Privacy Shield Policy
[Note to the reader in the US: This is a corporate policy enabling safe data exchange in global financial processing projects and assignments involving the US, the European Union, the United Kingdom, and Switzerland.]
DIGITAL PAYMENTS PLC (the “Company”) is a vertically integrated payments processor and program manager that specializes in prepaid solutions. Through our fully owned subsidiary, M2 Payment Solutions Inc, a US company, we are associated with a number of issuers working in Europe, North America, South America and the Middle East. Protecting consumer privacy is important to the Company. The Company and its affiliated United States subsidiaries (hereinafter collectively referred to as the “Company,” “we,” “us” or “our”) adhere to the EU-U.S. Privacy Shield Framework concerning the transfer of personal data from the European Union (“EU”), the United Kingdom (“UK”) and Switzerland to the United States of America. The Federal Trade Commission (FTC) has jurisdiction with enforcement authority over M2 Payment Solutions compliance with the Privacy Shield.
“Personal Data” or “Information” means information that (1) is transferred from the EU or Switzerland to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.
“Sensitive Personal Data” means Personal Data that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.
Collection of Personal Information
We collect personal information from our customers during their acquisition and use of our services. This includes, but is not limited to, data given upon registration, transaction information, contact information, and all other personal information collected as a prerequisite to utilizing our services. The types of information we collect about you depends on your particular interaction with our services, and might include, where permitted by applicable law:
- Telephone number
- Date of birth
- Social Security Number or National Identification Numbers
- Identity validation (e.g., photograph, other information requested to verify your information)
M2 Payment Solutions serves as a service provider. In our capacity as a service provider, we will receive, store, and/or process Personal Data. In such cases, we are acting as a data processor and will process the Personal Data on behalf of and under the direction of our partners and/or agents. The information that we collect from our Individual Customers in this capacity is used for managing transactions, reporting, invoicing, renewals, other operations related to providing services to the Individual Customer, and as otherwise requested by our partner and/or agent.
M2 Payment Solutions uses Personal Data that it collects directly from its Individual Customers and for its partners indirectly in its role as a service provider for the following business purposes, without limitation:
maintaining and supporting its products, delivering and providing the requested products/services, and complying with its contractual obligations related thereto (including managing transactions, reporting, invoices, renewals, and other operations related to providing services to a Individual Customer); storing and processing data, including Personal Data, in computer databases and servers located in the United States; as requested by the Individual Customer; for other business-related purposes permitted or required under applicable local law and regulation; and as otherwise required by law.
M2 Payment Solutions shall inform an individual of the purpose for which it collects and uses the Personal Data and the types of non-agent third parties to which the Company discloses or may disclose that Information. The Company shall provide the individual with the choice and means for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to the Company, or as soon as practicable thereafter, and in any event before the Company uses or discloses the Information for a purpose other than for which it was originally collected.
M2 Payment Solutions will allow individuals whose Personal Data is collected in the EU, UK or Switzerland and transferred to the U.S. to decide, by either opt-in or opt-out, as may be required by relevant local laws, rules or regulations (including, the Privacy Shield Principles), whether your Personal Data may be (1) disclosed to a third party that is not an Agent or (2) used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by that individual, as may be identified by the Company from time to time. Upon providing us with your personal information, you consent to the transfer and storage of such information on our servers located within the United States. You may exercise your right to opt out at anytime by mailing your request to us at: Digital Payments PLC, Attn: Legal Department, 3000 Hillswood Drive, Hillswood Business Park, Chertsey, KT16 ORS, United Kingdom.
For Sensitive Personal Data, the Company will give individuals the opportunity to affirmatively and explicitly consent (opt in) to permit the Company to (1) disclose Sensitive Personal Data to a third party that is not an Agent or (2) use Sensitive Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. You may exercise your right to opt out at anytime by mailing your request to us at: Digital Payments PLC, Attn: Legal Department, 3000 Hillswood Drive, Hillswood Business Park, Chertsey, KT16 ORS, United Kingdom. In addition, M2 Payment Solutions may disclose Personal Data (i) if we are required to do so by law or legal process, (ii) to law enforcement authorities or other government officials based on an enforceable government request or as may be required under applicable law including in response to lawful requests from public authorities to meet national security or law enforcement requirements, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.
Accountability for Onward Transfer:
We may share Personal Data with service providers we have retained to perform services on our behalf. Service providers would include: business partners, regulated institutions (e.g., financial institutions), payment and settlement networks, card vendors, and affiliated entities. We now require service providers to whom we disclose Personal Data and who are not subject to laws based on the European Union Data Protection Directive or the Swiss Federal Act on Data Protection contractually agree to provide at least the same level of protection for Personal Data as is required by the relevant Privacy Shield principles. If the third party does not comply with its privacy obligations, M2 Payment Solutions will take commercially reasonable steps to prevent or stop the use or disclosure of Personal Data. In the context of an onward transfer, M2 Payment Solutions has responsibility for the processing of Personal Data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. M2 Payment Solutions remains liable under the Principles if its agents that it engages to process such Personal Data do so in a manner inconsistent with the Principles, unless M2 Payment Solutions proves that it is not responsible for the event giving rise to the damage.
M2 Payment Solutions has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction. For example, electronically stored Personal Data is stored on a secure network with firewall protection, and access to the Companies electronic information systems requires user authentication. M2 Payment Solutions also employs access restrictions, limiting the scope of employees who have access to Individual Customer Personal Data. M2 Payment Solutions uses secure encryption technology to protect certain categories of personal data and utilizes third party assessors to review the company’s compliance with industry standards. Despite these precautions, no data security safeguards guarantee 100% security all of the time.
M2 Payment Solutions shall only process Personal Data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, the Company shall take reasonable steps to ensure that Personal Data is accurate, complete, current and reliable for its intended use.
Rights to Access, to Limit Use, and to Limit Disclosure:
M2 Payment Solutions acknowledges the individual’s right to access their personal data and shall allow an individual access to their Personal Data and allow the individual to correct or amend, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Pursuant to the Privacy Shield Principles EU, UK and Swiss individuals also have the right to delete data that has been handled in violation of the Frameworks. In some circumstances M2 Payment Solutions personnel have limited ability to access data our customers submit to our services, if you wish to request access, to limit use, or to limit disclosure, please provide the name of the M2 Payment Solutions customer who submitted your data to our services. Requests should be mailed to: Digital Payments PLC, Attn: Legal Department, 3000 Hillswood Drive, Hillswood Business Park, Chertsey, KT16 ORS, United Kingdom. We will refer your request to that customer, and will support them as needed in responding to your request.
M2 Payment Solutions has further committed to refer unresolved privacy complaints under EU-U.S. or Swiss-U.S. Privacy Shield to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your compliant, or if your compliant is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. We will post any revised policy on this website. We will notify Customers if we make changes that materially affect the way we handle Personal Data previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.
Questions, comments or complaints regarding the Company’s Privacy Shield Policy or data collection and processing practices can be mailed to:
DIGITAL PAYMENTS PLC
Attn: Legal Department
3000 Hillswood Drive
Hillswood Business Park
Chertsey, KT16 ORS, United Kingdom
Or emailed to Tina Marcus at
Effective date: March 2020