Data privacy notice.

Data privacy notice when using InterCard’s website.

Version: May 2018

Thank you for visiting our website and your interest in our company.

We, InterCard AG, Mehlbeerenstraße 4, 82024 Taufkirchen, Germany, (‘InterCard’), operate this website and are therefore the “Controller” within the meaning of the General Data Protection Regulation (GDPR) in respect of the processing of the personal data of the users of this website. With this data privacy notice (“Data Privacy Notice”), we want to provide you with information on how we process your personal data in connection with your use of our website.

This Data Privacy Notice describes in more detail, which personal data we process for which purpose within the framework of the aforementioned legal provisions. We therefore ask you to carefully read the following explanations.

Our Data Privacy Notice uses the terms stipulated by the European Directive and Regulation Giver when issuing the GDPR.

1. General legal basis for the processing of personal data
We process the personal data of the users of this website only to the extent necessary to provide a functional website and our contents and services and if legally permissible, in particular as per the GDPR and the German Federal Data Protection Act (Bundesdatenschutzgesetz), as it is effective from 25 May 2018 (“BDSG 2018”). The processing of the user's personal data is, in general, only carried out with the user's consent. An exception applies in those cases where prior consent cannot be obtained for factual reasons, and the processing of the data is permitted by law.

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
In the event the processing of personal data is required for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6 para 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.

2. General Statement on data erasure and storage time
The personal data of a user of this website will be deleted or the processing restricted, once the purpose of the processing expires. Further Processing may take place, if required by law or other regulations to which we as the Controller are subject. A deletion or restriction of the processing of data will take place, once a retention or storage period prescribed by law or other regulations to which we are subject as the Controller, expires, unless the necessity for further processing of the data is justified by the conclusion of a contract or by the performance of a contract.

3. Processing of personal data collection when using this website

3.1 Type and scope
‘Personal data’ for the purposes of this Data Privacy Notice include, for example, your name or address and contact details, if you provide this information to us via the contact form, for example.

If you phone our hotline, we process the personal data you have provided us with, e.g. your name and your telephone number.

Every time you visit our website, our system automatically collects data and information from the computer system of the calling computer, which your browser transmits to us, and which is stored in a logfile. This information is as follows:
•    The browser type and version used by you
•    The operating system used by you
•    The addresses of the last web pages you visited and which referred you to the current web page.
•    Host name of the accessing computer (IP address)
•    Date and time of the web server query

In principle, the information about the use of the website cannot in principle be connected to any specific person. However, the log files contain IP addresses or other data that enable the assignment to a user of the website . This could be the case, for example, if the link to the website from which the user accesses the relevant webpage or the link to the website to which the user switches, contains personal data.

This data is also stored in the log files of our system. This data is not stored together with other personal data of the user. We do not aggregate this data with other data sources.

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

3.2 Purpose of the data collection
We process your personal data as part of the weighing of interests (Art. 6 Par. 1 f GDPR) for the following purposes:
•    To show you the web pages and information you have consulted.
•    To enable you to contact us via the contact form or by email.
•    To present to you the content of our website in an as effective and interesting way as possible.
•    To identify and correct mistakes on the website, to check the utilisation of the website and, where necessary, to make any changes or improvements.
•    To secure our information technology systems, in particular to detect attacks and take countermeasures.

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this the IP address of the user must remain stored for the duration of the session.
In this context, the data is not used for marketing.

3.3 Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
To the extent data is stored in log files, it will be deleted after seven (7) days at the latest. Further storage is possible, but in this case, the IP addresses of the users are deleted or alienated, so that an assignment of the data to a particular user is no longer possible.

3.4 Objection
The collection and storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

3.5 No transfer of your personal data
We do not transfer your personal data to third parties unless it is permitted to do so in order to meet the intended purpose or for the purpose of fulfilling the contract, or when it is legally necessary or permitted, or when you have expressly consented to it.

