VIVA PAYMENT SERVICES SINGLE MEMBER S.A., hereinafter “VIVA” in the context of its international activities, considers as its top priority the safety and protection of your personal data, irrespectively from the capacity with which you communicate or cooperate with us, for example as potential or current customers, employees, suppliers, professionals, individuals, consumers or cooperating third parties.

Your personal data includes any information that may lead, directly or combined with other information, to your identification or tracing as a natural person. Personal data include, indicatively, details such as name and surname, tax identification number, social security number, natural/electronic addresses, phone/mobile phone numbers, credit/debit/prepaid card numbers, e-mails, transactions’ data, telephone and electronic communications data, payments data, identification details of equipment or terminal appliances, as POS, PC, smartphone, tablet, browser history (log files, cookies etc.), as well as any other piece of information that may allow your identification, in accordance with the provisions of the General Data Protection Regulation (GDPR 2016/679), the applicable laws per country of operation and the decisions of the relevant Data Protection Authority.

Please read carefully this Security and Data Protection Policy of VIVA. By using our services and by signing a relevant agreement, you unreservedly accept the practices described in this policy, which terms will govern our contractual relationship and form part of the terms of use of each of our services.

1. Object 

This Security and Personal Data Protection Policy aims to inform you on the terms of collection, processing and transfer of your personal data that we may collect as Data Controllers or Data Processors. VIVA and its trained personnel apply the Processing Principles of the GDPR 2016/679 (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability) in order to protect your Rights regarding the use of your Personal Data (information, access, rectification, erasure, restriction of processing, data portability, right to object and non-automated individual decision-making based on profiling, as specified in the legislation of each country of operation). The above apply without any distinction and to all processing activities performed and to all services provided by VIVA.

2. Forms of personal data collection

VIVA will always ask for your minimum, as stipulated by law, personal data, within the framework of our respective contractual relationship and cooperation. Such personal data may include, indicatively, name/user code, password, number, validity and expiration date of debit/credit/prepaid card, telephone number, e-mail, postal address for issuance or postage of invoice or receipt, details of your order, amount payable, payment account details as well as beneficiary details.

VIVA keeps your personal data only for as long as imposed by the contractual terms of each service, in combination with the applicable financial, banking, tax, telecommunication and other laws, based each time on the respective processing purpose, while afterwards it anonymizes or destroys them.

3. Cases of personal data collection

VIVA collects your personal data in the following cases:

• Upon the creation of your account, when you fill out an application-form in our website to buy a product and/or a service and to check your age to identify whether you may lawfully contract with us or the consent/signature of your parents/guardians is required.
• Upon using the payment initiation service, when you wish to make a payment directly from a payment account that you keep in a payment service provider.
• Upon your willful subscription to hard-copied or electronic lists so that you receive informative material or other marketing material in the form of prospectuses, electronically or by SMS or so that you renew your preferences or upon your participation in questionnaires and surveys.
• Upon your communication with our offices or the personnel of our customer care department by the recording of the content of your calls and each communication with our call center, with your comments and preferences for purchases, the products you have searched for or your comments.
• Upon your visit and browsing in our websites, where we collect with the appropriate means of data collection (e.g. cookies) information from your terminal device, such as the operating system that you use, the type and version of your browser etc.
• Upon the submission to us of documents, judicial documents, orders, reports, confiscation documents, judicial orders etc. by third parties such as supervisory, prosecution, judicial, tax authorities, banking organizations, card issuance organizations, payment institutions, credit card institutions, companies that provide information on your creditworthiness for your protection against fraud or money laundering or combat against financial and electronic crime.

4. Cookies policy

Our webpage uses small files, which are known as “cookies”, to be able to function better and to improve your experience. These files are stored on your device only if they are necessary for the website to function properly. For the rest cookies’ types, we obtain your consent through an appropriate mechanism.

To find out more about how cookies are used, please refer to our policy on cookies.

5. Processing principles 

We are committed to protecting your privacy and handling your data in a transparent manner, therefore, we process your personal data in accordance with the GDPR and each country’s data protection law for at least one of the following reasons:

I. For contract execution

We process personal data in order to complete your account registration, notifying you of pending steps regarding the account authentication process, your transactions and to offer our services based on our terms of service, but also in order to be able to complete the contracting process with prospective partners and customers.

