This Privacy Notice sets out how VIVA PAYMENTS (“Viva”, “we”, “us”) processes the personal data of website visitors and app users, our customers, suppliers/ partners and their staff and any other contacts (together, “you”). This Privacy Notice includes a description of your data protection rights.
For the purposes of this notice, personal data shall mean any information relating to you which identifies or may identify you and which includes, for example, your name, address, identification number. Please read this Privacy Notice carefully.
1. Types of personal data we collect
We collect, use and otherwise process:
- Information you provide to us (e.g. when you create an account with us, submit information via forms on our website or app, use our services or apps, provide your preferences for receiving information and marketing information in hard-copy and electronically (such as post, email and SMS), take part in surveys, questionnaires and other market research activities and contact us);
- Information we create about you (e.g. in our customer and supplier management systems) and
- Website and app usage information [such as information about the device you use to access the website or app, the operating system you use, the type and version of your browser, connection information (such as IP addresses), and information about your use of the website and apps (such as the links that you click, how long you remain on the website, and any errors that may occur on the website or app)]. We collect this information using cookies and other technologies – see section 3 below.
- Where we need to collect your personal data to comply with our legal obligations, or to perform a contract we have with you, this is mandatory and we will not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our products or services) and we may have to terminate the provision of products or services, decline the requested performance of a task or we may be prevented from complying with our legal obligations to you or third parties without this information.
- Identification information, including data we collect during the remote onboarding process or in the context of due diligence and anti-money laundering processes (such as name, copies of identification documents, tax identification number, proof of address, business documentation and information, biometric data contained or extracted from video or image);
- Contact information (e.g. postal address, telephone number, email address);
- Financial and transaction information (e.g. amount of funds owned, details of the products and services you receive from us, number, validity and expiration date of debit/credit/prepaid card, transaction information, details of your order, amount payable, payment account details as well as beneficiary details, information for the safeguarding against criminal activities, fraud or money laundering or combat against financial and electronic crime, confiscation documents);
- Marketing and communications data (e.g. your preferences in receiving marketing from us, your communication preferences, call recordings).
2. Third party sources
We receive personal data about you from third parties as set out below:
i. Our social media, when you are connected as a user
ii. Our applications, when you are making use of them
iii. Payment service providers you use to transfer money to us
iv. Banking institutions, where your account is linked to the account you have created with us
v. Providers of information to ensure the legitimacy and accuracy of the respective data, such as credit reference checks
vi. Other data providers, which ensure as well the legitimacy and accuracy of the data provided to us.
3. Cookies
We use cookies and similar technologies in relation to our website and app. To find out more about how these technologies are used, please refer to our policy on cookies.
4. How we use personal data and our lawful basis
We are committed to protecting your privacy and handling your data in a transparent manner. We process your personal data for the purposes and lawful bases set out below:
I. To comply with legal and regulatory obligations applicable to us
We collect and process personal data and information necessary to provide our services and to comply with certain legal and regulatory requirements we are subject to as a Data Controller and supervised entity and obligations arising from the laws applicable to us. These include:
i. using your personal information to validate and authenticate your identity
ii. using personal information needed to comply with legal and regulatory duties related to anti-money laundering and counter-terrorism financing
iii. detecting, preventing, reporting and prosecuting fraud or theft, as well as preventing illegitimate or prohibited use of our services or other illegal or wrongful activity
iv. keeping records of information we hold about you in line with legal and regulatory requirements
v. making legally required disclosures to regulatory, prosecuting, tax or governmental authorities, courts or other tribunals
vi. communicating with you when required by applicable laws and regulations
vii. adhering to laws and regulations applicable to payment service providers, including where need to disclose customer details with regulators, tax or governmental authorities, law enforcement and courts or other third parties.
II. In order to pursue our and third-party legitimate interests where these interests are not overridden by your data protection rights
We process personal data as necessary for the legitimate interests pursued by us or by third parties. There is a legitimate interest when we have a business or commercial reason for using your information. This includes:
i. to provide the website and app and the functionalities on the website and app;
ii. to handle and respond to queries, comments, complaints and other communications you send us;
iii. in order to protect and enforce the rights, property or safety of us, our business, our clients or others, i.e. concerning our premises;
iv. in relation to the establishment, exercise or defence legal claims and proceedings, including among others, to meet obligations and disclosure requirements or requests of any regulatory, prosecuting, tax or governmental authorities, courts or other tribunals as is deemed appropriate or in respect of any laws applicable in other jurisdictions;
v. to ensure and maintain the security of our website and app, products, services and systems;
vi. for system administration, operation, testing and technical support;
vii. to prevent possible criminal activity and to prevent and detect fraud;
viii. to understand how visitors engage with our website and app, products and services, to monitor, improve and optimise the performance of our website and app, products and services and to inform the development and expansion of our products, services and business activities;
ix. to send you marketing information about our products and services that we think may be of interest to you and market research and surveys (except where we require consent for this);
x. to carry out market research and surveys;
xi. to identify and manage financial, regulatory and reputational risk;
xii. to monitor and record calls and electronic communications with you or our clients (for quality, training, investigation and fraud prevention purposes and for dealing with complaints).
III. Based on your consent
If you give us your consent to process your personal data, our processing is based on that consent. We obtain your consent:
i. to send you direct marketing about our products and services and to invite you to participate in market research and surveys, where we are legally required to and
ii. when we use cookies or similar technologies for the purposes explained in our policy on cookies.
You have the right to withdraw your consent at any time. However, any processing of personal data prior your withdrawal will not be affected.