4. Cookies, Web analysis services, and Targeting

4.1 Cookies
a. Description and scope of processing
Our website currently uses no cookies.

Cookies are text files that are stored in the Internet browser, or by the Internet browser on you computer system. If you visit a website, a cookie may be stored on your computer. This cookie contains a characteristic character string that enables a unique identification of the browser when the website is called up again.

4.2 Web Analysis Services
Our website currently uses no web analysis services.

5. Contact form and contact via e-mail

5.1 Description and scope of processing
There is a contact form on our website which can be used to contact us via electronic means. If you use this option, the data entered in the input mask and data and time will be transmitted to us and saved.

5.2 Legal basis
The legal basis for the processing of data transmitted in the course of using the contact form is Art. 6 para. 1 lit. f GDPR. If the e-mail contact aims at the conclusion of a contract, then additional legal basis for the processing is Art. 6 exp. 1 lit. b GDPR.

5.3 Purpose of data processing
The processing of the personal data from the input mask is only used by us for the relevant contact. In the event of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

5.4 Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those that were sent by e-mail, this is the case when the respective conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.
Insofar as your inquiry and our answers to it fall under statutory retention obligations, we will store your personal data as long as the applicable statutory retention periods require. InterCard is subject in particular to the German Commercial Code (Handelsgesetzbuch, HGB), the German Fiscal Code (Abgabenordnung, AO), the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG), the German Banking Act (Gesetz über das Kreditwesen, KWG) and the German Money Laundering Act (Geldwäschegesetz, GwG) as well as the IT Security Act (IT-Sicherheitsgesetz) with the corresponding regulation on critical infrastructures (KRITIS-VO). The retention and documentation periods specified in the AO and HGB are generally ten (10) years.

5.5 Objection and deletion
You may revoke a consent to the processing of personal data at any time. If you contact us by e-mail, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued. All personal data stored in the course of contacting us will be deleted in this case, subject to statutory retention obligations.

6. Data security
All information that you provide us with is stored for our use on servers that are located inside the European Union.

The transmission of information over the Internet can be unsafe. We cannot decide which channels the information flows through before arriving in our systems. We cannot therefore, as a general rule, warrant for the secure transmission of the data sent to our website.

However, we take technical and organisational measures in order to safeguard our website and the other IT systems connected to it against loss, destruction, access and modifications and also to prevent the dissemination of your data by unauthorised persons. These measures include the encryption of the data transfer between your computer system and our website. The encryption makes it extremely difficult for unauthorised persons to view information transmitted between computers. It is therefore very unlikely that anyone has read this web page while it was being sent over the network.

7. Data protection and third party websites
The website may contain hyperlinks to and from third party websites. If you follow a hyperlink to one of these websites, please be advised that we cannot assume any liability or provide any warranty for third-party contents or data protection provisions.  Please check the relevant applicable data protection provisions before transmitting personal data to these websites.

Please consider also our other information on data protection under www.intercard.de/datenschutz . In cased you visit the website of our parent company, Verifone Systems, Inc., 2099 Gateway Place, Suite 600, San Jose, CA 95110, USA (www.verifone.de and www.verifone.com) please consider also their data protection information ( https://www.verifone.com/en/gdpr-privacy-policy).

8. Your rights as a data subject
If personal data are processed by you, you are a "data subject” within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the data controller - i.e. us, InterCard - :

8.1 Right to information
You can request that the data controller confirms whether personal data concerning you will be processed by us. If such processing has taken place, you can request the following information from the data controller:
•    the purposes for which the personal data are processed;
•    the categories of personal data processed;
•    the recipients or categories of recipients to whom the personal data concerning you have been or are still being disclosed;
•    the planned duration of the storage of personal data concerning you or, if it is not possible to provide specific information, the criteria for determining the storage period;
•    the existence of a right to rectification or deletion of personal data concerning you, a right to limitation of the processing by the controller or a right to object to such processing;
•    the existence of a right of appeal to a supervisory authority;
•    any available information on the origin of the data if the personal data are not collected from the data subject;
•    the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) GDPR and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.

