Data privacy notice.

Data privacy notice when using InterCard’s website.

Version: May 2018

Thank you for visiting our website and your interest in our company.

We, InterCard AG, Mehlbeerenstraße 4, 82024 Taufkirchen, Germany, (‘InterCard’), operate this website and are therefore the “Controller” within the meaning of the General Data Protection Regulation (GDPR) in respect of the processing of the personal data of the users of this website. With this data privacy notice (“Data Privacy Notice”), we want to provide you with information on how we process your personal data in connection with your use of our website.

This Data Privacy Notice describes in more detail which personal data we process for which purpose within the framework of the aforementioned legal provisions. We therefore ask you to read the following explanations carefully.

Our Data Privacy Notice uses the terms stipulated by the European legislator when issuing the GDPR.

1. General legal basis for the processing of personal data
We process the personal data of the users of this website only to the extent necessary to provide a functional website and our contents and services and if legally permissible, in particular as per the GDPR and the German Federal Data Protection Act (Bundesdatenschutzgesetz), as it is effective from 25 May 2018 (“BDSG 2018”). The processing of the user's personal data is, in general, only carried out with the user's consent. An exception applies in those cases where prior consent cannot be obtained for factual reasons, and the processing of the data is permitted by law.

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
In the event the processing of personal data is required for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6 para 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.

2. General Statement on data erasure and storage time
The personal data of a user of this website will be deleted or the processing restricted once the purpose of the processing expires. Further processing may take place if required by law or other regulations to which we as the Controller are subject. A deletion or restriction of the processing of data will take place once a retention or storage period prescribed by law or other regulations to which we are subject as the Controller expires, unless the necessity for further processing of the data is justified by the conclusion of a contract or by the performance of a contract.

3. Processing of personal data collected when using this website

3.1 Type and scope
‘Personal data’ for the purposes of this Data Privacy Notice include, for example, your name or address and contact details, if you provide this information to us, e.g. via the contact form.

If you phone our hotline, we process the personal data you have provided us with, e.g. your name and your telephone number.

Every time you visit our website, our system automatically collects data and information from the accessing computer system, which your browser transmits to us, and which is stored in a log file. This information is as follows:
•    The browser type and version used by you
•    The operating system used by you
•    The addresses of the last web pages you visited and which referred you to the current web page.
•    Host name of the accessing computer (IP address)
•    Date and time of the web server query

In principle, the information about the use of the website cannot be connected to any specific person. However, the log files contain IP addresses or other data that enable the assignment to a user of the website. This could be the case, for example, if the link to the website from which the user accesses the relevant webpage or the link to the website to which the user switches contains personal data.

This data is also stored in the log files of our system. This data is not stored together with other personal data of the user. We do not aggregate this data with other data sources.

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

3.2 Purpose of the data collection
We process your personal data as part of the weighing of interests (Art. 6 para. 1 lit. f GDPR) for the following purposes:
•    To show you the web pages and information you have consulted.
•    To enable you to contact us via the contact form or by email.
•    To present the content of our website to you in as effective and interesting a way as possible.
•    To identify and correct mistakes on the website, to check the utilisation of the website and, where necessary, to make any changes or improvements.
•    To secure our information technology systems, in particular to detect attacks and take countermeasures.

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session.
In this context, the data is not used for marketing.

3.3 Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
To the extent data is stored in log files, it will be deleted after seven (7) days at the latest. Further storage is possible, but in this case, the IP addresses of the users are deleted or distorted, so that an assignment of the data to a particular user is no longer possible.

3.4 Objection
The collection and storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

3.5 No transfer of your personal data
We do not transfer your personal data to third parties unless it is permitted to do so in order to meet the intended purpose or for the purpose of fulfilling the contract, or when it is legally necessary or permitted, or when you have expressly consented to it.

4. Cookies, Web analysis services, and Targeting

4.1 Cookies
a. Description and scope of processing
Cookies are text files that are stored in the Internet browser, or by the Internet browser on your computer system. If you visit a website, a cookie may be stored on your computer. This cookie contains a characteristic character string that enables a unique identification of the browser when the website is called up again.