IV. In order to fulfil a contract, or take steps linked to a contract where we have a contract with you
We process personal data in order to complete your account registration, notify you of pending steps regarding the account authentication process, to deliver products and services to our clients and to otherwise perform our obligations under our contract with you.
5. Sharing with third parties
In the course of the performance of our contractual and statutory obligations, your personal data may be provided to various departments within VIVA.COM but also to other companies of the VIVA group. Your personal data will be shared with various service providers and suppliers in order to perform our obligations and provide our services.
Additionally, we may disclose data about you if we are legally required to do so, or if we are authorized under our contractual and statutory obligations if it is necessary for the purposes of the legitimate interests pursued by us or if you have given your consent.
All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the provisions of the General Data Protection Regulation and the applicable laws.
Recipients of personal data may be, for example:
I. Viva group entities and subsidiaries;
II. Official, national or foreign, government, state, law enforcement, regulatory and supervisory bodies or authorities (e.g. the police, supervisory authorities and international tax authorities) when we are required by law, when requested and in order to prevent any unlawful actions (e.g. fraud or money laundering);
III. Business partners, professional advisers, suppliers and sub-contractors for the performance of any contract we enter into with them or you. Including for example:
- Identity verification and KYC service providers
- Analytics providers and search engine providers
- Contact Center service providers
- Card manufacturing and delivery companies
- Banking and financial services partners and payments networks, including Visa and Mastercard
- IT, data hosting and storage providers, cloud services (including cloud storage companies) and software providers, file storage companies
- Lawyers and Legal advisors
- Consultancy firms
- Insurers, Accounting providers, Certified Accountants, financial advisors, auditing firms or external auditors for executing audit functions
- Data reporting providers
- Cyber security and fraud prevention providers
- Advertising and marketing support providers
- Social media companies
- Credit Reference Agencies.
IV. In the event that we sell any of our business or assets or combine with another organisation, in which case we may disclose your personal data to the prospective buyer of such business or assets or prospective organisation with which our business or assets may be combined.
V. Any other third parties to the extent such disclosure is required under law or where this is necessary in order to provide you with services.
We have concluded agreements with our service providers to protect your personal data. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will make sure that anyone acting on our behalf only uses your personal data in line with our instructions and that they keep the data safe. We won’t share or give your personal information to external companies for their own marketing purposes.
We may transfer your personal data to countries outside the EEA or UK based on one of the following criteria
I. EU adequacy decisions for data transfers,
II. UK adequacy regulations and decisions for data transfers,
III. binding corporate rules,
IV. EU SCC’s (Standard Contractual Clauses) for data transfers
V. the International Data Transfer Agreement or Addendum to the EU Commission standard contractual clauses issued by the Information Commissioner,
VI. approved codes of conduct.
If we transfer your personal data to another country that does not offer a standard of data protection equivalent to the United Kingdom or EEA, we will make sure that your personal data is sufficiently protected and that strict data protection safeguards is in place before we transfer your personal data.
6. Hyperlinks to websites of third parties
VIVA’s websites and apps may contain hyperlinks that lead to other websites of third parties that we do not control.
We have no responsibility for the content, activities or the policies of such websites. Please carefully read the privacy notices of the websites you visit.
7. Data retention
We will retain your personal data only for as long as is necessary to fulfil the purposes for which we collected it. Retention periods are determined based on the type of record, the nature of the activity, product or service and the applicable legal or regulatory requirements.
Therefore, your personal data is retained for at least five years from the end of your relationship with us, unless such retention period is exceeded, as necessary, in order to:
- comply with our legal and regulatory obligations including anti-money laundering and e-money laws.
- establish, exercise or support our legal claims.
8. Information on automated decision-making
We may process your data based on automated decision making, including profiling. This means that we may use technology that can evaluate your personal circumstances and other factors to predict risks or outcomes. We do this for the efficient running of our services and to ensure decisions are fair, consistent and based on the right information.
For example, we may make automated decisions about you that relate to due diligence and anti-money laundering processes and checks, as well as monitoring your account to detect fraud and financial crime.
We will retain your personal data only for as long as is necessary to fulfil the purposes for which we collected it. Retention periods are determined based on the type of record, the nature of the activity, product or service and the applicable local legal or regulatory requirements.
9. Your data protection rights
You have the following rights in relation to the personal data we process about you:
I. Access to your personal data;
II. Rectify or correct your personal data;
III. Erasure of your personal data (also known as “right to be forgotten”);
IV. Object to the processing of your personal data in some circumstances (in particular, where we do not have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing purposes);
V. Restrict the processing of your personal data and
VI. Obtain the personal data you provide to us for a contract or with your consent in a structured, machine-readable format and to ask us to share (port) this data to another party (known as right to “data portability”).
The above rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in data protection laws. We will inform you of relevant exemptions we rely upon when responding to any request you make.
You also have the right to withdraw your consent to the processing of your personal data at any time where we have asked for your consent. Any withdrawal of consent does not affect the legality of the consent-based processing before it was withdrawn by you.
In order to exercise any of your rights or if you have any other questions regarding how we use your personal data, you may contact us by email at dpo@viva.com or by mail at Viale Giulio Richard, 3A, 20143, Milano.
10. Right to lodge a complaint
We hope we can address any queries or issues you have in respect of your personal data. If you have any unresolved concerns, you have the right to lodge a complaint to the Hellenic Data Protection Authority.
11. Updates to this Privacy Notice
This Privacy Notice is subject to updates and such updates will be published on this website / app. We may also notify you in other ways from time to time about the processing of your personal data.
Last update 31 January 2024