Privacy Policy

This Privacy Policy applies to the use of EPG’s Digital Services

Introduction

We, the team at EPG Financial Services Ltd, strongly value our own privacy, and are therefore committed to protecting your personal data (i.e. information that identifies you as a natural person) as though it were our own.

This Privacy Policy describes our practices relating to your personal data when using EPG’s digital services (hereinafter, referred to as our ‘Digital Services’). For all our Digital Services, the data controller — the company that’s responsible for your privacy — is EPG Financial Services Ltd (‘EPG’, ‘us’, ‘we’), a limited liability company incorporated under the Laws of Malta, with its address at Level 4, The Plaza Commercial Centre, Bisazza Street, Sliema, SLM1640, Malta. EPG is licensed and regulated by the Malta Financial Services Authority (‘MFSA’) as a financial institution licensed to issue electronic money under the 3rd Schedule to the Financial Institutions Act (Chapter 376 of the Laws of Malta) (the ‘Licence’).

If you have any questions about how we protect your privacy, get in touch here: [email protected].

One of your rights under Applicable Data Protection Law, particularly Regulation (EU) 2016/679 (otherwise known as the GDPR) and the Data Protection Act, Chapter 586 of the Laws of Malta, is that you must be informed when your personal data (also known as personal information) is processed (collected, used, stored) by any organisation. You also have the right to know the details and purpose of that processing.

We assure you that we will only use and disclose any personal data collected from you in accordance with the manner set out in this Notice.

Information we collect

Most of the personal information which we may collect about you during the course of your use of our Digital Services is given to us only if you choose to give it to us.

Such personal information may be requested from you when you fill in a field (e.g. to create your e-money wallet account, sign up for our newsletter or fill in any other form with your questions and comments or any other form or application downloaded through or from EPG’s Digital Services). If you send us emails, then the personal data we process will depend on what you send us in the email.

We normally process the following categories of personal information:

  1. External Data, primarily information that uniquely identifies you; including your Name & Surname; date of birth; age; email address; billing address, government issued identification document and picture; your mobile phone number;
  2. Internal Data, primarily information used to authenticate your use of our Digital Services; including your username, passwords;
  3. Social Data, primarily information about your educational or professional career; including your occupation;
  4. Financial Data, primarily information that identifies your financial account and transactions, including your Card primary account number; card expiry date; CVC details (card security code); account numbers; bank and/or issuer details;
  5. Tracking Data, primarily information about a device that you use when you use our Digital Services, such as your IP address.

Check out the next sections to understand how and why we use this information.

Some other information is given to us because you accessed our Digital Services (e.g. logs, recorded through cookies). This is explained in the Cookies Notice.

How & why we use your information

We use your information in a number of different ways; what we do with it depends on the information and the purpose for which we collected it.

For some of the uses of your personal data (as described below) there is a legal basis under applicable data protection laws for us to use such personal data without having obtained your consent.

This includes, for example, where it is necessary for us to use the information to perform a contract with you or take steps at your request prior to entering into a contract with you, such as to process your order, provide customer-care and support services to you.

It also includes circumstances (such as we have described below) where we have a legitimate interest to use your data, provided that proper care is taken in relation to your rights and interests.

The relevant legal bases are set out in Article 6(1) of the GDPR, and are being replicated hereunder for ease of reference:

  • You have given consent to the processing of your personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
  • The processing is necessary for compliance with a legal obligation to which the controller is subject;
  • The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • The processing is necessary for the purposes of the legitimate interests pursued by the controller.

We will hold on to your information for no longer than is necessary keeping in mind the purpose/s (or compatible purposes) for which we first collected the data. We may also keep hold of some of your information if it becomes necessary or required to meet legal or regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions.

As a guide:

  • we will keep your personal data while your account with us is active (if you have an account) or until such time as you ask us to stop communications with you, unless we need to keep the data for longer as specified below;
  • We may retain your personal data for a period of five (5) years, unless our supervisory authority or another authority requires us to retain the relevant records for a longer period of up to ten (10) years in order to comply with our obligations under the Prevention of Money Laundering and Terrorist Financing Regulations (S.L. 373.01).
  • We will also retain your personal data relating to your transaction history for a period of up to ten (10) years in order to comply with our obligations under the Companies Act (Chapter 386 of the Laws of Malta) and tax/VAT reporting obligations.
  • Finally, we may keep your personal data to defend or initiate a legal claim until the rights to be claimed by EPG are prescribed by law.
  • In an exceptional situation, we may store your personal data for the periods ordered by a court or other competent authority.

You may obtain more information as to the retention periods or the criteria used by us to determine the retention periods by contacting us here [email protected].

The tables below set this out in detail, showing what we do, and why we do it.

