Privacy notice - Exthand’s account information services and payment initiation services
General
Version 1, active July 1st 2021
This privacy notice describes how Exthand srl (“Exthand”, “we”, “our”, “us”) processes your personal data in connection with Exthand’s provision of account information services, payment initiation services and other related services (jointly “Exthand Services”).
Exthand Services are provided to you via any of our partners (“Partners”) in connection with the respective Partner providing its own services (“Partner Services”) to you. Information below describes how Exthand processes your personal data. Each Partner processes your personal data as a data controller and is responsible for its own data processing.
For more information on how a Partner processes your personal data, please consult the Partner in question directly.
Exthand is the data controller
Exthand is the data controller in relation to the processing of your personal data when providing the Exthand Services to you.
You can contact us as follows:
How do we collect your data?
Our initial collection of your personal data is done through a Partner Service where we obtain the information required for us to provide Exthand Services to you. The data refers to basic identity information (such as name, email, mobile phone). If the Exthand Service we shall provide to you is a payment initiation service, we may also (through the Partner Service) get access to some of the data needed to be able to provide the payment initiation service (for example the payee’s account number and the amount).
We also collect some information directly from you. This includes information from you that is needed for communication with the respective bank or other financial services provider, and such identity and address information that we need for the performance of the Exthand Services. We may also collect other information directly from you that is required for us to fulfil our legal obligations (for example anti-money laundering rules).
From your bank
The provision of the Exthand Services requires us to collect information from your bank regarding bank accounts, account transactions and other financial information. Please note that we do not collect this type of information without your explicit consent.
From providers of identification solutions etc.
Finally, we may collect and verify basic identity information from suppliers of digital signature solutions (for example BankID) or similar. We may also collect information necessary for us to fulfil our legal obligations (such as anti-money laundering rules) from external parties.
Which data does Exthand process about you and why?
When providing Exthand Services, Exthand processes your personal data to fulfil our obligations stipulated in the agreement we have entered into with you, for the provision of Exthand Services, to be able to give you the service that you expect and, where applicable, to fulfil our legal obligations or to protect our legal interests and develop Exthand Services on the basis of our legitimate interest. We do not store your personal data longer than is necessary to fulfil this purpose.
The personal data that we process varies depending on which Exthand Service we provide to you. Below you will find a summary description of what data we process within the respective Exthand Service.
Account information service
When we provide you with an account information service, both as a one-off request and when provided under a framework agreement between you and Exthand, we process data about you such as name, contact information, account information such as account number and account history, information about credits, information about purchases (amount, time, type of transaction and in some cases type of goods and/or place of purchase), other financial information derived from your accounts, data about your geographic location, and IP address. We also process data needed for communication with the respective bank.
Payment initiation service
When you use our payment initiation service, we process data about you such as name, contact information, account information such as account number, information about your invoices to be paid or similar, information about the payee of the transaction you intend to initiate with our payment initiation service, data about your geographical location, and IP address. We also process data needed for communication with the respective bank.
Obligations pursuant to anti-money laundering rules etc.
Some of the data is also processed for the purpose of fulfilling our legal obligations, for example to comply with anti-money laundering rules. To comply with such obligations, we may process data to determine if you should be deemed as a Politically Exposed Person (so called PEP) and also data needed to perform screening against sanction lists.
How we process your data and the legal basis for processing
Exthand processes your personal data to provide Exthand Services to you, which is done with the agreement between you and us as legal basis. This concerns all data we process about you except for the data we process to fulfil our obligations under applicable anti-money laundering rules. We also process your data to develop and customize the Exthand Services and its functionalities. The data may also form the basis for product- and customer analysis, statistics and business- and method development.
Furthermore, data may be processed for the purpose of ensuring that we have performed the Exthand Services correctly.
Processing of these categories of data is done with our legitimate interest as legal basis.
Finally, your data may also be processed in the context of our legal obligations to comply with applicable anti-money laundering rules or for preventing fraud and to enhance security. These obligations are the legal basis for this processing.
For how long do we store your data?
