Oneytrust Personal data protection policy

This personal data protection policy (hereinafter referred to as the “Policy”) describes the commitments made by Oneytrust to ensure it protects your personal data. Via this policy, Oneytrust also wishes to inform you how your personal data is collected and processed.
Protecting your private life, as well as your fundamental freedom and rights, is vital for Oneytrust. Our commitment is not to sell your personal data to third-party companies for commercial purposes. Neither will it be communicated to third-parties without your authorisation, except in the context of our regulatory and contractual obligations necessary to supply our services to our Partners.
“Data of a personal nature” or “personal data” is defined in Article 4 of the General Data Protection Regulation as being any information liable to allow a private individual to be directly or indirectly identified. The term “Partner” used in this Policy refers to the subscriber to one or more services marketed by Oneytrust.
Oneytrust asserts its endeavour to comply with the law and regulations applicable to personal data protection and is committed to preserving its security, confidentiality and integrity.

 

I. Scope

This personal data protection Policy applies to the web sites published by Oneytrust as well as to services developed and marketed by Oneytrust.
The use of a web site published by Oneytrust and subscription to or use of services developed and marketed by Oneytrust or its Partners presuppose your acceptance of the terms of this personal data protection Policy.

 

II. Processing by Oneytrust as data controller

 

A. The service to combat fraud

When a transaction is made on a Oneytrust Partner web site (subscription to a service, online purchase), processing of the information relating to your transaction is automated by Oneytrust in order to increase the level of security of the transactions made on the Partner’s Internet site and protect the latter and its customers from identity fraud or attempted fraud phenomena.

Purpose of the processing of data

Purposes

The purpose of processing is to combat identity and payment fraud on transactions made remotely over the Internet network.

It enables Oneytrust to:

• analyse the transaction data;
• according to pre-established rules, to assign a score to each transaction made on partner platforms;
• determine the machine identifier of the computer used by a person to browse a Partner site or sites, in particular to check that the same computer has not been used to make several transactions on the basis of different identities;
• deliver an initial level of trust while browsing on a Partner site(s) to direct the end-customer’s path accordingly;
• compare the information of the transaction analysed with the information in transactions made with various Oneytrust Partners to thus detect any possible inconsistency;
• once the transaction has been validated by the customer and transmitted for analysis, indicate a transaction trust level to the partner in the form of a score between zero (0) and one hundred (100), according to the level of risk thus assessed;
• detect attempts at fraud when transactions are made over the Internet network and add customers that have carried out proven fault to a file listing people presenting a risk;
• provide additional information in order to qualify some of the transaction data (email address, phone, postal address, IP address, BIN 6);
• according to predetermined rules, reduce manual review by automatically validating transactions that could not be validated by an automatic analysis mechanism (automatic score);
• manage requests from the people concerned.

The occurrence of an unpaid item due to fraudulent use of a method of payment may lead to the data relating to the transaction associated with this unpaid item being included in a payment incident file implemented by Oneytrust. Any incorrect declaration or anomaly may also receive specific processing.

Legal basis

The legal basis for processing is Article 6 (1) f of the General Data Protection Regulation. The purpose of processing is for legitimate purposes sought by Oneytrust; that is to say, to combat identity and payment fraud on transactions made remotely over the Internet network.

The data processed

The categories of data processed are:

• Identification data, invoicing and delivery details, phone number, email address, IP address, the first 6 digits of the bank card; bank account details (RIB) in abbreviated format in the event of payment by transfer or direct debit;
• The data relating to proof of identity, bank and home address in the context of additional checks;
• The data relating to the transaction;
• Sub-elements of technical identification data validation by correlation (validity, associated identity, supplier, operator, etc.);
• Electronic identification data (IP address), a footprint calculated from the technical data collected and technical data of the terminal used (operating system, language, CPU, resolution, browser type and version, etc.).

Data source

Information is collected from the customer by the Partner, as well as from Oneytrust service providers for enriched data.

Obligatory nature of data collection

Non-transmission of data relating to your transaction prevents your transaction from being made and analysed.

