This policy illustrates Treezor’s commitments, in its capacity as Data Controller in accordance with European Regulation 2016/679 of 27 April 2016 on the protection of personal data, applicable since 25 May 2018 and, more generally, the measures implemented by Treezor to ensure the lawful, fair and transparent processing of personal data.
For a better understanding of the application of this Policy, please refer to the Definitions section for the meaning of each term beginning with a capital letter.
Consequently, this Policy for the processing of personal data cannot be translated into a framework contract for payment services within the meaning of Directive 2015/2366 of 25 November 2015 on payment services.
ACPR: French Banking Regulator (Autorité de Contrôle Prudentiel et de Résolution), 61 Rue de Taitbout, 75009 Paris, France;
CNIL: French Privacy Protection Regulator (Commission Nationale de l’Informatique et des Libertés), 3 Place de Fontenoy, 75334 Paris, France;
Cookie: Cookies or “tracers” that may be deposited, in the form of files, on the User’s browsing platform (Internet Explorer, Opera, Firefox, Google Chrome, Safari, etc.);
Data Protection Officer: The natural person delegated to protect personal data within the meaning of articles 37, 38 and 39 of European Regulation 2016/679 of 27 April 2016;
Recipient: The natural or legal person, public authority, service or any other body, which receives communication of Personal Data, whether or not it is a third party. In this respect, any public authority (Autorité de contrôle prudentiel et de résolution, Commission Nationale de l’Informatique et des Libertés, Direction Générale des Finances publiques, Agence Nationale de la Sécurité des Systèmes d’Information etc.) likely to receive communication, in the context of a specific investigative mission (control in the context of the fight against money laundering and terrorist financing, control and audits of internal security systems, etc.), determined by European Union law or French national law, is not considered as a recipient, within the meaning of this definition;
Personal Data: All information of a personal nature concerning the Holder or a User, an identified natural person or one who can be identified (hereinafter “Data Subject”), directly or indirectly, by reference to an identification number or to one or more elements specific to him/her;
Person concerned: This may be the Account Holder or the User, a natural person, as defined in the framework contract for payment services, whose Personal Data collected identifies him or makes him identifiable, directly or indirectly;
Payment Services: All payment services provided for in the framework contract and which are offered by Treezor SAS;
Subcontractor: The natural or legal person, public authority, department or other body that processes personal data on behalf of the data controller;
Third party: A natural or legal person, public authority, service or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process personal data;
Processing: Any operation or set of operations, whether or not carried out using automated processes and applied to Personal Data, or a set of Personal Data. The operations may result in the collection, recording, conservation, structuring, adaptation or modification, communication, dissemination, limitation, destruction, etc.;
Violation of Personal Data: Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to Personal Data transmitted, stored or otherwise processed;
The Treezor simplified joint stock company, with a share capital of 3,200,000 euros, located at 41 rue de Prony, 75017 Paris. The company has been registered with the Paris Trade and Companies Registry under number 807 465 059.
TREEZOR SAS is represented by Mr. Eric LASSUS, in his capacity as Chairman.
The Person concerned is solely responsible for the Personal Data that he/she communicates to Treezor and declares that all the data provided are perfectly informed and accurate.
The Personal Data is collected by the Partner (payment service agent of Treezor) for the sole purpose of performing payment services under the Master Payment Services Agreement. The Partner is acting in its capacity as a subcontractor within the meaning of Article 4 of Regulation 2016/679 of 27 April 2016.
The data controller processes the following data:
The Data Controller does not carry out any operation to process Personal Data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as the processing of biometric or genetic data, pursuant to Article 9 of the European General Regulation 2016/679 of 27 April 2016 on data protection.
However, this prohibition may be waived, if legal or regulatory provisions would require Treezor to process the aforementioned Personal Data.
1. The legal and regulatory obligation to process Personal Data
Treezor, in its capacity as an electronic money institution, is subject to banking laws and regulations, in particular with regard to obligations relating to the fight against money laundering and terrorist financing (pursuant to Articles L.561-2 to L561-50 of the Monetary and Financial Code), which require the controller to collect a set of Personal Data for specified purposes.
The Controller guarantees the lawfulness of the processing, pursuant to a legal obligation, as provided for in Article 6 (1.c.) of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data, and furthermore, the Controller undertakes to process the aforementioned Personal Data (see above “Article 4. Personal Data processed by Treezor”), for the following purposes:
2. Justification of legitimate interests
The Controller also processes Personal Data (see above article 3) in order to serve its legitimate interests, pursuant to article 6 (1.f.) of the European General Regulation 2016/679 on the protection of personal data.
In addition, the purposes of the processing operation serving legitimate interests are the following:
The purposes of the processing may be modified subsequently, subject to new legal or regulatory obligations, as well as changes in the Data Controller’s activity. Any modification of this agreement will be brought to the attention of the Data Subject.
