1. General Information and Mandatory Disclosures
General Notice
The following information provides a simple overview of what happens to your personal data when you use our website. Personal data is any data with which you can be personally identified. Detailed information on the subject of data protection can be found in our privacy policy listed below this text.
Who is responsible for data collection on the website?
The responsible body is the legal person who, alone or jointly with others, decides on the purposes and means of processing personal data (e.g., names, email addresses, etc.). The data processing on this website is carried out by:
PayCenter GmbH
Clemensänger Ring 24
85356 Freising
Phone: 08161 4060-300
Email: info@PayCenter.de
Technical Implementation of the Website
The technical provision and operation of the website are carried out by petaFuel GmbH, Clemensänger Ring 24, 85356 Freising, as a service provider on behalf of PayCenter GmbH. PayCenter GmbH remains the responsible body in terms of data protection law.
How do we collect your data?
Some of your data is collected when you provide it to us. This can be, for example, data that you enter during the registration process. Other data is collected automatically by our IT systems when you use the website. This is primarily technical data (e.g., website version, operating system, or timestamp of the page view). This data is collected automatically as soon as you visit the website.
What do we process your data for?
- If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, if special categories of data according to Art. 9(1) GDPR are processed. In the case of explicit consent to the transfer of personal data to third countries, data processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or access to information on your end device (e.g., via device fingerprinting), data processing is additionally based on § 25(1) TDDDG. The consent can be revoked at any time.
- If your data is required for the performance of a contract or for carrying out pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR.
- Furthermore, we process your data if it is necessary for the fulfillment of a legal obligation on the basis of Art. 6(1)(c) GDPR.
As an e-money institution, we are subject to various legal obligations, i.e., legal requirements (e.g., German Banking Act, Anti-Money Laundering Act, tax laws) as well as banking supervisory requirements (e.g., of the Federal Financial Supervisory Authority). The purposes of processing include, among other things, identity and age verification, fraud and money laundering prevention, the fulfillment of tax control and reporting obligations, as well as the assessment and management of risks within the company.
- Data processing may also be based on our legitimate interest according to Art. 6(1)(f) GDPR.
Examples:
- error-free provision of the website
- advertising, provided you have previously consented to the use of your data
- assertion of legal claims and defense in legal disputes
- ensuring IT security and IT operations
- prevention of criminal offenses
Information on the relevant legal bases in each individual case is provided in the following paragraphs of this privacy policy.
Who receives your data?
Within the company, those departments that need your data to fulfill our contractual and legal obligations gain access to it. Service providers and vicarious agents employed by us may also receive data for these purposes if they maintain banking secrecy and comply with our written data protection instructions. These are essentially companies in the categories listed below.
With regard to the transfer of data to recipients outside the e-money institution, it should first be noted that, as an e-money institution, we are obliged to maintain secrecy about all customer-related facts and valuations of which we become aware.
We may only pass on information about you if legal provisions require it, you have given your consent, we are authorized to provide a bank reference, and/or data processors commissioned by us guarantee compliance with banking secrecy and the requirements of the EU General Data Protection Regulation/Federal Data Protection Act in the same way. Under these conditions, recipients of personal data may include, for example:
- Public bodies and institutions (e.g., Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities, Federal Central Tax Office) in the event of a legal or official obligation.
- Other credit and financial service institutions, comparable institutions, and data processors (see point 5. Data Processing Agreement) to whom we transfer personal data to conduct the business relationship with you.
In detail: processing of bank references, support/maintenance of EDP/IT applications, archiving, document processing, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, collection, payment card processing, customer management, telephony, video legitimation, website management, payment transactions.
Other data recipients may be those bodies for which you have given your consent to the data transfer or for which you have released us from banking secrecy by agreement or consent.
Data Transfer to Third Countries
A transfer of personal data to countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries) only takes place if one of the following conditions is met:
- To fulfill your orders: This may be the case, for example, when processing payment orders.
- Due to legal obligations: This includes, for example, tax reporting obligations.
- With your explicit consent: You will be informed separately in advance about the risks of data transfer.
- As part of a data processing agreement: We use service providers based in third countries. In these cases, we ensure that appropriate guarantees in accordance with Art. 46 GDPR are in place to ensure an adequate level of data protection. This can be done through certification under the "EU-US Data Privacy Framework" (DPF) for US providers or by agreeing to Standard Contractual Clauses (SCCs), whereby we may conduct a Transfer Impact Assessment (TIA) and implement additional protective measures.
We would like to point out that when using service providers in third countries that are considered unsafe in terms of data protection law, including US providers without DPF certification, a level of data protection corresponding to that of the European Union may not be guaranteed in all respects. This particularly affects state access rights to your data. However, we strive to ensure the highest possible level of protection for your data by selecting suitable providers and implementing the guarantees mentioned above.
Recipients of personal data
In the course of our business activities, we work with various external bodies. In some cases, this also requires the transfer of personal data to these external bodies. We only pass on personal data to external bodies if this is necessary for the performance of a contract, if we are legally obliged to do so (e.g., passing on data to tax authorities), if we have a legitimate interest in passing it on in accordance with Art. 6(1)(f) GDPR, or if another legal basis permits the data transfer. When using data processors, we only pass on personal data of our customers on the basis of a valid data processing agreement. In the case of joint processing, a joint processing agreement is concluded.
