1. Who we are
We are Cornercard UK Ltd. (“Cornercard”) Company No.08542957.
We are an authorised electronic money institution authorised and regulated by the Financial Conduct Authority (Financial Register No. 900186).
2. What is this notice?
This notice sets out how we process the personal data of individuals who are customers, potential customers, users of our website, or recipients of payments by our customers (“merchants”).
3. Contact us
Please direct all questions and requests you have about privacy and data protection to our privacy department below.
Cornercard can be contacted by: (i) post – [Privacy Department], Cornercard UK Ltd., PO Box 71723, London W2 7BJ, UK; and (ii) email firstname.lastname@example.org
We can also be contacted via our web address, www.cornercard.co.uk, or by using the dedicated email for data protection queries.
Data Protection Officer
If you are unhappy with the responses of our privacy department you may contact our Data Protection Officer by: (i) post – Data Protection Officer, Cornercard UK Ltd., PO Box 71723, London W2 7BJ, UK; and (ii) email email@example.com
4. Why we process your personal data
Types of processing
The types of processing we do are:
· Processing to enable the issuing, transfer and redemption of electronic money (“e-money”), i.e. the buying, the use and the cashing out of e-money on your prepaid cards.
· Processing to facilitate a payment transaction, i.e. using the e-money on your prepaid card to buy goods or services.
· Processing to facilitate access to the services offered on our website.
· Transfer of personal data into and out of the European Economic Area (“EEA”).
· Transfer of personal data to and from third parties who perform the processing listed above on our behalf.
Services - Fulfilment of contractual obligations
Our services are:
· The issuing of electronic money.
· Payment services.
· The provision of our website for both customers and visitors.
In order to provide our services to you under a contract between us (or for us to take steps at your request with a view to entering into a contract) we must process your personal data, which is a lawful basis under which to process your personal data Article 6(1)(b) of General Data Protection Regulation (“GDPR”).
Furthermore, Cornercard UK is required by law to process your Data in order to meet our compliance and legal obligations - including Anti-Money Laundering obligations - which is a lawful basis under which to process your personal data (Article 6 (1)(c) GDPR).
Direct marketing and consent
If you are an existing customer of Cornercard or recipient of payments by our customers (“merchants”), we may process your personal data for the purposes of marketing our services by offering to you new products and features that we think could be of benefit to you and to our partners (direct marketing). Such processing activity is based on our legitimate interest which is a lawful basis under which to process your personal data (Article 6(1)(f) GDPR). You have the right to object to such processing at any time. This also applies to profiling, insofar as it is in direct connection with direct marketing. If you object to processing for the purpose of direct marketing, we will no longer process your personal data for this purpose.
In contrast, if you are only a user of our website or a potential customer or in the case that our legitimate interests are overridden by your interests or fundamental rights and freedoms, we will obtain in advance your consent to processing for marketing purposes (Article 6(1)(a) GDPR).
We will not process your personal data for the purposes of marketing the services of third parties
Categories of personal data
The categories of personal data about you we will process are:
· Residential address
· Date of birth
· Mobile number
· Landline number
· Employment status
· Business address
· Employer name and contact details
· Tax Registration
· Source of funds
· Source of wealth
5. Sharing your data
We will not share your personal data with third parties outside the Cornèr Group except for the purposes of issuing e-money, making payment transactions and the provision of our website. In this respect, we may share your personal data with our partners which provide on our behalf the Services mentioned above in Section 4.
We will share your personal data with Cornèr Banca S.A., Via Canova 16, 6901 Lugano, Switzerland (“Cornèr Banca”), a Cornèr Group company. Cornèr Banca will process your personal data on our behalf as our processor enable us to process for reasons sets out in clause 4. Your personal data will be transferred outside the EEA because Cornèr Banca is in Switzerland. The European Commission has determined that Switzerland has a data protection regime offering an adequate level of data protection, a copy of this decision can be found here eurlex.europa.eu/eli/dec/2000/518/2016-12-17.
We may share your personal data with participants of the MasterCard and Visa card scheme networks but only to the extent necessary to facilitate making your payments to and receiving your refunds from the merchants. If the merchants or their payment service providers are located outside the EEA, your personal data may be transferred outside the EEA. This would only be done for the purposes of our contractual obligations to you to facilitate making your payments to and receiving your refunds from the merchants, which is lawful basis by which to transfer personal data outside the EEA ([Paragraph 2 Schedule 4 DPA 1998][Article 49(10(b) GDPR)
6. Storage of your data
We will process and store your personal data for as long as it is necessary in order to fulfil our contractual and statutory obligations. Thus, we will store your personal data for the duration of your contractual relationship with us and for a further maximum period of six years beginning when that relationship ends. We will retain the personal information so that:
· We can allow you to redeem any e-money that you have not spent on your prepaid card.
· We can provide you with the necessary information regarding payment transactions if you wish to make a legal claim against us regarding our services.
