SIX Payment Services (Europe) S.A., German branch (hereinafter ‘SIX Payment Services’ or ‘we’), is an e-money institution within the meaning of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) and specialises in the provision of secure terminals for cashless payment transactions as well as offering additional related services. Among other things, SIX Payment Services handles card-based cashless payment transactions for the retail and service industries as part of its payment services and offers various payment procedures for this purpose.

What does SIX Payment Services do for you as a consumer and what tasks does SIX Payment Services take on for the merchant?

SIX Payment Services allows merchants to securely accept cashless payments. SIX Payment Services ensures that payments that you make by card with a merchant are credited to the merchant quickly and securely. To do so, SIX Payment Services cooperates with various banks, which in turn manage your account.

Data protection information concerning card-based payments in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR)

Personal data is required from you if you, as a consumer, pay by card. On this page, we will provide you with details relating to the processing of your personal data.

SIX Payment Services (Europe) S.A., Austrian branch (hereinafter ‘SIX Payment Services’ or ‘we’), is a payment service provider within the meaning of the Payment Services Supervision Act 2018 (Zahlungsdienstegesetz 2018) and specialises in the provision of secure terminals for cashless payment transactions as well as offering additional related services. Among other things, SIX Payment Services handles card-based cashless payment transactions for the retail and service industries as part of its payment services and offers various payment procedures for this purpose.

SIX Payment Services also acts as an ‘acquirer’ and handles the secure forwarding and settlement of credit card transactions with international card companies (‘schemes’ such as Visa, Mastercard, American Express, Diners Club International, Discover Card, JCB or UnionPay).

When you pay with your card, the payee collects personal data with his payment terminal.

The payment service provider processes the data for the acceptance and settlement of payment transactions (e.g. acquirer). This is done in particular for payment processing, to prevent card misuse, to limit the risk of payment defaults and for legally prescribed purposes, such as combating money laundering and criminal prosecution. For these purposes, your data will also be transmitted to other responsible parties, e.g. to your card-issuing bank.

Details on the processing of your personal data can be found in the following privacy policy:

Data protection information concerning card-based payments in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR)
Date 17/07/2020


Direct debit payments

Electronic cash (girocard)

Other payment methods by card

Which payment procedure would you like to obtain information about?

When you pay with your card, the payee collects personal data via their payment terminal. This transmits the data to the network operator.

The network operator and the respective payment service providers for payment transaction acceptance and settlement (e.g. acquirers) further process the data. In particular, this is done for the purpose of payment processing, to prevent card misuse, to limit the risk of payment defaults and for legal purposes, such as combating money laundering and criminal prosecution. For these purposes, your data will also be transmitted to other responsible parties, e.g. to your card-issuing bank.

You can find details relating to the processing of your personal data below.

Who is responsible for processing my data and who can I contact?

What data is used for payment?

Card data (data stored on your card):

IBAN or account number and short bank sort code, card expiry date and card suffix.

Other payment data:

Amount, date, time, payment terminal identification (place, company and branch in which you are making the payment), your signature.

For a direct debit reversal:

Information concerning the non-payment of a direct debit by your card-issuing bank or the cancellation of a direct debit by you, information concerning the outstanding debt, e.g. your name, address, bank charges, reminder fees, reason for the direct debit reversal, your contract party’s customer number (not details relating to your purchases).

Card data (data stored on your card):

IBAN or account number and short bank sort code, card expiry date and card suffix.

Other payment data:

Amount, date, time, payment terminal identification (place, company and branch in which you are making the payment), test data for your card-issuing bank (‘EMV data’).

PIN:

Your PIN is cryptographically secured and checked by the card-issuing bank. The network operator provides cryptographic security and transmission here, but does not store any PINs and does not have access to encrypted PINs.

Card data (data stored on your card):

Card number, card type (e.g. Visa, Mastercard) and expiry date.

Other payment data:

Amount, date, time, payment terminal identification (place, company and branch in which you are making the payment), test data for your card-issuing bank (‘EMV data’), possibly also your signature.

PIN:

Your PIN is cryptographically secured and checked by the card-issuing bank. The network operator provides cryptographic security and transmission here, but does not store any PINs and does not have access to encrypted PINs.

Chargebacks:

If you dispute a transaction made with your card, the purchasing document and, if necessary, other information concerning you which the payee intends to use to prove his or her receivable (e.g. name and address) can be passed on to the card-issuing institution.

Which sources does your data come from?

  • Card data is read from your card by the payment terminal.
  • Other payment data is provided by the payment terminal and, if necessary, directly by the payee.
  • You provide your signature yourself.
  • If required to prevent card misuse and to limit the risk of payment defaults, data from the police’s KUNO system and from the network operator’s internal databases shall be used.
  • If required to process a receivable from a direct debit reversal, data which is taken from publicly accessible sources (e.g. debtor lists) or transmitted by third parties (e.g. your card-issuing bank or a credit agency) will also be processed in compliance with legal provisions.
  • Card data is read from your card by the payment terminal.
  • Other payment data is provided by the payment terminal and, if necessary, directly by the payee.
  • You enter your PIN yourself.
  • Card data is read from your card by the payment terminal.
  • Other payment data is provided by the payment terminal and, if necessary, directly by the payee.
  • You enter your PIN yourself and also provide your signature yourself.

