Last updated: 5 July 2021
At Worldline, we take pride in security and data privacy. When you visit Worldline's web sites, you can therefore normally come and go as you would like without us being able to identify you. However, if you submit your personal data (for example your name, e-mail address or phone number) we will be able to identify you and process your personal data. Such processing is governed by certain legislation, which within the European Union mainly is the General Data Protection Regulation (the “GDPR”). Worldline naturally complies with the GDPR and any other data protection legislation that applies to Worldline. We are also keen on being transparent regarding how we process your personal data and have for these purposes drafted this document, in which you will find information on what kind of personal data we process, why we do it, what we use it for and how we may share it.
The data processing carried out on this web site is conducted by Bambora Group AB, reg. no. 556233-9423, as data controller. However, for other data processing activities, other Worldline entities may be the data controller, separately or jointly with Bambora Group AB. For specific information regarding the data controller for the processing of your personal data, please see the separate privacy notice that you received when your personal data was collected or contact us (please see contact details below).
When we collect data and what data we collect
We collect personal data when you (i) sign up for our newsletter or ask to be contacted, (ii) request support and (iii) are browsing our website. Such personal data will in general include your name, e-mail address, telephone, delivery address, payment details, company, IP address, behavior on the website and other information that you voluntarily provide us. As a payment institution with a license to provide payment services under the supervision of the Swedish Financial Supervisory Authority (Sw. Finansinspektionen), Worldline will also collect your credit/debit card information when you make a purchase at a Worldline merchant.
Why we process data, our legal basis for the processing and for how long we process the data
When processing personal data, a specific purpose and an applicable legal basis is always required. Also, the personal data may only be used for a limited period of time. Worldline will only use your personal data for the purposes set out below. We will not use your personal data for any purpose that is incompatible with the below purposes. Further, we will only use your personal data during the period as set out below. Please note that the storage periods below may not apply if Worldline is required to retain your personal data (partly or in full) under applicable mandatory law (e.g. accounting laws).
1. Processing payment transactions
If you have made a purchase online or in a store, Worldline might have received your credit card information from the seller and thus act as data controller. This is the case where Worldline acts as the seller’s acquirer, i.e. processes the seller’s payments, and transfers the money between the correct bank accounts. In such case, we will use this personal data to carry out the transaction. This includes (i) sharing necessary data with card schemes); ii, assisting in disputes/chargebacks, iii) fraud preventing; iiii) and fulfilment of legal obligations on bookkeeping and iiiii) anti-money laundry transaction monitoring. Worldline holds a permit for such processing from the Swedish Authority for Privacy Protection (Sw: Integritetsskyddsmyndigheten).
1.1. Data that Worldline collects
Worldline collects personal data of card holders in its role as acquirer when processing a payment transaction. Such personal data includes:
- Card Information (i.e. card number, expiry month, expiry year, scheme/issuer) and
- Transaction Information (i.e. usage, currency, issuer country, merchant id, transaction date, transaction amount).
1.2. Collection of the data
Personal data related to card holders is collected through the execution of payment transactions via Worldline products and services provided to a merchant.
1.3. Legal basis
The processing is necessary for our legitimate interests to be able to carry out the payment transaction that you have requested when making the purchase at the merchant.
1.4. Storage period
We store card payment authorization data for 24 months and payment transaction data for seven years in order to comply with the Swedish Bookkeeping Act (1999:1078) (Sw. Bokföringslagen).
1.5. Who we share personal data with
Worldline will share personal data with affiliates, financial institutions, payment schemes, fraud prevention entities and other entities that process payment transactions such as the acquiring processor, the cardholder’s issuing bank and the card’s scheme with the sole purpose of processing payment transactions.
Worldline will also share transaction information with the merchant and its service providers when necessary to provide information on the transaction (e.g. response code of the authorization, information to be able to complete refund), detecting and preventing fraud and proving compliance with contractual obligations.
2. Processing merchant information
Worldline processes personal data which is necessary for the performance of the contract with the merchant or in order to enter into an agreement with the merchant.
2.1. Data that Worldline collects
Worldline collects personal data of the merchant and its staff members. Such personal data may either relate
2.1.1. Boarding and KYC
to the merchant’s majority shareholders, beneficial owners, and board members for ongoing due diligence and when the merchant is boarded by Worldline. The personal data is collected by Worldline to complete KYC requirements for anti-money laundry, fraud and credit assessment purposes. Worldline holds a permit for such processing from the Swedish Authority for Privacy Protection (Sw: Integritetsskyddsmyndigheten). Such personal data includes:
- Identification Data (i.e. name, surname, personal id number)
- Contact Information (i.e. e-mail address)
- Business Information (i.e. job title, company name)
- Banking and Financial Information (i.e. bank account details, information relating to the creditworthiness of the merchant and information about Politically Exposed Person).
