1. Definitions
1.1. Personal data – any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, as defined by Law no. 124/2024 “On the Protection of Personal Data.”
1.2. GDPR – Law no. 124/2024 “On the Protection of Personal Data,” as well as the by-laws issued pursuant thereto. Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 27 April 2016, “On the protection of natural persons with regard to the processing of personal data and on the free movement of such data,” and repealing Directive 95/46/EC.
1.3. Data processing – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4. Data processor – any natural or legal person, public authority, agency, or other body that processes personal data on behalf of and in accordance with the instructions of the Data Controller, in compliance with Law no. 124/2024 “On the Protection of Personal Data.” The Data Controller, the entity that determines the purposes and means of the processing of personal data, is Paysera Albania SHPK, which manages the payment initiation and account information service, the peer-to-peer lending platform, qualified electronic identification, and other services. Pursuant to the Joint Controller Agreement No. 2018019 dated 19/09/2018, your personal data controller is the Paysera network (hereinafter referred to as Paysera, the Operator, the Data Controller, or the Company). The contact details of Paysera are published on the Paysera website. The contact details of the Data Protection Officer appointed by Paysera are: [email protected].
1.5. Data controller – Paysera Albania SHPK, tax identification number M01608007N, with its registered office at “Fadil Rada” Street, P. Donika, Building 3, Tirana, Albania, together with the other companies of the network and the coordinator Paysera Tech, acts as Joint Controller in accordance with Annex No. 16 “Network Data Governance Agreement” of the Joint Action Agreement. This agreement governs the allocation of responsibilities and ensures the protection of data within the network. Personal data are jointly processed solely to ensure network security and operational integrity, specifically: for the prevention of money laundering and terrorist financing; for the detection of fraud; for the management of security incidents; and to provide uninterrupted customer support when services are provided by another network partner.
1.6. Merchant – a client of the Paysera system who sells goods and services and uses one or more services of online payment processing and/or online payment processing by payment cards and/or payment processing via the operators indicated in the system and provided by Paysera for Merchants.
1.7. Buyer – the payer and/or the final recipient of services provided and goods sold by the Merchant using the System for the collection of payments.
1.8. System – a software solution on Paysera web pages, developed by Paysera and used for provision of Paysera services.
2. General provisions
2.1. The Personal Data Processing Agreement (hereinafter – the Agreement) regulates the process of the Personal data processing of the Buyer, mutual obligations and liability between the Merchant and Paysera. The aim of the present agreement is to ensure the protection and security of the Personal data of the Buyer, for the processing of which the Merchant uses Paysera, in accordance with applicable legislation.
2.2. The Agreement excludes Personal Data processed by Paysera acting as a data controller in accordance with the provisions of Law no. 124/2024 “On the Protection of Personal Data”, as the electronic money institution providing payment services. The processing of this Personal data is regulated by the Paysera Privacy policy.
2.3. The Agreement is an annexe to the General Payment Services Agreement and is an integral part of annexes to the agreement that are applied to the Merchant when using the services of online payment processing from buyers, online payment processing by payment cards, and payment processing via the operators provided in accordance to provisions of annexes to the General Payment Services Agreement. The Agreement comes into force automatically when the Merchant starts using the services of online payment processing and/or online payment processing by payment cards, and/or payment processing via operators.
2.4. The Merchant as the Data controller uses Paysera as the Data processor for processing the Personal data of Buyers.
2.5. Paysera as the Data processor processes the Personal data of Buyers on behalf of the Merchant on the basis of the present Agreement.
2.6. Contact details of the data protection officer appointed by Paysera: [email protected].
3. Personal data processing conditions
3.1. The Merchant, by using mutual technical integration in the Paysera System, determines which Personal data requests will be submitted to the Buyer, i.e. which Personal data of the Buyer will be collected.
3.2. Paysera, by taking into account the Personal data requests enabled by the Merchant in the Paysera system, processes the Personal data of the Buyer on behalf of the Merchant.
3.3. The Merchant may appoint Paysera to process the Personal data of the Buyer of these categories:
3.3.1. name;
3.3.2. surname;
3.3.3. personal code;
3.3.4. email address;
3.3.5. address (country, state, city, street, house number, apartment number);
3.3.6. language;
3.3.7. IP address;
3.3.8. bank account number;
3.3.9. payment purpose information;
3.3.10. phone number.
3.4. The Merchant appoints Paysera to perform the collection of the Personal data of the Buyer, transferring it to the Merchant and storing it.
3.5. The retention period for personal data is 10 (ten) years after the termination of the business relationship with the client. Personal data are retained for 5 (five) years in accordance with Law no. 9917, dated 19.05.2008 “On the Prevention of Money Laundering and Financing of Terrorism,” as amended, and the subordinate acts issued pursuant thereto. After the expiration of this period, the data may be retained for an additional period when necessary for the protection of Paysera’s legitimate interests, for the exercise or defense of legal rights, as well as in accordance with the limitation periods provided by the applicable Albanian legislation.
