Privacy Notice
on Data management in connection with the activities of PastPay Europe sp. z o.o. and Péntech Solutions Kft.
- Data manager and contact details
The PastPay Europe sp. z o.o. (KRS no.: 0000886016, NIP: 5472223365, REGON: 388248699) and the Péntech Solutions Kft. (seat: 1125 Budapest, Istenhegyi út 48./B, company registration number: 01-09-338535) (hereinafter together referred to as “the Data manager” or the “Companies” or separately the “Company”).
| Name of the Data manager: | PastPay Europe sp. z o.o. | Péntech Solutions Kft. |
| Seat: | ul. LEGIONÓW 33/343-300 BIELSKO-BIAŁAŚLĄSKIE | 1125 Budapest, Istenhegyi út 48./B |
| E-mail address: | [email protected] | [email protected] |
| Name of the contact person designated by the Data manager for matters relating to Data management: | Bálint Tamás Réti | dr. Réti Tamás Bálint |
| E-mail address: | [email protected] | [email protected] |
- Definitions of terms
| Data processor | the natural or legal person, public authority, agency or any other body which processes Personal data on behalf of the Data manager; |
| Data management | any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| Data manager | the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the management of Personal data; where the purposes and means of the management are determined by Union or Member State law, the Data manager or the specific criteria for the designation of the Data manager may also be determined by Union or Member State law |
| Data subject | an identified or identifiable natural person |
| GDPR | REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) |
| Website: | www.pastpay.io, and www.pastpay.com |
| Infotv. | Hungarian Act CXII of 2011 on informational self-determination and freedom of information |
| Pmt. | Hungarian Act on the Prevention and Combating of Money Laundering and Terrorism Financing |
| Personal data | Any information relating to a data subject which makes it possible to identify that natural person, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or one or more factors to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
- From what sources do we obtain Personal data?
Our Company may receive Personal data from the following sources:
- From you, as a Data subject;
- From our Client, which organisation has appointed you as a contact person;
- From our client, for which debtor organisation you are the known contact person.
- From our contracted partner, whose client is a company that has designated you as a contact person;
- From our contracted partner, whose client is a company for which you are a known contact person of the debtor of the organisation;
- From our contracted partner, of which you are a customer;
- from public databases.
- The scope of the data managed, the purpose of the management, the legal basis for the management and the period for which the data are kept
The Data manager shall inform the Data subject that the Data management is carried out in accordance with the provisions of the applicable legislation, in particular the GDPR, the Personal Data Protection Act of 10 May 2018 and the Infotv.
| THE SCOPE OF THE DATA managed | PURPOSE OF DATA MANAGEMENT | LEGAL BASIS OF DATA MANAGEMENT | RETENTION PERIOD | |
| Joint data management by Péntech Solutions Kft. and PastPay Europesp. z o.o. | ||||
| Details of the legal person’s representative or contact of our client (in particular: name, e-mail address, telephone number, job title) | Contacting and maintaining contacts for business purposes | Our legitimate interest in the performance of a contract with a legal person client or partner or in maintaining a business relationship | Until the end of the business relationship with the legal person or, if earlier, until the termination of the Data subject’s legal relationship with the legal person, if the Data manager becomes aware of this. | |
| In the case of our self-employed clients, the details of the Data subject (in particular name, e-mail address) | Contacting and maintaining contacts for contracting and performance purposes | Preparation and performance of the contract with the Data subject | Until the end of the business relationship with the Data subject | |
| Contact details of our client’s debtor (in particular: name, e-mail address, telephone number, job title) | Factoring a claim based on a relationship between our client and the debtor of our client | Our legitimate interest in the performance of a contract with our customer. | Until the end of the business relationship with our client or, if earlier, until the termination of the legal relationship of the Data subject with our client’s debtor, if the Data manager becomes aware of this | |
| Data collected by cookies on the Website | Please read our Cookie information, available on the Website. | |||
| Personal data necessary to process and respond to complaints, requests and questions | The procedure that meets your request or complaint | In case of a complaint about Data management, to comply with a legal obligation under the GDPR, otherwise our legitimate interest in handling the complaint | Until the complaint handling process is completed | |
| Content of video calls, if they are recorded | The recallability of the content of the meeting, its use in case of possible legal claims | Our legitimate interest in the recallability of the content of the meeting | 5 years from the termination of the contract (civil law limitation period) | |