For the establishment, exercise or defence of legal claims we may retain your personal data for the duration of the legal proceedings. Moreover, we will store your data to comply with statutory obligations we are subject to (e.g. AML storage requirements and storage requirements applicable to tax relevant documents).
7. Your data rights
You have the following data rights:
· The right of access.
· The right to rectification (correction).
· The right to erasure (i.e. the right to be forgotten).
· The right to restriction of processing.
· The right to data portability.
· The right to object
In order to process your request to exercise your data rights we will require you provide us with such information or documents we request in order to verify your identify before we can process your access request. Your request will be deemed to be received on the date we verify your identity.
We will respond to requests within one month of our receipt of your request. If your requests are complex or numerous, we will inform you within the initial one-month response period that we will require a further two months in which to respond, i.e. we will respond within three months of our receipt of your request.
You may request to exercise your data rights by email, or by post (please see chapter 3 for contact details). Where you make a request electronically we will respond electronically by email.
Right of access
You may request the following information:
· confirmation that your personal data is being processed;
· a copy of the personal data held about you excluding any personal data that is prohibited from providing such as data that would adversely affect the rights or freedoms of others; and
· a copy of this privacy notice.
The information will be provided free of charge except where:
· the request is manifestly unfounded or excessive, particularly if it is repetitive;
· the request is for further copies of the same information.
In these cases we will charge a fee of £25 which will cover our administrative cost for providing you with the information.
Please note that if we find your access request to be manifestly unfounded or excessive, we may refuse to provide the requested information. In this case we will inform you why we are not providing you with the information set out above, that you have the right to complain to our supervisory authority for data protection purposes, the Information Commissioner’s Office (“ICO”), and that you have a right to file a case with the courts.
Right to rectification (correction)
You have the right to have any personal data corrected if it is inaccurate or incomplete. We will require you to provide documents or information to demonstrate that the personal data is inaccurate or incomplete.
If we have disclosed such personal data to third parties, we will contact each third party and inform them of the correction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
If we refuse to comply with your request, we will inform you why we are not making the corrections, that you have the right to complain to the ICO and that you have a right to file a case with the courts.
Right to erasure
The right to erasure only applies when:
· the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
· you withdraw consent for the processing of personal data where consent is the sole legal basis of the processing;
· you object to the processing and there is no overriding legitimate interest for continuing the processing;
· the personal data is being unlawfully processed;
· the personal data has to be erased in order to comply with a legal obligation;
· the personal data is processed in relation to the offer of information society services to a child.
We may refuse to erased the personal data if the following conditions apply:
· the personal data is processed to comply with a legal obligation for the performance of a public interest task or exercise of official authority; or
· the personal data is processed for the exercise or defence of legal claims.
If we have disclosed personal data that is to be erased to third parties, we will contact each third party and inform them of the erasure unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
Right to restriction of processing
We will restrict the processing of personal data in the following circumstances:
- Where you contest the accuracy of the personal data, we will restrict the processing until we have verified the accuracy of the personal data.
- Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override your interest, rights and freedoms.
- When processing is unlawful and you oppose erasure and request restriction instead.
- If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim.
If we have disclosed personal data that is to be subject to restriction to third parties, we will contact each third party and inform them of the restriction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
We will inform you if we decide to lift the restriction on processing.
Right to data portability
The right to data portability only applies:
- to personal data that you have provided to us;
- where the processing is based on your consent or for the performance of a contract; and
- when the processing is carried out by automated means.
We will provide you with this personal data in form of a .CSV file or another file format that is agreed upon in advance and presents the personal data in a structured, commonly used and machine readable form.
We will provide this information free of charge. If you so request, we transmit the information directly to another information if this is technically feasible.
If we refuse to comply with your request, we will inform you why we are not providing the information, that you have the right to complain to the ICO and that you have a right to file a case with the courts.
Right to object
You have the right to object to our processing of your personal data based on our legitimate interests on grounds relating to your particular situation except:
· where we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
· the processing is for the establishment, exercise or defence of legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes.
We will comply with your objections unless an exception applies.
8. Complaining to the ICO
You have the right to contact the ICO to complain about our processing of personal data.
The ICO can be contacted by: (i) live chat (Monday to Friday, 9am to 5pm) – ico.org.uk/global/contact-us/live-chat; (ii) email – firstname.lastname@example.org; (iii) web form – ico.org.uk/global/contact-us/email/; (iv) phone – 0303 123 1113 (calls from within the UK) or +44 1625 545 700 (calls from outside the UK) and (v) post – Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK.
9. Source of personal data
We will collect personal data from:
· Programme Managers or Partners
· credit reference agencies;
· third party databases for the know your customer (“KYC”) purposes;
10. Automated processing
We will make decisions solely on the basis of automated process when deciding whether to enter into a contract with you to provide you with a prepaid card. This decision will be based on the information collected from the sources list in clause 9 and risk factors assigned to each piece of relevant information.
You may challenge our decision by contacting us and asking us to reconsider your application using a manual process involving an individual to make the decision.
Version dated 25.05.2018