Privacy Notice
Last updated: August 2024
1. WHO ARE WE?
PagoNxt Payments Services is a modern and scalable platform for end-to-end payments and messaging solutions (hereinafter we or PagoNxt). Our clients are companies and financial institutions (legal entities, hereinafter the Client or the Clients).
2. WHAT IS THE OBJECTIVE OF THIS POLICY?
The purpose of this privacy policy is to explain in a transparent, clear and simple way how we collect, process and protect your personal information and to ensure that PagoNxt does not trade in personal information and that it allows data subjects to handle it in accordance with applicable regulations.
3. TO WHOM IS THIS POLICY ADDRESSED?
This policy is aimed at data subjects who are the holders of the personal information that PagoNxt processes. Specifically, we distinguish the following types of data subjects to which we will refer throughout this document:
1. Users: These are the data subjects who browse our website.
2. Applicants: data subjects who request information through one of our contact channels.
3. Representatives: data subjects representing one of the companies or institutions that are customers of PagoNxt or are in the process of becoming so. This group includes the following:Legal representatives or representatives.Contact persons.Authorized persons. This being understood to mean those persons authorized by our clients to access the different portals that PagoNxt makes available to them such as the Developer Portal, the Quantum Portal, the Incident Portal or any others.
4. Developers: Developer Portal users.
5. Candidates: data subjects who have applied for one of PagoNxt’s job offers. The information regarding the processing of their data is collected at the end of this notice (here).
AT A GLANCE: BASIC INFORMATION
To facilitate understanding, we include the most relevant information in the table below. You can find more detailed information in the following heading and contact our Data Protection Officer (DPD) for any clarification or additional queries by writing to [email protected] or through any of our channels.
WHO IS RESPONSIBLE FOR THE PROCESSING OF YOUR DATA? |
PagoNxt Payments Services S.L.
N.I.F.: B-87959326
Address: Avenida de Cantabria 5 – Edifico Alhambra Pl 1, CP 28660, Boadilla del Monte (Madrid)
Contact DPO: [email protected]
|
HOW DO WE USE YOUR DATA? |
We process your data to; i) be able to contact you or your company if you have asked us for information, ii) to maintain commercial and legal relations with the company you represent and provide the contracted services, iii) to comply with our legal obligations, to send commercial communications to your company, iv) if you are a developer to allow you to use our APIS, v) to send you commercial communications if you have consent and vi) in the case of users of our website to, provided they have accepted its use, insert cookies with various functions. |
WHAT LEGAL BASIS DO WE USE TO PROCESS YOUR DATA? |
It depends on the processing, but the main legal bases are legitimate interest, compliance with legal obligations and consent.
|
WITH WHOM DO WE SHARE YOUR DATA? |
We can share your data with:
- Authorities and courts in the legally provided cases.
- With third parties that provide services to us, that act on our instructions and with whom we have signed a data processor agreement in accordance with the provisions of Article 28 of the GDPR.
|
WHERE DO WE GET YOUR DATA FROM? |
The data we process may have been collected directly from you, may have been given to us by a third party or confirmed by the company for which you are proxy, contact, they may be included in the information given to us by one of the companies of the Santander Group or PagoNxt of which your company is already a customer and whose communication has authorized.
|
WHAT ARE YOUR RIGHTS? |
You can always write to us at [email protected] or use any of our channels available on the private portal to exercise your rights of:
- Access: Or what is the same, let us tell you what data we have about you and provide you with a copy of it.
- Rectification: That we correct the information we hold about you if it is incorrect.
- Cancellation or deletion: That we delete your data when it is no longer necessary or when we are processing it because you have given us your consent.
- Objection: When the processing of your data is based on a legitimate interest.
- Limitation of processing: For example, when you have challenged the accuracy of themselves
- Portability: Requesting that we communicate your data to a third party in a structured, commonly used and machine-readable format, wherever possible, or to yourself.
- Right not to be subject to automated decisions.
