Privacy Policy (United Kingdom)

eCOMM Merchant Solutions Limited

Introduction

eCOMM Merchant Solutions Limited (EMS) takes data protection very seriously. The use of the Internet pages of EMS is not possible without the provision of some personal data; however, if a Data Subject wishes to use certain services via our website, processing of further personal data could become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we will obtain consent from the data subject.

Personal Data processing shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the Irish Data Protection legislation applicable to EMS. By means of this Privacy Notice, we would like to inform the general public why we collect and process personal data and their Data Subject rights relating to the collection and processing of their Personal Data.

Definitions

The data Privacy Notice of EMS is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR) but for ease of understanding the following definitions apply:

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Personal data: any information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Data Subject: any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third Party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Consent: Consent of the Data Subject is any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


Name and Address of the Controller

The Controller is:

Address: eCOMM Merchant Solutions Limited,
Fifth Floor,
Langham House,
302-308 Regent Street,
London W1B 3AT,
United Kingdom
Phone: +44 (0)20 7183 5399
Email: csr@ecomm365.com
Website: www.ecomm365.com

Name and Address of the Data Protection Officer

The Data Protection Officer of the Controller is:

Name: Sophie Brookes
Address: eCOMM Merchant Solutions Limited,
IDA Business & Technology Park,
Johnstown,
Navan,
County Meath, C15 E8KV,
Ireland.
Phone: +353 (0)46 907 6546 (IRL)
Email: DPO@ecomm365.com
Website: www.ecomm365.com

A Data Subject may contact our Data Protection Officer directly with any enquiries relating to Data Protection.


Name and Address of the Lead Supervisory Authority

The Lead Supervisory Authority overseeing the Controller is:

Name: The Information Commissioner's Office
Address: Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF,
United Kingdom
Phone: +44 (0) 303 123 1113
Email: casework@ico.org.uk
Website: www.ico.org.uk

Reasons/purposes for processing information

The following is a broad description of the way this organisation/ data controller processes personal information. To understand how your own personal information is processed you may also need to refer to any personal communications you have received.

We process personal information to enable us to promote our services, provide Merchants with e-money services, administer Merchant Accounts, manage queries, process transactions and manage complaints. We also process personal information to meet our legal and regulatory obligations, including the prevention and detection of crime such as money laundering, the reporting of suspicious transactions, requirements to check our records against financial sanctions lists and meeting our legal obligations, for example the Consumer Protection Code.

From time to time we may request feedback from our customers in order to improve the service we offer, for example by conducting customer satisfaction surveys.

We may also use your personal data when we are testing enhancements to our IT systems or websites to help ensure that the changes we make are tested in as real an environment as possible, thereby minimizing the impact on our customers.

For customer service and quality control purposes, we may record and monitor calls in order to assess the quality of our staff’s customer service, to verify your identity, to administer your policy and to improve our services to you.

Your personal data (and, if applicable, that of other people you have designated) will be gathered and processed by our staff or, where you choose to use them, our online services.

We collect information relating to the above reasons/ purposes from the following sources:

  • The data subject directly i.e. when you complete an online application form;
  • The data subject indirectly i.e. when you complete an application form with an Introducer or reseller (or other representative);
  • Publicly available registers i.e. the electoral roll;
  • Social Media;
  • Credit searches internally or with one or more credit checking or credit reference agencies;
  • refer your information to the relevant law enforcement agencies;
  • Screening agencies;
  • Government Agencies and Bodies.

We process information relating to the above reasons/ purposes. This information may include:

  • Personal details such as Full name, date of birth, nationality, email address, home address and phone number;
  • Business activities of the person whose personal information we are processing;
  • Goods and services provided;
  • Financial details such as bank account details;
  • Professional Body membership.

We also process sensitive classes of information that may include:

  • Offences and alleged offences.

We process personal information about our:

  • Customers (merchants);
  • Complainants and enquirers;
  • Suppliers;
  • Advisers and other professional experts;
  • Employees.

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary, we are required to comply with all aspects of the Data Protection Act (DPA), Privacy and Electronic Communications Regulation (PECR) and the EU General Data Protection Regulation (GDPR) as it applies. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

Where necessary or required we share information with:

  • HMRC;
  • Regulators;
  • Card Schemes;
  • Service Providers;
  • Professional Advisors;
  • Courts and those involved in legal proceedings;
  • Anyone in the future who may buy or merge with our business.

Online services

When you use our online services, we gather certain information automatically and store it in files. This information includes IP addresses, browser type, internet service provider, referring/exit pages, date timestamp and click stream path. This data does not contain any personally identifiable information and is used to analyse trends, to administer the site and to track users' movements around the website during a particular session and to gather demographic data.


Cookies

Cookies are small text files stored by your browser. They are created when your browser loads our website. Every time you visit our website, the browser you are using e.g. Internet Explorer, Firefox etc. retrieves and sends the file to our server. They help us to track information on our systems and identify categories of visitors by using information such as your IP address, domain, browser type and pages visited. If you require further information please see our cookies policy.


