Privacy and Data Protection Policy

The protection of natural persons data is an issue on the agenda, because of the legislative changes that have occurred, as well as of the relevance that the media has given to situations of disturbances that are sometimes massive in the processing of personal data. The new Data Protection Regulation is in line with the vision that Easypay has always had and has always fulfilled. Easypay, despite processing a limited set of personal data in the scope of its activities, has always devoted special care to this topic. Within the scope of the legislative changes arising from the new General Data Protection Regulation, Easypay informs its customers and partners of the rules guiding the processing of personal data in the context of the activities it pursues.

Policy Objectives

Define the terms and conditions under which Easypay processes personal data within the scope and for the purpose of providing payment services and to comply with the inherent legal obligations. Easypay processes the personal data of its customers and partners, either for contractual reasons related to the provision of its services, or for legal reasons, arising from compliance obligations imposed by the law in relation to the payment and credit intermediation services provided by Easypay, and the terms and conditions for the processing of personal data relating to the latter of personal data relating to the latter service are set out in point 3 below.

1.CONTRACTUAL OR VOLUNTARY DATA PROCESSING

Easypay processes personal data within the scope and for the purpose of providing payment services to its customers, under the following terms:

1.1. What is the purpose of this treatment?

Pre-contractual diligences, entering into and execution of a framework contract for the provision of payment services, execution of the resulting payment transactions and carrying out of occasional payment transactions. Easypay may also, under the terms of the legislation in force, in particular of paragraph e) of article 91 of the Legal Regime for Payment Services and Electronic Money (RJSPME), proceed with the computer processing of the same data for the purposes of prevention, investigation and detection of fraud. Easypay also treats the name, telephone number and email address of its customers and potential customers for the purposes of market research and the offer and promotion of new Easypay services and products, except in cases where the data subjects oppose the processing of these data for the mentioned purposes.

1.2 What categories of personal data are processed for this purpose?

1. 1. 1. Data of Easypay clients who are natural persons and individual entrepreneurship: name, tax residence, professional email address, mobile phone number, citizen card number, tax identification number, photograph and signature.
      2. data of natural persons that are representatives of legal persons, clients of Easypay: name, tax residence, position held in the client, professional email address, mobile phone number, citizen card number, tax identification number, type and percentage of social participation in the corporate client, photography and signature.
      3. data of natural persons involved in payment transactions with Easypay’ clients: name, address, tax identification number, e-mail address, mobile phone / telephone number, bank payment card details (number and expiration date and name and of the holder), IBAN (international bank account number), date of birth, gender, party or political association militant number, affiliate number, associated family number, court and case number identification and payer and beneficiary of judicial sanction, value of the payment transaction.
      4. data of Easypay employees involved in pre-contractual procedures, in the entering into and/or execution of a framework contract for the provision of payment services, or in the execution of the resulting payment transactions data of Easypay employees involved in pre-contractual procedures, in the entering into and/or execution of a framework contract for the provision of payment services, or in the execution of the resulting payment transactions

1.3. How do we receive the data we process?

The data for categories i), ii) and iv) identified above are provided, in general, by the respective data holders in printed form or through the digital channels that Easypay makes available, and the data, name, telephone number and email address may be collected by Easypay by consulting information on open networks, Easypay informing the data holder when the first contact with him occurs of the collection, treatment, purpose and other legal information. Category iii) data are provided to Easypay, as payment service provider for the payment beneficiary and client, by the payer or paying intervening parties in payment transactions when carrying out payment transactions:

• directly to Easypay by filling out the form on the Easypay platform to whose page the intervener is directed from Easypay’ customer portal,
• or are directly collected and supplied to Easypay by Easypay’ clients, in which case, Easypay is exempted from communicating its collection and processing to the data subjects, under the terms set forth in the Regulation, as it is the responsibility of Easypay’ client, who undertakes in doing so, informing the data subjects that communicated to Easypay the respective data for the purposes of executing the payment transactions in which he/she intervenes, as well as, the other information elements provided for in the Regulation.
• or are provided by payers on partner platforms or platforms used by Easypay clients (who are entities with which Easypay has collaboration agreements, e.g. Shopkit, Moloni, PHC, etc.)

Easypay assures its clients and other data subjects, that the data communicated or provided to it are processed and used exclusively for the purposes indicated in point 1.1. and in accordance with point 1.4. infra.

1.4. What is the legal or legitimacy basis for processing the data?

Easypay treats the personal data it receives on a contractual basis, as the case may be, when executing the payment service provision contract to which the data subject is a party or for pre-contractual arrangements to this service provision contract, at the request of the data subject and for the purpose of pursuing legitimate interests of Easypay and of its clients third parties, with regard to the data of those intervening in payment operations foreseen in category 1.2. iii). Data from Easypay employees indicated in category 1.2. iv) are treated in execution of the relating employment contract. The customer and/or the data subject is (are) obliged to provide the data, in order to allow the execution of a contract with Easypay or the execution of payment transactions, constituting the non-provision of the data an impediment to the establishment of a commercial relationship with Easypay or of the execution on behalf of the client of the payment transactions. Regarding data processed for the purpose of market research and the offer and promotion of new Easypay products or services, these are treated for the purpose of pursuing Easypay’ legitimate interests in the commercial promotion of its products and services, having the data holders covered by this policy the right to object at any time to the processing of their data, name, telephone and email address for these purposes, by communicating to Easypay to the addresses indicated in point 1.5.