For what purposes and on what legal basis do we process your data?

Payee:

  • Verification and execution of the payment to the payee, Article 6 (1) (b) of the GDPR.
  • Document archiving in accordance with statutory regulations, Article 6 (1) (c) of the GDPR.
  • Sale of the receivable to the network operator through factoring, Article 6 (1) (f) of the GDPR.


Network operator:

  • Verification and execution of the payment to the payee, Article 6 (1) (b) of the GDPR.
  • Prevention of card misuse and limitation of the risk of payment defaults, Article 6 (1) (f) of the GDPR.
  • Secure transmission of your data in accordance with the statutory provisions for SEPA payments, Article 6 (1) (c) and (f) of the GDPR.
  • Avoidance of future payment defaults by transmitting direct debit reversal data if your payment results in a direct debit reversal, Article 6 (1) (f) of the GDPR.
  • Document archiving in accordance with statutory regulations, Article 6 (1) (c) of the GDPR.
  • Receivable recovery following a direct debit reversal, Article 6 (1) (b) of the GDPR.

Payee:

  • Verification and execution of the payment to the payee, Article 6 (1) (b) of the GDPR.
  • Document archiving in accordance with statutory regulations, Article 6 (1) (c) of the GDPR.
     

Network operator:

  • Verification and execution of the payment to the payee, Article 6 (1) (b) of the GDPR.
  • Secure transmission of your data in accordance with the statutory provisions for SEPA payments and the Association of German Banks’ regulations, Article 6 (1) (c) and (f) of the GDPR.
  • Document archiving in accordance with statutory regulations, Article 6 (1) (c) of the GDPR.
  • Settlement of fees the payee owes to your card-issuing bank, Article 6 (1) (f) of the GDPR.

Payee:

  • Verification and execution of the payment to the payee, Article 6 (1) (b) of the GDPR.
  • Document archiving in accordance with statutory regulations, Article 6 (1) (c) of the GDPR.

Network operator:

  • Verification and execution of the payment to the payee, Article 6 (1) (b) of the GDPR.
  • Secure transmission of your data in accordance with the statutory provisions and credit card organisation regulations, Article 6 (1) (c) and (f) of the GDPR.

Acquirer:

  • Verification and execution of the payment to the payee, Article 6 (1) (b) of the GDPR.
  • Prevention of card misuse and limitation of the risk of payment defaults, Article 6 (1) (c) and (f) of the GDPR.
  • Secure transmission of your data in accordance with the statutory provisions and credit card organisation regulations, Article 6 (1) (c) and (f) of the GDPR.
  • Settlement of fees the payee owes to your card-issuing bank, Article 6 (1) (f) of the GDPR.
  • Document archiving, Article 6 (1) (c) of the GDPR.
  • Receivable recovery following a direct debit reversal, Article 6 (1) (f) of the GDPR.

Who receives my data?

As well as the payee and the network operator, other parties require your data in order to process the payment or to comply with statutory requirements. Your data is exclusively shared with the following parties to this extent:

  • Your card-issuing bank and the payee’s payment service provider
  • German banking industry intermediaries which handle payment clearing and settlement
  • Law enforcement authorities in the cases provided for by law
  • Financial intelligence units in the cases provided for by law
  • For direct debit reversals, to determine an address based on the account number and the bank sort code (IBAN) of the card used: the card-issuing bank or, alternatively, a credit agency such as SCHUFA Holding AG

As well as the payee and the network operator, other parties require your data in order to process the payment or to comply with statutory requirements. Your data is exclusively shared with the following parties to this extent:

  • Your card-issuing bank and the payee’s payment service provider
  • German banking industry intermediaries which handle payment clearing and settlement
  • Law enforcement authorities in the cases provided for by law
  • Financial intelligence units in the cases provided for by law

As well as the payee and the network operator, other parties require your data in order to process the payment or to comply with statutory requirements. Your data is exclusively shared with the following parties to this extent:

  • The payment card system
  • Your card-issuing bank and the acquirer’s bank
  • Credit card organisation intermediaries which handle payment clearing and settlement
  • Law enforcement authorities in the cases provided for by law
  • Financial intelligence units in the cases provided for by law

Is data sent to a third country or an international organisation?

No, such transmission does not take place.

The acquirer transmits your data to the payment card system outside the European Economic Area in accordance with the respectively agreed rules (‘binding corporate rules’, ‘standard contractual clauses’) or for the purpose of fulfilling the contract with the foreign payer in order to authorise and execute your payment.