8.2 Right to correction
You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.

8.3 Right to restriction of processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:
•    if you dispute the accuracy of the personal data concerning you for a period of time that enables the person responsible to verify the accuracy of the personal data;
•    the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
•    the data controller no longer needs the personal data for the purposes of the processing, but you need them to assert, exercise or defend legal claims, or
•    if you have filed an objection to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.
If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.
If the processing restriction has been restricted in accordance with the above conditions, you will be informed by the person responsible before the restriction is lifted.

8.4 Right to cancellation
a) Duty to delete
You may request the data controller to delete the personal data relating to you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:
•    The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
•    You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
•    You file an objection against the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 para. 2 GDPR.
•    The personal data concerning you have been processed unlawfully.
•    The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
•    The personal data concerning you have been collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

b) Information to third parties
If the data controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.

c) Exceptions
The right to cancellation does not exist insofar as the processing is necessary
•    to exercise the right of freedom of expression and information;
•    for the performance of a legal obligation required for processing under the law of the Union or of the Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
•    for reasons of public interest in the field of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
•    for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the law referred to under a) is likely to render impossible or seriously impair the attainment of the objectives of such processing, or
•    to assert, exercise or defend legal claims.

8.5 Right to information
If you have exercised your right to have the data controller correct, delete or limit the processing, he/she is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
Vis-à-vis the data controller, you have the right to be informed of such recipients.

8.6 Right to Data Transferability
You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another person in charge without obstruction by the person in charge to whom the personal data was provided, provided that
•    the processing is based on a consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
•    the processing is carried out using automated methods.
In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this. The right to transferability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

8.7 Right of objection
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you under Article 6 para 1 lit. e or lit f GDPR; this also applies to profiling based on these provisions.
The data controller may then no longer process the personal data concerning you, unless he can prove reasons for the processing that are compelling and worthy of protection and which outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You may exercise your right of objection in connection with the use of Information Society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.

You may send your objection, without any specific form being required, to the following address, stating your name, your address and, if applicable, your IP or e-mail address used:
InterCard AG
"Data Privacy – Objection”
Mehlbeerenstraße 4
82024 Taufkirchen
Germany

8.8 Right to revoke the data protection declaration of consent
You may at any time revoke your consent to the processing of your data. The right of revocation also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. Please note that the revocation will only take effect with respect to future processing. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

8.9 Automated decision in individual cases including profiling
You have the right not to be subject to a decision based exclusively on automated processing - including profiling - that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision
•    is necessary for the conclusion or performance of a contract between you and the data controller,
•    is, pursuant to the legislation of the Union or of the Member States to which the data controller is subject, admissible and that legislation contains appropriate measures to safeguard your rights, freedoms and legitimate interests; or
•    with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or lit. g GDPR apply, and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
In the cases referred to in Bullet 1 and 3 above, the data controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the data controller, to state his own position and to challenge the decision.

8.10. Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or suspect of infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

8.11 General notice on making use of your rights
Whenever you request us to disclose or delete personal data, we may only follow these requests with respect to your own data. Therefore, please understand that in the interest of other privacy of of other users, we may require appropriate proof of your identity from you. Also, as we usually collect only a very limited set of data in connection with this website, most of which is discarded very soon and which may be only be linked to a specific person – like you – with a lot of effort, we reserve the right to require you to provide additional information that allows us to identify the relevant data about you that is covered by your request.

9. Amendments to this data protection declaration
We reserve the right to amend this data protection declaration at any time with future effect. The latest version of the statement is available on the website and applies to all access taking place as of publication of the version. Please visit the website regularly and read the applicable data protection declaration.

Translations into other languages are only for convenience use. In case of differences and deviations, only the German language text is valid.


The data protection officer of the controller is:

Mr. Nicolas Adolph
E-mail: datenschutz@intercard.de

By postal mail:
InterCard AG
Data Protection Officer
Mr. Nicolas Adolph
Mehlbeerenstraße 4
82024 Taufkirchen
Germany