The purpose of personal data processing depends on the requirements for each service and the contractual terms and conditions provide more details about the purposes involved.

II. To comply with a legal obligation

There are certain legal obligations arising from the relevant laws applicable to us as well as regulatory / legal requirements, e.g. the Law on Money Laundering, the Tax Legislation, the Law on Payment Companies. There are also several supervisory principles that we have to apply with, such as, each country’s Banking Supervisory Authority. Such obligations and requirements require from us to execute the necessary personal data processing activities for identity verification, compliance with court decisions / warrants, fraud reporting obligations and anti-money laundering controls.

III. In order to protect legal interests

We process personal data in order to safeguard the legitimate interests pursued by us or by third parties. There is a legitimate interest when we have a business or commercial reason for using your information. But, even under this perspective, this should not be opposed to what is right and better for you. Examples of such processing activities include the following:

i. Installation of surveillance systems (CCTVs) for the prevention of criminal activities and the protection of individuals and goods.

ii. Creation of legal claims and preparation of our defense during litigation.

iii. Measures and procedures we follow in order to ensure the security of our systems and to prevent possible criminal activity.

iv. Measures and procedures for the development of new services and expansion / management of our activities

v. Communication with you on new services we provide or on surveys, including customer satisfaction surveys with regard to the services we provide to you, in order for us to be in a position to ameliorate the services we provide you, based on your comments.

vi. Technical support.

vii. VIVA’s Risk Management.

viii. For fraud detection

IV. Based on your consent

Once you have explicitly given us your consent to process your personal data (except for the reasons stated above), the legality of such processing is based on that consent. You have the right to withdraw your consent at any time. However, any processing of personal data prior to receiving your recall will not be affected.

6. Transfer to Third Parties

When you use our website and you provide us with personal information, we do not transfer nor share your information, nor even among the group companies or third parties, but only to the extent it is necessary for the completion of your order and to fulfill requests associated with our services. Such third parties may include, indicatively, telecommunications providers, international payment services providers, international card schemes (e.g. debit, credit etc.), banking institutions etc.

We choose reliable providers and we try to set contractual restrictions to third parties who receive your personal data to ensure that they use them in accordance with this policy and the applicable in Europe (GDPR 2016/679) and globally laws regarding data protection. Except that, we cannot guarantee that they will not use or disclose such data without your consent. To that end, we advise you to carefully read the personal data protection practices of any third-party providers/suppliers, whose products you buy via our websites. In addition, such third parties may contact you, if necessary, to receive additional information about a potential service.

In order to process your data, we may need to transfer them in other countries, including countries that are basically inside and only exceptionally outside the European Economic Area (EEA) based on adequacy decisions by the EU, binding corporate rules, standardized contracts and approved codes of conduct.

In any case, we take the appropriate technical and organizational measures to ensure that your personal information is transferred, stored and processed in accordance with the appropriate security standards and with the provisions of this policy and the applicable data protection laws. 

Finally, we may transfer or reveal your personal data to official, national or foreign, state and supervisory bodies (e.g., Police, Banking Supervisory Authority, international tax authorities, etc.) when we are asked to comply with the law and to prevent any unlawful actions (e.g., fraud, money laundering etc.) to our customers or our customers’ detriment.

7. Personal data security

In VIVA, we have properly trained and responsible personnel and we recognize the importance of protecting your privacy and all your personal information. For this purpose, we have proper security policies in place and we use the appropriate technical and operational tools, as anonymization, pseudonymization, data encryption, use of firewalls, setting of access rights’ levels, authorized personnel, training of personnel, periodic audits, compliance with international ISO security and business continuity standards, PCI for data and payment cards protection etc.

Any partner of us who has access to the above information, uses them to exclusively serve the above purposes. We share the information you provide to us exclusively in the manners described in this Policy and in accordance with your explicit and special consent per type of processing, which you may at any time and freely withdraw upon communication with us.

8. Targeted advertising

We may use personal data of yours together with other information we have collected with the assistance of our commercial department’s personnel, to show advertisements related to your obvious preferences in our website or in third parties’ website.

