Policy notice pursuant to REGULATION (EU) 2016/679 on the protection of individuals regarding the processing of personal data and on the free movement of such data
As Data Controller, Mistral Pay Ltd (hereinafter only “Mistral”) provides you with this information regarding the processing of personal data requested, pursuant to Regulation (EU) 2016/679 relating to the protection of individuals with regarding the processing of personal data, as well as the free circulation of such data (so-called “General Data Protection Regulation”, hereinafter also only “GDPR”), for the purpose of opening and activating the Payment Account and/or other services provided from us.
Mistral, as Data Controller, makes the following information (hereinafter only “Privacy Notice”), pursuant to article 13 of the GDPR and in compliance with Chapter 586 of the Laws of Malta – Data Protection Act (came into force on Monday 28th May 2018).
This Privacy Notice also concerns the methods for collecting and processing personal data during the use of our Website, with the express exclusion of other websites that may be consulted through access through links on the Site; and was drafted in a clear and comprehensible way for the general public, as required by art. 12, par. 7, of the GDPR.
We inform you that the processing of your personal data will be based on the principles of lawfulness, fairness, and transparency and the protection of your privacy and your rights.
The owner of the data processing is Mistral Pay Ltd. with registered office in Central Business Center, Level 2, Suite 1, Mdina Road, Zebbug ZBG 9015, MALTA, and secondary office in Viale Pasteur n. 49, 00144, Rome, ITALY, website www.mistralpay.com.
DATA PROTECTION OFFICER
The “Data Protection Officer” or DPO can be contacted at the following email address: firstname.lastname@example.org
Legal basis for data processing
Your personal data are processed:
1) If it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR). We will process your data to conclude and execute contracts to open a Payment Account or any other service provided by Mistral; to fulfil the pre-contractual, contractual and fiscal obligations on our behalf or carry out all the measures and actions at the request of the interested party, as arising from all existing relationships with users, customers, collaborators, commercial partners, suppliers, and consultants; purposes strictly connected and instrumental to the management of the relationship with the customer (e.g. acquisition of information for risk assessment, checks, and evaluation on the results and on the progress of the relationships). The need to perform a contract of which Mistral and the interested party are parties represents the legal basis that legitimates the consequent treatments.
2) If it is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(b) GDPR) in order to fulfil the obligations established by the law, by a regulation, by European Community legislation, or by order of an Authority (for example relating to anti-money laundering); The need to fulfil legal obligations constitutes the legal basis that legitimates the consequent treatments;
3) If it is necessary for the purposes of the legitimate interests of Mistral to exercise or defend a right in judicial or extrajudicial proceedings (Article 6(1)(f) GDPR): we will treat personal data to pursue our legitimate interests in exercising or defending our rights in judicial or extrajudicial proceedings, even in the event of non-fulfilment of the contract or violations of the law, also using professionals and qualified entities. The need to pursue one’s own legitimate interest constitutes the legal basis that legitimizes the consequent treatment by Mistral.
4) For marketing purposes functional to the activity of Mistral, such as:
– the survey of customer satisfaction on the quality of services rendered and on the activities carried out by Mistral Pay Ltd and the development of studies, research and market statistics;
communication and/or sending, also by automated means, of informative and/or promotional material by Mistral Pay Ltd.
In this case, the legal basis that legitimises the treatment is represented by the consent of the interested party (Article 6(1)(a) GDPR) which can be freely given or not given and revoked at any time.
Categories of data processed
As a general rule, it is possible to use the Website without having to provide any personal data. If the user accesses the Site for information purposes only (and does not open an account on the Website), we will not collect any personal data, except for the data transmitted by the browser or the user’s terminal device in order to allow access to the Website.
Personal data are collected in specific sections of the Website via electronic forms, or through paper forms, only if you want to switch on a Payment Account or if you want to access to other Mistral services.
Mistral processes personal data collected directly from you, or from third parties, including but not limited to personal data (e.g. name, surname, address, date, and place of birth), information on the financial situation (e.g. financial position, credit information relating to credit requests/reports), image data (e.g. photo on identity card) and voice recordings (e.g. telephone order records) and other data related to the above categories.
Mistral could process particular data of its customers to follow up specific services and operations requested by them (e.g. the payment of membership fees to a political or trade union organization, purchases of goods or services made with credit/debit cards that determine the processing of particular data). In such cases, Mistral will ask the requesting interested party a specific consent to the possible processing of the particular data necessary to follow up on these services and/or operations (e.g. when the prepaid card issuing contracts are finalized).
Mandatory/voluntary provision of data
With regard to the purposes previously identified, we inform you that the provision of data:
– it is not mandatory by law for the processing necessary for the execution of the payment account opening contract or for the execution of any other service referred to in point 1); however, a refusal to provide them could cause impediment to the establishment of the relationship and the provision of services;
– it is optional for the treatments functional to the company’s activity referred to in point 4); any refusal to provide them does not affect the completion of the contractual relationship.