A. External & social data

| Purpose | Legal Basis (GDPR) |
| --- | --- |
| To provide you with our Digital Services | We’ve got to do this to perform our contract with you to your best satisfaction [Art. 6(1)(b)] & to comply with our obligations arising from law [Art. 6(1)(c)]. |
| Prevention and detection of fraud. | We need to do this to comply with our legal obligations [Art. 6(1)(c)]. |
| To provide customer service and support. | We need to do this in order to perform our contract with you to your full satisfaction [Art. 6(1)(b)]. |
| To send you service messages by text or e-mail | We’ve got to do this to perform our contract with you to your best satisfaction [Art. 6(1)(b)]. |

B. Financial data

| Purpose | Legal Basis (GDPR) |
| --- | --- |
| To provide you with our Digital Services | We’ve got to do this to perform our contract with you to your best satisfaction [Art. 6(1)(b)] & to comply with our obligations arising from law [Art. 6(1)(c)]. |
| Prevention and detection of fraud. | We need to do this to comply with our legal obligations [Art. 6(1)(c)]. |

C. Internal data & tracking data

| Purpose | Legal Basis (GDPR) |
| --- | --- |
| To provide you with our Digital Services | We’ve got to do this to perform our contract with you to your best satisfaction [Art. 6(1)(b)] & to comply with our obligations arising from law [Art. 6(1)(c)]. |
| To improve our website and set default options for you (such as language and currency) | We need to do this to provide you with the best possible customer experience [Art. 6(1)(f)]. |
| To protect our website | We’ve got to do this to comply with our obligations arising from law [Art. 6(1)(c)]. |
| To provide customer service and support. | We need to do this in order to perform our contract with you to your full satisfaction [Art. 6(1)(b)]. |
| To send you service messages by text or e-mail | We’ve got to do this to perform our contract with you to your best satisfaction [Art. 6(1)(b)]. |

We also anonymise and aggregate personal information (so that it does not identify you) and use it for purposes including testing our IT systems, research, data analysis, improving our website or other platforms used to deliver our current Digital Services, and developing new products and services. We also share this anonymised information with third parties – but don’t worry, they cannot identify you.

Sharing your information

We do not, and will not, sell any of your personal data to any third party – including your name, address, email address or credit card information. It is not our business to do so – and we want to earn your trust and confidence.

However, we share your data with the following categories of companies as an essential part of being able to provide our services to you, as set out in this statement:

  1. Companies within the EuroPayment Group to help us provide our Digital Services;
  2. Companies that are involved in the process of delivering our Digital Services to you, such as hosting providers, amongst others.
  3. Professional service providers, such as advertising partners and website hosts who service us in turn to operate our business.
  4. Banks and other organisations, where we provide Digital Services through such third parties.
  5. Credit reference agencies, law enforcement and fraud prevention agencies, so we can help tackle fraud.

In most circumstances we will not disclose personal data. However there may be occasions where we might have to – e.g. with a court order, to comply with legal requirements and satisfy a legal request, for the proper administration of justice, to protect your vital interests, to fulfil your requests, to safeguard the integrity of the relevant websites and platforms used to deliver the Digital Services, whether operated by us or by such related entities or subsidiaries, or in the event of a corporate sale, merger, reorganisation, dissolution or similar event involving us and/or our subsidiaries and related entities.

When we do share data – unless required by law (see above) – we do so only with your consent and to legal entities that provide the same or equivalent protection for the processing of personal data as is provided under this Privacy Notice, and based on an agreement with those other legal entities that the data is to be used solely for the purposes we originally intended – again, we don’t want you to have any surprises. In any case, the following applies: Whenever EPG engages third parties to process personal data on its behalf, it engages only legal entities that provide the same or equivalent protection for the processing of personal data as is provided under this Privacy Notice, and the relationship is governed by a data processing agreement in accordance with the rules set forth in the GDPR.

We may also provide third parties with aggregated but anonymised information and analytics about our customers and, before we do so, we will make sure that it does not identify you. Anonymous information means it is anonymous.

If we ever have to share data with entities that are outside of the EEA, we will be sure to do so in a manner that complies with the requirements established by this Privacy Policy and by the GDPR.

If we share personal data with third parties located inside or outside the EEA, we will do so in each case in accordance with this Privacy Notice and the corresponding requirements in the applicable guidance issued by Google and/or Apple regarding your privacy.

Your rights

You enjoy several rights relating to your personal information:

1. The right to be informed about how your personal information is being used;

We need to be clear with you about how we process your personal data. We do this through this Privacy Policy, which we will keep as up to date as possible.

2. The right to access the personal information we hold about you;

You can access the personal data we hold on you by contacting us on [email protected].

To process your request, we will ask you to send us proof of identity so that we can be sure we are releasing your personal data to the right person.

3. The right to request the correction of inaccurate personal information we hold about you;

We appreciate feedback from you to ensure our records are accurate and up-to-date.