The data we collect for the provision of Exthand Services is kept as long as needed for the purposes for which the data was collected. The data is thereafter deleted or anonymized.
Many types of data are in general deleted within one year from when we have fulfilled our obligations in relation to the respective Exthand Service. However, some data may be kept longer than that, for example the data that is required for a legal process or data that we under applicable anti-money laundering rules must retain for 5 years.
Identity data is retained up to one year after the agreement related to the provision of Exthand Services has been terminated. In cases where, due to other circumstances, we need to store the data longer than that, for example the data that is required for a legal process or data that we must retain under applicable anti-money laundering rules for 5 years, the identity data can be stored for a corresponding period of time.
After we have provided an account information service to you, the retrieved data is made accessible to the designated Partner. After we have made the data accessible to the Partner, the data is used by us to verify that we performed the service correctly and to conduct analysis. We retain the data up to one year after the date the service was performed.
Payment initiation service
When we provide a payment initiation service to you, we perform the service, and thereafter the data is made accessible to the designated Partner. After we have made the data accessible to the Partner, the data is used by us to verify that we performed the service correctly, to fulfill our legal obligations pursuant to applicable anti-money laundering rules and also to conduct analysis. For these purposes we retain the information up to five years after the date the service was performed.
Legal disputes etc.
In some cases, for example if the data is relevant in a legal dispute, we may have a need for retaining the data for longer than one year to be able to defend or assert our legal interests.
With whom do we share your data?
Your personal data is primarily shared with the Partner or Partners whose Partner Service(s) you utilize and whom you have instructed us to make the data accessible to. The data is made accessible when we provide the service to you and in connection to your request regarding the provision of the service. The data we disclose to Partners only refers to such data that is necessary to provide the Exthand Service you have requested.
Your data may also be shared with your bank when you request that we provide an Exthand Service. The login details you have shared with us are only disclosed to your bank and only when the respective Service is performed. Finally, your data may be disclosed to law enforcement authorities within the scope of our obligations under applicable anti-money laundering rules. We also use software and data storage providers that may process your data. However, these providers are only allowed to process data on our behalf and in accordance with our instructions, and the data may not be disclosed to anyone other than Exthand.
Where do we process your data?
We always process your personal data within the EU/EEA, mainly in France. However, in some situations such as when we share your data with for example an IT provider with operations outside the EU/EEA, your personal data may be processed outside the EU/EEA. If and when your data is processed outside the EU/EEA, we ensure that there is an adequate level of protection and that appropriate safeguards are taken (for example, by using the EU Commission’s standard contractual clauses).
Your rights as a data subject
As a data subject, you have certain rights in relation to the processing of your personal data. If you would like to exercise any of them, please contact us at firstname.lastname@example.org.
• Right of access: You have the right to access information about what personal data we process about you, including the purpose of and legal basis for the processing.
• Right to rectification: If you believe that we are processing inaccurate personal data about you, you can ask us to correct it.
• Right to restrict processing: You can request that we restrict the processing of your personal data. As an example, this can be relevant if we have incorrect data about you and you do not want the processing to continue until we have corrected the data.
• Right to erasure / right to be forgotten: You can request that we delete your personal data. Although we will comply with such a request to the extent required by applicable law, please note that we, despite your request, may continue to process certain data (such as data that we need to retain in order to protect our legal interests or that we are required to retain pursuant to legal obligations).
• Right to object: In connection with the processing of personal data based on our legitimate interest, you have the right to object to the processing of your personal data. If your privacy interests outweigh our interests in processing certain data, we will stop processing such data.
• Right to data portability: You may have the right to access personal data that you have provided to us, where we will provide your data in a structured, generally accepted and machine-readable format, and you may also have a right to transfer the personal data to another data controller.
Want to know more?
If you have any inquiries regarding our processing of your personal data, do not hesitate to contact us via email@example.com.
If you are displeased with us
If you are dissatisfied with how we process your personal data, please contact our data protection officer at firstname.lastname@example.org. You may also contact the Belgian Data Protection Authority: https://www.dataprotectionauthority.be/
This information regarding processing of personal data is valid from 2021-08-01 until further notice.