EURONET WORLDWIDE, INC. (“EURONET”, “Company” or “we”), parent company of INNOVATAXFREE GROUP, S.L., is a world leader in electronic payment services and transaction processing solutions and operates in approximately 160 countries. In providing our services, we store and transmit a large amount of personal data. We understand that protecting the rights and privacy of each and every individual whose personal data we handle is fundamental to trust in our business relationships. We have, therefore, committed to ensuring a high level of data protection and data security across our business. This commitment includes information relating to our customers, suppliers, vendors, money transfer agents, merchants and members of our staff.
Failure to comply with this policy may subject EURONET, its employees and staff to civil and/or criminal liability. Employees or any other members of staff who fail to comply with this policy will be subject to disciplinary action up to and including termination of employment.
The effectiveness of this policy depends largely on employees and all other members of staff. If you feel that you or someone else may have violated this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor, or do not believe the supervisor has dealt with the matter properly, you should contact the European Data Protection Officer if you are based in Europe or the Group Privacy Officer or legal department if based outside Europe.
“Personal data” means any information relating to a natural person (known as a “data subject”) who can be identified from that information (either directly or indirectly when combined with other information in the Company’s possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behavior. Personal data includes sensitive personal data.
PRINCIPLES FOR PROCESSING PERSONAL DATA
Personal data held must be:
- Processed fairly and lawfully and in a transparent manner;
- Obtained and processed only for specified, explicit and legitimate purposes and not in a way that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary for the purpose it is processed;
- Accurate and, where necessary, kept up to date;
- Kept no longer than is necessary for the purpose it is processed;
- Processed in a manner that ensures appropriate security, using all appropriate technical or organizational measures;
- Processed in line with data subjects’ rights; and
- For personal data of Data Subjects based in Europe, not transferred to a country outside the European Economic Area (“EEA”) unless there is an adequate level of data protection in that country or unless the transfer of personal data is covered by another legal means for transferring such personal data.
PURPOSES FOR WHICH PERSONAL DATA MAY BE PROCESSED
Personal data will be processed in accordance with applicable laws where the data subject has given his/her consent for one or more specific purposes, or where the processing of personal data is necessary for:
- The performance of a contract to which the data subject is a party;
- Compliance with a legal obligation;
- The protection of the vital interests of the data subject or another natural person;
- One or more specific purpose(s) in the legitimate business interests of the Company; or
- Any other legal basis under applicable laws.
With regard to the processing of personal data relating to the Company’s employees or other members of staff, we process such personal data based on the legitimate interests of the Company, which include, but are not limited to:
- Recruitment, pre-employment screening, promotion, training, redeployment and/or career development;
- Administration and payment of wages;
- Calculation of certain benefits including pensions;
- Disciplinary or performance management purposes;
- Performance review;
- Monitoring of employees;
- Providing security at company locations;
- Recording of communication with you and your representatives;
- Compliance with legislation;
- Provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future potential employers;
- Staffing levels and career planning; and
- In order to protect our rights, property or safety of our employees, customers or others.
The Company considers that the following personal data falls within the purposes set out above:
- Personal details including name, address, age, status and qualifications. Where specific monitoring systems are in place, ethnic origin and nationality will also be deemed as relevant;
- References and CVs;
- Emergency contact details;
- Notes on discussions between management and you;
- Appraisals and documents relating to grievance, discipline, promotion, demotion or termination of employment;
- Training records;
- Salary, benefits and bank/building society details; and
- Absence and sickness information.
Employees or potential employees, and other staff members, will be advised by the Company of the personal data which has been obtained or retained, its source, and the purposes for which the personal data may be used or to whom it will be disclosed.
The Company will regularly review the nature of the information being collected and held as required by applicable law to ensure there is a sound business reason for requiring the information to be retained.
SENSITIVE PERSONAL DATA
The Company may obtain and process sensitive personal data of employees in connection with your employment to meet applicable legal obligations. Sensitive personal data (or “special categories of personal data”) includes information relating to the following matters:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Physical or mental health or condition;
- Sex life or sexual orientation; or
- Commission or alleged commission of any offence.
To hold sensitive personal data, the Company must satisfy an additional sensitive data condition. The processing of such special categories of personal data is necessary to enable the Company to meet its legal obligations (e.g. to ensure health and safety or avoid unlawful discrimination).