However, we never automatically associate data of customers of different companies of the VIVA WALLET group and its contracting entities regarding your consumer profile and your preferences with other personal information (such as your e-mail address) in order to show advertisements or to send you personalized offers based on profiling. 

In addition, we do not share your personal details with third parties so that they are enabled to send you relevant advertisements.

If you wish us to stop sending you updates or offers, you may use the hyperlink for deregistration which is placed within the relevant e-mail you received from us.

9. Hyperlinks to websites of third parties

VIVA’s websites may contain hyperlinks that lead to other websites of third, independent parties, as indicatively, commercial businesses, organizations etc. which operate and are maintained exclusively by them, and which we do not control, as previously stated.

We carry no liability for the content, the actions or the policies of such websites. Please read carefully the corresponding personal data protection policies in the websites you visit, as they may have important differences from ours.

10. Non-requested commercial communication

We do not allow the use of our website or of our services for the purpose of transfer, distribution or delivery of any mass or unwanted commercial e-mails (spam). Moreover, we do not allow the exchange of messages from and to our customers which use or contain non-valid or falsified titles, non-valid or non-existing domain names, message sender encryption techniques, false or misleading information or which violate the terms of use of each website.

We do not allow in any way the collection of e-mails or of general information of our customers and subscribers, via our website or our services. We do not allow, and we do not authorize any attempt of use of our services in any way that could harm, deactivate, burden any part of our services or to hinder anyone who wishes to use our services.

If we detect a non-authorized or improper use of any of our services, we may, without warning and upon our absolute discretion, take all appropriate measures to block messages by a specific web domain, an e-mail server or an IP address. We are entitled to immediately erase any account that uses our services and which we deem, at our absolute discretion, it transmits or is connected with the transmission of any messages that violate this policy.

11. Your data protection rights

You have the following rights regarding the personal data we preserve about you: 

I. Access to your personal data. You have the right, for example, to receive a copy of the personal information we preserve about you and verify that we process it legally.

II. Rectification of your personal data. You have the right to rectify and/or complete inaccurate and/or incomplete data we preserve about you.

III. Erasure of your personal data [also known as “right to be forgotten”]. You have the right to ask for your personal data erasure when there is no longer any valid reason to continue processing it.

IV. Object to processing of your personal data when, even though we are based on a legitimate interest, you are in a particular situation that makes you object to processing of your data for this reason. If you submit an objection, we shall no longer process your personal data, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. Additionally, you have the right to object in cases where your personal data are processes in the framework of customer surveys or for direct marketing purposes. This also includes profiling to the extent that this is related to such direct marketing. If you object to your personal data processing for direct marketing, then we shall no longer process your personal data for such purposes.

V. Restriction of processing of your personal data. You have the right to ask from us restriction of processing, i.e., to use such data only for specific purposes, if:

i. are not accurate;

ii. processing is unlawful and you oppose the erasure of your personal data;

iii. we do not need your personal data any more, but they are required by you for the establishment, exercise or defense of legal claims;

iv. you have objected to processing, pending the verification whether our legitimate grounds override those of yours.

VI. Receive the personal data concerning you in a structured, commonly used and machine-readable format, in order to transmit these data to another organization. Also, you have the right to have your personal data transmitted directly from one controller to another that you will indicate to us [also known as right to “data portability”].

VII. Withdrawal of your consent to the processing of your personal data at any time. Please, note that, any revocation of your consent, does not affect the legality of the consent-based processing before it is withdrawn or revoked by you.

In order to exercise any of your rights or if you have any other questions regarding how we use your personal data, you may contact us by email at dpo@vivawallet.com or by regular mail at 18-20, Amaroussiou – Chalandriou street, 15125, Maroussi, Attica, Greece.

12. Right to lodge a complaint to each country’s Data Protection Authority

If you have exercised any or all of your personal data protection rights and you still feel that your concerns, about how we use your personal data, have not been adequately addressed, you have the right to lodge a complaint to each country’s Data Protection Authority.

13. Validity of Personal Data Protection Policy

This Policy was published by VIVA on 25/05/2018 and is subject to periodic improvement and review.

Any amendments to this Policy will apply on the collected information from the date on which the amended version will be published and on the existing information we keep. By using of the website after the publication of the amendments, you automatically accept such amendments.