Rights of the Data Subject

GDPR affords EU Data Subjects rights. These rights are summarised below. In order to assert any of those rights, the Data Subject may contact the Data Protection Officer designated by eCOMM Merchant Solutions Limited or another employee at any time.

The right of Confirmation: Each data subject shall have the right to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed.

The right of Access: Each data subject shall have the right to obtain from the Controller, free information about his or her personal data stored at any time and a copy of this information. Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

Right of Rectification: Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right of Erasure (Right to be forgotten): Each data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have an obligation to erase personal data without undue delay where one of the statutory grounds applies, as long as the processing is not necessary.

Right of Restriction of Processing: Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where statutory reasons apply.

Right to Object: Each data subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to the processing of personal data concerning him or her.

Automated individual decision-making, including profiling: Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling.

Right to Withdraw Consent: Where consent forms the basis for processing, the Data Subject shall have the right to withdraw his or her consent to the processing of his or her personal data at any time. The Data Subject can contact the Data Protection Officer or any other employee to withdraw consent.

Right to Complain to the Supervisory Authority: Where consent forms the basis for processing, the Data Subject shall have the right to withdraw his or her consent to the processing of his or her personal data at any time. The details of the Supervisory Authority are contained at the top of this Privacy Notice.


Legal basis for the processing

We will only collect, use and share your information where we have a valid reason to do so under data protection legislation. We have three main reasons for collecting and using your information which are set out below. Often, we will need your information for more than one reason, for example, in order to perform our contractual and legal obligations.

  1. Contractual obligations – We need to process your personal details as part of the application process. Once the contract is in place, the processing of your personal information is necessary for the performance of this contract including but not limited to:
    • using your bank account details to process payments;
    • verifying the accuracy of the personal information that we receive from you and for verifying your identity;
    • underwriting your Merchant Account;
    • administering and processing your Merchant Account;
    • Managing complaints;
    • maintaining and storing records on our systems.
    If you do not provide us with your personal data for the above purposes, we may not be able to provide services to you.
  2. Legal obligations – we may need certain information from you in order to meet our legal obligations; for example, we require proof of identity (e.g. certified copy of a passport) to meet our anti-money-laundering obligations. We may also need to use your personal data for reporting to supervisory authorities.
  3. Our legitimate business interests – we strive continually to improve how we do business with you and how to develop our service to you; for example, we may undertake a survey of our Merchants to determine how we can improve our relationship with you. Furthermore, we may process your personal data for preventing fraud, for internal administrative purposes and for reporting potential criminal acts to a competent authority.
    Before using your personal data to pursue our legitimate interests, the impact of our processing activities is carefully considered against the fundamental rights and freedoms of individuals.

Security of Processing

As the Controller, eCOMM Merchant Solutions Limited has implemented technical and organisational measures to ensure personal data processed remains secure; however, absolute security cannot be guaranteed. Should a Data Subject have a particular concern about a particular method of data transmission, we will take reasonable steps to provide an alternative method.


Transfers

It may sometimes be necessary to transfer personal information overseas. When transfers are needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the General Data Protection Regulation and in accordance with the country-specific legislation applicable to eCOMM Merchant Solutions Limited.


Personal Data Retention Periods

The criterion used to determine the retention period of personal data is the respective statutory retention periods within the State. After the expiration of that period, personal data shall be securely deleted, as long as it is no longer necessary for the fulfilment of the contract, the initiation of a contract, or in relation to other legal proceedings.


Contractual obligations of the data subject to provide the personal data and the possible consequences of failure to provide such data

For clarity, the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual provisions. Sometimes it may be necessary for the data subject to provide us with personal data which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when eCOMM Merchant Solutions Limited signs a contract with him or her. The non-provision of the personal data would have the consequence that eCOMM Merchant Solutions Limited would be unable to conclude the contract with the Data Subject.


Automated decision-making & Profiling

eCOMM Merchant Solutions Limited does not process personal data for automatic decision-making or profiling.


Data protection for Employment & Recruitment Procedures

The data controller shall collect and process the personal data of applicants for the purpose of the processing of the application procedure. The processing may also be carried out electronically; this is the case if an applicant submits corresponding application documents by email to the controller. If the data controller concludes an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by the Controller, the application documents shall be automatically erased two months after notification of the refusal decision, provided that no other legitimate interests of the Controller are opposed to the erasure. Other legitimate interests could be complying with the country-specific legislation.


General

You may not transfer any of your rights under this privacy notice to any other person. We may transfer our rights under this privacy notice where we reasonably believe your rights will not be affected.

If any court or competent authority finds that any provision of this privacy notice (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy notice will not be affected.

Unless otherwise agreed, no delay, act or omission by a party in exercising any rights or remedy will be deemed a waiver of that, or any other, right or remedy.

This notice will be governed by and interpreted according to the laws of England and Wales. All disputes arising under the notice will be subject to the exclusive jurisdiction of the English and Welsh courts.


Changes to this notice

This notice was last updated on the 24th February 2020. We may change this policy to reflect changes in the law or our privacy practices. However, we will not use your personal data in any new ways without your consent.