You can also file a claim with the AEPD at www.aepd.es
|
ADDITIONAL INFORMATION |
You can find more detailed information in the second layer.
|
DETAILED INFORMATION ABOUT PRIVACY (SECOND LAYER)
1. DO I HAVE TO SHARE MY DATA?Yes. PagoNxt requests data from you directly, for example, when you contact us to request information or when we request data from your company, such as proxies or contact persons authorized to use different portals. Providing this data is necessary for the purposes for which it is requested and therefore mandatory.2. WHY DO WE PROCESS YOUR DATA? WHAT LEGAL BASIS DO WE USE? WHAT DATA ARE THEY AND WHERE DO THEY COME FROM?
DATA SUBJECT |
WHAT DATA DO WE PROCESS ABOUT YOU AND WHAT IS ITS ORIGIN? |
WHAT DO WE PROCESS YOUR DATA FOR? |
WHAT IS THE LEGAL BASIS OF THE PROCESSING? |
User |
We treat the information we receive through the use of cookies if you have accepted them. This information may include your IP or unique identifiers that, although they do not allow us to uniquely identify you without additional information, are considered personal data and originate from your navigation on our websites. More information can be found in our cookies policy.
|
Depending on the type of cookies you have accepted, we will use them to improve our website by analyzing your usage or personalizing it. More information can be found in our cookies policy.
|
Consent
|
Applicant |
Depending on the means you use to contact us, we may process:
- Name and surname
- Email
- Telephone
- Position in your company
The data is obtained directly from you.
|
We process the data to meet your request and to inform you about our products or services.
|
Legitimate interest in responding to your proactive and express request for information. This is expected by you and does not infringe on your rights.
|
Representative (includes proxies, contact persons, and authorized persons) |
The data that we may process includes those listed below and may have been communicated by you directly, if, for example, you signed your company’s contract with us or registered with the Developer Portal, or by your company (when you provide us with a list of authorized persons).
- Name and surname
- Professional location data (address, email, mobile, and post)
- NIF
- Any other information included in the documentation provided for client registration
- Access credentials
- IP, time, and location of the device from which the services are accessed
- Voice in case of telephone recordings (in these cases, you will be previously informed of the recording)
|
1) Register our Client and maintain the contractual and commercial relationship with it.
2) Send communications regarding the contracted services.
3) Send commercial communications (directed to your company) about products similar to those already contracted.
4) Prevent and control the use of PagoNxt for illegal or unauthorized purposes.
5) Send commercial communications of our own or of third parties for which we have requested consent.
6) Send satisfaction surveys about the service.
7) Use voice recordings to evaluate service quality and as proof of instructions received or service provided, if necessary.
|
1) Legitimate interest of both our Client and PagoNxt in maintaining a contractual and commercial relationship.
2) Legitimate interest.
3) Legitimate interest in informing our client about products similar to those contracted.
4) Legitimate interest in ensuring that PagoNxt is not used for illicit purposes and managing any illegal conduct.
5) Consent.
6) Legitimate interest in knowing the degree of customer satisfaction and seeking improvements.
7) Legitimate interest in improving service quality and exercising our rights.
|
Developers |
The data we process may have been given to us by you or the company for which you work. The types of data are:
- Name and surname
- Professional location data (address, email, mobile and post).
|
Register you and your company on the website and allow you, depending on the case, to use the APIS made available by PagoNxt in sandbox, pre or live and request support.
|
Legitimate interest in maintaining a contractual or commercial relationship with the company for which you work and with which either PagoNxt has a contract for the provision of services or a commercial relationship of another type.
|
Any data subject |
The data we process may have been given to us by you or the company for which you work. The data is processed is your email.
|
Send you commercial communications.
|
Consent
|
3. WITH WHOM CAN WE SHARE YOUR DATA?
TYPE OF INTERESTED |
WITH WHOM CAN IT BE SHARED? |
WHY CAN DATA BE SHARED? |
ON WHAT LEGAL BASIS?
|
Any interested party (users, applicants, representatives) |
1.With third parties (data processors):
PagoNxt uses third parties in the framework of its activity. Some of these third parties may access the personal information processed by PagoNxt but will always do so under a data processing agreement and under the instructions of PagoNxt. These third parties may belong to sectors such as cloud services, technology, communications, etc.