1.5. Controller:

The controller for the treatment of the identified personal data is Easypay, Instituição de Pagamento, Lda., a commercial company with quotas, with a share capital of € 125,000, headquartered at Rua Soares de Passos, nº 14-B, in Lisbon, registered at Lisbon Commercial Registry Office under the identification number of legal person 505237431, which is the entity that determines the purpose and means of processing personal data and whose general contacts are as follows:correio@easypay.pt andtelephone: 213617930.

1.6. Security measures:

Easypay adopts, in the treatment of data, techniques and adequate preventive measures against its unauthorized or illicit treatment and against its accidental loss, destruction or damage, namely those provided for in articles 25 and 32 of the Regulation.

1.7. Rights of the holder. Storing period:

Easypay guarantees data subjects the rights foreseen, in those terms set out in the law, such as, the rights of access, rectification, treatment limitation, erasure, opposition to treatment and portability, ensuring particularly the data elimination or anonymization, after the expiring of the data storing periods. The data are kept, as long as, the contractual relationship between Easypay and its clients exists and remains in force, as well as up to one year after the end of the legally stipulated claim period for payment transactions carried out by or through Easypay. Easypay has not appointed a data protection officer, as it does not fulfil any of the conditions set out in the Regulation and in the guidelines of the article 29 for data protection. The exercise by the data subjects of the rights that are recognized by law can be done in writing addressed to Easypay through the email compliance@easypay.pt or by post sent to the attention of the company’s Compliance Framework and Risk Management Unit.

1.8. Data communication:

Personal data processed by Easypay are/can be communicated and transmitted to the following categories of entities for the purpose of carrying out payment transactions on behalf of Easypay’s clients and in order to comply with administrative and legal obligations: to entities acquiring and processing payment transactions, such as Finaro, Ebanx, Sibs, Millennium BCP and BBVA and to bank entities where Easypay clients have a bank account. Some of the data are communicated to the Tax Authority in compliance with tax reporting obligations and to other public entities in other cases where the law imposes such communication. Other public and private entities to whom Easypay must legally allow such access may accede to the data, namely for the purpose of complying with the legal obligation of auditing accounts.

1.9. Subcontracting:

Some of the personal data are processed on a subcontracting basis, under a service provision agreement entered with Easypay, by a processor that provides accounting services to Easypay and that guarantees security and confidentiality in the treatment of such data.

2 DATA TREATMENT FOR COMPLIANCE WITH LEGAL OBLIGATIONS:

Easypay also processes personal data for the purpose of complying with legal obligations foreseen in the Anti-Money Laundering and Terrorism Financing Law (BCFT Law) (Law No. 83/2017 and Regulation (EU) 2015/847), being therefore, simultaneously authorized and obliged to process the personal data necessary to fulfil preventive duties, in the following terms:

2.1. What is the purpose of this treatment?

Prevention of money laundering and terrorism financing.

2.2. What categories of personal data can be processed for this purpose?

Data of natural subjects:

1. 1. identification and others:
      – identification: name, date of birth, nationality, place of birth, identification document (number, expiration date and issuing entity), signature and photography;
      – contact details: address of permanent residence;- tax: tax identification number or equivalent foreign number and tax residence;- professionals: profession and employer;- qualifications;
      – professional or business activities pursued;
      – political or public positions held;
      – kinship relations, affinity, corporate, commercial, professional or relevant social relationships;
   2. financial and banking:- credit and solvency; – income and other assets.
   3. purpose and nature of the business relationship;
   4. origin and destination of funds or other assets handled in the operation;
   5. other elements that characterize the operations carried out;
   6. information on suspected criminal offenses, administrative offenses or other illegal activities- reports of suspicious transactions; – other reports to the competent authorities; – information received from the competent authorities.
   7. decisions that apply sanctions for criminal, administrative offenses or other equivalent.
   8. other supporting means necessary to verify previous data.
   9. Other data necessary to fulfill the duties provided for in the BCFT Law or in the Regulations.(of the payer: name, payment account number or unique transaction identifier, address, official document identification number, customer identification number or date and place of birth; of the payee: payment account name and number or unique transaction identifier number).

2.3. How do we receive the data we process?

The data of the identified categories are provided, in general, by the respective data holders and, in special cases, are collected from third parties, and Easypay is exempted from communicating its collection to the data holder, as the case may be, under the terms provided for in paragraphs a), c) and d) of article 14 of the Regulation.