| Personal data required for economic profiling for our self-employed clients | Assessing the financial reliability and capacity of our existing and prospective clients, the debtors of our existing and prospective clients, the clients of our contracted partners and the debtors of these entities | Preparation and performance of the contract with the Data subject | Until the contract is concluded | |
| Details of our legal person client’s representative, contact person (in particular: name, e-mail address, telephone number, job title) | To contact and engage with you for business purposes through our website or other channels | Our legitimate interest in answering your questions or requests | Until the question or request is answered | |
| In the case of our self-employed clients, the details of the Data subject (in particular name, e-mail address) | ||||
| E-mail address; business entity or self-employed status represented | Subscribe to a marketing newsletter | Explicit consent of the Data subject | Until consent is withdrawn | |
| Personal data required to participate in the professional event | Contacts related to the event | For self-employed participants, the fulfilment of the contract for the event, for participants representing a legal person, our legitimate interest in the conduct of the event | Until the end of the event | |
| Personal data required to participate in the prize draws | Organisation of the prize draw and related contacts with participants | For sole proprietor participants, the performance of the contract for participation in the prize draw, for participants representing a legal person, our legitimate interest in the running of the prize draw | Until the prize draw closes | |
| All Personal data mentioned in rows 1-11 | Enforcing legal claims | Our legitimate interest in enforcing a claim | 5 years from the termination of the contract (civil limitation period) | |
In connection with the above Data management, we draw your attention to the fact that the provision of the Data subject’s data that are managed on the basis of a legal obligation or legitimate interest in the preparation or performance of a contract or business relationship with a Company is mandatory for the conclusion of a factoring framework contract or for certain obligations arising from the legal relationship. Without providing the necessary data, the Companies are unable to fulfil their obligations in connection with factoring or as required by law, and in some cases failure to provide the data may result in our inability to accept or fulfil an order for services.
With regard to data managed on the basis of legitimate interest, please note that you have the right to object to the Data management.
- Recipients of Personal data, categories of recipients
Joint Data manager:
The Companies are considered to be joint managers of each other in relation to the Data management referred to in Chapter 4, lines 1-12 of this Notice.
Data processor:
| Name/category of Data processor | Category of Personal data transferred to the Data processor | Activity involving a Data processor |
| Accountant | Personal data for accounting purposes | Accounting services |
| PastPay Europesp. z o.o. in relation to its independent data management, the Péntech Solutions Kft. | Personal data listed in Chapter 4, line 13 | Customer identification / customer due diligence |
| Service providers providing the IT operations of the Companies (in particular server and domain service providers, mobile phone operating system service providers), customer management service providers, so-called CRM system service providers | Personal data stored on IT servers | IT infrastructure in the office. |
The Data manager shall inform the Data subject that no Personal data will be transferred to a country or international organisation outside the European Economic Area.
- Special Personal data:
No special Personal data will be managed in the course of the Data management.
- Rights of the Data subject:
The Data subject may request the Data manager to access, rectify or erase Personal data relating to them, in certain cases to restrict the management of the data and to object to the management of Personal data. The Data subject shall also have the right to data portability and the right to submit a complaint to the supervisory authority and to a judicial remedy.
In the case of management based on consent, the Data subject also has the right to withdraw consent at any time, without prejudice to the lawfulness of the management carried out on the basis of consent prior to the withdrawal.
- Right to access
At any time, the Data subject has the right to request information on whether and how their Personal data are managed by the Data manager, including the purposes of the management, the recipients to whom their data have been disclosed or the source from which the data were obtained by the Data manager, the retention period, any rights they have in relation to the management, as well as information on automated decision-making, profiling and, in the case of transfers to third countries or international organisations, information on the guarantees relating thereto. In exercising the right to access, the Data subject shall also have the right to request a copy of the data and, in the event of an electronic request, the Data manager shall provide the requested information electronically, unless the Data subject requests otherwise. Where the Data subject’s right to access negatively affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Data manager shall be entitled to refuse to comply with the Data subject’s request to the extent necessary and proportionate.
