Fraud Detect Privacy Statement
Effective Date: April 30, 2021
First Data Corporation and its subsidiaries and affiliates (collectively, First Data or “we”) provide the Fraud Detect service (the Service) to subscribing merchants to help identify and reduce fraud in card-not-present transactions and in account registrations performed through the merchant’s mobile application and website; however, merchants are not required to use all aspects of the Service. This “Privacy Statement” explains how we collect, use, disclose, and otherwise process personal information about cardholders and merchants in connection with the Service. This Privacy Statement does not apply to First Data’s privacy practices outside of the context of the Service, such as its payment card acceptance services.
First Data’s processing of personal information in connection with the Service is governed by this Privacy Statement and our agreement with the merchant for this Service (Service Agreement). In the event of any conflict between this Privacy Statement and a Service Agreement, the Service Agreement will control to the extent permitted by applicable law.
We provide important information here for individuals located within Member States of the European Union, countries in the European Economic Area, the United Kingdom, and Switzerland (collectively, “Europe” or “European”). We also describe European data protection rights, including a right to object to some of the processing which First Data carries out. More information about your rights, and how to exercise them, is set out in the “Your rights and choices” section.
This Privacy Statement is not a substitute for any privacy notice that merchants are required to provide to their customers or end-users.
We collect information about the merchant that subscribes to use the Service upon registration and when consumer transactions are processed. This information may include:
Information we collect about individuals
We collect information about the following categories of individuals in connection with the Service (e.g., when an individual places an order for physical or digital goods or services or registers for an account with a merchant). In many instances, these will be the same person:
Merchants may provide us with a variety of information about individuals, such as:
We may obtain a variety of information about transactions performed via the merchant’s website or mobile application. This information is associated with an individual. This type of information includes:
Merchants are free to submit additional information to us in connection with payment transactions, account registrations, and our performance of the Service. Such information may include, without limitation:
We collect information automatically about end-users’ computers or mobile devices in connection with account registrations or transactions. This information varies depending on whether the relevant transaction or interaction was performed via a web browser or mobile application. We may use service providers to facilitate our collection of computer or device data, including through the use of third-party cookies when the Service is implemented on a website. If we are unable to collect information about an end-user’s computer or mobile device in connection with a transaction or registration, we may be unable to provide the Service for that transaction or registration; and, as a result, a merchant may choose whether to reject or accept that transaction or registration.
The specific information we collect via mobile applications may vary depending on whether an Android or Apple device is used and the version of the operating system installed on the end-user’s device. In addition, our ability to collect certain information may depend on whether the end-user has granted the merchant’s app certain permissions. Typically, the information we collect includes:
We use the information we collect about individuals, transactions, and devices for the purposes described in this Privacy Statement and otherwise in our Service Agreement.
We use the information we collect to provide and improve the Service, which includes:
We may send merchants who have subscribed to the Service marketing communications as permitted by law. Our marketing communications may be targeted based on aggregated information about a merchant’s use of the Service – such as transaction volume, velocity, amounts, and types of goods or services sold, and chargeback ratios. Merchants will have the ability to opt out of such communications. We do not use the data that we collect in connection with the Service to send marketing emails to the end-users or consumers of merchants that use the Service.
For product development, analytics, and other legitimate business purposes
We use the information we collect for our own legitimate business purposes, which include:
In some circumstances, we may need consent of the data subject in the performance of our Service. Merchants are responsible for ensuring data subject consent is obtained for the performance of our Service.
We may create anonymous data from the personal information we collect. We make personal information into anonymous data by excluding information that makes the data personally identifiable, and use that anonymous data for our lawful business purposes.
In addition, we may also use personal information as we believe necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
With our professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
We may also share personal information with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We may sell, transfer or otherwise share some or all of First Data’s business or assets, including personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets or in the event of bankruptcy.
In connection with the Service, First Data may transfer personal information to countries outside of the country where the data was initially collected, including to the United States. Please see the Service Agreement for additional information regarding how First Data safeguards the personal information it transfers across borders. Additional information is provided in the section titled “Information of Relevance to European Data Subjects.”
First Data is made up of different legal entities. The controller is the member of the First Data group that signs the Service Agreement, or which is otherwise identified as the controller in the Service Agreement. If you would like more information about which First Data entity is the controller in respect of your information, you can contact us for this.