Automatic decision making

Processing does not provide for automatic decision making. On the other hand, processing may exclude a person’s contact details in respect of the benefit of a contract, even temporarily. Nonetheless, no refusal decision is taken on the basis of automated processing. Before a refusal decision is taken, additional checks will be made on the person concerned to enable them to make observations and have their situation examined further. In any event, the person concerned is entitled to request human intervention, express their point of view and contest the decision.

 

People concerned

Data processing concerns:

• private individuals and legal entities that make transactions on Oneytrust Partner sites;
• authorised Oneytrust personnel responsible for the implementation of processing.

 

Data recipients

Recipient categories

According to their respective requirements, the following are the recipients of data, in whole or in part:

• the Oneytrust Partner with which the customer has made the transaction;
• authorised Oneytrust personnel;
• Oneytrust subcontractors and service providers responsible for the hosting and provision of enriched data.

Transfer of data outside the EU

In compliance with applicable regulations in terms of personal data protection, we may transmit personal data to recipients located in countries not members of the European Union. We ensure that, in accordance with applicable regulations, data is transferred to countries whose law has been recognised as granting an adequate level of protection by the European Commission or, failing this, is covered by standard European Commission clauses that guarantee a sufficient level of protection of people’s private lives and fundamental rights and compliance with the technical standards used.

To ensure that data transferred has the benefit of an adequate level of protection we select services that provide all appropriate guarantees (use of the Privacy Shield mechanism, signature of European Commission standard contractual clauses). In particular, this is the case for data transmitted to our service providers located in the United States to enable us to provide our services;

On request, we can provide you with a list of recipients in third party countries and a copy of the special conditions agreed upon to guarantee an appropriate level of data protection. If you wish to submit a request, please write to the Oneytrust Data Protection Officer whose contact details are given below.

 

Data retention period

Data will be kept for a period of 15 months. Data relative to transactions where proven fraud has been detected will be kept in an incidents file for a period of 3 years or until the payment incident is regularised if this occurs before the 3-year period has expired.

 

B. Determination of an identifier for your terminal in the context of the service to combat fraud

If the Partner has subscribed to this function, Oneytrust may access information stored in the electronic communication terminal equipment used by you to determine the machine identifier of this terminal and check that the same terminal has not been used to make several transactions on the basis of different identities. This machine identifier data is processed on an automated level by Oneytrust to increase the level of security of transactions made on the Internet site and protect the Partner and its customers from identity fraud or attempted fraud phenomena.

 

Purpose of the processing of data

Purposes

The purpose of processing is to combat identity and payment fraud on transactions made remotely over the Internet network.
It enables Oneytrust to determine the machine identifier of the computer used by a person to browse a Partner site, in particular to check that the same computer has not been used to make several transactions on the basis of different identities.

Legal basis

The legal basis for processing is Article 6 (1) f of the General Data Protection Regulation. The purpose of processing is for legitimate purposes sought by Oneytrust; that is to say, to combat identity and payment fraud on transactions made remotely over the Internet network.

 

The data processed

The categories of data processed are:

• Electronic identification data (IP address), the footprint calculated from the technical data collected and technical data of the terminal used (operating system, language, CPU, resolution, browser type and version, etc.).

Data source

This information is collected from the customer by the Partner.

Obligatory nature of data collection

The customer is entitled to oppose the collection of data to calculate the machine identifier of their terminal and continue browsing. Terminal data is not collected in the event of opposition by the customer: this does not affect browsing and the end purpose of the transaction envisaged.

Automatic decision making

Processing does not provide for automatic decision making. On the other hand, processing may exclude a person’s data in respect of the benefit of a contract, even temporarily. Nonetheless, no refusal decision is taken on the basis of automated processing. Before a refusal decision is taken, additional checks will be made on the person concerned to enable them to make observations and have their situation examined further. In any event, the person concerned is entitled to request human intervention, express their point of view and contest the decision.

 

People concerned

Processing concerns private individuals and legal entities that make transactions on the Oneytrust Partner site.

 

Data recipients

Recipient categories

According to their respective requirements, the following are the recipients of data, in whole or in part:
• the Oneytrust Partner with which the customer has made the transaction;
• authorised Oneytrust personnel;
• Oneytrust subcontractors and service providers responsible for the hosting and provision of specific services.

