INFORMATION IN COMPLIANCE WITH PERSONAL DATA PROTECTION REGULATIONS

The Management / Governing Body of Sipay Plus, S.L. (hereinafter, the Data Controller), assumes the maximum responsibility and commitment to the establishment, implementation and maintenance of this Data Protection Policy, guaranteeing the continuous improvement of the Data Controller with the aim of achieving excellence in relation to compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council,  of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016), and the Spanish legislation on the protection of personal data (Organic Law,  sector-specific legislation and its implementing rules).

The Data Protection Policy is based on the principle of proactive responsibility, according to which the data controller is responsible for compliance with the regulatory and jurisprudential framework that governs said Policy, and is able to demonstrate this to the competent supervisory authorities.

In this regard, the data controller shall be governed by the following principles that must serve as a guide and frame of reference for all its personnel in the processing of personal data:

• Data protection by design: the controller shall apply, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organisational measures, such as pseudonymisation, designed to effectively apply data protection principles, such as data minimisation, and to integrate the necessary safeguards into the processing.
• Data protection by default: the controller shall implement appropriate technical and organisational measures with a view to ensuring that, by default, only personal data that is necessary for each of the specific purposes of the processing is processed.
• Data protection in the information lifecycle: measures to ensure the protection of personal data will be applicable throughout the entire information lifecycle.
• Lawfulness, fairness and transparency: personal data will be processed lawfully, fairly and transparently in relation to the data subject.
• Purpose limitation: personal data will be collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.
• Data minimization: personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Accuracy: personal data will be accurate and, if necessary, up-to-date; All reasonable measures shall be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are erased or rectified without delay.
• Limitation of the retention period: personal data will be kept in such a way as to allow the identification of the data subjects for no longer than is necessary for the purposes of the processing of the personal data.
• Integrity and confidentiality: Personal data will be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures.
• Information and training: one of the keys to guaranteeing the protection of personal data is the training and information provided to the personnel involved in the processing of these data. During the information lifecycle, all personnel with access to the data will be properly trained and informed about their obligations in relation to compliance with data protection regulations.

The Data Protection Policy of Sipay Plus, SL (hereinafter also SIPAY) is communicated to all the staff of the data controller and made available to all interested parties.

Consequently, this Data Protection Policy involves all the staff of the data controller, who must be aware of it and accept it, considering it as their own, each member being responsible for applying it and verifying the data protection regulations applicable to their activity, as well as identifying and providing the opportunities for improvement that they consider appropriate with the aim of achieving excellence in relation to their compliance.

This Policy will be reviewed by the Management / Governing Body of SIPAY, as many times as deemed necessary, in order to adapt, at all times, to the current provisions on the protection of personal data.

In Europe and in Spain there are regulations to respect your fundamental right to the protection of your personal data and that generate mandatory obligations for our entity.

Therefore, it is very important for us that you fully understand what we are going to do with the personal data you provide through the contact form available on our website.

We want to be transparent and respect your right to control your data, with plain language and clear options that allow you to decide what we do with your personal information.

Please, if you have any questions after reading this information, do not hesitate to ask us.

Thank you very much for your cooperation.

Who are we?

The person responsible for the processing of your personal data is Sipay Plus, SL (hereinafter, “SIPAY”):

Our name: Sipay Plus, SL.

Our VAT number: B60462314

Our core business: Payment methods

Our address: Calle San Rafael 1, Portal 2, 2ºC, 28108, Alcobendas, Madrid.

Our contact telephone number: 914841028

Our contact email address: administracion@sipay.es

Our website: www.sipay.es

Our Data Protection Officer, to whom you can contact for any question related to the processing of your personal data through the following channels:

Postal address: Calle San Rafael 1, Portal 2-2ºC, 28108 Alcobendas – Madrid.

Email: dpo@sipay.es

For your confidence and security, we inform you that we are an entity registered in the following Mercantile Registry / Public Registry: Registered in the Mercantile Registry of Madrid, Volume 26686, Section 8, Folio 196, Page No. M480942, Entry 7.

The person responsible for this website is a regulated profession, for which we provide you with the following information: José Luis Nevado Martínez.

We are at your disposal, do not hesitate to contact us.

What regulations do we comply with?

SIPAY will carry out the processing of personal data in accordance with the applicable European Union or national legislation, including Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); and any other applicable data protection regulations (collectively, the “Data Protection Regulations”). In particular, SIPAY will implement appropriate technical and organisational measures to ensure an appropriate level of security for personal data.

How do we collect your data through the website?

The data that we process at SIPAY have been obtained from you, through the different forms that you fill in while browsing the website or completed in some other format within the activities of SIPAY; by sending an enquiry e-mail or by telephone.