The contact information for First Data’s Data Protection Officer is:
Data Protection Officer, First Data
Email address: email@example.com
Postal address: Floor 29
1 Canada Square
London E14 5AB
Our legal bases for the processing of personal information are as follows:
Processing purpose
Providing our products and services
If you are a subscribing merchant, processing is necessary to perform the contract governing our provision of the products or services or to take steps that you request prior to signing up for the Services.
Otherwise, the processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
· Research, development and analytics
· Creating anonymous data
· Compliance, fraud prevention, and safety
These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Compliance, fraud prevention, and safety (where we have a legal obligation)
Processing is necessary to comply with our legal obligations
Direct marketing (where consent is required)
Processing is based on your consent. Where we rely on your consent, you have the right to withdraw it at any time in the manner indicated at the time we collect your information or by contacting us at firstname.lastname@example.org.
When we transfer personal data outside of Europe to countries not deemed to provide an adequate level of protection for personal data, we make the transfer as follows:
· When transferring personal data to a company in the First Data group, the transfer is made based on our Binding Corporate Rules, a copy of which can be found here.
· When transferring personal data to third parties, the transfer will be made pursuant to:
o A contract approved by the European Commission (sometimes called “Model Clauses” or “Standard Contractual Clauses”);
o Privacy Shield arrangements between the US and each of the EU, Switzerland and the UK;
o The recipient’s Binding Corporate Rules;
o The consent of the individual to whom the personal data relates; or
o Other mechanisms or legal grounds as may be permitted under applicable European law.
Data subjects may contact us with questions about our transfer mechanism.
The Service may involve automated decision-making subject to Article 22 of the GDPR. Decisions are made by matching the data provided to us by merchants with patterns indicative of fraud. Depending on the Service selected by the merchant, where the Service identifies a suspected fraudulent account registration or purchase that is consistent with the merchant’s pre-established thresholds for blocking registrations or transactions, First Data will block the registration or transaction in an automated manner. Where a registration or transaction is blocked, certain unique identifiers associated with the registration or purchase will subsequently be blocked with that merchant.
To the extent that decisions are made based solely on automated processing that produce legal or similarly significant effects, such decisions will be made where (a) they are necessary for entering into, or performing, a contract between the data subject and a data controller; (b) as authorized by applicable law; or (c) based on the data subject’s explicit consent. The merchant's privacy notice will set out more information about your rights relating to automated individual decisions – in particular, your right to obtain human intervention, to express your point of view and to contest the decision.
First Data retains personal information for as long as necessary to (a) provide the Service; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of the Service Agreement. Merchants may contact us for additional information about our data retention practices in connection with the Service.
Merchants are data controllers of the personal information that they provide to First Data or enable First Data to collect via the Service about their consumers or end-users. First Data is a data controller for personal information that it processes in order to offer its services to merchants in general and to develop and improve these services. Because merchants have a direct relationship with consumers or end-users, we ask merchants which use our services to provide all necessary privacy notices to data subjects, including information about First Data's processing of personal data for the Service. Merchants will also be responsible for dealing with data subject requests to exercise any rights afforded to them under applicable data protection law which relate to the transaction with the merchant. If the data subject request relates to personal data which First Data processes to provide services to merchants in general, then First Data will be responsible for dealing with the request. First Data and the merchants who receive services from us will assist each other in responding to such requests.
Under certain circumstances, data subjects in Europe have certain rights relating to their personal data, which include the rights to request from the controller (a) access to the data subject’s personal data; (b) correction of incomplete or inaccurate personal data; (c) erasure of personal data; (d) restriction of processing concerning the data subject; and (e) that the controller provide a copy of the data subject’s personal data that the data subject provided to the controller in a structured, commonly used and machine-readable format. Data subjects may also object to a controller’s processing of personal data under certain circumstances. Where processing is based on a data subject’s consent, the data subject has the right to withdraw consent at any time; however, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Data subjects may also file a complaint with a supervisory authority that is located where you live, work or where you believe the breach has occurred.
We reserve the right to modify this Privacy Statement at any time. We will notify our merchants of updates by updating the date of this Privacy Statement and posting the updated Privacy Statement to our website and through such other manner as may be stated in our Service Agreement.
Merchants with questions about this Privacy Statement may contact the Fraud Detect support team at FraudDetectSupport@firstdata.com. Both merchants and data subjects may contact our Privacy Office at email@example.com.