Transfer of data outside the EU

No data is transferred outside the European Union in the context of this processing.

 

Data retention period

Data will be kept for a period of 12 months (6 months for the IP address, technical footprint identifier and footprint).

 

C. Processing of the management and monitoring of the relationship with partners and prospects

Replies to the contact form on the Oneytrust site are subjected to automated data processing by Oneytrust to manage your requests and monitor relationships with Partners and prospects.

 

Purpose of the processing of data

Purposes

The purpose of processing is to manage and monitor Partner and prospect relations and prospect for business.
It enables Oneytrust to:

• manage requests from its prospects and Partners;
• manage information activities for its Partners;
• prospect for business;
• organise events (conferences, etc.);
• respond to requests for information, advice and action;
• steer its activities (invoicing, production of activity statistics, etc.).

Legal basis

The legal basis for processing is Article 6 (1) c of the General Data Protection Regulation. Processing is necessary for execution of a contract to which the person concerned is a party or the execution of pre-contractual measures at the latter’s request;

 

The data processed

The categories of data processed are:

• Identification data;
• Professional contact details.

Data source

Information is collected from the Partner or prospect, as well as from the following organisms:

o L’Annuaire de l’Enseigne directory (http://lannuairedelenseigne.com)
o C radar (https://www.c-radar.com)
o Events
o Linkedin
o Google Form (contact form) https://docs.google.com/forms/d/e/1FAIpQLSdYfMw897bWaIPiZPoPvpEgUcsJPqV3zVaJXPNAUdSebRCfLg/viewform

Obligatory nature of data collection

Unless otherwise specified, the input form covers compulsory collection of the data required to process the request or subscribe to the service required.

Automatic decision making

Processing does not provide for automatic decision making.

 

People concerned

Data processing concerns:

• private individual or legal entity prospects or Partners of Oneytrust;
• legal representatives of legal entity prospects or Partners of Oneytrust;
• private individuals designated as representatives of legal entity prospects or Partners of Oneytrust;
• authorised Oneytrust personnel responsible for the implementation of processing.

 

Data recipients

Recipient categories

According to their respective requirements, the following are the recipients of data, in whole or in part:

• authorised Oneytrust personnel;
• Oneytrust subcontractors and service providers responsible for the hosting and provision of specific services or the organisation of action on behalf of Partners and prospects.

Transfer of data outside the EU

No data is transferred outside the European Union in the context of this processing.

 

Data retention period

Data will be kept in an active base for a period of 10 years from the end of the business relationship for a Partner and for 5 years from the time of the last contact for a prospect.

 

III. Oneytrust commitments as data controller

As data controller, Oneytrust wishes to give you the elements to understand the guarantees implemented to ensure the personal data processed is protected. Thus, Oneytrust will:

• limit the collection of data to that strictly required to deliver its services to its Partners.
• not use data collected for purposes other than that for which it has been collected.
• retain personal data for a limited, proportional period;
• not transfer this data to third parties other than the service providers involved in the execution of Oneytrust services. Within the framework of these transfers, by means of appropriate guarantees in compliance with the personal data protection regulations applicable to ensure that once the data has been transferred it will have the benefit of an adequate level of protection, some data may be transferred outside the European Union.
• take appropriate technical and organisation measures to guarantee a high level of security.

 

IV. Oneytrust commitments as a subcontractor, in relation to its partners

In its capacity as a subcontractor, Oneytrust will, in particular:

• process personal data solely for the purpose of correct provision of its services; Oneytrust will never process data for other purposes (marketing, etc.);
• not transfer data outside the EU or to countries recognised by the European Commission as not providing appropriate guarantees in compliance with applicable data protection protection regulations;
• inform you of any recourse to subcontractors that might process your personal data;
• apply high security standards in order to provide a high level of security for your data;
• notify you immediately if your data has been breached;
• help you to comply with your regulatory obligations by providing adequate documentation of its services.

 

V. Data security

Our concern is to preserve the quality and integrity of your personal data. The security technology and policies applied by Oneytrust enable us to protect your personal data from any unauthorised access or unlawful use.