RESPONSIBILITY FOR THE PROCESSING OF PERSONAL DATA
The Company has appointed a Data Protection Officer in Europe and other Data Protection compliance resources globally that are responsible for ensuring all personal data is controlled in
Employees, or other members of staff, who have access to personal data must comply with this Policy and adhere to the procedures laid down by the Company. Failure to comply with the Policy and procedures may result in disciplinary action up to and including summary dismissal.
USE OF PERSONAL DATA
- Personal data must only be processed for one or more of the purposes specified in this Policy or as permissible under applicable laws;
- Company documents may only be used in accordance with the statement within each document stating its intended use; and
- Provided that the identification of individual data subjects is not disclosed, aggregate or statistical information may be used to respond to any legitimate internal or external requests for data (e.g. surveys, staffing level figures).
DISCLOSURE OF PERSONAL DATA
Personal data may only be disclosed outside the Company to third parties:
- In the event that the Company sells or buys any business or assets, in which case the Company may disclose personal data to the prospective seller or buyer of such business or assets;
- If the Company or substantially all of its assets are acquired by a third party, in which case personal data will be one of the transferred assets;
- With the data subject’s written consent;
- Where disclosure is required by law;
- Where there is immediate danger to the data subject’s health; or
- On the basis of a specific purpose in the legitimate business interests of the Company as set out in this policy or as otherwise notified to the data subject.
TRANSFER OF PERSONAL DATA
If personal data is transferred from a Group company with its registered office in the EEA to a third party outside of the EEA, one of the following conditions must apply:
- The country to which the personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms;
- The Company and the recipient have provided appropriate safeguards to ensure that the personal data is protected and that effective legal remedies are available, i.e. standard data protection clauses adopted by the European Commission or other relevant authority;
- The data subject has given his/her explicit consent;
- The transfer is necessary for the performance of a contract between the data subject and the Company; or
- The transfer is otherwise permitted under the GDPR.
ACCURACY OF PERSONAL DATA
The Company will review personal data regularly to ensure that it is accurate, relevant and, where necessary, up to date.
In order to ensure the Company’s files are accurate and up to date, and so that the Company is able to contact the employee or, in the case of an emergency, another designated person, employees must notify the Company as soon as possible of any change in their personal details (e.g. change of name, address, telephone, loss of driving licence where relevant, next of kin details, etc.).
The Company will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. The Company will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required in line with the “Document & Data Retention Policy”.
EUROPEAN DATA SUBJECT RIGHTS
Under the GDPR, in certain circumstances data subjects, including employees and other staff members of the Company based in Europe, have the right to:
- Request access to any data held about him/her (“Subject Access Request”);
- Ask to have inaccurate data amended;
- Request personal data held about him/her be deleted provided the data is not required by the Company to perform a contract or defend a legal claim;
- Prevent or restrict processing of personal data which is no longer required or if the accuracy of the data is contested and the data subject opposes erasure;
- Request transfer of appropriate personal data to a third party where this is technically feasible; and
- Object to automated decision making that could affect a data subject’s rights.
In addition, where the data subject believes that the Company has not complied with its obligations under this policy or the GDPR, he/she has the right to make a complaint to the relevant supervisory authority.
If you are based in Europe and would like to exercise one or more of your data subject rights listed above, please contact the Data Protection Officer by e-mail at firstname.lastname@example.org, or by post at: Data Protection Officer, Edificio Amura, Calle Cantabria 2, Alcobendas, 28108 Madrid, Spain.
If any employee or other staff member receives a request to exercise one or more of the above data subject rights from any data subject (including Company employees, staff members, clients, suppliers or their employees or staff members), the request must be handled in accordance with the “Data Subject Request Policy”.
The Company aims to respond to Subject Access Requests without undue delay and in any event within one month of the receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. The Company may charge a reasonable fee or refuse to act on request(s), where the request(s) are manifestly unfounded, frivolous, vexatious, excessive, jeopardize the privacy of others, or for which access is not otherwise required by local law.
The Company will process all personal data it holds in accordance with our “Information Security Policy”.
The Company will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
The Company will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who have an authorized business need to use the data can access it.
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorized users should be able to access the data if they need it for authorized purposes.
Any personal data breach or accidental loss must be immediately reported to the local head of IT and designated security officer. Any such incident will be dealt with by the Company in line with our “Global Incident Response Plan”.
CHANGES TO THIS POLICY
The Company reserves the right to change this policy at any time.
Where appropriate, the Company will notify data subjects of those changes by mail or email.