Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 on Data Protection ("GDPR"), Walliance Group S.p.A. (hereinafter, the "Data Controller" or "Walliance"), acting as joint controller with Mangopay S.A., provides information regarding the processing of personal data collected in the context of the Agreement relating to the provision of payment services by the authorised payment service provider Mangopay S.A. in favour of the users of the Portal (hereinafter, the "Joint Controller" or "Mangopay").
As provided for in the joint controllership agreement (an excerpt of which is available here), the Joint Controllers have agreed that Walliance shall provide Data Subjects with the information in accordance with Articles 12 et seq. of the GDPR.
This Information Notice applies to the website https://www.walliance.eu (hereinafter, the "Website") and its related subdomains, including, by way of example and not limitation, www.walliance.it, www.walliance.fr and www.walliance.es, which are owned by Walliance (hereinafter, the "Websites"), managed by the Data Controller, as well as to the Walliance application (the "App"), managed by the same Data Controller.
Any processing of personal data carried out for purposes other than those covered by the joint controllership agreement shall be performed by Walliance and Mangopay under their sole responsibility, including the processing of data transmitted and stored by Walliance for purposes other than the services provided by Mangopay.
With regard to all processing activities outside the scope of the joint controllership agreement, each data controller acts independently, and reference should be made to the relevant specific privacy notices.
Mangopay’s privacy policy is available at the following address: https://mangopay.com/privacy-and-cookie-policy.
Walliance’s privacy policy is available at the following link.
In this context, Walliance provides the following information:
1. DATA CONTROLLER, DATA PROCESSORS AND DATA PROTECTION OFFICER ("DPO")
As a result of the Agreement entered into between Walliance and Mangopay for the provision of Mangopay payment services, data relating to identified or identifiable natural persons collected through the Websites may be processed.
The identifying details of the Data Controller and manager of the Websites are as follows: Walliance Group S.p.A., with registered office at Viale della Costituzione 16, 38122 Trento (Italy), tax code and VAT number 02432640221, REA TN-224237.
Together with Walliance Group S.p.A., the wholly owned subsidiaries listed below may process data on behalf of the Data Controller in order to support Walliance Group S.p.A. in the management of its activities, respectively in France and Spain.
Walliance France SASU | 12 Quai du Commerce | 69009 Lyon, France | VAT: FR03850446915 | RCS: Lyon B 850 446 915 | Share capital: EUR 50,000.00
Walliance Spain S.L. | Calle José Ortega y Gasset 22-24 | 28006 Madrid, Spain | VAT: ESB72842677 | NIF: B72842677 | Share capital: EUR 10,000.00
The list of data processors may be requested by sending an email to the following address: privacy@walliance.eu.
The Data Controller has appointed a Data Protection Officer (hereinafter, the "DPO"), Ms. Lisa Vicenzi, who may be contacted at the following address: dpo@walliance.eu.
The identifying details of the Joint Controller are as follows: Mangopay S.A., with registered office at 2 Avenue Amélie, L-1125 Luxembourg, registered with the Luxembourg Trade and Companies Register under number B173459.
2. PURPOSES OF THE PROCESSING
Personal data shall be processed for the following purposes:
purposes related to the provision of the requested services (e.g. the opening of the so-called "Wallet" intended for users who create an account with Walliance, in order to make and receive payments in accordance with Mangopay’s terms of use);
purposes related to the provision of services supplied by Mangopay, including account opening and management; receipt and execution of payment transactions; management of customer relations and complaints; prevention of money laundering and terrorist financing.
3. PERSONAL DATA SUBJECT TO PROCESSING
Any information relating to an identified or identifiable natural person whose data are processed in the performance of the Agreement between Mangopay S.A. and Walliance Group S.p.A. may be processed, including payment data collected by Walliance Group S.p.A. through the services provided by Mangopay S.A.
4. PROVISION OF DATA AND LEGAL BASIS FOR PROCESSING
Personal data are provided by users. The legal basis for processing is the performance of a contract to which the Data Subject is a party, pursuant to Article 6(1)(b) GDPR, and the processing is necessary in order for users to benefit from Mangopay’s services. Failure to provide such data will prevent users from accessing the services of Walliance and Mangopay.