- Right to correction
The Data manager shall correct or complete Personal data relating to the Data subject at the Data subject’s request. Where the Personal data concerned by this right has been communicated by the Data manager to another party (i.e. an addressee such as a Data processor), the Data manager shall inform such parties without undue delay after the correction of the data, provided that this is not impossible or involves a disproportionate effort on the part of the Data manager. The Data subject shall be informed of these recipients by the Data manager upon request.
- Right to erase (“right to be forgotten”)
If the Data subject requests the erasure of any or all of their Personal data, the Data manager shall erase the Personal data without undue delay if:
- the Data manager no longer needs the Personal data for the purposes for which it was collected or otherwise managed;
- Data management that was based on the Data subject’s consent, but the consent has been withdrawn by the Data subject and there is no other legal basis for the Data management;
- the Data subject objected to Data management based on a legitimate interest of the Data manager or a third party, and
- there are no overriding legitimate reasons for the Data management;
- the Data manager has unlawfully managed the Personal data; or
- necessary to fulfil a legal obligation to delete Personal sata.
Where the Personal data concerned by this right have been communicated by the Data manager to another party (i.e. an addressee such as a Data processor), the Data manager shall inform such parties without undue delay after erasure, provided that this is not impossible or involves a disproportionate effort on the part of the Data manager. The Data subject shall be informed by the manager of these recipients upon request. The Data manager is not always obliged to erase Personal data, in particular where, for example, the processing is necessary for the establishment, exercise or defence of legal claims.
- Right to limitation of Data management
The Data subject may request the limitation of the Data managemnt of their Personal data in the following cases:
- the Data subject questions the accuracy of the Personal data – in which case the limitation applies for the period of time that allows the Data manager to verify the accuracy of the Personal data;
- the Data management is unlawful, but the Data subject opposes the erasure of the data and instead requests the limitation of their use;
- the Data manager no longer needs the Personal data for the purposes of the Data management, but the Data manager requires them for the establishment, exercise or defence of legal claims; or
- the Data subject has objected to the Data management – in this case, the limitation applies for the period until it is established whether the legitimate reasons of the Data manager override the legitimate reasons of the Data subject.
Limitation of Data management means that the Data manager does not manage the Personal data subject to the limitation, except for storage, or only to the extent to which the Data subject has consented, or, in the absence of such consent, the Data manager may manage the data necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State of the European Union. The Data manager shall inform the Data subject in advance of the un-limiting of the Data management. Where the Personal data covered by this right have been disclosed by the Data manager to another party (i.e. an addressee such as a Data processor), the Data manager shall inform such parties of the limitation of Data management, provided that this is not impossible or involves a disproportionate effort on the part of the Data manager. The Data subject shall be informed by the Data manager of these recipients upon request.
- The right to object
If the legal basis for the Data management relating to the Data subject is the legitimate interest of the Data manager or a third party, the Data subject has the right to object to the Data management. The Data manager shall not be obliged to uphold the objection if the Data manager proves that
- Data management is justified by compelling legitimate reasons which override the interests, rights and freedoms of the Data subject, or
- Data management relates to the establishment, exercise or defence of legal claims by the Data manager.
- Right to complain, right to legal remedies
If the Data subject considers that the Data manager’s management of their Personal data breaches the provisions of the applicable data protection legislation, in particular the GDPR, they have the right to submit a complaint to the competent data protection supervisory authority in the Member State where they have their habitual residence, place of work or place of the alleged breach. In Poland, a complaint can be lodged with the Urząd Ochrony Danych Osobowych (“UODO”). The contact details of the UODO are:
Website: https://uodo.gov.pl/en
Address: ul. Stawki 2, 00-193 Warszawa
Phone number: 22 531-03-00
E-mail address: [email protected]
Regardless of their right to submit a complaint, the Data subject may also take legal action in the event of a breach of the above rights. The Data subject also has the right to appeal to the courts against a final decision of the supervisory authority concerning them. The Data subject also has the right to judicial remedy in accordance with the relevant legal provisions and in the relevant way.
- Automated decision-making, profiling
The Companies use economic profiling (i.e., the automated combination and evaluation of Personal data) in the selection of their customers, in which process Personal data is processed only in relation to sole proprietors. In particular, the Companies will analyse the individual entrepreneur’s cash book, tax flow account. Profiling is carried out by a natural person and does not involve automated decision-making.
Last updated: 15 November 2023.