For the purposes referred to in points 2) and 3), the provision of data is not required by law, as the treatment derives from a regulatory obligation or from the pursuit of a legitimate interest. The consequences of failure to provide data are the impossibility of establishing and/or executing the contractual relationship.
Methods of processing personal data and access by third parties
The processing of personal data is achieved through the use of computer and/or paper procedures able to protect and guarantee the maximum confidentiality of the data provided, in accordance with the GDPR and to the Chapter 586 of the Laws of Malta – Data Protection Act. Specifically, processing takes place through the: collection, registration, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of data.
Personal Data may be communicated to other subjects whose intervention is strictly functional to the execution of the contractual relationship, such as:
– employees or collaborators of the Data Controller as persons in charge of processing under the direct authority and directives of Mistral;
– partner companies of Mistral, in Malta and abroad, in their capacity as data processors and/or system administrators that act as processors of personal data according to art. 28 of the GDPR on behalf of the Data Controller and that have offered sufficient guarantees to put in place suitable technical and organizational measures to ensure that the treatment entrusted to them meets the legal requirements;
– third-party companies or other bodies, such as, for example, credit institutions, payment institutions or other financial intermediaries, professional offices, consultants and insurance companies that perform activities on behalf of the Controller and who act like independent owners with their privacy policies, which are available to the Data Subject.
Without the need for express consent (Article 6(1)(b)(c) GDPR), the Data Controller may communicate the personal data of the interested party to Supervisory Bodies (such as FIU, Bank of Italy, OAM, IVASS, etc.), Judicial and/or police authorities, insurance companies for the provision of insurance services, as well as those subjects to whom the communication is mandatory by law. These subjects will process the data in their capacity as independent Data Controllers and the Personal Data of the interested party will not be disclosed to others by them.
The complete list of these subjects is constantly updated and is available upon request to the Data Controller.
Mistral keeps the data in a form that allows the identification of stakeholders for the time necessary to achieve the specific purposes of the processing, in compliance with contractual and/or regulatory obligations (eg in the field of anti-money laundering, investment services, tax monitoring).
In particular, the Data Controller or the controller processes and stores personal data for the minimum time necessary to fulfil the purposes indicated in the paragraph on the legal basis and purpose of the processing, and only for the time necessary to achieve archiving to the extent to which this is foreseen by the GDPR. Both the processing and the memorization, however, are established for not more than 10 years from the termination of the contractual relationship for the treatment occurred for service and no more than 12 months from the collection of data for marketing purposes. Once these retention terms have expired, personal data will be blocked, destroyed, or made anonymous in accordance with legal requirements.
Transfer of personal data to foreign countries
Data are not disseminated nor will they be transferred to non-EU countries. The management and storage of personal data will take place on servers located within the European Union. It remains regardless understood that the Data Controller, if necessary, will have the right to transfer the servers’ location within Italy and/or the European Union and/or non-EU countries. In this case, to ensure an adequate level of protection of Personal Data, the transfer of data in non-EU countries will take place by the appropriately approved decisions of the European Commission or the adoption by the Owner of the Standard Contractual Clauses prepared from the European Commission.
Access to Mistral services through the Site requires cookies to be enabled on your Internet browsing software. Cookies are processed by Mistral anonymously and may be used for the sole purpose of obtaining statistical information on the navigation of the site through which the service is provided, as well as to improve the usability of the Website.
The data subject may, at any time, prevent the setting of cookies by our website, as stated above, through the corresponding setting of the Internet browser used and thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be entirely usable.
Right of access by the data subject and other rights pursuant to EU Regulation 2016/679
We inform you that at any time you will be able to exercise the right of access to personal data and other rights, in compliance with the provisions of Articles 12-22 of the 2016/679 EU Regulation, specifically:
· right of access: the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period, and other information;
right of rectification: the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her as well the right to have incomplete personal data completed, including by providing a supplementary statement;
Right to erasure (‘right to be forgotten’): the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
– the consent on which the processing is based is withdrawn and/or there is no other legal ground for the processing
– the personal data have been unlawfully processed
– the personal data have to be erased for compliance with a legal obligation
right to object to the processing: the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her and/or for marketing purposes, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
right to restrict the processing: the right to obtain from the Data Controller the restriction of processing, in cases where the accuracy of personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data) if the processing is illegal and/or the interested party objected the processing;
right to data portability: the right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract, and if the processing is carried out by automated means.
The Customer has the right to withdrawn at any time the consent given to specific optional activities, without prejudice to the lawfulness of the processing performed before the revocation.
The requests referred to in Articles 12-22 cited above can be made through a specific request to be submitted in writing via registered mail to Mistral Pay Ltd., Viale Pasteur n. 49, Rome.
Complaint or report to the Commissioner for the protection of personal data
Mistral Pay Ltd informs you that you have the right to lodge a complaint or make a report to the Office of the Information and Data Protection Commissioner or to appeal to the Judicial Authority. The contacts of the Information and Data Protection Commissioner can be consulted on the website https://idpc.org.mt from which you can download and use the appropriate templates for the exercise of rights.