In the event that the personal data provided belongs to a third party, you guarantee that you have informed said third party of this Personal Data Protection Policy and have obtained their authorisation to provide your data to SIPAY for the purposes indicated below.

In addition, we inform you of the possible processing of your social network data through the corporate profiles in which SIPAY maintains an available profile, all based on the terms and conditions established in each social network.

We collect your personal information on this website through:

• The contact form on the SIPAY website.
• The form on the SIPAY Employment website.
• The SIPAY newsletter subscription form.
• The use of Cookies.
• The Whistleblowing Channel Form.
• When you exercise any of your data protection rights with us.

We specify in the following section the information regarding the data processing that we may do as a result of the collection of data in any of our forms, the personal data collected, the purpose of the processing and the legal basis for the processing of these.

What are we going to use your data for? What is the legitimate basis for this processing?

Specifically, SIPAY, in its capacity as Data Controller, collects personal data from its users, through the different forms contained on the website, for the following purposes and legal basis of the processing:

In cases other than the above, the processing will be based on the possible development of pre-contractual or contractual measures linked to our services.

SIPAY carries out the following processing of personal data not linked to the website, duly registered in its Register of Processing Activities:

• Management of personnel selection processes.
• Management of the employment relationship, management of trainees, training, payroll management, Social Security and Tax Administration, advances and expenses, travel and displacements, conciliation and equality, registration of delivery and return of corporate devices, internal chat, registration of access/exit of employees in the facilities, registrations, cancellations and accidents at work, management of insurance and policies, Flexible remuneration plan, occupational risk prevention, medical check-ups, corporate events, video surveillance in the facilities.
• Establishment and/or management (execution, development and control) of a contractual relationship with the legal entity or with the self-employed, clients and partners (potential or current).
• Claims management (litigation).
• Management of the prevention of money laundering in operations and companies of the group subject to such regulations and for the prevention of criminal risks.

We may be required to use and retain personal information for legal and compliance reasons, such as preventing, detecting or investigating crime, loss or fraud prevention, or to comply with internal and external audit requirements, our information security, crime prevention, or compliance objectives inherent in our business,  This may lead to the following being processed:

• under applicable law;
• to respond to requests from courts, law enforcement, regulators, and other authorities; and
• to protect other rights of the user or others.

Your commitment, the veracity of the data you provide us.

He declares that the personal data he provides to SIPAY in any part of the use of this website is truthful.

As a user, you should know that you are solely responsible for any damage, direct or indirect, that may be caused to SIPAY as the person responsible for this website or to a third party if you fill in any form with false or third-party data without their prior consent, causing deception, damage or harm.

In order for us to keep your data accurate and up-to-date, please inform us of any changes that may occur in the data provided.

In the event that you contact SIPAY for the services it provides for an entity (legal person) or as a sole proprietor, the processing of your personal data will be based on SIPAY’s legitimate interest (article 19 LOPD).

If you contact SIPAY because you have used our payment methods when purchasing goods or contracting services from a SIPAY customer merchant, the processing will be based on the contract with that merchant, which originated the payment.

In cases other than the above, the processing will be based on the possible development of pre-contractual or contractual measures linked to our services and our website.

In the case of personnel selection, the processing will be based on the development of pre-contractual measures, including the signing of the contract, for the possible hiring of the candidate, in addition to compliance with legal obligations for the registration of the employee.

For the receipt of commercial and courtesy communications related to the services offered by our entity, the legitimate basis is the consent you have given us through the corresponding box. If you have not flagged it or withdraw your consent, we will not or stop sending you these communications.

Who is going to know the information we ask for?

Your personal data may be accessed by service providers that SIPAY hires or may contract and who have the status of data processor, in order to comply with the purposes described in the previous point.

Likewise, those public or private entities to which we are obliged to provide your personal data in order to comply with a law will be aware of your information. To give you an example, the Tax Law requires the Tax Agency to provide certain information on economic transactions that exceed a certain amount.

In the case of the data entered in the Whistleblowing Channel Form, they may be transferred to third parties exclusively in the case of external legal advisors and to judicial bodies and to the State Security Forces and Corps or administrative authority, when necessary and in compliance with a legal obligation (Law 2/2023,  of 20 February, regulating the protection of persons who report regulatory and anti-corruption breaches) and SIPAY’s legitimate interest in complying with the requirements for the prevention of corporate risks, especially those related to the possible criminal liability of the legal entity (Organic Law 3/2018,  of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights).

In some cases, SIPAY uses third-party tools and services to manage some of the services offered on this website. These services are owned by third parties resident in the European Economic Area.

SIPAY tries to use secure tools whose servers are preferably located in Spain, or failing that, in a member state of the European Union, or that comply with European legislation in accordance with the guidelines and recommendations of the Spanish Data Protection Agency, the European Commission and the reference community agreements on international data transfer.