If you think that the information we hold about you is inaccurate or incomplete please ask us to correct it by contacting us on [email protected].

4. The right to request that we delete your data;

You can ask us to delete your personal data; however, this is not an absolute right.

In spite of a request for erasure, we may be justified in keeping personal data which we need to keep, e.g. (i) to comply with a legal obligation (for instance, we are required to keep personal data for VAT reporting purposes); and (ii) in relation to the exercise or defence of any legal claims.

When you ask us to delete your personal data, we assume that you do not want to hear from us again. To ensure that we do not send you any special offers in the future (for example, if we purchased your details from a third party list), we will retain just enough of your personal data solely for suppression purposes.

Other than as described above, we will always comply with your request and do so promptly. We would carry out our best efforts to notify any third parties with whom we have shared your personal data about your request so that they could also comply.

5. The right to stop communications in the context of direct advertising.

You have the right to object to the use of your personal data, including when we use it for our legitimate interests or when we use your personal data to create a profile using automated processes.

6. The right to object to certain processing based on legitimate interest;

You have a right to object to our use of your personal information including where we use it for our legitimate interests or where we use your personal information to carry out profiling using automated means.

7. The right to request human intervention if automated processing without human intervention is used to make decisions having legal or similar effects on you;

Automated processing occurs when a decision concerning your personal data is made by automated means without any human involvement.

For example, your data may be subject to automated processing when we onboard you as our customer or otherwise when you ask us to be provided with the services.

When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision.

8. The right to withdraw consent for other consent-based processing at any time;

You can ask us to stop processing your personal data at any time. This is only applicable when the processing of your data is based on consent.

The withdrawal of your consent does not make unlawful the processing of your personal data made before the withdrawal, and does not imply the deletion of your personal data when other legal bases for processing are still in place.

For example, you can stop any marketing communication we send you, but we will continue to send you operational or service messages in relation to the services we continue providing to you.

9. The right to request that we transfer or port elements of your data either to you or another service provider;

You have the right to move, copy or transfer your personal data from one organisation to another. If you do wish to transfer your personal data we would be happy to help.

If you ask for a data transfer, we will give you a copy of your personal data in a structured, commonly used and machine-readable form (e.g. a CSV file format). We can provide the personal data to you directly or, if you request, to another organisation.

Please note that we are not required to adopt processing systems that are compatible with another organisation, so it may be that the recipient organisation cannot automatically use the personal data we provide.

When making a transfer request, it would be helpful if you can identify exactly what personal data you wish us to transfer.

10. The right to complain to your data protection regulator, which in Malta is the Information and Data Protection Commissioner (IDPC);

You can complain about our processing of your personal data by contacting the Information and Data Protection Commissioner (IDPC). Please see below for more information.

If you want to exercise your rights, have a complaint, or just have questions, please contact us on [email protected].

We will carry out our best efforts to process your request within one month or, if the request is particularly complex, two months. We can provide you with a copy of your personal data in electronic format or hard copy.

If we consider the frequency of your requests as being unreasonable, we may refuse to comply with your request. In those circumstances, if you disagree, you can complain to the data protection authority, which in Malta is the Information and Data Protection Commissioner.

Please appreciate that the rights must be exercised within some limitation – for example, if you ask us for information we can only give you what relates to you and not what relates to other persons. When we receive requests, we may also request that you identify yourself and provide documentation or information for verification (we would not want to disclose information to the wrong person). Unreasonable requests may be subjected to a reasonable fee or refusal to respond.

Cookies

What are cookies?

A cookie is a small text file (typically numbers and letters) that is downloaded onto ‘terminal equipment’ (e.g. your computer or smartphone) when you (or someone else) access a website using that device. Cookies are then sent back to the originating website on each subsequent visit, and they are useful because they allow a website to recognise a user’s device and store some information about your preferences or past actions.

Some cookies are needed for the sole purpose of carrying out the transmission of a communication over an electronic communications network – others may be necessary for the provision of a service over the internet, in which case they have to be used.

Other cookies may be desirable to improve your experience, in which case we will ask you for your consent to use them.

What cookies do we use?

We use only two (2) types of cookies:

Necessary. Those are the cookies which are necessary to provide you with the services that you have requested;

Functional. Those are the cookies that are used to recognise you and remember your preferences and settings when you return to our website. This allows us to improve your navigation experience. For instance, through functional cookies we will be able to establish your location in order to ensure that you access the homepage of our website in your preferred language.

You can configure your browser so that you are informed when a cookie is set, or so that it blocks the setting of cookies altogether. If you disable some cookies, please be aware that some of the features of our service may not function correctly.

How do you change your cookie settings?

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.

