English Greek

Privacy Statement for the Application JCCup

25/10/2018

This Privacy Statement aims to give you information on how JCC Payment Systems Ltd collects, uses, discloses and processes your personal data through your use of the JCCup and the means by which this is done. The Privacy Statement is the means of notifying the JCCup users of their rights in accordance with local law and the EU General Data Protection Regulation (EU) 2016/679.

JCC Payment Systems Ltd is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience.

By accessing, browsing and/or using the JCCup, you consent to the data practices described in this Privacy Statement and acknowledge that you have read, understood, and agree, to be bound by these terms conditions, and notices contained herein and to comply with all applicable laws and regulations.

For the purposes of this Privacy Statement “Personal Data” refers to all data which relates to a living individual who can be identified from such data such as for instance, name, address and/or identification number. It does not include data where the identity has been removed (anonymous data).

About ‘JCC Payment Systems Ltd’



JCC Payment Systems Ltd is a limited liability company organised and existing under the laws of Cyprus with registration number HE29914 having its registered office address at 1 Stadiou Street, 2571 Industrial Area Nisou, 1500 Nicosia which is primarily engaged in the business of card-processing and acquiring.

JCCup is a mobile application offered by JCC Payment Systems Ltd to you, the customer. It offers to the customers the ability to register their cards and perform payments using the application for goods and services at merchants who accept payments using this application.

JCCup allows Users to create an account, register their eligible cards and perform payments by simply scanning the QR codes presented by the participating merchants. QR codes may printed at merchant locations or generated dynamically from a Merchant JCCup. Users will be also able to see their transaction history, manage their cards and edit their profiles.

JCC Payment Systems Ltd (referred to as ‘we’, ‘us’, ‘our’, ‘JCC Payment Systems’ or the ‘JCC’) is committed to protecting your privacy and handling your data in an open and transparent manner. The personal data that we collect, and process depends on the service requested and agreed in each case.

This privacy statement:
  • provides an overview of how JCC collects and processes your personal data and tells you about your rights under the local data protection law and the EU General Data Protection Regulation (‘GDPR’)
  • is directed to natural persons who are either current or potential customers of JCC
  • contains information about when we share your personal data with other third parties (for example, our service providers or suppliers).
In this privacy statement, your data is sometimes called “personal data” or “personal information”. We may also sometimes collectively refer to handling, collecting, protecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destructing your personal data or any such action as “processing” such personal data.

For the purposes of this statement, personal data shall mean any information relating to you which identifies or may identify you and which includes, for example, your name, address and telephone number.

1. Who we are



JCC Payment Systems Ltd is a licensed payment institution registered in Cyprus under registration number HE29914 as a private limited liability company having its registered office and head offices at 1 Stadiou Street, 2571 Industrial Area Nisou, P.O. Box 21043, 1500 Nicosia, Cyprus.

If you have any questions, or want more details about how we use your personal information, you can contact our Data Protection Officer at 1 Stadiou Street, 2571 Industrial Area Nisou, P.O.Box 21043, 1500 Nicosia, Cyprus, email: dpo@jcc.com.cy .

2. What personal data we process and where we collect it from



We collect and process different types of personal data which we receive from you during your use of the JCCup.

By using the JCCup and accepting the Terms and Conditions we collect the following Personal Data from you:
  • First Name
  • Last Name
  • Date of Birth
  • Nationality
So as to be able to proceed with execution of the service you shall also be requested to register your card numbers, CVV and Expiry date.

3. Children’s data



The use of the JCCup and the services offered thereto are not directed to children under the age of majority. For the purposes of this Privacy Statement, “children” are individuals who are under the age of sixteen (16). We do not knowingly collect information, including Personal Data, from children or other individuals who are not legally able to use the JCCup. If we obtain actual knowledge that we have collected Personal Data from a child under the age of majority, we will promptly delete it, unless we are legally obligated to retain such data. Contact us at customerservice@jcc.com.cy or on 22868000 from Cyprus or 2155205600 from Greece. If you believe that we have mistakenly or unintentionally collected information from a child under the age of majority.

4. Whether you have an obligation to provide us with your personal data



In order that we may be in a position to proceed with the service of JCCup, you must provide your personal data as required by the system and which are necessary for the required commencement and execution of the service. Kindly note that if you do not provide us with the required aforementioned data, then we will not be allowed to commence or provide the service to you.

5. Why we process your personal data and on what legal basis



As mentioned earlier we are committed to protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in accordance with the GDPR and the local data protection law for one or more of the following reasons:

i. For the provision of the service requested.

We process personal data in order to perform card payment transactions and offer payment services to our customers. The purpose of processing personal data depends on the requirements for each product or service.

ii. For compliance with a legal obligation

There are a number of legal obligations emanating from the relevant laws to which we are subject as well as statutory requirements, e.g. the Cyprus law, the Money Laundering Law, Resolution of Credit and Other Institutions Scheme, Payments Law. There are also various supervisory authorities whose laws and regulations we are subject to e.g. the European Central Bank, the European Banking Supervisory Authority, the Cyprus Central Bank and the International Card Scheme rules and regulations. Such obligations and requirements impose on us necessary personal data processing activities for credit checks, identity verification, compliance with court orders, tax law or other reporting obligations and anti-money laundering controls.

iii. For the purposes of safeguarding legitimate interests

We process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. Examples of such processing activities include:
  • Initiating legal claims and preparing our defence in litigation procedures,
  • Means and processes we undertake to provide for JCC’s IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures,
  • Measures to manage business and for further developing products and services.
iv. You have provided your consent

Provided that you have given us your specific consent for processing (other than for the reasons set out hereinabove) then the lawfulness of such processing is based on that consent. You have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.