4.2 Web Analysis Services

For the purpose of the needs-based design and continuous optimisation of our Internet presence, we use Google Analytics on our website on the basis of Art. 6 para. 1 lit. f GDPR. Google Analytics is a web analysis service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; https://www.google.de/intl/de/about/), hereinafter referred to as "Google". In this context, pseudonymised user profiles are created and cookies (see section "4.1 Cookies") are used.

The information generated by the cookie about your use of this site such as

  • Browser type and version,
  • operating system used,
  • Referrer URL (the previously visited page),
  • Host name of the accessing computer (IP address),
  • Time of the server request,

are transferred to a Google server in the USA and stored there.

Google is certified in the EU-US Privacy Shield, which ensures an adequate level of data protection for Google data in the USA.

The information is used to evaluate the use of the website, to compile reports on website activities and to provide other services related to website and Internet use for purposes of market research and needs-based design of these Internet pages.

This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of third parties. Under no circumstances will your IP address be merged with other Google data. The IP addresses are anonymised so that an allocation is not possible (IP masking). You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of the website. You can also prevent the collection of data generated by the cookie and relating to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en).

As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from capturing data by clicking this link. An opt-out cookie is set to prevent your information from being collected in the future when you visit this site. The opt-out cookie applies only to this browser and only to our website and is placed on your device. If you delete the cookies in this browser, you will need to set the opt-out cookie again. Further information on data protection in connection with Google Analytics can be found in the Google Analytics help (https://support.google.com/analytics/answer/6004245?hl=en).

4.3 Google (AdWords)

a. Conversion
Google AdWords is an Internet advertising service that allows advertisers to serve ads both in Google's search engine results and on the Google advertising network. Google AdWords allows an advertiser to pre-define keywords that will be used to display an ad in Google's search engine results only when the user uses the search engine to retrieve a keyword relevant search result. In the Google advertising network, the ads are distributed to topic-relevant Internet pages using an automatic algorithm and taking into account the previously defined keywords.

The operating company of the Google AdWords services is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

The purpose of Google AdWords is to promote our website by displaying advertisements of interest on third-party websites and in the search engine results of Google and by displaying third-party advertisements on our website.

If you reach one of our websites via a Google advertisement, a so-called conversion cookie is stored on your IT system by Google. A conversion cookie loses its validity after thirty days and does not serve to identify you. If the cookie has not yet expired, the conversion cookie is used to track whether certain subpages, such as the shopping cart of an online shop system, have been accessed on our website. The conversion cookie enables both us and Google to track whether a user who came to our website via an AdWords ad generated a turnover, i.e. completed or cancelled a purchase.

The data and information collected through the use of the conversion cookie is used by Google to generate visit statistics for our website. These visit statistics are in turn used by us to determine the total number of users who were referred to us via AdWords ads, i.e. to determine the success or failure of the respective AdWords ad and to optimise our AdWords ads for the future. Neither our company nor other Google AdWords advertisers receive any information from Google that could be used to identify you.

The conversion cookie is used to store personal information, such as the Internet pages you visit. Accordingly, each time you visit our website, personal data, including the IP address of the Internet connection you use, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may disclose personal data collected through this technical process to third parties.

You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of this website. Such a setting of the Internet browser used would also prevent Google from setting a conversion cookie on your IT system. In addition, a cookie already set by Google AdWords can be deleted at any time via the Internet browser or other software programs.

You also have the option of opting out of receiving interest-based advertising from Google. To do this, you must call up the link www.google.de/settings/ads from your Internet browser and make the desired settings there.

Such an evaluation is carried out in particular in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests in the display of personalised advertising, market research and/or the design of our website to meet requirements.

Further information and the valid data protection regulations of Google can be called up under https://www.google.de/intl/de/policies/privacy/

b. Remarketing
Our website also uses the functions of Google AdWords Remarketing. We use it to advertise this website in Google search results and on third-party websites. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). To this end, Google places a cookie in the browser of your terminal device, which automatically enables interest-based advertising using a pseudonymous cookie ID and based on the pages you visit.

Processing is based on our legitimate interest in the optimal marketing of our website in accordance with Art. 6 para. 1 lit. f GDPR.