2.With the following:
- Public administrations
- Courts and courts
- State Security Forces and Corps
|
1.To provide services to PagoNxt.
2.To respond to the specific requests of the same always complying with the applicable regulations or to exercise our rights.
|
1.This communication is always supported by a processing order that will comply with the requirements of art. 28 of the General Data Protection Regulation, treating the data in charge of the processing on behalf and following the instructions of PagoNxt.
2. Compliance with legal obligations and legitimate interest in exercising our rights.
|
4. INTERNATIONAL DATA TRANSFERS
No international transfers are carried out outside the European Economic Area, except in the case of the incident portal that is located whose services are provided by a processor besieged in the United States that is certified under the Data Privacy Framework which provides it with adequate guarantees.
5. HOW LONG WILL WE KEEP PERSONAL INFORMATION?
INTERESTED |
CONSERVATION PERIOD |
User |
We treat the information we collect through the use of Cookies for the periods indicated in the cookie policy that you can review here
|
Applicant |
For the period necessary to respond to the inquiry or request for information. After that period, the data will be blocked for a period of 3 years and will be deleted. The 3 years are the maximum limitation period for actions in matters of data protection collected by the LOPDyGDD (Organic Law 3/2018).
|
Representative |
For the entire duration of the contractual relationship plus 5 years as a general rule, unless there are longer applicable limitation periods, in which the data will be kept blocked.
In cases where data is processed in order to comply with legal obligations, these will be kept for the period indicated therein.
|
6. What are my rights and how to exercise them?
You have the following rights:
· Access: in other words, we tell you what information we have about you.
· Rectification: we correct the information we hold about you if it is incorrect.
· Cancellation or deletion: we delete your data when they are no longer needed or when we are processing them because you have given us your consent.
· Opposition: when the processing of your data is based on a legitimate interest.
· Limitation of processing: for example, where you have challenged the accuracy of the data themselves.
· Portability: by requesting that we communicate your data to a third party in a structured, commonly used, machine-readable format, where possible, or to you.
· The right not to be subject to automated decisions: that we do not base a decision that has legal effect on you or significantly affects you on automated processing, with some exceptions.
You can also file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
7. HOW CAN I EXERCISE YOUR RIGHTS?
You can exercise your rights through your private portal, by writing an email to [email protected] or by contacting us through any of our channels, indicating that this is a request to exercise your rights of GDPR. Remember if we need to confirm your identity we may ask you for some kind of documentation about it.
8. WHAT SECURITY MEASURES DO WE APPLY?
At PagoNxt we are committed to security, and we apply technical and organizational measures aimed at guaranteeing the integrity, unavailability and confidentiality of your data.For example, all persons who can access personal information are subject to a contractual obligation of confidentiality, we use Data Lost Prevention (DLP) measures, encryption of information in transit and at rest, access control, establishment of secure passwords, etc.
9. OTHER IMPORTANT INFORMATION 9.1 ON THE COMMUNICATION OF PERSONAL INFORMATION OF A THIRD PARTY
As we have already explained in some cases the personal information, we collect is not received directly from you as a data subject, but rather from another person, that represents or provides services for our Client is the one that communicates to us that information or it is information that we access in the framework of the provision of our services.
If you are that person, you declare that you have sufficient authorization both to act on behalf of our Client and to communicate such personal information that, in addition, you guarantee that it is true, accurate, complete and up to date. In addition, on behalf of the Client you will inform the interested party of the communication and indicate that you can review this document on our website or, if applicable, show a physical copy of this document.
9.2. ABOUT CHANGES TO THIS POLICY AND INQUIRIES
If it is necessary for us to change the content of this privacy policy we will inform you of the relevant aspects indicating the date from which they will be applicable. We will also publish it on our website.
10. PRIVACY NOTICE CANDIDATES
10.1. Purpose of the processing and legal basis
|
3) Management of the selection process |
Purpose |
- We will process your personal data to evaluate your suitability for the job you have requested and to manage the selection process.
