Personal data – To combat fraud

The information relating to your transaction is processed on an automated level by Oneytrust as data controller to increase the level of security of transactions made on the partner’s Internet site and protect the latter and its customers from identity fraud or attempted fraud phenomena.

Purpose of the processing of data

Purposes
The purpose of processing is to combat identity and payment fraud on transactions made remotely over the Internet network.
It enables Oneytrust to:

• analyse the transaction data;
• according to pre-established rules, to assign a score to each transaction made on partner platforms;
• determine the machine identifier of the computer used by a person to browse a partner site or sites, in particular to check that the same computer has not been used to make several transactions on the basis of different identities;
• deliver an initial level of trust while browsing on (a) partner site(s) to guide the end-customer’s path accordingly;
• compare the information of the transaction analysed with the information in transactions made with various Oneytrust partners to thus detect any possible inconsistency;
• once the transaction has been validated by the customer and transmitted for analysis, indicate a transaction trust level to the partner in the form of a score between zero (0) and one hundred (100), according to the level of risk thus assessed;
• detect attempts at fraud when transactions are made over the Internet network and add customers that have carried out proven fault to a file listing people presenting a risk;
• manage requests from the people concerned.

The occurrence of an unpaid item due to fraudulent use of a method of payment may lead to the data relating to the transaction associated with this unpaid item being included in a payment incident file implemented by Oneytrust. Any incorrect declaration or anomaly may also receive specific processing.

Legal basis
Article 6 (1) f of the General Data Protection Regulation.
The purpose of processing is for legitimate purposes sought by Oneytrust; that is to say, to combat identity and payment fraud on transactions made remotely over the Internet network.

The data processed

Categories of data processed

• Identification data, invoicing and delivery details, phone number, email address, IP address, the first 6 digits of the bank card; bank account details (RIB) in abbreviated format in the event of payment by transfer or direct debit; debit card identification number (PAN) hashed;
• Data relating to proof of identity, bank and home address in the context of additional checks;
• Electronic identification data (IP address), the footprint calculated from the technical data collected and technical data of the terminal used (operating system, language, CPU, resolution, browser type and version, etc.).
• Data relating to the transaction.

Data source
Information is collected from the customer by the partner.

Obligatory nature of data collection
Non-transmission of data relating to your transaction prevents your transaction from being made and analysed.

Automatic decision making
Processing does not provide for automatic decision making. On the other hand, processing may exclude a person’s contact details in respect of the benefit of a contract, even temporarily. Nonetheless, no refusal decision is taken on the basis of automated processing. Before a refusal decision is taken, additional checks will be made on the person concerned to enable them to make observations and have their situation examined further. In any event, the person concerned is entitled to request human intervention, express their point of view and contest the decision.

People concerned

Data processing concerns:

• private individuals and legal entities that make transactions on Oneytrust partner sites;
• authorised Oneytrust personnel responsible for the implementation of processing.

Data recipients

Recipient categories
According to their respective requirements, the following are the recipients of data, in whole or in part:

• the Oneytrust Partner with which the customer has made the transaction;
• authorised Oneytrust personnel;
• Oneytrust subcontractors and service providers responsible for the hosting and provision of specific technical services.

Transfer of data outside the EU
No data is transferred outside the European Union.

Data retention period

Data will be kept for a period of 15 months. Data relative to transactions where proven fraud has been detected will be kept in an incidents file for a period of 2 years or until the payment incident is regularised if this occurs before the 2-year period has expired.

Your rights concerning your personal data

You are entitled to access and obtain copies of your personal data, oppose processing of this data, have it rectified or deleted. You are also entitled to limit the processing of your data and express specific and general directives after your death concerning the retention, deletion and communication of your data.

Exercising your rights
The Oneytrust Data Protection Officer (DPO) is your contact for any request to exercise your rights regarding processing.

• Contact the DPO by email on dpo[at]oneytrust.com* *(replace [at] with @ when sending the request)
• Contact the DPO by post
The Data Protection Officer
Oneytrust
34 avenue de Flandre
59170 Croix
FRANCE

Complaints

You can send in a complaint relating to the processing of your requests by Oneytrust by writing to the DPO. The latter will make every effort to reply to every complaint and endeavour to resolve the problem.
If, after contacting us, you consider your rights have not been respected, you can send a complaint to your local personal data protection authority or to the Oneytrust data protection authority, that is to say, the CNIL – 3 place de Fontenoy – TSA 80715 – 75334 Paris cedex 07.