SSL/TLS Encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from http:// to https:// and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Your Rights at a Glance
- Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
- Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)
If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. This also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims (objection pursuant to Art. 21(1) GDPR).
If your personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. This also applies to profiling, insofar as it is associated with such direct advertising. If you object, your personal data will then no longer be used for the purpose of direct advertising (objection pursuant to Art. 21(2) GDPR).
- Right to lodge a complaint with the competent supervisory authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work, or the place of the alleged violation. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.
The competent supervisory authority for data protection issues is:
Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision)
P.O. Box 1349
91504 Ansbach
Phone: 0981/180093-0
Fax: 0981/180093-800
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de
- Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.
- Information, correction, and deletion
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient, and the purpose of the data processing and, if applicable, a right to correction or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time.
- Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it to exercise, defend, or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection pursuant to Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.
2. Data Protection Officer
Legally required data protection officer
We have appointed a data protection officer for our company. For all questions on the subject of data protection, the following contact options are available to you:
PayCenter GmbH
Data Protection Officer
Clemensänger Ring 24
85356 Freising
Phone: 08161 4060-300
Email: datenschutz@PayCenter.de
3. Data Processing on the Website
Server Log Files
petaFuel GmbH automatically collects and stores information in so-called server log files. The following information is transmitted to us by the website:
- Operating system used
- Browser used
- URL accessed
- Date and time of the server request
- IP address
This data is not merged with other data sources.
The basis for data processing is Art. 6(1)(f) GDPR, which permits the processing of data to protect legitimate interests. We use this data both to operate and improve the website and for fraud prevention.
The data is automatically deleted after 90 days at the latest.
5. Spam Protection by Friendly Captcha
We use Friendly Captcha (hereinafter referred to as Friendly Captcha) on this website. The provider is Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.
Friendly Captcha is intended to check whether the data entry on this website (e.g., in a contact form) is made by a human or by an automated program. For this purpose, Friendly Captcha analyzes the behavior of the website visitor based on various characteristics. For the analysis, Friendly Captcha evaluates various information (e.g., anonymized IP address, referrer, time of visit, etc.). You can find more information on this at: https://friendlycaptcha.com/legal/privacy-end-users/.
The storage and analysis of the data are based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automated spying and from SPAM. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's end device (e.g., device fingerprinting) within the meaning of the TDDDG. The consent can be revoked at any time.
6. Data Processing Agreement
We occasionally commission other companies to provide services on our behalf to a limited extent and within the scope of the business purpose. These companies may only process the personal data that is necessary for the provision of the respective service. These companies undertake to treat the data confidentially. The companies are expressly prohibited from using the information for other purposes. We have concluded a data processing agreement with the following companies and pass on personal data to the extent necessary:
- petaFuel GmbH (Mastercard Processor, Technical Service Provider): petaFuel GmbH, Clemensänger-Ring 24, 85356 Freising
7. Data Collection upon Contact
Contact by email, contact form, telephone, fax
If you contact us by email, contact form, telephone, or fax, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.
The processing of this data is based on Art. 6(1)(b) GDPR, if your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if this has been requested; the consent can be revoked at any time.
The data you send to us via contact requests will remain with us until you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions - in particular statutory retention periods - remain unaffected.
Basic automatic deletion periods:
- Tickets from non-customers: 6 months
- Tickets from customers: 1 year
- Tickets with data protection relevance: 3 years
8. We Say Hello
To be reminded by us of all future "We Say Hello" appointments, you have the option of providing us with your mobile phone number. We will then send you a notification by SMS before each appointment.
The legal basis for the storage and processing of your data is Art. 6(1)(a) GDPR (consent of the data subject). Your personal data will remain with us until you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., if there are no more "We Say Hello" appointments). You have the right at any time to receive information free of charge about the origin, recipient, and purpose of your stored personal data. You also have a right to object, to data portability, and a right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the correction, deletion and, under certain circumstances, the restriction of the processing of your personal data.
For the "We Say Hello" meeting, we use Jitsi Meet. You can find more information about this under "Audio and Video Conferences".
9. Audio and Video Conferences
Data processing
For communication with our customers, we use online conference tools, among others. The tools we use in detail are listed below. If you communicate with us via video or audio conference via the internet, your personal data will be collected and processed by us and the provider of the respective conference tool.
The conference tools collect all data that you provide/use to use the tools (email address and/or your phone number). Furthermore, the conference tools process the duration of the conference, start and end (time) of participation in the conference, number of participants, and other "context information" in connection with the communication process (metadata).
Furthermore, the provider of the tool processes all technical data that is necessary for handling the online communication. This includes in particular IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection.
If content is exchanged, uploaded, or otherwise made available within the tool, it is also stored on the servers of the tool providers. Such content includes in particular cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards, and other information shared while using the service.
