Personal data – To fight fraud

Information relating to your transaction is subject to automated data processing by Oneytrust, the data controller, with the aim of reinforcing the level of security of transactions recorded by the partner and protecting the partner and its customers against possible identity theft or attempted fraud.

Purpose of the processing of data

Purposes

The purpose of the processing implemented by Oneytrust is to combat identity and payment/refund fraud in respect of transactions carried out remotely via the Internet or in a physical shop using a payment method presenting a risk of fraud similar to an online transaction.
It enables Oneytrust to:

  • retrieve additional information from Oneytrust’s service providers to enrich and qualify certain transaction data (e-mail address, telephone, postal address, IP address, BIN 6 where applicable);
  • according to pre-established rules, reduce manual reviews by automatically validating transactions that could not be validated by an automatic analysis device (automatic score);
  • carry out research or experimental phases in order to improve and enhance its solutions so that they are ever more relevant and appropriate, in order to protect consumers by continually improving the system for combating fraud; to this end, the data may be reused to train AI models.

Your data may be annotated (assigned one or more characteristics) by Oneytrust in order to identify the categories of data in the dataset.

Legal basis

Article 6 (1) f of the General Data Protection Regulation.
The processing is necessary for the purposes of the legitimate interests pursued by Oneytrust; namely, the fight against identity and payment/refund fraud during remote transactions carried out via the Internet or in a physical shop with a payment method presenting a risk of fraud similar to an online transaction.

Data processed

Categories of data processed

  • Identification data: Surname, first name, company name, e-mail address, postal address, telephone number, partner’s internal reference (customer number, order reference, etc.).
  • Economic and financial information: first 6 digits of bank card number.
  • Connection data: IP address.
  • Other categories of data: Confidence index, technical sub-elements for validating identification data, IP address and BIN6 by correlation (validity, associated identity, supplier, operator, etc.).

Data source

The information is collected from the person concerned via the partner, but also from Oneytrust’s service providers for additional data and from publicly accessible databases.

Obligatory nature of data collection

The non-transmission of data relating to your transaction prevents its analysis by Oneytrust. The execution of your transaction is solely at the discretion of Oneytrust’s partner.

Automatic decision making

The processing operation provides for a decision to be taken by an automated system only if the decision is positive. The processing implemented by Oneytrust does not provide for refusal decisions based exclusively on automated analysis.

People concerned

Data processing concerns:

  • natural and legal persons who carry out transactions at physical points of sale or via distance selling with Oneytrust’s partners;
  • authorised Oneytrust personnel responsible for the implementation of processing.

Data recipients

Recipient categories

According to their respective requirements, the following are the recipients of data, in whole or in part:

  • authorised personnel of Oneytrust ;
  • Oneytrust’s partner with whom the customer has carried out the operation; the latter receives, in particular, the results of the processing carried out by Oneytrust in accordance with the present document.
  • Oneytrust’s subcontractors and service providers; in particular, those to whom Oneytrust sends all or part of the data for verification, hosting and the supply of additional data. It being understood that these service providers are contractually bound to protect the personal data transmitted to them in this context.

Transfer of data outside the EU

No data transfer outside the European Union is made.

Data retention period

Personal data will be kept for a period of 15 days.

Your rights concerning your personal data

In accordance with the applicable Regulations, you may exercise the rights set out below:

  • Right of access in order to obtain a copy of all the data processed by Oneytrust as well as information relating to the characteristics of the processing carried out on your data.
  • Right of rectification in order to update your erroneous and/or incomplete data.
  • Right to erasure if the data (i) is no longer necessary for the purposes for which it was collected, (ii) is processed unlawfully or (iii) if you exercise your right to object to the processing concerned. However, this right does not apply where the retention of your data is necessary for Oneytrust to comply with a legal obligation or for the exercise of legal claims.
  • Right to limit processing where (i) you dispute the accuracy of the data, (ii) you exercise your right to object. Oneytrust will restrict the processing of your data for such time as is necessary for Oneytrust to carry out appropriate checks.
  • Right to object to your data being used by Oneytrust for its legitimate interests. Oneytrust will then cease such processing unless it can justify that its legitimate and overriding interests take precedence over your rights and freedoms.
  • Right to define general and specific directives setting out how you wish the above rights to be exercised after your death.

Exercising your rights

The Oneytrust Data Protection Officer (DPO) is your contact for any request to exercise your rights regarding processing.

  • Contact the DPO by email on dpo[at]oneytrust.com* *(replace [at] with @ when sending the request)
  • Contact the DPO by post

The Data Protection Officer
Oneytrust
34 avenue de Flandre
59170 Croix
FRANCE

Complaints

You can send in a complaint relating to the processing of your requests by Oneytrust by writing to the DPO. The latter will make every effort to reply to every complaint and endeavour to resolve the problem.
If, after contacting us, you consider your rights have not been respected, you can send a complaint to your local personal data protection authority or to the Oneytrust data protection authority, that is to say, the CNIL – 3 place de Fontenoy – TSA 80715 – 75334 Paris cedex 07.