4. Liabilities of the Parties
4.1. The Merchant (Data controller) under the present Agreement undertakes:
4.1.1. to ensure that Personal data processing is based on legal purposes and grounds, and, if applicable, that the appropriate request of the Buyer is received regarding the processing of personal data;
4.1.2. to process Personal Data in accordance with the principles relating to the processing of Personal Data as set forth in Law no. 124/2024 “On the Protection of Personal Data” and in the requirements of legal acts;
4.1.3. to establish appropriate conditions enabling the Buyer to exercise all data subject rights and to respond directly to the Buyer’s requests regarding the exercise of data subject rights as provided in Law no. 124/2024 “On the Protection of Personal Data”;
4.1.4. to approve internal data processing rules where the following must be indicated:
4.1.4.1. when it is required according to applicable legal acts, name and surname (legal name) and contact details of the representative of the data processor and data protection officer;
4.1.4.2. categories of the performed data processing;
4.1.4.3. if applicable, transfers of personal data to a third country or international organisation by also specifying that third country or international organisation, documents of appropriate means of protection;
4.1.4.4. description of technical and organisational means of security.
4.2. Paysera (Data processor) under the present Agreement undertakes:
4.2.1. to process the Personal data of Buyers only within the scope and for purposes determined by the Merchant;
4.2.2. not to modify, edit, or amend the Personal data, not to disclose and prevent disclosure of the Personal data to any third person, unless it is required for the proper performance of contractual obligations with the Merchant;
4.2.3. to implement appropriate technical and organisational means to ensure a security level corresponding to the threat;
4.2.4. within the scope of the Buyer’s processed Personal Data, to assist the Merchant, as Data Controller, in responding to data subject requests regarding the exercise of data subject rights as set forth in Law no. 124/2024 “On the Protection of Personal Data”;
4.2.5. in case of a Personal data breach, notify the Merchant immediately so that they could fulfil the duty of the Personal data controller and report the Personal data breach in accordance with legal acts regulating the protection of data;
4.2.6. take appropriate measures to ensure the reliability of any employee, intermediary or contractor, sub-processor or other third person who has access to the Personal data, and that in every case this access would be restricted and provided to those persons to whom it is necessary by also ensuring that confidentiality agreements are concluded with these persons or that they are subject to a confidentiality obligation.
5. Personal data sub-processing
5.1. The Merchant agrees that Paysera without a separate prior agreement uses other processors (sub-processors) for the Personal data processing or can deliver this data to the third parties if such operation corresponds with the provisions of the Agreement.
5.2. Paysera, when transferring the Personal data to the third parties and using sub-processors undertakes to conclude the Personal Data Processing Agreement ensuring standards equivalent to the Personal data protection standards established in the present Agreement.
5.3. Upon the Buyer’s request, Paysera undertakes to provide a relevant list of Personal data sub-processors.
6. Personal data transfer to third countries
6.1. The Merchant agrees that Paysera without a prior consent delivers Personal data to subjects outside the European Union or the European Economic Area if such transfer corresponds to the provisions of the Agreement.
6.2. when Paysera transfers Personal Data to entities outside the European Union or the European Economic Area, it undertakes to conclude personal data processing agreements that correspond to the requirements of Law no. 124/2024 “On the Protection of Personal Data” for such agreements, and to ensure equivalent standards of Personal Data protection as specified in this Agreement.
6.3. Upon the Merchant’s request, Paysera undertakes to provide a relevant list of recipients of Personal data outside the European Union or the European Economic Area to whom Personal data of Buyers is transferred.
7. End of personal data processing
7.1. Upon the ending of the Personal data processing established in clause 3.5 of the Agreement, Paysera undertakes to delete all Personal data stored and all its possible copies.
8. Other conditions
8.1. The Parties agree that, when performing this Agreement, information received from another party to the Agreement is confidential. During the validity of the Agreement and at the end of the Agreement neither of the parties without the prior written consent of the other party shall have a right to disclose such information to any other third person, except for mandatory cases when such information has to be disclosed according to the laws of the Republic of Lithuania. Obligations of parties regarding non-disclosure of information shall be of unlimited duration. The party who has breached the obligation to store confidential information and not to disclose it must reimburse all the losses to the other party.
8.2. All disputes arising from this Agreement shall be resolved through negotiations, and in the event of failure, the disputes shall be resolved in accordance with the procedure established by Law 124/2024 of the Republic of Albania.
8.3. In case discrepancies between conditions of this Agreement and other agreements regulating the protection of personal data concluded between these parties, the following provisions of the present Agreement will apply.
9. Validity term, amendments
9.1. The Agreement comes into effect when the Merchant starts using online payment processing, and/or online payment processing by payment cards, and/or Payment processing through operators and is valid while the Merchant is using these services.
9.2. The Agreement is an integral part of the General Payment Services Agreement and can be modified according to the procedure provided therein.