Privacy Policy

Version 2 (November 2024) 

1. Purpose of the Policy

The company PLAG N’ PAY Payment Institution S.A. (hereinafter “PLAG N’ PAY”) is a corporation headquartered at Navarinou 21, Piraeus, Greece, with Tax Identification Number (TIN): 801669819, Tax Office: Piraeus, and General Commercial Registry (GEMI) No.: 161185207000. Its official website is https://www.plagnpay.gr. The company is licensed by the Bank of Greece to operate as a payment institution. Compliance with the legal and regulatory framework for the protection of personal data is a core priority for the company. For this purpose, it has designed and implemented this Privacy Policy, which includes the fundamental principles to ensure the lawful processing of personal data in accordance with applicable legislation.

2. Data Controller

PLAG N’ PAY Payment Institution S.A. acts as the Data Controller for all personal data it collects, processes, and stores.

3. Categories of Personal Data Processed

The personal data categories processed by PLAG N’ PAY include:

  • Personal identification data, such as name, residential and/or business address, email address, phone number, date of birth, gender, nationality, and identification numbers (e.g., national ID numbers or related documentation).
  • Transaction and financial information, such as money transfer data related to senders and recipients, bill payment details, and banking or credit-related information.

Personal data may be collected directly from customers/individuals, partners/service users, or third parties, such as money transfer senders, suppliers, agents, or collaborators.

4. Legal Basis for Data Collection and Processing

The processing of personal data is lawful only when it is based on legal grounds and necessary for conducting transactions or providing services to customers/consumers. The legal bases under which PLAG N’ PAY processes data include:

  • Execution and performance of a contract between the company and its customers or representatives.
  • Compliance with legal and regulatory obligations arising from applicable legislation.
  • Exercise of rights and fulfillment of legal obligations of both the company and its customers, representatives, or partners.
  • Consent provided by data subjects (customers, collaborators, employees). Before granting consent, data subjects are informed about the purpose of processing, the type of data involved, the Data Controller, the anticipated processing duration, and typical data recipients. Data subjects are also informed of the consequences of granting or withholding consent, as well as their right to withdraw it. Withdrawal of consent does not affect the lawfulness of prior processing based on that consent.

5. Recipients of Personal Data

Personal data processed by PLAG N’ PAY may be disclosed or transferred to third parties only when necessary to execute services or fulfill its obligations. Recipients may include:

  • Authorized employees of the company, within the scope of their job responsibilities.
  • Representatives of PLAG N’ PAY, facilitating transactions. In such cases, PLAG N’ PAY remains the Data Controller and has bound its network of representatives through Data Processing Agreements that detail processing rules, ensuring compliance with the GDPR and related national and European legislation.
  • Payment providers, banking partners, regulatory, financial, or other government authorities, public bodies, and courts, as required by law or the regulatory framework.

6. International Data Transfers

If required by the nature of a transaction, customer data or representatives’ data may be transferred to countries or organizations outside the European Economic Area (EEA). Such international transfers are based on:

  • Adequacy decisions (Article 45 GDPR).
  • In the absence of an adequacy decision, appropriate safeguards are implemented using transfer mechanisms outlined in Article 46 GDPR (e.g., Binding Corporate Rules, Standard Contractual Clauses, approved codes of conduct).

7. Data Subjects’ Rights

Data subjects can exercise the following rights concerning the processing of their data by PLAG N’ PAY:

a) Right to information and transparency: The right to know who processes their data, what data is involved, and why.

b) Right of access: Data subjects can request free access to their personal data held by PLAG N’ PAY.

c) Right to rectification: The right to request the correction of inaccurate or incomplete personal data.

d) Right to erasure (“right to be forgotten”): The right to request deletion of their personal data under certain conditions, such as when the data is no longer needed, consent has been withdrawn, or the data has been unlawfully processed.

e) Right to restrict processing: The right to request restriction of data processing in cases of contested accuracy, unlawful processing, or objection to automated processing.

f) Right to data portability: The right to request transfer of their data to another data controller.

g) Right to object: The right to object to the processing of their personal data, provided it does not conflict with public interest.

h) Right to non-automated decision-making and profiling: The right to object to decisions based solely on automated processing, including profiling, which significantly affect the individual.

8. Data Retention Period

Data retention is primarily determined by the legal and regulatory framework governing payment institutions and financial transactions.

  • Transaction data is retained for five years from the transaction date, unless extended retention is permitted or required by law (e.g., up to ten years).
  • Communication form data collected via the company website is retained until the response is sent to the inquirer.

9. Technical and Organizational Data Protection Measures

PLAG N’ PAY implements appropriate technical and organizational measures to ensure a security level proportional to risks in data processing. Key measures include:

a) Transaction monitoring tools for detecting suspicious activities and potential data inconsistencies. Access to these tools is restricted to the AML Officer.
b) Proprietary data servers located in Athens and Thessaloniki with encryption mechanisms.
c) Backup systems in Thessaloniki for redundancy.
d) IT systems utilizing Two-Factor Authentication (2FA) and data encryption for secure transactions.
e) Data Processing Agreements with all partners, agents, and collaborators, outlining required protective measures and inspection rights.

10. Data Protection Officer

For inquiries, complaints, or any data-related matters, PLAG N’ PAY has appointed a Data Protection Officer (DPO):

11. Policy Updates

This policy will be updated as necessary due to changes in data protection legislation or operational and organizational modifications at PLAG N’ PAY.