- Linked to this processing and in the event that you turn out to be the candidat@ selected, we may carry out a series of pre-hiring checks that may include:
- We request information related to your working life issued by official bodies in order to carry out the necessary checks before hiring.
- We carry out an analysis to verify the reliability, integrity and honesty of the canditat@ and to be able to comply with the legal requirements that may apply to us and with the internal policies of the PagoNxt Group.
|
Lawfulness |
- The legal basis for this processing is the execution of the contract or the application of pre-contractual measures.
- If we ask you for the working life issued by official bodies, the processing will be based on our legitimate interest in verifying the truthfulness and experience that you reflect in your request.
- The legal basis for integrity analysis, reliability and honesty of the candidat@ will be the legitimate interest of PagoNxt that is specified in that PagoNxt for the type of activity it carries out and for the fact of being part of a financial group must guarantee that the people who occupy certain positions and perform certain functions are the ones suitable considering the risks associated with these functions, this being expected by the candidates, without imbalancing their rights.
|
Types of data processed |
- Contact and identification data (name, surname, address, telephone numbers); date of birth, gender, work and educational history, and any other information contained in your CV.
- Data derived from participation in tests during the selection process (group dynamics, interviews, language tests, etc.).
- The legal basis for integrity analysis, reliability and honesty of the candidat@ will be the legitimate interest of PagoNxt that is specified in that PagoNxt for the type of activity it carries out and for the fact of being part of a financial group must guarantee that the people who occupy certain positions and perform certain functions are the ones suitable considering the risks associated with these functions, this being expected by the candidates, without imbalancing their rights.
- Working life.
- Data publicly communicated by you in your social media profiles.
|
|
3 (b) Resolution and management of consultations |
Purpose |
- Answer the queries you can make during the selection process and after it.
|
Lawfulness |
- Our legitimate interest in answering any questions that may arise during the selection process or subsequently.
|
Types of data processed |
- Identification and contact data (name, surname, email, telephone).
- Any data that may be included in the consultation.
|
|
3 (c) Candidate Examination |
Purpose |
- For the purpose of confirming the suitability of the job seeker, the data of the candidate selected for checking that do not appear on the official sanctions lists (in particular in accordance with EU Regulations 2580/2001, 881/2002, 753/2011) are processed.
- This verification is done through the "Worldcheck" tool before making a firm offer to the selected candidate. For this purpose, personal data is verified only once.
|
Lawfulness |
- Depending on the entity that carries out the processing, or the fulfillment of legal obligations or the legitimate interest in fulfilling the obligations of due diligence and avoiding the possible damages (including possible fines) that may arise from the hiring of sanctioned persons.
|
Types of data processed |
- Name and surname
- Date of birth
- Nationality
|
10.2. Data communications
We can share your data with:
1. With service providers
We may share your personal information with companies that provide services to us and with whom we have entered into a data processing agreement in accordance with applicable law. They will process your data on our behalf and following our instructions.
2. International data transfers Your data is not transferred directly outside the EU. However, we utilise the services of the company Workday, which provides 24/7 incident support. This could lead to a limited and specific access to your personal data from the United States in exceptional circumstances. It should be noted that the USA does not offer the same level of data protection as the EU. In these instances, we have implemented robust safeguards in line with data protection regulations and have put in place additional measures to ensure the security of your data. Should you require further information, please do not hesitate to contact the relevant DPO.
10.3. How long do we keep your data?
We will process your personal data for the duration of the selection process and, where appropriate, for the time necessary to handle any enquiries that may arise. Once the process is complete, we will retain your information for a maximum period of one year in case there are future opportunities that you may be interested in, unless you indicate otherwise (right of objection). After the aforementioned period, unless you expressly authorise us to retain the information for a longer period, we will proceed to block the information and delete it after the expiry of the period of action (five years).
10.4. Exercise of rights
You can exercise your rights of access, rectification, erasure, limitation of processing, portability, opposition and the right not to be subject to automated individual decisions including profiling, sending an email to mailbox [email protected] as well as filing a claim with the Spanish Data Protection Agency at www.aepd.es