2.1.2. Operational mailings and customer care
to the merchant representatives for customer care purposes and sharing operational mailings with you. Such personal data includes:
- Identification Data (i.e. name, surname)
- Contact Information (i.e. e-mail address, telephone number)
- Business Information (i.e. job title, company name)
2.2. Collection of the data
Personal data is mainly collected directly from the data subject during the boarding and through the various ways Worldline interacts with the merchant and/or the members of its staff: e.g. by entering into an agreement with Worldline, during interactions via physical or electronic communication (such as telephone, email or website forms), through participation in an offer or promotion.
Worldline may also collect data from third parties: e.g. when Worldline jointly offers a service with business partners or where permitted by law; or from public sources: e.g. public records and registers.
2.3. Legal basis
Worldline will mainly process personal data in order to fulfil legal obligations. Certain processing activities are however based on requirements within the payment transaction industry without being obligations originating from law, while certain processing activities are necessary in order for us to fulfil our obligations towards your company. In such case, Worldline processes the Data based on its legitimate interest to be able to conduct its business and provide you with the payment services.
2.4. Storage period
Worldline will process the personal data for as long as you or your company remains a Worldline merchant unless laws or regulations to which Worldline is subject obligate or entitles Worldline to continue the processing.
See specific boarding information, which is available here.
When you make purchases on our web site (such as of receipt rolls or terminal batteries), we will process your personal data to fulfil our contractual obligations towards you. Our purchase form specifies what information you must provide to us, in order for us to complete your purchase.
3.1. Legal basis
The processing is necessary for our performance of the contract with you (i.e. purchase agreement).
3.2. Storage period
We will process your personal data during the term of our contract (including a 24 months warranty period) and will thereafter erase your personal data with the exception for certain accounting data which will be stored for seven years in accordance with the Swedish Bookkeeping Act (1999:1078) (Sw. Bokföringslagen).
4. Contacting you
If you are interested in Worldline's products and services and ask to be contacted by us, we will process your personal data in order to be able to get in touch with you.
4.1. Legal basis
The processing is necessary for our performance of the contract with you (i.e. your request to be contacted).
4.2. Storage period
After having contacted us, we will stay in touch with you up to one year.
If you sign up for our newsletter, we will process your e-mail address for the purposes of sending you the newsletters. You may at any time unsubscribe by using the link provided in each newsletter.
5.1. Legal basis
The processing is necessary for our performance of the contract with you (i.e. your request to receive the newsletter).
5.2. Storage period
If you unsubscribe from our newsletter we will no longer process your personal data for this purpose.
When you contact us by phone, we will process the personal data you provide us with to be able to assist you with the relevant matter.
6.1. Legal basis
The processing is necessary for our performance of the contract with you (i.e. fulfilling any request made by you).
6.2. Storage period
If you are not a customer of Worldline, we will not process your personal data after the call unless we have a legitimate interest to do so. If you are a customer of Worldline, we will keep information regarding your support matter up to three years in order to improve our services and follow-up customer complaints.
7. Job applications
If you apply for a job at Worldline, we will process the data you provide us with and possibly data from publicly available sources. Our personal data processing for recruitment purposes is more closely specified on our career site.
7.1. Legal basis
See specific job application information.
7.2. Storage period
See specific candidate privacy notice which you will receive when you apply for an open position.
8. SMS surveys
If you or your company have recently boarded as a Worldline merchant or if you have been in contact with us by telephone, we may send you a simple survey by text message to the phone number you have submitted. We appreciate all feedback we receive, but it is completely optional for you to answer the survey. The only personal data that will be processed is your phone number.
8.1. Legal basis
The processing is necessary for our legitimate interests to improve our customers experience.
8.2. Storage period
We will anonymize all answers immediately, after which the answers will no longer be considered personal data.
9. Phone calls to our sales or support department
If you call Worldline's sales or support department, we might record the phone call. Worldline does not record phone calls in order to document agreements, only for internal educational purposes. We record around 10 % of the calls to our sales and support department. When you call us, you will receive information about that the call may be recorded and you may always object to us recording the phone call.
9.1. Legal basis
The processing is necessary for our legitimate interests to improve and educate the personnel answering the phone calls with the aim to provide you with a better experience next time you call us.
9.2. Storage period
Recorded calls will be retained for 90 days.
10. Identifying potential customers
10.1. Legal basis
10.2. Storage period
11. Direct marketing
If you are an existing customer, when you sign up for our newsletter, ask to be contacted by us or in any other way have been in touch with Worldline (e.g. at an event) or if we find your company interesting, we may send direct marketing to you by e-mail. In each direct marketing e-mail, you will find a link to this privacy notice and a possibility to opt-out from further direct marketing. We may also contact you by calling you, which you of course also may opt-out from.
11.1. Legal basis
The processing is necessary for our legitimate interests to maintain good customer relations.
11.2. Storage period
We will process your personal data for marketing purposes as long as you are an active customer or a potential customer that we have been in contact with during the last three years. You always have the right to opt-out from our marketing. In that case, we will no longer process your personal data for marketing purposes.
