Swiipe is a payment and ID solution. The data subject simply logs in with Swiipe at the checkout and Swiipe takes care of the data subject's payment, securely storing the personal data (encrypted and completely controlled by). The individual can store multiple addresses and emails and keep his/her favourite payment methods in one place. Swiipe offers an easy way to pay, whether by card, invoice or MobilePay.
Since the right to the protection of personal data is a fundamental right, Swiipe is aware that compliance with the EU's General Data Protection Regulation (hereinafter GDPR) is a high-level legal requirement. Personal data protection is therefore a matter that is taken seriously.
Nature, Scope and Context
The personal data requested from the data subject are regular data such as name, address, civil personal registration (CPR) number, age, bank account, shoe size, license plate number etc. No sensitive data (special categories of personal data under Article 9 of the GDPR) are processed.
The volume and variety of personal data are not significant, as the processing entails only the minimum data needed to enable the data subjects to purchase goods and services. Therefore, the processing is in accordance with the minimization principle.
The extent and frequency of processing is directly connected with the activity of the data subject, which depends on how many goods and services the data subjects wish to purchase.
The number of data subjects is variable and it covers Denmark’s geographical area.
Taking into consideration the volume and variety of the personal data, the extent and frequency of the processing, the number of data subjects involved and the geographical area covered, the processing operations are not made on a large scale, for the time being.
Personal data are collected from the data subjects after they have given consent. The consent fulfils all the criteria established by Article 7 of the GDPR for valid consent:
- Freely given: there are no consequences that affect the data subjects negatively if they do not consent. The only consequence is that the data subjects will not be able to use the technology, which does not deprive them of any economic or social benefit.
- Informed: the data subject is informed through Swiipe's GDPR Policy before taking a decision. The data protection policy contains a precise and easily understandable description of the individuals' rights and of the subject matter requiring consent.
- Specific: the information provided prior to consenting is explanatory enough about the object of consent and the data subjects' rights, so that they express their agreement to the processing by a clear affirmative action (ticking a box).
The processing of personal data is totally foreseeable. The nature of this technology entails data processing in order to fulfill the intended purpose for the individual.
As regards children, only persons aged 16 or over can use Swiipe's services. Since the legal ground for processing regular data is consent, and under Article 8 of the GDPR consent given by a child who is at least 16 years old does not need to be authorised by the holder of parental responsibility, the processing of personal data concerning data subjects between 16 and 18 years old is lawful.
Personal information is divided into three classes: non-sensitive, sensitive and semi-sensitive. Although the GDPR itself distinguishes only between regular and sensitive (special category) data, to ensure the best data protection possible Swiipe processes data according to this classification:
- Non-sensitive data: data that users commonly expose to others, such as name, address and other common types of information. For this class no encryption or hashing is applied to the stored fields.
- Sensitive data: data which individuals do not commonly share, such as ethnicity, religion, political views etc. Swiipe does not process this class of data. However, if a data subject nevertheless supplies such data, it is encrypted.
- Semi-sensitive data: data which the user would only expose when required for a specific purpose, such as credit information, identification, work-related information, CPR number, criminal record etc. When processed, this class of data is encrypted.
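The classification above maps directly onto a field-level encryption rule: non-sensitive fields are stored in the clear, everything else is encrypted before it reaches the data layer. The following Go program is an added illustration of that rule and is not Swiipe's own code; the field names, the `enc:v1:` prefix and the use of AES-256-GCM are assumptions, and the sample record is constructed. Two details go beyond the policy text: a field the schema does not recognise is treated as sensitive (fail closed, so stray sensitive data is encrypted rather than exposed), and the field name is bound to the ciphertext as associated data, so an encrypted CPR number cannot be silently moved into the bank-account column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Classification follows the three classes described in the policy.
type Classification int

const (
	NonSensitive  Classification = iota // stored in the clear
	SemiSensitive                       // encrypted when processed
	Sensitive                           // not expected, but encrypted if supplied
)

// Hypothetical field schema; the real Swiipe schema is not published.
var fieldClass = map[string]Classification{
	"name": NonSensitive, "address": NonSensitive, "email": NonSensitive,
	"shoe_size": NonSensitive, "cpr_number": SemiSensitive,
	"bank_account": SemiSensitive, "license_plate": SemiSensitive,
	"religion": Sensitive,
}

// classify fails closed: a field missing from the schema is treated as Sensitive.
func classify(field string) Classification {
	if c, ok := fieldClass[field]; ok {
		return c
	}
	return Sensitive
}

const encPrefix = "enc:v1:" // marks an encrypted field and its format version

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals value with AES-GCM under a fresh random nonce. The field
// name is passed as associated data so the ciphertext is bound to its column.
func encryptField(key []byte, field, value string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(value), []byte(field)) // nonce || ciphertext || tag
	return encPrefix + base64.StdEncoding.EncodeToString(ct), nil
}

// decryptField reverses encryptField; it fails if the field name (AAD) differs.
func decryptField(key []byte, field, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return "", fmt.Errorf("field %q: expected encrypted value", field)
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", field, err)
	}
	return string(pt), nil
}

// ProtectRecord applies the classification rule to every field of a record.
func ProtectRecord(key []byte, record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for field, value := range record {
		if classify(field) == NonSensitive {
			out[field] = value
			continue
		}
		ct, err := encryptField(key, field, value)
		if err != nil {
			return nil, err
		}
		out[field] = ct
	}
	return out, nil
}

// RevealRecord reverses ProtectRecord for an authorised reader.
func RevealRecord(key []byte, stored map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(stored))
	for field, value := range stored {
		if classify(field) == NonSensitive {
			out[field] = value
			continue
		}
		pt, err := decryptField(key, field, value)
		if err != nil {
			return nil, err
		}
		out[field] = pt
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // demo key only; in production it comes from a key vault/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real personal data.
	rec := map[string]string{"name": "Jane Doe", "cpr_number": "010190-1234", "shoe_size": "38"}
	stored, _ := ProtectRecord(key, rec)
	fmt.Println(stored) // name and shoe_size in the clear, cpr_number as enc:v1:...
	back, _ := RevealRecord(key, stored)
	fmt.Println(back)
}
```

The key itself is deliberately outside the record: the policy's guarantee only holds if the key is managed separately from the data layer (a key vault or HSM), so that someone with read access to the database alone sees nothing but ciphertext for the semi-sensitive and sensitive classes.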
Only Swiipe staff have access to the data subjects' personal data in connection with the processing. As a security measure, two-factor authentication is required for all users with access to the application and data layers.
Regarding the onboarding and offboarding process, employees are given access to the company's systems on their first day of work and have their privileges removed on their last day. Access is only ever granted through security groups, never directly to individual accounts.
Data subjects have access to their personal data through a user portal, which records the processing activities for each individual. There data subjects can rectify their personal data. Moreover, individuals are kept informed about what data are being processed and about the third parties to whom personal data have been transmitted.
Necessity and Proportionality
The purpose of processing personal data is to make it easier for each person to carry out transactions on the internet, whether payment transactions or other registrations. The technology's goal is an easier, user-friendly method based on a single login, so that the data need not be typed in every time. To achieve this, the data stored are diverse but regular, such as contact details, bank account, CPR no., shoe size, license plate number etc.; the regular data collected depend on what goods and services the users want to purchase.
Prior to the processing the data subjects give their consent in a freely given, informed and specific manner. The intended outcome for the individuals is a new, user-friendly and secure technology for online payments. Data are processed solely for the purpose mentioned above, in compliance with the 'purpose limitation' principle.
Personal data are further processed for statistical purposes in order to identify and prevent fraudulent actions relating to users' transactions. This is a requirement of Directive (EU) 2015/2366 on payment services in the internal market (hereafter PSD2), Article 5(1)(i); the legal ground for this further processing is therefore Article 6(1)(c) of the GDPR, processing necessary for compliance with a legal obligation. Moreover, under Article 5(1)(b) of the GDPR, further processing for statistical purposes is not considered incompatible with the initial purpose.
The purpose above mentioned entails several processing operations such as: collecting data, storing data, as well as disclosing data by transmission to the third parties to which the data subjects want to send the payment. The data subjects give their consent prior to processing operations.
The lawful basis for processing, according to Article 6 (1) lit. a of the GDPR, is the consent given by the data subject before data undergo processing. The consent fulfills all conditions pursuant to the regulation (freely given, informed and specific). Moreover, besides the subject matter requiring consent, the individuals will also be informed about the rights as data subjects.
Data minimization is ensured by collecting only the data necessary for fulfilling the purpose. The data that undergo processing are only regular data such as: name, age, address, CPR no., bank account, shoe size, license plate number etc.
Data quality is ensured by giving the data subjects the possibility to monitor and rectify their data at any time through a secured portal designed for users. This is how access, control, accuracy and transparency are ensured. If further information is needed, the data subjects can always contact Swiipe and their request will be addressed in a timely and adequate manner.
The retention period of personal data is established in accordance with national law. Danish law requires financial information to be retained for 5 (five) years. Therefore, if a data subject asks for his/her data to be deleted, the information concerning financial transactions will be retained for a further 5 (five) years. During that period, the processing operations are restricted to storage and to transmission to public authorities that justify their interest in requesting the data.
As a controller, Swiipe shall provide information on action taken on a request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. Taking into account the complexity and number of requests, Swiipe may extend this period by two further months. In that case Swiipe will inform the data subject of the extension within one month of receipt of the request, together with the reasons for the delay.
Consequently, the processing is lawful, fair and transparent. Personal data are collected for a specified, explicit and legitimate purpose. The personal data requested are adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed. Inaccurate data, having regard to the purpose for which they are processed, are erased or rectified without delay. Retention period does not exceed the legal limit in matter of financial transactions.
Processing operations are carried out in a manner that ensures appropriate security of the personal data. By implementing measures to promote and safeguard data protection in its processing activities, Swiipe respects the principle of accountability. The processing of personal data therefore fully complies with the provisions of the GDPR.
Controller – Processor – Third parties
Swiipe – Controller
The concept of controller is a functional concept, intended to allocate responsibilities where the factual influence is, and thus based on a factual rather than a formal analysis.
The controller determines the purpose and means of processing. The purpose shall be considered as “an anticipated outcome that is intended or that guides planned actions”, and the latter is considered as “how a result is obtained or an end is achieved”.
Swiipe is the entity that establishes both the purpose and means, both the essential elements and the technical and organizational aspects, as described above. Swiipe has implemented appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Azure – Processor
The cloud hosting provider, Microsoft Azure, is the platform on which all services are hosted and all data are stored. Azure performs processing operations such as storage, encryption and transfer of personal data on behalf of the controller. All of Azure's activities are performed under the instructions of Swiipe (the controller).
Spreedly – Processor
Spreedly is the processor that stores and tokenizes data. Swiipe, as controller, has entered into a data processing agreement with the processor, under which Spreedly sends transactions securely to third-party API endpoints. Whenever Spreedly intends to change its sub-processors, Swiipe is informed and can object to those changes, thereby keeping control over the processor's actions.
Third parties – independent controllers
Swiipe discloses by transmission personal data to third parties for the same purpose described above, following data subjects’ consent.
The mere fact that different parties cooperate in processing personal data does not mean that they are joint controllers in all cases: an exchange of data between two parties that do not share purposes or means in a common set of operations is merely a transfer of data between separate controllers.
Therefore, the third parties to which Swiipe discloses personal data so that the same purpose is fulfilled are independent controllers. Each controller falls separately under the data protection obligations relating to its own processing operations.
Data subjects’ rights
As a controller, Swiipe respects the data subjects' rights pursuant to the GDPR. At the same time, the controller has the obligation to inform the data subjects about the following rights when collecting the data directly from them:
Right to access and rectification
Data subjects have the right to access the personal data that we collect, through a secured user portal. There data subjects can see an overview of their activities as Swiipe users and update inaccurate data.
Right to erasure
Data subjects have the right to have their data erased when: they are no longer necessary in relation to the purpose mentioned above or when they withdraw their consent for processing.
The right to erasure does not mean that the data subjects' data are deleted automatically; they receive a reasoned assessment in response to their request. If the request is justified and no other legal provision prohibits the deletion, the data subjects' data are deleted.
Right to restriction
Data subjects have the right to obtain restriction of processing when:
- The processing is unlawful and they oppose the erasure of personal data
- Swiipe no longer needs their personal data for the purpose mentioned above, but they require the data for the establishment, exercise or defence of legal claims
Where processing is restricted, personal data will, with the exception of storage, be processed only with the data subjects' consent. The individuals will be informed before the restriction is lifted.
Right to data portability
Data subjects have the right to receive the personal data they have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller. When requested by the data subject, Swiipe shall transmit those data directly to another controller, where technically feasible.
Right to withdraw your consent
Data subjects have the right to withdraw their consent at any time, without giving reasons and without suffering negative consequences. They can do so by sending us a written notification of withdrawal. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint
Data subjects can lodge a complaint with the Danish Data Protection Agency (Datatilsynet) if they consider that the processing of their personal data infringes the General Data Protection Regulation.
Risks awareness and security
The possible risks have been properly assessed by conducting a Data Protection Impact Assessment (the assessment is not publicly available because it contains sensitive information concerning the security infrastructure) and mitigated according to the state of the art, the cost of implementation in relation to the risks, and the nature, scope, context and purposes of the processing. Swiipe has implemented technical and organizational measures to ensure a level of security appropriate to the risks identified.
The data processed are regular and minimal, and the data subjects are informed about the data protection policy before giving consent. Swiipe makes sure that data subjects are fully aware of how their information is used and can contact the company for assistance if necessary. This is supported by the secured user portal, through which the data subject retains control over the data and obtains an accurate overview of the processing.
Following the above policy it shall be concluded that Swiipe is fully compliant with the EU’s General Data Protection Regulation.