Further data processing will only take place if you have agreed to Google linking your internet and app browser history to your Google account and using information from your Google account to personalise advertisements you view on the web. In this case, if you are logged into Google during your visit to our website, Google will use your information in conjunction with Google Analytics data to create and define cross-device remarketing target audience lists. Google will temporarily link your personal data to Google Analytics data in order to create target groups.

You can permanently disable the setting of cookies for ad preferences by downloading and installing the browser plug-in available from the following link: https://www.google.com/settings/ads/onweb/

Alternatively, you can contact the Digital Advertising Alliance at the Internet address www.aboutads.info to find out about the setting of cookies and configure your settings. Finally, you can set your browser so that you are informed about the setting of cookies and decide individually whether to accept them or whether to exclude the acceptance of cookies in certain cases or in general. If cookies are not accepted, the functionality of our website may be restricted.

Google is certified in the EU-US Privacy Shield, which ensures compliance with EU privacy standards.

Further information and the privacy policy regarding advertising and Google can be found here: https://www.google.com/policies/technologies/ads/

5. Contact form and contact via e-mail

5.1 Description and scope of processing
There is a contact form on our website which can be used to contact us via electronic means. If you use this option, the data entered in the input mask and the date and time will be transmitted to us and saved.

5.2 Legal basis
The legal basis for the processing of data transmitted in the course of using the contact form is Art. 6 para. 1 lit. f GDPR. If the e-mail contact aims at the conclusion of a contract, then an additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

5.3 Purpose of data processing
The personal data from the input mask are processed by us only for the relevant contact. In the event of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

5.4 Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those that were sent by e-mail, this is the case when the respective conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.
Insofar as your inquiry and our answers to it fall under statutory retention obligations, we will store your personal data as long as the applicable statutory retention periods require. InterCard is subject in particular to the German Commercial Code (Handelsgesetzbuch, HGB), the German Fiscal Code (Abgabenordnung, AO), the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG), the German Banking Act (Gesetz über das Kreditwesen, KWG) and the German Money Laundering Act (Geldwäschegesetz, GwG) as well as the IT Security Act (IT-Sicherheitsgesetz) with the corresponding regulation on critical infrastructures (KRITIS-VO). The retention and documentation periods specified in the AO and HGB are generally ten (10) years.

5.5 Objection and deletion
You may revoke a consent to the processing of personal data at any time. If you contact us by e-mail, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued. All personal data stored in the course of contacting us will be deleted in this case, subject to statutory retention obligations.

6. Data security
All information that you provide us with is stored for our use on servers that are located inside the European Union.

The transmission of information over the Internet can be unsafe. We cannot decide which channels the information flows through before arriving in our systems. We therefore cannot, as a general rule, warrant the secure transmission of the data sent to our website.

However, we take technical and organisational measures in order to safeguard our website and the other IT systems connected to it against loss, destruction, access and modifications and also to prevent the dissemination of your data by unauthorised persons. These measures include the encryption of the data transfer between your computer system and our website. The encryption makes it extremely difficult for unauthorised persons to view information transmitted between computers. It is therefore very unlikely that anyone has read this web page while it was being sent over the network.

7. Data protection and third party websites
The website may contain hyperlinks to and from third party websites. If you follow a hyperlink to one of these websites, please be advised that we cannot assume any liability or provide any warranty for third-party contents or data protection provisions. Please check the relevant applicable data protection provisions before transmitting personal data to these websites.

Please also pay attention to our card holder information on data protection under www.intercard.de/datenschutz. In case you visit the website of our parent company, Verifone Systems, Inc., 2099 Gateway Place, Suite 600, San Jose, CA 95110, USA (www.verifone.com), please consider their data protection information (https://www.verifone.com/en/gdpr-privacy-policy).

8. Your rights as a data subject
If personal data concerning you are processed, you are a "data subject" within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the data controller (i.e. us, InterCard):

8.1 Right to information
You can request that the data controller confirm whether personal data concerning you are processed by us. If such processing has taken place, you can request the following information from the data controller:
•    the purposes for which the personal data are processed;
•    the categories of personal data processed;
•    the recipients or categories of recipients to whom the personal data concerning you have been or are still being disclosed;
•    the planned duration of the storage of personal data concerning you or, if it is not possible to provide specific information, the criteria for determining the storage period;
•    the existence of a right to rectification or deletion of personal data concerning you, a right to limitation of the processing by the controller or a right to object to such processing;
•    the existence of a right of appeal to a supervisory authority;
•    any available information on the origin of the data if the personal data are not collected from the data subject;
•    the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) GDPR and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.