In the event that the international transfer of data is necessary, the acceptance of this Privacy Policy in each of the forms in which you can provide your data will mean that as a user you expressly consent to the aforementioned transfer.

How will we protect your data?

In order to protect the personal data of users, SIPAY ensures itself, and controls its data processors, in the application of technical and organisational measures appropriate to the state of the art to protect personal data, taking into account the scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of the data subjects,  striving to be able to ensure the confidentiality, integrity, availability and resilience of treatment systems and services.

Our information security policies and procedures are regularly reviewed and updated to meet the needs of our business, technological changes and regulatory requirements.

We will protect your data with effective security measures depending on the risks involved in the use of your information.

To this end, our entity has approved a Data Protection Policy and undergoes annual controls and audits to verify the security of the processing.

Will we send your data to other countries?

SIPAY hosts the personal data subject to processing within Spain. Therefore, we do not carry out international transfers of the data processed through this website.

How long will we keep your data?

In general, personal data will be kept as long as you do not revoke your consent to the processing or request its deletion, as well as the time necessary to comply with the legal obligations that SIPAY must observe.

• In the event that you have given your consent to receive commercial communications, we will keep your contact details until you withdraw it, unsubscribing from this processing.
• If you have contacted us as a user of our payment methods, during the term of the contract between you and the merchant, as well as the limitation periods of legally applicable obligations.
• If you have contacted us as an individual who provides services in an entity with which SIPAY has a contractual relationship or may have an interest in it, while you perform such function or position and during the statute of limitations periods of legally applicable obligations.
• If you have contacted us as an individual applying for one of the job offers, your personal data related to the processing for personnel selection will be kept for a period of one year.
• In all other cases, SIPAY will keep the personal data linked to your query until it is answered and will then delete it within 1 month.
• In the case of the data entered in the Whistleblowing Channel Form, they will be kept in the Whistleblowing Channel system for the time necessary to decide on the admissibility of initiating an investigation into the reported facts and, where appropriate, while the process of investigation and resolution of the complaints submitted is carried out. and always for a maximum period of 3 months from the date of entry of the complaint.

In any case, we inform you that SIPAY has established internal data purification policies aimed at controlling the retention periods of the personal data in its possession, so that these may be cancelled when they are no longer necessary and/or adequate for the purpose for which they were collected.

What are your data protection rights?

You may exercise your rights of access, rectification, cancellation, opposition, limitation of processing and portability of data, as well as withdraw the consent given free of charge, in the cases and to the extent established by the applicable regulations at any given time.

Before handling a request to exercise any of the aforementioned rights, SIPAY must verify the identity of the interested party and the legitimacy of their request or claim. SIPAY will respond to such request or claim in accordance with the provisions of the Data Protection Regulations.

To exercise these rights, you may write to SIPAY by post at the following address:

Sipay Plus, S.L.

C/ San Rafael 1, portal 2-2ºC,

28108 – Alcobendas, Madrid.

Or alternatively to dpo@sipay.es 

If you have any questions regarding the exercise of your rights, you can contact the Data Protection Officer through the contact channels listed in the answer to the first question.

Can I withdraw my consent if I change my mind at a later time?

You can withdraw the consent given by means of the request submitted through the website or by checking the box corresponding to the sending of commercial communications if you change your mind in this regard, by sending a new form through the website in which your withdrawal of consent appears.

In case you feel that your rights have been disregarded, where can you make a claim?

In the event that you believe that your rights have been disregarded by our entity, you can file a complaint with the Spanish Data Protection Agency, through one of the following means:

• E-Office: www.agpd.es
• Postal address: Agencia Española de Protección de Datos C/ Jorge Juan, 6 28001-Madrid
• Telephone: Tel. 901 100 099 Tel. 91 266 35 17

Filing a complaint with the Spanish Data Protection Agency does not entail any cost and the assistance of a lawyer or solicitor is not necessary.

Will we build profiles based on your personal data?

SIPAY does not carry out any profiling action on the data you provide to us in order to be able to respond to the query made through the website.

What happens if I am acting on behalf of another natural person?

If you have provided information about other natural persons, you as an applicant are responsible for informing those persons of the content of this information on the protection of personal data within a maximum period of one month. You release SIPAY from any liability that may arise from your failure to comply with this paragraph.

Minors

Anyone of any age is authorized to browse this website.

However, in order to provide their personal data, the user must be over 14 years of age. Otherwise, they must be provided, where appropriate, by their father, mother or legal guardian.

SIPAY reserves the right to request a copy of your ID card or equivalent document that proves its legitimacy in the event of having well-founded suspicions about the user’s minority.

SIPAY recommends that parents, representatives or legal guardians supervise or take the appropriate precautions during minors’ browsing on the Internet, as well as establish filters on the information and content that minors may or may not access.

What happens if personal data security is breached?