3. The mandatory nature of the processing of Personal Data
Refusal by the Data Subject to provide the aforementioned Personal Data will constitute an obstacle to the opening of the payment account or access to Treezor’s Services.
The Data Controller communicates and shares the Personal Data being collected. The Personal Data may be communicated to the following Recipients:
Treezor guarantees that the various subcontractors implement the necessary and adequate security measures to ensure the security, confidentiality and integrity of the personal data processed on behalf of Treezor.
Treezor also communicates in connection with the performance of the services it subcontracts:
Due to legal and regulatory requirements, particularly in the context of an audit by the ACPR, the CNIL, or a request from judicial bodies, the public prosecutor’s office, etc.
The processing and hosting of Personal Data is established on the territory of the European Union.
Nevertheless, if Treezor transfers Personal Data outside the territory of the European Union, Treezor guarantees that such transfers are carried out to States, which are subject to an adequacy decision by the European Commission, justifying an adequate level of protection, within the meaning of Article 45 of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data.
In the absence of an adequacy decision, Treezor may transfer Personal Data outside the European Union to Subcontractors, under the conditions provided for in Article 46 of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data, in particular by drawing up standard subcontracting clauses approved by the CNIL.
The Data Controller and any person under his authority have a security obligation with regard to operations involving Personal Data.
On the one hand, the Data Controller undertakes to protect Personal Data by implementing technical and organisational measures:
On the other hand, the Data Controller undertakes to ensure the confidentiality of the Personal Data, and to require any person under its authority to comply with this obligation of confidentiality.
However, the Data Controller shall not be liable in case of collection of the Personal Data by a third party on its own behalf.
The various Cookies that may be deposited on the navigation server (Internet Explorer, Google Chrome, Firefox, Safari, Opera, etc.) of the Person concerned, are:
If the Person concerned refuses to accept the deposit of cookies, he/she will not be able to access or use all the services offered on the Treezor.com website.
The Data Controller undertakes to keep the Personal Data for a period of five (5) years following the closure of the payment account of the Data Subject, pursuant to the provisions of Article L561-12 of the French Monetary and Financial Code.
You can go on our Cookies page to know more about them.
1. Request for access to Personal Data by the Data Subject
The Data Subject may obtain a copy of the data being processed in accordance with Article 15 of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data, subject to legal restrictions.
The copy of the data is transmitted free of charge to the data subject upon presentation of an official identity document by the data subject.
In the event of a request for an additional copy, the Controller is entitled to request payment of a fee, based on administrative costs.
Finally, pursuant to Article L561-45 of the French Monetary and Financial Code, any request for access to Personal Data subject to banking laws and regulations, in particular those relating to the fight against money laundering and terrorist financing, must be addressed to the CNIL.
2. Request for rectification of Personal Data
The Data Subject may require the Data Controller to amend any inaccurate or incomplete Personal Data.
In this case, the Data Controller may require additional evidence in order to rectify the Personal Data.
3. Request to object to the processing
The Data Subject may object to the processing of Personal Data, for reasons relating to his or her particular situation.
However, the Data Subject may not exercise his right with regard to processing whose legal basis is a legal obligation, in particular with regard to the obligation to combat money laundering and the financing of terrorism (V. 3. “Purposes of the processing of Personal Data”).
4. Request for limitation of processing
The Data Subject may request the limitation of the processing of Personal Data, as provided for in Article 18 of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data.
5. Exercise of the right to erasure
The Data Subject may request the deletion of Personal Data, in accordance with the provisions of Article 17 of the European General Regulation 2016/679 of 27 April 2016 on the protection of Personal Data.
However, the Data Subject may not request the deletion of Personal Data if their processing is necessary pursuant to a legal obligation, in particular regarding the obligation to combat money laundering and terrorist financing.
6. Right to data portability
The Data Subject may request that his/her Personal Data be transmitted, on a durable medium (in particular in .PDF format), to another Data Controller.
In all cases where the data are processed on the basis of a legal obligation, the Controller may refuse to carry out the portability of personal data.
In the event of a breach of personal data, the Data Controller shall ensure that the Data Subject is notified within a period not exceeding forty-eight (48) hours from the time when the Data Controller becomes aware of the breach. Such notification shall include:
Nevertheless, the Data Controller will not be obliged to notify the Data Subject of the Personal Data Violation in any of the following cases:
In order to exercise his rights, the Person concerned must send a letter, either by post or by electronic means, specifying the right or rights he wishes to exploit.
Upon receipt of the request, the Data Controller has a maximum of one month to provide a response.
However, the Data Controller must give reasons for his reply if he is unable to comply with the requests.
41 rue de Prony
In the event that the rights of the Data Subject have not been respected and after contacting the Data Controller, the Data Subject may lodge a complaint with the CNIL (French Privacy Protection Regulator):
Commission Nationale de l’Informatique et des Libertés
3 Place de Fontenoy,
Useful link: https://www.cnil.fr/fr/webform/adresser-une-plainte