5. COLLECTION, METHODS, SECURITY AND DURATION OF PROCESSING
The Website constitutes a communication channel with Mangopay’s API and represents the Data Subject’s point of contact for the collection of their personal data.
Personal data are processed by the Data Controller – or by third parties carefully selected for their reliability and competence and duly appointed as data processors – exclusively for the purposes specified above, mainly using automated tools but also in paper form, for the time strictly necessary to achieve the purposes for which they were collected and, in any event, no longer than ten years from the termination of any relationship with the Data Controller.
Specific security measures are implemented to prevent data loss, unlawful or improper use and unauthorised access, in full compliance with applicable regulations.
6. DISCLOSURE AND COMMUNICATION OF DATA
Without prejudice to communications required to comply with legal and contractual obligations, the collected and processed data may be shared, exclusively for the purposes indicated above, with the Joint Controller or with data processors appointed pursuant to Article 28 GDPR.
Personal data may be made available to employees or collaborators of the Data Controller belonging to administrative, commercial, legal, accounting or IT system administration functions, depending on the processing activity, who operate under the direct authority of the Data Controller, are appointed as authorised persons or data processors pursuant to Articles 28 and 29 GDPR, and receive appropriate operational instructions.
Personal data may be communicated to third parties external to the Data Controller whose activities are necessary and functional to the provision of the Websites’ features.
Personal data may be communicated to third parties such as individuals, companies or professional firms providing assistance and consultancy services to the Data Controller, duly appointed as data processors; entities, bodies or authorities to which disclosure is mandatory pursuant to legal provisions or orders of competent authorities; parties delegated and/or appointed by the Data Controller to carry out activities strictly related to the purposes indicated above (including technical maintenance of systems), duly appointed as data processors; as well as commercial partners and service providers functional to software development and the provision of services related to the Website.
Where required, the Data Controller reserves the right to obtain the Data Subject’s specific consent.
Personal data shall not be disclosed by the Data Controller without the Data Subject’s express and specific consent. Data may be transferred abroad, to countries within the European Union or to countries outside the European Union that are subject to an adequacy decision by the European Commission, or to countries without such decision, in compliance with and within the limits set forth in Articles 44–49 GDPR.
7. DATA RETENTION AND PLACE OF PROCESSING
Personal data are stored and processed using IT systems owned by the Data Controller and managed by the Data Controller itself or by third-party technical service providers. Data are processed exclusively by specifically authorised personnel, including personnel responsible for extraordinary maintenance activities.
Data shall be retained for the time strictly necessary for the contractual or legal purposes for which they were provided and, in any event, no longer than ten years from the termination of any relationship with the Data Controller.
Processing activities are carried out primarily within the territory of the European Union. Where, for operational reasons, it is necessary to transfer personal data outside the European Union, such transfers shall take place to countries subject to an adequacy decision or in compliance with Articles 44–49 GDPR.
8. RIGHTS OF THE DATA SUBJECT
At any time, Data Subjects may exercise their rights pursuant to Articles 15 to 22 GDPR, including the right:
to obtain confirmation as to whether or not personal data concerning them are being processed;
to obtain information regarding the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed and, where possible, the period for which the personal data will be stored;
to obtain the rectification or erasure of personal data;
to obtain the restriction of processing;
to obtain data portability, that is, to receive the personal data from the data controller in a structured, commonly used and machine-readable format and to transmit those data to another data controller without hindrance;
to object to the processing at any time, including where personal data are processed for direct marketing purposes;
to object to automated decision-making concerning natural persons, including profiling;
to request from the data controller access to personal data and the rectification or erasure of such data or restriction of processing concerning them, or to object to such processing, as well as the right to data portability;
to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
to lodge a complaint with the supervisory authority (Italian Data Protection Authority – www.garanteprivacy.it).
Requests may be submitted by sending an email to the following address: privacy@walliance.eu, which serves as the contact point for Data Subjects with regard to requests to exercise their rights.
9. AMENDMENTS
This privacy notice may be amended to reflect legislative or technological changes, changes in data collection and use, or to allow us to introduce new features or services. In the event of any amendments, Walliance will inform you: (i) by means of a pop-up alert published on the main page of the Website and/or (ii) by taking any other action that the Data Controller deems appropriate. Any amendments made shall take effect as of their publication, and continued browsing of the Website after such time shall constitute acceptance of those amendments.