8.2 Right to correction
You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.

8.3 Right to restriction of processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:
•    if you dispute the accuracy of the personal data concerning you for a period of time that enables the person responsible to verify the accuracy of the personal data;
•    the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
•    the data controller no longer needs the personal data for the purposes of the processing, but you need them to assert, exercise or defend legal claims, or
•    if you have filed an objection to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.
If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.
If the processing has been restricted in accordance with the above conditions, you will be informed by the person responsible before the restriction is lifted.

8.4 Right to cancellation
a) Duty to delete
You may request the data controller to delete the personal data relating to you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:
•    The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
•    You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
•    You file an objection against the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 para. 2 GDPR.
•    The personal data concerning you have been processed unlawfully.
•    The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
•    The personal data concerning you have been collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

b) Information to third parties
If the data controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.

c) Exceptions
The right to cancellation does not exist insofar as the processing is necessary
•    to exercise the right of freedom of expression and information;
•    for the performance of a legal obligation required for processing under the law of the Union or of the Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
•    for reasons of public interest in the field of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
•    for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to under a) is likely to render impossible or seriously impair the attainment of the objectives of such processing, or
•    to assert, exercise or defend legal claims.

8.5 Right to information
If you have exercised your right to have the data controller correct, delete or limit the processing, he/she is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
Vis-à-vis the data controller, you have the right to be informed of such recipients.

8.6 Right to Data Transferability
You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another person in charge without obstruction by the person in charge to whom the personal data was provided, provided that
•    the processing is based on a consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
•    the processing is carried out using automated methods.
In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this. The right to transferability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

8.7 Right of objection
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you under Article 6 para 1 lit. e or lit f GDPR; this also applies to profiling based on these provisions.
The data controller may then no longer process the personal data concerning you, unless he can prove reasons for the processing that are compelling and worthy of protection and which outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You may exercise your right of objection in connection with the use of Information Society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.

You may send your objection, without any specific form being required, to the following address, stating your name, your address and, if applicable, your IP or e-mail address used:
InterCard AG
"Data Privacy – Objection"
Mehlbeerenstraße 4
82024 Taufkirchen
Germany

8.8 Right to revoke the data protection declaration of consent
You may at any time revoke your consent to the processing of your data. The right of revocation also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. Please note that the revocation will only take effect with respect to future processing. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

8.9 Automated decision in individual cases including profiling
You have the right not to be subject to a decision based exclusively on automated processing - including profiling - that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision
•    is necessary for the conclusion or performance of a contract between you and the data controller,
•    is, pursuant to the legislation of the Union or of the Member States to which the data controller is subject, admissible and that legislation contains appropriate measures to safeguard your rights, freedoms and legitimate interests; or
•    with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or lit. g GDPR apply, and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
In the cases referred to in bullets 1 and 3 above, the data controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the data controller, to state your own position and to challenge the decision.

8.10. Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the suspected infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

8.11 General notice on making use of your rights
Whenever you request us to disclose or delete personal data, we may only follow these requests with respect to your own data. Therefore, please understand that in the interest of the privacy of other users, we may require appropriate proof of your identity from you. Also, as we usually collect only a very limited set of data in connection with this website, most of which is discarded very soon and which may only be linked to a specific person – like you – with a lot of effort, we reserve the right to require you to provide additional information that allows us to identify the relevant data about you that is covered by your request.

9. Amendments to this data protection declaration
We reserve the right to amend this data protection declaration at any time with future effect. The latest version of the statement is available on the website and applies to all access taking place as of publication of the version. Please visit the website regularly and read the applicable data protection declaration.

Translations into other languages are provided for convenience only. In case of differences and deviations, only the German language text is valid.


Contact the data protection officer:
E-mail: datenschutz@intercard.de

By postal mail:
InterCard AG
Data Protection Officer

Mehlbeerenstraße 4
82024 Taufkirchen
Germany

Data Protection Officer

F: +49 89 61445 - 888
E: datenschutz@intercard.de