Pay application, please refer to the information published on their website or in the Google Wallet application.
I. WHO IS THE DATA CONTROLLER AND WHERE CAN YOU GET MORE INFORMATION IN THIS REGARD?
Addiko Bank d.d. (“Addiko”, “the Bank”) with its registered office at Dunajska 117, 1000 Ljubljana, Slovenia, registration number 1319175, is the data controller and as such is responsible for ensuring that the processing is carried out in accordance with the GDPR and other relevant legislation (the “Controller”).
If you want to know more about the processing of personal data, please contact the Data Protection Officer: dpo.si@addiko.com.
II. WHAT PERSONAL DATA DOES THE BANK PROCESS?
The Bank will send the following information to the digital wallet service provider:
• name and surname of the cardholder, name and type of card, hardware ID, month and year of expiry of the card, card number, CVV (three-digit security code printed on the back of the card), contact address and phone number of your mobile device from the bank’s system;
• executed transactions (transaction amount, timestamp, type, currency, transaction category, authorisation status, number of transactions executed, transaction number, discount details or other messages from the merchant).
III. WHAT IS THE PURPOSE OF THE PROCESSING OF PERSONAL DATA AND ON WHAT LEGAL BASIS IS IT PROCESSED?
Google, as the provider of the digital wallet service, processes the data referred to in point II of this Information for the purposes of:
1. add a card to your digital wallet
2. sending data on executed transactions (providing relevant transaction data, transaction history and related financial information)
3. detecting and combating fraud
4. responding to requests from public authorities and courts
5. administrative purposes and improvement of payment services
6. preparation of performance reports
7. promotion of the payment service
8. compliance with the obligation of the digital wallet service provider to report to third parties in relation to user acquisition
9. ad Attribution Analysis
10. mapping and improving data quality
11. linking a transaction made with a digitized card to a linked physical card
Google receives the data referred to in point II of this Information through the legal entity that provides the Bank with the card digitization service: Mastercard Europe SA, 198/A, Chaussée de Tervuren, 1410 Waterloo, Belgium (hereinafter referred to as “Mastercard”) on the basis of your consent in accordance with Article 6.1a of the General Data Protection Regulation (hereinafter referred to as the “GDPR”), as the use of the digital wallet is based on a completely voluntary basis and is not covered by any existing contract, that you have with Addiko.
As your consent is the legal basis for sending data to Google, this means that you can withdraw your consent at any time with effect for the future by removing your card from your digital wallet. Addiko will then no longer send any data to Google. The withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal. To use your digital wallet again, you’ll need to add your card back to the Google Wallet app.
IV. FROM WHICH SOURCES IS PERSONAL DATA COLLECTED?
All data sent to Google is obtained from you, from the device on which you want to store the digitized card and from the data that the Bank already stores. For details of what information will be sent to Google, please see Section II of this document.
V. WHO ARE THE RECIPIENTS OF PERSONAL DATA?
Unlike paying for goods and services with a physical card, where Addiko sends information through Mastercard to the merchant, when using Google Pay, information is also sent to Google as described in the previous sections of this Information.
Other possible recipients of the data are, where there is a legal basis for doing so, the disclosure of personal data to certain categories of recipients, such as state authorities (police, public prosecutor’s office, investigators and courts in the case of fraud or the tax administration in the case of tax matters, courts for the defence of the Bank’s rights) or legal persons with public powers (the Bank always verifies the legality of the requests received), other banks, who are members of the Addiko banking group and have an appropriate contractual relationship with the Bank, legal entities with whom the Bank has established a business relationship on the basis of which they provide certain services or supplies of goods to the Bank.
VI. DOES THE BANK USE AUTOMATED DECISION-MAKING?
In accordance with Articles 3 and 22 of the GDPR, we inform you that the bank may use automated decision-making when the probability of fraud is detected. This is the same process as if you were paying with a physical card, where the bank protects your funds by interrupting the transaction.
VII. HOW LONG DOES A BANK KEEP PERSONAL DATA?
All data related to your current account is kept for 10 years after the termination of your contract for this current account, unless there is another factor preventing deletion, such as ongoing court proceedings or a criminal investigation.
VIII. WHAT RIGHTS DO I HAVE IN RELATION TO MY PERSONAL DATA?
The GDPR gives individuals a number of rights in relation to the processing of personal data, which are set out in its provisions from Articles 15 to 22, namely: the right to access personal data processed by the Bank (the individual will receive all data relating to him if the conditions in accordance with Article 15 of the GDPR are met), the right to rectification (e.g. incorrectly entered data or adding missing data), the right to delete your data (if the data is related to the contract itself, the bank must keep all data for 10 years after the termination of the contract, in accordance with the law governing the prevention of money laundering and terrorist financing), the right to restriction of processing, the right to data portability, the right to object and the rights related to automated individual decisions, under the conditions set out in the GDPR.
You can exercise your rights under this point by sending a request to the Bank in any way or directly to the dpo.si@addiko.com. The request will be considered, except in exceptional cases, within 30 days of receipt of the complete request.
You also have the right to file a complaint with the Information Commissioner of the Republic of Slovenia.
IX. WILL PERSONAL DATA BE TRANSFERRED TO THIRD COUNTRIES (OUTSIDE THE EU)?
In connection with the use of Google Pay, data will be sent to Google. How Google processes this data is governed by the agreement between you and Google that you confirmed when you added your Addiko card to the Google Wallet app.
In addition to the above, certain personal data may be transferred to third countries, e.g. banks that are members of the Addiko Group outside the EU. Data will only be transferred to these countries if and to the extent permitted by law or in compliance with the safeguards set out in Article 46 of the GDPR.