12. Using Merchant Portal
12.1. Customer experience
When logging in and using Merchant Portal (https://reports.bambora.com) Worldline will process data related to the merchant and the user. Worldline collects information about how users use Merchant Portal and we use this data to identify product gaps and improve existing products.
12.1.1. Legal Basis
Worldline is obliged to offer authorization, clearing and settlement reports to our merchants and this is done by Merchant Portal. It is therefore necessary for the purposes of Worldline’s legitimate interest to process personal data to optimize the user experience which will have a positive impact for the merchants.
12.1.2. Storage Period
User data older than 5 years is automatically deleted on an ongoing basis.
12.2. Growth Finance
Bambora Group AB & Froda AB are jointly (as joint controllers) offering merchants based in Sweden, Finland, Denmark and Norway business credits through Growth Finance. In order to fulfill this purpose, Worldline will process data about merchants (such as organizational number) and users contact information. This data will be shared with our Growth Finance partner Froda. The data is being shared in order for Froda to calculate the merchants available credit on a regular basis.
Worldline & Froda are joint controllers for the collection, transfer and processing of personal data for the offering of the service, however Froda is the sole controller for the business credit.
12.2.1. Legal basis
It is necessary for the purposes of Worldline’s legitimate interest to offer our merchants a business credit that will be provided by Froda which will be a commercial interest for each party.
12.2.2. Storage Period
Data will be deleted after 12 months of inactivity in the Merchant Portal tool or otherwise by termination of agreement.
Who we share your personal data with
Applies to section 2-12: Only the people who need to process personal data for the purposes mentioned above have access to your personal data. We may need to share your personal data with our group companies to be able to conduct our service, defense against legal claims or conduct internal reporting and business analysis. We further may need to allow our suppliers access to your personal data when they perform services on our behalf, mainly to provide support and maintenance of IT systems and storage services.
Worldline will share personal data with affiliates and business partners with which we combine our offered services for the purposes or ensuring quality and/or the commercial interests of the parties (e.g. calculation of compensation of parties).
Worldline will disclose personal data to public authorities and government agencies (i) if it is required to do so by law or legal process, (ii), (iii) in connection with an investigation of suspected or actual fraudulent or illegal activity, or (iiii) when it is required for Worldline to defend itself against legal claims.
Transfer of data outside the EU/EEA is made in accordance with data protection laws. Our international transfers of personal data are based on the EU Commission’s standard contractual clauses unless the company resides in a country considered by the EU Commission to ensure an adequate level of protection. In addition, transfers to the U.S. may be based on the EU-U.S. Privacy Shield if the recipient is certified thereunder.
Worldline will not sell or otherwise disclose personal information it collects about you.
Rights under the GDPR
In case you have any questions regarding Worldline's processing of your personal data, please use the contact details at the bottom of this document or contact Worldline's Data Protection Officer at Dpo@bambora.com. You may also use these contact details if you would like to exercise any of your rights as a data subject under the GDPR. Please note that the rights under the GDPR are not unconditional. Therefore, an attempt to invoke any of the rights might not lead to an action. Your rights under the GDPR include the following:
- Right to access – According to article 15 of the GDPR, you are entitled to access your personal data and receive certain information about the processing. That information is provided in this document.
- Right to rectification – According to article 16 of the GDPR, you are entitled to obtain rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
- Right to erasure – Under certain circumstances, you are according to article 17 of the GDPR entitled to have the personal data erased. This is the so-called “right to be forgotten”.
- Right to restriction of processing – Under certain circumstances, you are according to article 18 of the GDPR entitled to restrict the processing of the personal data that Worldline carries out.
- Right to data portability – You are according to article 20 of the GDPR entitled to receive the personal data (or have the Data directly transmitted to another data controller) in a structured, commonly used and machine-readable format from Worldline.
- Right to object – According to article 21 of the GDPR, you are entitled to object to certain processing activities conducted by Worldline on the personal data, such as all Worldline's processing of the personal data based on Worldline's legitimate interest.
Finally, you also have the right to lodge a complaint with the data protection supervisory authority, which in Sweden (the seat of Worldline) is Integritetsskyddsmyndigheten. You can contact Integritetsskyddsmyndigheten by sending an e-mail to email@example.com or by calling +468-657 61 00.
We employ appropriate technical and organizational security measures to help protect your personal data against loss and to guard against access by unauthorized persons. Appropriate security measures we have taken include implementing secure private connections, traceability, incident recovery and access limitations. We regularly review our security policies and procedures to ensure our systems are secure and protected.
General contact details
Please use the following details if you would like to contact us, or submit a request here.
Bambora Group AB
Att: Data Protection Officer
104 62 Stockholm
Telephone: +46(0) 10 10 66 000
Webform: Submit a request regarding your personal information that is processed by Worldline