In the event of a breach of personal data, unless it is unlikely that such breach of security constitutes a risk to the rights and freedoms of natural persons, SIPAY will notify the Spanish Data Protection Agency within 72 hours after it becomes aware of the incident.  describing the nature of the breach, the possible consequences that may result, and the measures taken or proposed to remedy the security breach; and, if possible, the categories and approximate number of data subjects and data affected shall be made known.

Likewise, SIPAY will notify the data subjects, as soon as possible, when it is likely that the breach of the security of personal data entails a high risk to the rights and freedoms of natural persons, describing the possible consequences that may arise and the measures adopted or proposed to remedy the security breach.

What security measures do we implement to protect personal data?

In order to protect the personal data of users, SIPAY ensures itself and controls its data processors, in the application of technical and organisational measures appropriate to the state of the art to protect personal data, taking into account the scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of the data subjects,  striving to be able to ensure the confidentiality, integrity, availability and resilience of treatment systems and services.

In particular, SIPAY has implemented an encryption and authentication protocol that guarantees that the personal data consulted by us is transmitted to our servers via a secure SSL connection (“Secure-Socket-Layer”) SHA-256 with RSA encryption ( 1.2.840.113549.1.1.11 ), in order to protect it from third parties.

The Security Policy (PCIDSS) and information security procedures are regularly reviewed and updated in order to meet business needs, technological changes and regulatory requirements:

• Technical and organizational measures are put in place to store and transfer information securely to protect against accidental attack or loss, as well as unauthorized access, use, destruction, or disclosure.
• SIPAY has a privacy and security risk assessment strategy, as well as a disaster recovery and business continuity plan designed to safeguard the continuity of our services and to protect your staff.
• Appropriate restrictions apply on access to personal information.
• SIPAY requires its processing providers to provide accreditation of the security controls appropriate to the processing of personal data that, in each case, they carry out.
• SIPAY requires its employees and contractors to continuously train in the area of information security, as well as in other pertinent areas, as they have access to personal information and other sensitive data.

SIPAY states that it is able to act quickly and effectively to restore the availability and access to personal data in the event of identifying the occurrence of a physical or technical incident, maintaining an internal record of incidents, as well as the necessary management and control activities of backups that guarantee the recovery of information in the event of a possible security incident.

SIPAY declares to store users’ personal data on secure servers, protected against the most common types of attacks and located in Spain.

Use of cookies

SIPAY uses cookies (small information files that are downloaded to a user’s device or terminal equipment when accessing a website, in order to store data that can be updated and retrieved by the person responsible for its installation) and other tracking technologies to carry out certain functions that are considered essential for the correct functioning and display of the website and,  in some cases, to store and manage user preferences, enable content, and collect analytics and usage data.

To obtain these analyses, this website may store certain information in the server logs automatically through the use of cookies or other mechanisms (such as local or browser session storage) that collect non-personal usage and browsing data relating to the use of this website by the User. These logs typically include information such as browser type, browser language, date and time of access request, URL, computer or device model, operating system version, and data about the mobile network used to access and browse this website.

What happens if I am acting on behalf of another natural person?

If you have provided information about other natural persons, you as an applicant are responsible for informing those persons of the content of this information on the protection of personal data within a maximum period of one month. You release SIPAY from any liability that may arise from your failure to comply with this paragraph.

What is the applicable law and jurisdiction?

SIPAY is based in Spain, so the content of this Data Protection Policy has been drafted in accordance with Spanish law and applicable European Union regulations.

The User accepts that any claims or complaints against SIPAY arising from or related to the use of this website and more specifically to the processing of their personal data will be resolved by the court of competent jurisdiction located in Madrid (Spain).

If SIPAY has to make any type of claim, it will do so before the competent court of the user’s domicile or in Madrid (Spain) in the case of legal persons or non-consumer professionals.

If you access this site from a location outside of Spain, you are responsible for complying with all applicable local and international laws.

Reservation of the right to modify the Data Protection Policy

SIPAY may modify this Data Protection Policy at any time, taking into account the evolution of this website and the contents offered therein, if it deems it necessary, either for legal reasons, for technical reasons, or due to changes in the nature or layout of the website, without there being any obligation to notify or inform the User of such modifications.  It is understood that its publication on the website itself is sufficient.

Any modification will be effective with respect to users who use this website after such modification. Your continued use of this site following the posting of any changes will be deemed acceptance of the changes. That is why, at the end of this Data Protection Policy, the last date of its update will always be published, so the changes introduced will be effective from that date.

In the event that the User does not agree with the updates to our Data Protection Policy, he/she may waive them by not entering his/her personal data in the contact forms on the website or by exercising his/her rights as specified above. If your rights are not satisfied, you can lodge a complaint with the supervisory authority.

Last Updated by DPO: 04/15/24