Pursuant to Article 26(2) of Regulation (EU) 2016/679 on Data Protection (“GDPR”), the essential content of the Joint Controllership Agreement for the processing of personal data collected in the performance of the Agreement between Walliance Group S.p.A. and Mangopay S.A. for the provision of payment services by the authorised payment service provider Mangopay S.A. in favour of the users of the Portal (pursuant to the joint controllership agreement, referred to as the “Partner”) is published and made available to the Data Subjects below.
Whereas:
Mangopay S.A. is a private limited liability company (société à responsabilité limitée) with registered office at Avenue Amélie 2, L-1125 Luxembourg, registered with the Luxembourg Trade and Companies Register under number B173459, authorised as an electronic money institution by the Commission de Surveillance du Secteur Financier (CSSF) and holding a “European passport” in several jurisdictions, including Italy;
Walliance Group S.p.A. is a joint-stock company (società per azioni) with registered office at Viale della Costituzione 16, 38122 Trento, Italy, registered with the Trento Companies Register under number 224237, authorised to operate as a European crowdfunding service provider pursuant to Regulation (EU) 2020/1503, by Consob Resolution no. 22878 of 08/11/2023;
the services provided by Mangopay S.A. to users are governed by Mangopay S.A.’s General Terms and Conditions, available in the footer of the website;
Mangopay S.A. has created an API (application programming interface) for online platform operators, enabling them to integrate a payment solution into their website or mobile application, through which Mangopay S.A. processes payments between users;
Walliance Group S.p.A. and Mangopay S.A. have entered into an agreement governing the conditions under which Mangopay S.A. grants Walliance Group S.p.A. the use of the API and provides payment services to users, as well as the conditions under which Walliance Group S.p.A. integrates its website with the secure electronic system under the control of Mangopay S.A., via the API, and provides technical and commercial services to Mangopay S.A. (hereinafter, the “Agreement”);
Walliance Group S.p.A. and Mangopay S.A. have agreed that the processing of personal data related to the performance of the Agreement entered into between them constitutes joint controllership between Walliance Group S.p.A. and Mangopay S.A.;
for the purposes of the joint controllership agreement between Walliance Group S.p.A. and Mangopay S.A., “personal data” means any information relating to an identified or identifiable natural person whose data are processed in the context of the Agreement between Mangopay S.A. and Walliance Group S.p.A.;
Now therefore:
Walliance Group S.p.A. and Mangopay S.A., having entered into the above-mentioned Agreement, have concluded an agreement governing the processing of personal data related to its performance, also pursuant to and for the purposes of Article 26 GDPR, which provides as set out below.
➡️ Click here to consult the full Joint Controllership Agreement.
“1. Scope and role of the Parties
MANGOPAY, within the context of the regulated services provided to the Data subjects as an electronic money institution, shall in particular process Personal Data for the following purposes: opening and managing the account; receiving and executing payment transactions; managing customer relation and claims; combating money laundering and the financing of terrorism. The Partner acknowledges that it partly determines the purposes and/or the means used to make such processing. Indeed, the Partner’s Website may be considered as a communication channel with MANGOPAY’s API and constitutes the only contact point of the Data subject for the collection of its Personal Data and the customer service. Furthermore, the Partner uses the services of MANGOPAY in order to generate on its payment page the input fields to collect payment data (card data). The purpose of this processing is determined by the Partner, as the publisher of the Website and payment page. However, MANGOPAY acknowledges that it determines on its own some of this processing’s means. Indeed, MANGOPAY’s API allows to generate the data input fields and to communicate with the “Payment service provider” selected by MANGOPAY. Thus, the Parties each intervene for the determination of either the purposes or the means of the above-mentioned processing. The Parties agree that they jointly take the responsibility for the processing, in accordance with article 26 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”), applicable from 25 May 2018. Each Party acknowledges that it has to respect all the provisions of the GDPR applicable to data controllers […]”
“3. Exercise of data subjects’ rights
The Parties agree that the Partner shall be the main contact point of the Data subjects concerning the requests to exercise their rights (the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability). For this purpose, the Partner shall provide to the Data subjects the modalities permitting the exercising of these rights in a clear and accessible manner. If the Partner is unable to process on its own the request of a Data subject, MANGOPAY shall cooperate with the Partner. For this purpose, the Partner shall contact MANGOPAY as soon as possible in order for the Parties to comply with the response times listed under article 12 of the GDPR.”
“6. Security of personal data
The Parties acknowledge that they shall protect the Personal Data against any unauthorised or unlawful processing and against the accidental loss, destruction or damage. Each party is responsible on its own for the implementation of appropriate technical and organisational measures in order to guarantee the integrity and confidentiality of Personal Data, in accordance with article 32 of the GDPR.”
“7. Accuracy and retention of personal data
[…] The Partner shall not store any Data transmitted exclusively for the purpose of the regulated services provided by MANGOPAY. The Parties acknowledge that the Partner may store Data transmitted for the purpose of both MANGOPAY’s activities and the Partner’s own activities (for instance the email address or information related to the identity of the Data subject). […]”