Terms and Definitions
Personal data – Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing – Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller – The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data.
Data subject – An individual (natural person) who is the subject of Personal data; the website visitor.
Register – The register of Personal data processing of Payreto Group.
1. What information do we collect via the Payreto website?
Different categories of personal data are collected via the Payreto website. Personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of collected Personal Data: Name, Surname, Birth date, Email Address, Company Name and Website, Telephone/mobile number, IP address, CV, GPS localization, etc.
2. What do we do with the collected Personal data (processing)?
Personal data processing is any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, regardless of the method used (paper or electronic collection, processing and storage).
3. Payreto as Controller and/or Processor of Personal data
The Controller is responsible for ensuring that the collection and processing of Personal data complies with the GDPR. The Controller can use third parties (suppliers, outsourcing companies, consultants) which process or have access to the Personal data collected by the Controller. These third parties are referred to as « Processors ».
4. Principles of Processing Personal Data
4.1. Fairness and Lawfulness of the Personal data collection
Fairness and Lawfulness of the Personal data collection:
- The vital interest of the individual
- The public interest
- Contractual necessity
- Compliance with legal obligations
- Unambiguous consent of the individual
- Legitimate interest of the data controller
Payreto does not process any Personal data which is not collected based on one of the above-stated reasons.
4.2. Purpose limitation
Payreto collects and processes Personal data only if this is absolutely necessary to achieve a specific purpose. Payreto does not collect or process any Personal data for purposes different from the one declared to the Data subjects. If the Personal data is to be reused for a purpose different from the one declared at the time of its collection, the Data subjects should be informed and their consent obtained, if necessary.
4.3. Data minimization
Payreto does not collect or process Personal data which is not necessary in relation to the purpose for which it is processed.
4.4. Storage limitation
Payreto does not retain Personal data longer than is necessary for the particular purpose for which it is collected. Personal data that is no longer needed after the expiration of legal or business process-related periods is deleted.
Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps are taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented, or updated.
4.7. Integrity and confidentiality
Personal data is subject to data secrecy. It is treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction. Personal data is made accessible only to the departments and employees of Payreto that are responsible for its processing.
5. Technical and security measures
5.1. Control of access to premises / equipment
- In the data centers: Multi-factor authentication, video surveillance by data center operator.
- In offices: Key allocation, door safety through keycards/biometric access
5.2. Control of access to systems
- Password policies (e.g. special characters, minimum length, routine password change)
- Automatic locking (e.g. password or pause activation)
- Remote access only via secured connections, token, password authentication; additional system authentication with public / private key or password
5.3. Control of access authorization
- Differentiated permissions (profiles, roles, transactions and objects)
- Analyses (central logging)
5.4. Control of data transfer
- Encryption / tunneling (VPN)
- Transfer securing (data encryption during transfer on all media)
5.5. Retroactive input control
5.6. Control of compliant processing
- Formalized order placements (written contracts)
- Criteria for contractor selection
5.7. Availability control
- Backup servers
- Separated storage
- Virus protection / firewall
- Emergency procedures
5.8. Control of separation of data
- Logical separation of data through IDs
- Function separation of productive and test systems
The aforementioned measures are subject to technical improvement and further development. The Data importer may implement alternative measures, if these at least maintain the security level of the agreed measures.
5.9. Data protection officer
The Data importer has appointed a Data protection officer who is responsible for compliance with the respective Personal data protection regulations. Contacts: email@example.com
6. Rights of the Data subject
Right to be informed
The Data subject (website visitor) has the right to be informed about the fact that their Personal data is processed, including the purpose of the processing, the categories of Personal data processed, the source of the Personal data and with whom it will be shared, the retention period and possible transfers to other countries.
Right of access
The Data subject has the right to access the Personal data collected about him/her. Access requests shall be sent to firstname.lastname@example.org and will be handled within one month.