Other passive information which we collect

Apart from the information you provide us with when using our Website, other information is passively collected from you (without you actively furnishing such information) when you navigate through the website. We use various technologies and navigational data collection methods to gather such passive information for various reasons, for example to track how many visitors access our website, the date and time of their visit, the length of their stay and which pages they view. The passive information also aids us to determine which web browsers our visitors use and the address from which they accessed our website – for instance if they connect to our Website through clicking on one of our banner ads. This technology does not identify you personally.

Such passively collected information may be used and combined to improve our services to website visitors, customise the website based on your preferences, compile and analyse statistics and trends of our visitors and their use of the sites operated by us and our related entities or subsidiaries. Together with our related entities and subsidiaries we will use this information and share it with third parties to improve the content, functionality and administration of our websites, to better understand our customers and markets, and to improve our products and services.

We assure you that, unless you have consented, such passive information shall not be combined with personally identifiable information collected elsewhere by our website or respective sites operated by our related entities or subsidiaries.

In any case, we never transfer your personal data to advertising companies. You may withdraw your consent at any time by choosing the relevant options within your settings.

Changes to this cookies notice

Our Digital Services are continually under review: new functions and features are periodically added and the interface is improved, so changes may be required from time to time.

We therefore encourage you to check this document on a frequent basis.

Security of your personal data

Security of your personal data is very important to us.

EPG shall implement and maintain, at all times, appropriate organizational, operational, managerial, physical and technical measures to protect your personal data and any other data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access so that all processing is in compliance with Applicable Data Protection Laws and written instructions, especially where the processing involves the transmission of data over a network. These measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation.

Technical safeguards shall include all technical security controls defined or indicated by EPG, following the recommendations as laid out in ISO/IEC 27000 series (‘Information Security Management Systems (ISMS) standards’, or equivalent). Access to Personal Data shall be limited to authorised and properly trained personnel with a well-defined “need-to-know” basis, and who are bound by appropriate confidentiality obligations.

Where it’s appropriate, our website uses HTTPS to help keep information about you secure. However, no data transmission over the internet can be guaranteed to be totally secure.

You may complete a registration process when you sign up to use parts of the Digital Services. This may include the creation of a username, password and/or other identification information. Any such details should be kept confidential by you and should not be disclosed to or shared with anyone.

Where you do disclose any of these details, you are solely responsible for all activities undertaken where they are used.

Whenever you create a password, you should choose a strong one to protect your account, meaning it should be lengthy and include a mixture of letters and numbers, with a mix of capitals.

All necessary precautions are taken to prevent loss and alteration of any data, to prevent unauthorised access to EPG’s I.T. environment, to prevent introduction of viruses to EPG’s systems, and to prevent improper access to EPG’s I.T. environment and Confidential Information. We do our best to keep the information you disclose to us secure. However, we can’t guarantee or warrant the security of any information which you send to us.

Security measures which we have implemented to secure information transmitted over our website or over the platforms used to deliver our Digital Services or, otherwise, stored on our systems include the following:

  1. Use of secure network devices;
  2. Use of secure servers;
  3. Use of firewalls;
  4. Performance of ongoing vulnerability and penetration tests;
  5. Use of encryption;
  6. Restricted access at data centres only to authorised personnel;
  7. Physical access controls at data centres;
  8. Information access controls;
  9. Use of back-up systems.

Please understand, however, that no system is perfect or can guarantee that unauthorised access or theft will not occur.

Relevant supervisory authority

Given that EPG is operative in more than one European Union Member State, by virtue of the passporting of its Financial Institutions licence, EPG confirms that the place of its central administration in the European Union, and thus its main establishment, is located within Malta. To this effect, EPG recognises the Information and Data Protection Commission (http://idpc.gov.mt) in Malta, as the supervisory authority for the main establishment, to be the lead authority. This notwithstanding, EPG shall, in accordance with its obligations at law, cooperate with the other authorities concerned, including those of the location where the Data Subject resides, is substantially affected or where a complaint has been lodged.

Links to other websites

This Privacy Policy does not cover the links made available by us on our website, or, otherwise, on other platforms used to deliver the Digital Services, to other websites which are not controlled by us. We are not responsible for the collection or use of your personal information from these third-party websites.

Therefore, we encourage you to read the privacy statements on the other websites you visit.

Changes to how we protect your privacy

Our Digital Services are continually under review: new functions and features are periodically added and the interface is improved, so changes to our Privacy Policy may be required from time to time.

We therefore encourage you to check our Privacy Policy on a frequent basis.

How to contact us

We are always happy to hear from you, whether to make a suggestion or, especially, if you feel we can do better.

If you have any questions about this Privacy Policy, or if you wish to make a complaint about how we have handled your personal information, please contact us at:

EPG Financial Services Limited

Level 4, The Plaza Commercial Centre, Bisazza Street, Sliema, SLM1640, Malta

[email protected]

We have appointed a Data Protection Officer who may be contacted here:

[email protected].