With respect to the processing of your data by the payment card system, please refer to the respective data protection regulations:

a) Mastercard Europe SPRL, Chaussée de Tervuren 198A, 1410 Waterloo, Belgium, for the payment brands ‘Mastercard’ and ‘Maestro’;
https://www.mastercard.de/de-de/datenschutz.html

b) Visa Europe Services LLC, registered in Delaware USA, acting through the branch in London, 1 Sheldon Square, London W2 6TT, UK, for the payment brands ‘Visa’, ‘Visa Electron’ and ‘V PAY’;
https://www.visa.co.uk/privacy

c) Diners Club International Ltd., 2500 Lake Cook Road, Riverwoods, IL 60016, USA, for the payment brands ‘Diners’, ‘Diners Club’ and ‘Discover’;
https://www.dinersclub.com/privacy-policy

d) JCB International Co., Ltd., 5-1-22, Minami Aoyama, Minato-Ku, Tokyo, Japan, for the payment brand ‘JCB’;
http://www.jcbeurope.eu/privacy/

e) Union Pay International Ltd., 5F, Building B, No. 6 Dongfang Road, Poly Plaza, Pudong 200120, Shanghai P.R. China, for the payment brands ‘CUP’ and ‘UnionPay’.

How long is my data stored for?

We only store your personal data for as long as it is required to meet statutory obligations and to safeguard our rights. All data is stored for a period of up to ten years. Your transactions will be erased after 10 years.

Direct debit reversal data and receivables data is erased as soon as the receivable has been paid and this can be verified.

What data protection rights do I have?

Each data subject has the following data protection rights:

  • Right of access in accordance with Article 15 of the GDPR
  • Right to rectification in accordance with Article 16 of the GDPR
  • Right to erasure in accordance with Article 17 of the GDPR
  • Right to restriction of processing in accordance with Article 18 of the GDPR
  • Right to object in accordance with Article 21 of the GDPR
  • Right to data portability in accordance with Article 20 of the GDPR
  • Right to lodge a complaint with a competent data protection supervisory authority (Article 77 of the GDPR in connection with Section 19 of the Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG])

With respect to the right of access and the right to erasure, restrictions apply under Sections 34 and 35 of the BDSG.

Am I required to provide my data?

You are neither legally nor contractually obliged to provide your data. If you do not wish to provide your data, you can use another payment method, e.g. cash.

Will my data be used for automated decision making?

To prevent card misuse and to limit the risk of payment defaults, maximum amounts are set for payments within certain periods. The decision-making process also takes into consideration whether a direct debit from your card-issuing bank has not been paid due to insufficient funds or whether it has been cancelled by you (direct debit reversal). This information is not included in the decision-making process if the direct debit reversal takes place in connection with a cancellation, asserting rights from the underlying transaction (e.g. due to a material defect with respect to the purchase). The use of this information serves to prevent future payment defaults. This data will be erased once outstanding receivables have been settled in full.

Using this information, the network operator can make recommendations to payees connected to its system with respect to their decision of whether or not to accept a direct debit payment. For this purpose, the network operator is able to:

  • use all direct debit reversal information from all connected payees;
  • evaluate payment information, including across payees for a short amount of time—a few days—to prevent card misuse; and
  • also evaluate such payment information it has received from the same payee.

Your data will not be used for credit checks. Your payment data will be used exclusively for the purpose of deciding whether payment by direct debit is recommended to the respective payee.

If you want to use your card to pay, card payment must first be authorised. Authorisation is automatic and uses your data. Here, the following considerations may, in particular, play a part: payment amount, place of payment, previous payment history, payee, purpose of payment. Card payment is not possible without authorisation. This does not affect other payment methods (e.g. other cards or cash).

Right to object on a case-by-case basis

On grounds relating to your particular situation, you have the right to object at any time to the processing of data carried out on the basis of Article 6 (1)(f) of the GDPR, i.e. to object to the processing of data on the basis of balancing interests.

Please send your objection to: dataprotection.germany@six-payment-services.com

If you lodge a justified objection, your data will no longer be processed on the basis of Article 6 (1) (f) of the GDPR, with two exceptions:

  • Your data will be further processed if the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, with particular reference to statutory retention requirements and to make a payment that has already commenced on a payment terminal but has not yet been completed, for example.
  • Your data will be further processed for the establishment, exercise or defence of legal claims.

Date

16/12/2019

Right to object on a case-by-case basis

On grounds relating to your particular situation, you have the right to object at any time to the processing of data carried out on the basis of Article 6 (1)(f) of the GDPR, i.e. to object to the processing of data on the basis of balancing interests.

Please send your objection to: dataprotection.austria@six-payment-services.com

If you lodge a justified objection, your data will no longer be processed on the basis of Article 6 (1) (f) of the GDPR, with two exceptions:

  • Your data will be further processed if the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, with particular reference to statutory retention requirements and to make a payment that has already commenced on a payment terminal but has not yet been completed, for example.
  • Your data will be further processed for the establishment, exercise or defence of legal claims.