Oneytrust has taken appropriate physical, logic and organisational measures to guard against the loss, improper use, unauthorised access or diffusion, alteration or possible destruction of this personal data. However, despite our efforts to protect your personal data, Oneytrust cannot guarantee the infallibility of this protection due to the unavoidable risks that may occur during the transmission of personal data.

Since all personal data is confidential, access is limited to those Oneytrust employees and service providers that require it for the execution of their missions. Everyone with access to personal data is bound by a confidentiality obligation and is exposed to disciplinary action and/or other sanctions if these obligations are not respected.

 

VI. Cookies

When our oneytrust.com site is accessed, information may be recorded in the “Cookies” files on your computer, tablet or mobile phone. This section is to enable you to understand what a Cookie is, what it is used for and how its parameters can be set.

What is a cookie?

A cookie is a text file deposited in a dedicated space on your terminal hard disk (computer, tablet or mobile phone) when content or advertising is viewed. This Cookie file can only be read by its issuer. It enables the terminal where it is recorded to be identified for a validity period limited to 13 months.

Cookies used on our Internet site and their purpose

Oneytrust uses two types of Cookies that can be recorded on your terminal when you visit our oneytrust.com web site. These cookies are issued by third parties and are subject to policies to protect the private lives of these third parties. These cookies are not essential for browsing our site.

– “Google Analytics” audience measurement cookie

This cookie is issued by Google Inc. to measure the audience of various content and sections of our site in order to assess them, improve how they are organised and, if necessary, detect browsing problems to make our services more user-friendly.
This cookie only produces anonymous statistics and audience volumes, to the exclusion of any individual information.
The lifetime of an audience measurement cookie does not exceed 13 months.

– “Addthis” social network cookie

This cookie is used to display social network icons to enable you to share our site on your networks if you wish, share the content of our site with other people or inform them about your viewing or opinion of the content of the site.
Please view the private life protection policies of these social networks to obtain information on the purposes of use, the advertising and browsing information they can collect thanks to these app buttons, in particular.
For information on the private life protection policy of the social networks concerned, please click on the name of the social network of your choice:

o Facebook
o Twitter
o LinkedIn

The lifetime of this cookie does not exceed 13 months.

By continuing to use the Internet site in view of the information given above, you expressly agree to the use of this type of cookie by Oneytrust.

Controlling and deleting cookies

To control these cookies, most browsers enable you to accept or reject any cookie, only accept certain types of cookies or ask you the question each time a site wishes to record a cookie. It is also easy to delete cookies saved onto your computer by a browser.
You can oppose the installation of cookies on your computer by configuring your Internet browser as follows:

For Internet Explorer: click on the link
For Safari: click on the link
For Chrome: click on the link
For Firefox: click on the link
For Opera: click on the link

 

VII. Your rights concerning your personal data

You are entitled to access your personal data, oppose processing of this data, have it rectified or deleted. You are also entitled to limit the processing of your data – you have the right to portability of your data for processing the management and monitoring of relations with partners and prospects, as well as the right to express specific and general directives after your death concerning the retention, deletion and communication of your data.

We will answer you within a maximum period of one (1) month of the date of receipt of your request.

Exercising your rights

The Oneytrust Data Protection Officer (DPO) is your contact for any request to exercise your rights regarding Oneytrust processing as the data controller.

• Contact the DPO by email on dpo[at]oneytrust.com*
*(replace [at] with @ when you send the request)

• Contact the DPO by post
The Data Protection Officer
Oneytrust
34 avenue de Flandre
59170 Croix
FRANCE

Complaints

You can send in a complaint relating to the processing of your requests by Oneytrust by writing to the DPO. The latter will make every effort to reply to every complaint and endeavour to resolve the problem.
If, after contacting us, you consider your rights have not been respected, you can send a complaint to your local personal data protection authority or to the Oneytrust data protection authority, that is to say, the CNIL – 3 place de Fontenoy – TSA 80715 – 75334 Paris cedex 07.

 

VIII. Revision and updating of the Policy

This Policy will be updated whenever necessary to comply with the requirements of applicable data protection regulations or according to Oneytrust needs.

Date of latest update: 03/07/2018