The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The Data Protection Act 2018 (“DPA 2018”) sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018.
It sits alongside the GDPR, and tailors how the GDPR applies in the UK - for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defense, and sets out the Information Commissioner’s functions and powers.
Corso Italia 8
Company Email: email@example.com
You have the right to lodge a complaint with any Supervisory Authority. See our Supervisory Authority contact details below.
Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
We would, however, appreciate the chance to deal with your concerns before you approach the Garante per la protezione dei dati personali so please contact us in the first instance.
This version was last updated on January 27, 2021 and historic versions can be obtained by contacting us.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
The personal data we collect depends on whether you just visit our website or use our services. If you visit our website, you do not need to provide us with any personal data. However, your browser transmits some data automatically, such as the date and time of retrieval of one of our web pages, your browser type and settings, your operating system, the last web page you visited, the data transmitted and the access status, and your IP address.
If you use our services, personal data is required to fulfil the requirements of a contractual or service relationship, which may exist between you and our organisation.
• Residential Address
• Email Address
• Date of Birth
• Credit / Debit Card Details
• Postal Code
• Historical Behaviour on Platform
• Associated Behaviour on Platform
• National ID Number
• Mobile Phone Number
• Photo Identity Document
• Online Identifiers
• Business Owner Email Address
• Business Owner Name
• Business Owner Date of Birth
• Business Owner Residential Address
• Business Owner Mobile Phone Number
• Business Owner Photo Identity Document
We process personal data only for the purpose for which they are collected. The purpose is dependent on whether you use only our website, or additionally, our services. If you use our services, you are required to register, and we collect your personal data. We use this personal data for the provision of the service or the performance of the contract. We may use your personal data for other similar purposes, including marketing and communications, but that will only occur in the case we have your consent or another legal justification for doing so.
From our Customer we process and retain personal data for the following purposes and periods, with the applicable legal basis.
Some of our external third parties are based outside the European Economic Area (**EEA**) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
• Where we use providers based in the US, we may transfer data to them if we have an adequacy legal contract with them commonly know as Model clauses or Standard Contract Clauses
We may share your personal data with the categories of recipients listed below, for the below purposes. Exactly which recipients we share your personal data with, and for which purposes, will depend on which Services you use. In doing so, we take all reasonable contractual, legal, technical, and organisational measures to ensure that your personal data is treated with an adequate level of protection.
Scalapay S.R.L. may share personal data with suppliers and subcontractors that we use in order to provide the Services to you. Suppliers and subcontractors are companies who are only entitled to process the personal data they receive from Scalapay S.R.L. on Scalapay S.R.L.’s behalf. Examples of such suppliers and subcontractors are software- and data storage providers, payment processing services, and business consultants.
Scalapay S.R.L. shares personal data with the store / merchant you visit or make a purchase from. This is done in order to allow the store to administer your purchase and your relationship with the store, send you the goods, manage disputes, and to profile its customers into categories such as age groups or gender, and also to prevent fraud. The personal data shared with a store will be subject to the store’s privacy policies and practices.
PSPs provide stores with online services for accepting electronic payments through a variety of payment methods including credit card, bank-based payments such as direct debit, etc.
If you apply for Scalapay S.R.L. credit service or Scalapay card, your personal data may be shared with credit reference agencies (“CRA's”), for the following purposes: To assess your credit score in connection with your application for one of Scalapay S.R.L payment methods, to confirm your identity- and address information, and protect you and other customers from fraud. Your telephone number and address may also be shared with the CRA, in order for the CRA to send you a notification that it has done a credit assessment of you.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. A copy of our Data Retention Schedule is available upon request.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Our company uses systems to automatically make decisions which may have an effect on your order. For further details, please check the following:
1: Approval of loans to customers
When the customer selects the Scalapay payment method we use an automated system that take into consideration the customers history on the platform as well as other fraud/risk signals to determine the maximum loan amount. If the customer’s order is approved the payment is transferred to the retailer. If the customer's order is rejected, then they are redirected back to the retailers website
We use this process to limit the amount of loans we provide to potentially fraudulent customers or to customers that we believe are at risk of not being able to repay the loan.
Customers may be denied the approval of the loan
You have the right to challenge such decisions, to express your point of view or to request an explanation of any decisions reached. For further details or queries on automated processing, you may contact us directly.
We limit the amount of personal data collected only to what is fit for the purpose, as described above. We restrict, secure, and control all our information assets against unauthorised access, damage, loss, or destruction; whether physical or electronic. We retain personal data only for as long as is described above, to respond to your requests, or longer if required by law. If we retain your personal data for historical or statistical purposes, we ensure that the personal data cannot be used further. While in our possession, together with your assistance, we try to maintain the accuracy of your personal data.
Under certain circumstances, you have rights under data protection laws in relation to your personal data. We set out below a brief description of such rights:
(commonly known as a “data subject access request”)**: This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms
This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; or (b) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it
We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
where we are relying on consent to process your personal data**: However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent
If you would like to make a request to see what personal data of yours we might hold, you may make a request from our company website or here.
Where you have previously given your consent to process your personal data, you also have the right to request that we port or transfer your personal data to a different service provider or to yourself, if you so wish.
Where it may have been necessary to get your consent to use your personal data, at any moment, you have the right to withdraw that consent. If you withdraw your consent, we will cease using your personal data without affecting the lawfulness of processing based on consent before your withdrawal.