Aufbewahrungsfrist von personenbezogenen Daten
Introduction
Whenever in your contract with an Worldline e-Commerce Solutions legal entity or with Worldline Financial Solutions SA/NV (hereinafter referred to as “Worldline”), regarding the processing of personal data (hereinafter referred to as “Personal Data”), it is stated that you are the data controller and Worldline is your data processor, the following data retention principles will apply.
Given that Worldline offers a shared service, a default data retention period has been implemented for the processing that Worldline does as your data processor. This means that if you do not reduce this default data retention period, the Personal Data will be retained during the default data retention period and erased or anonymized at the expiration of the default data retention period. If you reduce the default data retention period via the settings in your Worldline account, the reduced data retention period will only apply to the Personal Data related to the transactions that are processed after the modification of the settings in your Worldline account. In this case, the Personal Data related to those transactions will be retained during the reduced data retention period and erased or anonymized at the expiration of the reduced data retention period.
There is one exception to the principle that Worldline has implemented a default data retention period acting as your data processor: regarding the lists that may be created by you as part of the first level of Worldline's advanced fraud prevention solution or as part of the basic fraud prevention tool (white lists, black lists or grey lists - hereinafter referred to as “the Lists”), Worldline did not implement a default data retention period and Personal Data contained in the Lists shall be erased upon your instructions.
Transactions
Personal Data processed as part of the transaction, Personal Data processed as part of the first level of Worldline’s advanced fraud prevention solution (Checklist or Scoring module) and Personal Data processed as part of the basic fraud prevention tool (except regarding the Lists)
In its quality of data processor, as default data retention period, Worldline will retain the Personal Data for a period of five hundred and forty (540) calendar days as from the date of the transaction. You can opt to reduce this default data retention period with a minimum of ninety (90) calendar days as from the date of the transaction, via de settings in your Worldline account. You will be responsible for any period selected. After this period (the default or the reduced period), without prejudice to Worldline’s back-up and subject to any contrary statutory, regulatory or contractual retention obligations which must be observed by Worldline, the Personal Data will be erased or anonymized.
If, outside the default or the reduced data retention period, you request Worldline to erase Personal Data related to a particular transaction before the expiration of ninety (90) calendar days as from the date of this transaction, those Personal Data will be erased once the period of ninety (90) calendar days as from the date of this transaction has expired. The reason why Worldline retains those Personal Data during the period of ninety (90) calendar days as from the date of the transaction is for invoicing reasons (invoicing of the transaction and track in case of dispute of the invoice). If you request Worldline to erase Personal Data related to a particular transaction after the expiration of ninety (90) calendar days as from the date of this transaction, those Personal Data will be erased immediately.
3D Secure authentication
Personal Data processed as part of 3D Secure authentication
The 3D Secure authentication data are the PAN (Primary Account Number) and the content of the PARes (Payer Authentication Response), being, the identification of the acquirer, the identification of the merchant, the reference of the transaction, the date of the transaction, the amount of the transaction and the currency of the transaction, as well as the electronic commerce indicator, the signature status and the signature value (those 3 last fields are indications regarding the fact that the 3D secure was used, and what is the result of the process).
In its quality of data processor, as default data retention period, Worldline will retain the 3D Secure authentication data for a period of five hundred and forty (540) calendar days as from the date of the transaction. You can opt to reduce this default data retention period of said 3D Secure authentication data via the settings in your Worldline account but, with regard to the 3D Secure authentication data, the minimum period will be hundred and eighty (180) calendar days as from the date of the transaction, as required by the Scheme Rules. You will be responsible for any period selected. After this period (the default or the reduced period), without prejudice to Worldline’s back-up and subject to any contrary statutory, regulatory or contractual retention obligations which must be observed by Worldline, the 3D Secure authentication data will be erased or anonymized.
Tokenisation services
Personal Data processed as part of Alias – tokenisation services
If you request Worldline to store some Personal Data such as the brand of the card, the card number, the name of the card holder as well as the expiry date of the card (hereinafter referred to as “Card Data”) and to provide you with an alias or a token for such Card Data (hereinafter referred to as an “Alias”) , then Worldline, in its quality of data processor, as default data retention period, will retain such Card Data and Alias for a period of sixty (60) months as from the date of the last usage of the Alias. You can opt to reduce the default data retention period of the Card Data and the Alias via the settings in your Worldline account. You will be responsible for any period selected.
At the end of the data retention period (the default or the reduced period) or if you request Worldline to erase a particular Alias, the Card Data and the Alias will be erased after a period of sixty (60) calendar days as from the expiration of the data retention period (the default or the reduced period) or as from the date of your request of erasure, subject to any contrary statutory, regulatory or contractual retention obligations which must be observed by Worldline. In some particular cases, only the Alias will be erased and the Card Data won’t be linked anymore to this Alias. The reason why Worldline retains those Card Data and Alias still for sixty (60) calendar days is for invoicing reasons (invoicing of the Alias and track in case of dispute of the invoice).