Right of rectification
The Data subject has the right to have inaccurate Personal data rectified, or completed if it is incomplete. Requests for rectification shall be sent to email@example.com and shall be responded to within one month. A decision not to rectify the Personal data shall be justified.
Right of erasure
The Data subject has the right to have his/her Personal data erased (also known as the « right to be forgotten »). This right is not absolute and applies only in certain circumstances. Requests shall be sent to firstname.lastname@example.org and shall be responded to within one month.
Right to restrict processing
The Data subject has the right to request the restriction or suppression of their Personal data. This is not an absolute right and only applies in certain circumstances. Requests shall be sent to email@example.com and shall be responded to within one month.
Right to data portability
The Data subject has the right to obtain and reuse their Personal data for their own purposes across different services. This right applies only to information which the Data subject provided directly to the Controller. Requests shall be sent to firstname.lastname@example.org and shall be replied to as soon as technically feasible.
Right to object
The Data subject has the right to object to the processing of their Personal data in certain circumstances. This right is not absolute (except concerning the right to stop the Personal data being used for direct marketing purposes). Requests shall be sent to email@example.com and shall be responded to within one month.
What is a Cookie?
A cookie is a small text file that a website stores on your computer or mobile device when you visit the Payreto website.
First party cookies are cookies set by the website you are visiting. Only that website can read them. In addition, a website might potentially use external services, which also set their own cookies, known as third-party cookies.
Persistent cookies are cookies saved on your computer and that are not deleted automatically when you quit your browser, unlike a session cookie, which is deleted when you quit your browser.
The purpose is to enable the site to remember your preferences (such as user name, language, etc.) for a certain period of time.
That way, you do not have to re-enter them when browsing around the site during the same visit.
Cookies can also be used to establish anonymised statistics about the browsing experience on our sites.
However, to view some of our pages, you will have to accept cookies from external organisations.
The 3 types of first-party cookie we use are to:
- Store visitor preferences
- Make our websites operational
- Gather analytics data (about user behaviour)
1. Visitor preferences
These are set by us and only we can read them. They remember:
- if you have already replied to our survey pop-up (about how helpful the site content was) – so you will not be asked again.
Visitor preferences cookies are:
- Purpose: Stores your cookie preferences (so you will not be asked again)
- Cookie type and duration: First-party session cookie deleted after you quit your browser
2. Operational cookies
There are some cookies that we have to include in order for certain web pages to function. For this reason, they do not require your consent. In particular: authentication cookies, technical cookies.
3. Analytics cookies
We use these purely for internal research on how we can improve the service we provide for all our users.
The cookies simply assess how you interact with our website – as an anonymous user (the data gathered does not identify you personally).
Also, this data is not shared with any third parties or used for any other purpose. The anonymised statistics could be shared with contractors working on communication projects under contractual agreement with Payreto.
However, you are free to refuse these types of cookies – via the cookie banner you will see.
Analytics cookies are:
- Purpose: Recognises website visitors (anonymously – no personal information is collected on the user)
- Cookie type and duration: First-party persistent cookie, 13 months
Some of our pages display content from external providers, e.g. LinkedIn, Facebook and YouTube.
To view this third-party content, you first have to accept their specific terms and conditions. This includes their cookie policies, which we have no control over.
But if you do not view this content, no third-party cookies are installed on your device. Below are the third-party providers on Payreto websites:
- Google Maps
How can you manage cookies?
You can manage/delete cookies as you wish.
Removing cookies from your device.
You can delete all cookies that are already on your device by clearing the browsing history of your browser. This will remove all cookies from all websites you have visited. Be aware though that you may also lose some saved information (e.g. saved login details, site preferences).
Managing site-specific cookies
For more detailed control over site-specific cookies, check the privacy and cookie settings in your preferred browser.
You can set most modern browsers to prevent any cookies being placed on your device, but you may then have to manually adjust some preferences every time you visit a site/page. And some services and functionalities may not work properly at all (e.g. profile logging-in).