6. Who receives your personal data



In the course of the performance of our contractual and statutory obligations your personal data may be provided to various departments within JCC. Various service providers and suppliers (sub-processors) may also receive your personal data so that we may perform our obligations. Such service providers and suppliers enter into contractual agreements with JCC by which they observe confidentiality and data protection according to the data protection law and GDPR. The list of these sub-processors can be found on our website at www.jcc.com.cy .

It must be noted that we may disclose data about you for any of the reasons set out hereinabove, or if we are legally required to do so, or if we are authorized under our contractual and statutory obligations or if you have given your consent. All data processors appointed by us to process personal data on our behalf are bound by contract to comply with the GDPR provisions.

Under the circumstances referred to above, recipients of personal data may be, for example:
  • Supervisory and other regulatory and public authorities, in as much as a statutory obligation exists. Some examples are the Central Bank of Cyprus, the European Central Bank, the VAT and the income tax authorities, criminal prosecution authorities,
  • External legal consultants,
  • Auditors and accountants,
  • Marketing operations,
  • International Card Schemes such Visa, MasterCard, Diners, etc.,
  • Fraud prevention agencies,
  • File storage companies, archiving and/or records management companies, cloud storage companies,
  • Companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support and facilitating payments.

7. Transfer of your personal data to a third country or to an international organisation



Your personal data may be transferred to third countries [i.e. countries outside of the European Economic Area] in such cases as e.g. to execute your payment or if this data transfer is required by law or you have given us your consent to do so. Processors in third countries are obligated to comply with the European data protection standards and to provide appropriate safeguards in relation to the transfer of your data in accordance with GDPR.

8. To what extent there is automated decision-making and whether profiling takes place



In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to be registered and start using the JCCup.

9. How we treat your personal data for marketing activities and whether profiling is used for such activities



We may process your personal data to tell you about products, services and offers that may be of interest to you or your business. Your consent is required in such cases.

The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services, such as information on your transactions. We study all such information to form a view on what we think you may need or what may interest you. In some cases, profiling is used, i.e. we process your data automatically with the aim of evaluating certain personal aspects in order to provide you with targeted marketing information on products.

We can only use your personal data to promote our products and services to you if we have your explicit consent to do so or, in certain cases, if we consider that it is in our legitimate interest to do so.

You have the right to object at any time to the processing of your personal data for marketing purposes, which includes profiling, by contacting JCC at any time in person or in writing at the email: dpo@jcc.com.cy .

10. Cookies and other identifiers



Cookies are small text files that are automatically stored or read out from the visitor’s device (including a PC, tablet or smartphone) whenever you visit a website. The information obtained by a cookie regarding your use of our Portals, your IP address/ID of the device you use, can be transferred to a secure server in use by us or a third party.

In general, this information is collected and analysed for the following purposes:
  • to generate general statistics and to obtain information on our Clients’ usage of our Portals and to improve the user-friendliness of the Portals (analytics cookies); and
  • to enable functionalities of the Portals (functionally required cookies).
For the abovementioned purposes we make use of Analytics cookies. Google Analytics collects information on how you navigate on our applications. We have concluded a data processing agreement with Google and we have implemented other measures to safeguard your privacy. For instance, we have de-activated the standard setting in Google Analytics for sharing your personal data with Google. Additionally, and Google is committed to adhering to multiple self-regulation frameworks, including the EUUS Privacy Shield Framework. Visit the Privacy Shield Website for more information on the EU-US Privacy Shield Framework and to review Google’s certification. Also read the privacy statement from Google (which is subject to change) to see what they do with your personal data, which they collect via these cookies.

11. How long we keep your personal information



We will keep your personal data for as long as the service is required by you.

Once the service is ended, we may keep your data for up to ten (10) years in accordance with the directive of the Data Protection Commissioner (http://www.dataprotection.gov.cy ).

We may keep your data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons.

12. Your data protection rights



You have the following rights in terms of your personal data we hold about you:
  • Receive access to your personal data. This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing it. In order to receive such a copy you can contact us at the email: dpo@jcc.com.cy .
  • Request correction [rectification] of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to erase your personal data [known as the ‘right to be forgotten’] where there is no good reason for us continuing to process it.
  • Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
  • Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data if:
    • it is not accurate,
    • it has been used unlawfully but you do not wish for us to delete it,
    • it is not relevant any more, but you want us to keep it for use in possible legal claims,
    • you have already asked us to stop using your personal data but you are waiting us to confirm if we have legitimate grounds to use your data.
  • Request to receive a copy of the personal data concerning you in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your personal data transmitted directly by ourselves to other organisations you will name [known as the right to data portability].
  • Withdraw the consent that you gave us with regard to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact our Data Protection Officer at the email: dpo@jcc.com.cy . We endeavour to address all of your requests promptly.

13. Right to lodge a complaint



If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by sending an email to our Data Protection Officer at email: dpo@jcc.com.cy . You also have the right to complain to the Office of the Commissioner for Personal Data Protection.You can find out on their website how to submit a complaint (http://www.dataprotection.gov.cy ).

14. Changes to this privacy statement



We may modify or amend this privacy statement from time to time.

We will notify you appropriately when we make changes to this privacy statement and we will amend the revision date at the top of this page. We do however encourage you to review this statement periodically so as to be always informed about how we are processing and protecting your personal information.

15. Frequently asked questions



To help you understand the basic principles of data privacy law and address some of the common questions that arise with regard to the protection of your personal data, please refer to the Frequently Asked Questions at www.jcc.com.cy