2.4. What is the legitimacy or lawfulness for data processing?

Easypay treats the personal data it receives on a legal basis, in compliance with legal obligations to which Easypay is subject, under the terms provided for in the BCFT Law and in the Regulation, the data holder being obliged to provide the data, in order to allow compliance by Easypay of the said legal obligations. Failure to provide the data will prevent the establishment of a commercial relationship between Easypay and the data holder.

2.5. Responsible for the treatment:

The person responsible for the treatment of the identified personal data is Easypay, Instituição de Pagamento, Lda., a private limited liability company, with a share capital of € 125,000, headquartered at Rua Soares de Passos, nº 14-B, in Lisbon, registered at Lisbon Commercial Registry Office under the legal person identification number 505237431, which is the entity that, under the Law, determines the purpose and means of processing personal data and whose general contacts are as follows: correio@easypay.pt and telephone: 213 617 930.

2.6. Security measures:

Easypay adopts the treatment of technical data and adequate preventive measures against its unauthorized or illicit treatment and against its accidental loss, destruction or damage, namely those provided for in articles 25 and 32 of the Regulation.

2.7. Rights of the holder. Storage period:

The rights of access and rectification of data processing must be exercised by the data holders, under the terms of the Law, through the National Data Protection Commission, without prejudice to other rights, such as the limitation of processing and erasure in cases permitted by law, ensuring Easypay the elimination or anonymization of data, after the expiring of the data storage periods provided for in the Law. Easypay has not appointed a data protection officer, as it does not fulfill any of the conditions set out in the Regulation and in the guidelines of the <a “href=https://dre.pt/application/file/ a/108016630”>article 29 for data protection. The exercise by the data subjects of the rights that are recognized by law can be done in writing addressed to Easypay through the email compliance@easypay.pt or by post sent to the attention of the company’s Compliance Framework and Risk Management Unit.

2.8. Data communication:

Personal data processed by Easypay under the Law can be communicated and transmitted to the entities provided for in article 61 of the BCFT Law and can also be interconnected under the terms of the same legal standard.

3 Specific terms and conditions for data processing related to credit intermediation activity:

Easypay, better identified in point 1.5 above, collects and treats as the data controller, the name, mobile phone number and email address of the persons requesting credit proposals in the context of the credit product, whose lending entity is Santander Consumer Finance – Branch Office in Portugal (hereinafter SCF) or Universo, IME, SA (hereinafter identified individually as the selected lending entity) and, also the data that make up the so-called shopping cart (type of item, merchant and amount) for the exclusive purposes of pre-contractual due diligence, execution and processing of said credit requests, their referral to the selected lender and contacts with the applicant for the management of the contractual relationship of credit intermediation, as well as for requesting information about the transaction that motivated the credit application. This data is provided by the applicant by filling in the respective area of the Easypay payment platform, collected by Easypay on a contractual basis and for the purpose of pursuing Easypay’s legitimate interests and failure to provide it prevents the applicant from accessing the entity’s credit product of the selected lender. Easypay also processes said data for the purpose of offering and promoting new Easypay services and products, except in cases where the customer objects to the processing of this data for the aforementioned purpose. The data provided by the applicant may be communicated by Easypay to the selected lender, in the event of a credit request, to the strictest extent necessary for the purpose of evaluating the same and eventual conclusion with the selected lender of a credit agreement with the applicant, as well as of the execution of this. The data collected and processed by Easypay are kept by Easypay for up to four years after the end of any credit relationship established with the selected lending entity or up to four years after the lender’s eventual refusal to grant credit, unless another longer legal period is required by legal norm. The rules contained in points 1 and 2 above apply to this treatment in everything that is not exempted by the provisions of this point 3.

4 Google Data

As part of our Services and additional features, you may authorize Easypay – Payment Institution, Lda, to access data available within your Google accounts. It is your responsibility to ensure that any information collected and used from your Google account, including through Google Sheets or other Google applications you utilize, complies with local laws and particularly adheres to regulations concerning the collection, usage, distribution, and storage of Personal Data. We only transfer the minimum necessary data elements required to facilitate payments with your selected payment provider and update the payment status on your Google documents. The following data will be accessed by the Add-On Installer:

• Email address and locale
• Google Form submitter’s Email address (used to send payment requests)
• Google Form ID, Title, and Description Attributes (used to provide information on the checkout pages)
• Google Form submission fields (only euro amounts used to calculate the amount due)

The following access rights will be utilized:

• Google Sheet READ/WRITE Access (solely for adding and updating corresponding payment fields)
• Google Forms READ/WRITE Access (to assist with form setup and trigger payment request responses)
• Google Data will not be shared with any third party, except for providing customer service, facilitating the Services, and working with the payment provider you have chosen and consented to connect with for payment facilitation.

Easypay – Instituição de Pagamento, Lda will use and transfer information obtained from Google APIs to other applications in accordance with Google API Services User Data Policy, including the Limited Use requirements. Last update: 08/08/2023