Please note that we do not have full control over the data processing operations of the tools used. Our options are largely determined by the corporate policy of the respective provider. For further information on data processing by the conference tools, please refer to the privacy policies of the respective tools used, which we have listed below this text.
Purpose and legal bases
The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6(1)(b) GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our company (legitimate interest within the meaning of Art. 6(1)(f) GDPR). If consent has been requested, the use of the relevant tools is based on this consent; the consent can be revoked at any time with effect for the future.
Storage duration
The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory retention periods remain unaffected.
We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.
Conference tools used
We use the following conference tools:
Microsoft Teams
We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to the Microsoft Teams privacy policy: https://privacy.microsoft.com/en-us/privacystatement.
The company is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. You can obtain further information from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active.
Data Processing Agreement
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
Jitsi Meet
We use Jitsi Meet. If you communicate with us via Jitsi Meet, all data associated with this communication process will be processed exclusively on our servers (On Premise).
Webex
We use Webex. The provider of this service is Webex Communications Deutschland GmbH, Hansaallee 249 c/o Cisco Systems GmbH, 40549 Düsseldorf, Germany.
It cannot be ruled out that the data processed with Webex will be transferred to third countries (e.g., the USA). Webex has Binding Corporate Rules (BCR) that have been approved by Dutch, Polish, Spanish, and other relevant European data protection regulatory authorities. These are binding corporate internal rules that legitimize the internal corporate data transfer to third countries outside the EU and the EEA. Details can be found here: https://www.cisco.com/c/en_uk/about/trust-center/data-protection-and-privacy-policy.html and https://konferenzen.telekom.de/fileadmin/Redaktion/conference/cisco-webex/Webex_Compliance_Deutsch_V1.0.pdf.
For details on data processing, please refer to the Webex privacy policy: https://www.cisco.com/c/en_uk/about/legal/privacy-full.html.
Data Processing Agreement
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
11. Special Information for Parents
Although our website is generally not directed at children under 16, we strictly adhere to applicable laws regarding obtaining the consent of parents or legal guardians before collecting, using, or disclosing information from children. We strongly recommend that parents take an active role in monitoring their children's online activities. If you believe that we have collected personal data from a person under the age of 16, please inform us at datenschutz@petafuel.de.
12. Changes to the Privacy Policy
We reserve the right to change this privacy policy at any time within the bounds of the law. The current version can be accessed on the website under "Privacy."
10. Social Media
We maintain publicly accessible profiles on social networks. The social networks we use in detail can be found below.
Social networks such as Facebook, X, etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g., like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. In detail:
If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by collecting your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.
Please also note that we cannot track all processing on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.
Legal basis
Our social media presences are intended to ensure the most comprehensive possible presence on the internet. This is a legitimate interest within the meaning of Art. 6(1)(f) GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which are to be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6(1)(a) GDPR).
Controller and assertion of rights
If you visit one of our social media presences (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, correction, deletion, restriction of processing, data portability, and complaint) both against us and against the operator of the respective social media portal (e.g., against Facebook).
Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.
Storage duration
The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal provisions - in particular retention periods - remain unaffected.
We have no influence on the storage period of your data, which is stored by the operators of the social networks for their own purposes. For details, please consult the operators of the social networks directly (e.g., in their privacy policy, see below).
Your rights
You have the right at any time to receive information free of charge about the origin, recipient, and purpose of your stored personal data. You also have a right to object, to data portability, and a right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the correction, blocking, deletion, and, under certain circumstances, the restriction of the processing of your personal data.
Social networks in detail
Facebook
We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter Meta). According to Meta, the collected data is also transferred to the USA and other third countries.
We have concluded a joint processing agreement (Controller Addendum) with Meta. This agreement specifies for which data processing operations we or Meta is responsible when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
You can adjust your advertising settings independently in your user account. To do this, click on the following link and log in: https://www.facebook.com/settings?tab=ads.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://en-gb.facebook.com/help/566994660333381.
For details, please refer to the Facebook privacy policy: https://www.facebook.com/about/privacy/.
The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. You can obtain further information from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452
X (formerly Twitter)
We use the short message service X (formerly Twitter). The provider is the parent company X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The branch Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland is responsible for data processing of persons living outside the USA.
You can adjust your X privacy settings independently in your user account. To do this, click on the following link and log in: https://x.com/settings/account/personalization.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://gdpr.x.com/en/controller-to-controller-transfers.html.
For details, please refer to the privacy policy of X (formerly Twitter): https://x.com/en/privacy.
Instagram
We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://en-gb.facebook.com/help/566994660333381.
For details on their handling of your personal data, please refer to the Instagram privacy policy: https://privacycenter.instagram.com/policy/.
The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. You can obtain further information from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452
YouTube
We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on their handling of your personal data, please refer to the YouTube privacy policy: https://policies.google.com/privacy?hl=en.
The company is certified under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. You can obtain further information from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780
TikTok
We have a profile on TikTok. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. For details on their handling of your personal data, please refer to the TikTok privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=en.
The data transfer to non-secure third countries is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.tiktok.com/legal/privacy-policy?lang=en.