Preamble
At Treezor, we attach great importance to the protection of your personal data and we are committed to respecting your privacy.
On this page, we make available to you a simplified version of our Data Protection Policy.
The present policy specifies Treezor’s commitments in accordance with European Regulation 2016/679 of 27 April 2016 relating to the protection of personal data, applicable from 25 May 2018 and, more generally, the measures implemented by Treezor in order to ensure a tender, loyal and transparent processing of personal data. Treezor focuses on identifying and enforcing national regulatory peculiarities.
For any questions, we invite you to contact our Data Protection Officer at dpo@treezor.com.
1. Principles of personal data protection
Treezor adheres to the following principles in the processing of personal data:
- Confidentiality, honesty and transparency: Data may not be processed by Treezor unless there is a legal basis justifying the data processing.
- Purposes Determined: The data processing is executed to meet one or more objectives determined in the present policy.
- Minimization of data processing: Only the data necessary for the successful execution of the objectives pursued will form the object of a processing.
- Time-reduced data preservation: The data processed by Treezor is preserved for a limited duration.
- Integrity and Confidentiality of Collected and Processed Data: Treezor is committed to guaranteeing the integrity and confidentiality of the data processed.
2. Legal bases of data processing
The processing of your personal data rests on one of the following legal principles:
- The processing is necessary to the performance of a contract concluded between you and Treezor;
- The processing is necessary in compliance with a legal obligation to which Treezor is subject in its capacity as an electronic money establishment;
- The processing is necessary for the purposes of pursuing the legitimate interests of Treezor;
- Treezor has obtained the consent of the concerned person for the processing of his/her data.
3. Objectives pursued by data processes
The purpose of data processing by Treezor depends on the nature of the data processed, the person concerned with the processing and the legal basis for the processing:
- If you are a candidate: Treezor processes your personal data in the capacity of Data Controller to enable the management of recruitment procedures.
- If you are a netizen on the present website : Treezor processes your personal data in the capacity of Data Controller to enable the management of cookies which have various purposes and which vary depending on the type of cookie stored. For more details on the specific purposes and types of cookies used, we invite you to consult the Cookie Management Policy at the following address: Treezor Cookie Management Policy
- If you are a prospect: Treezor processes your personal data, notably that received from the present website via the contact forms, in the capacity of Data Controller for commercial prospecting management purposes.
-
If you are a customer or user of our payment services, said “end-users”: Treezor processes your personal data for the performance of the contract and to meet legal and regulatory requirements in terms of obligations relating to combating capital laundering and the financing of terrorism (articles L.561-2 to L561-50 of the Monetary and Financial Code) which requires the collection of data for specified purposes such as:
- The identification of the Person concerned and the updating of his personal character data;
- The holding and management of accounts payable;
- The risk management, control and oversight relating to internal control to which Treezor is subject;
- The security and prevention of defaulters and fraud, recovery, litigation;
- The compliance with legal and regulatory obligations and notably, the identification of inactive accounts, the fight against money laundering and the financing of terrorism, the automatic exchange of information relating to tax accounts;
- The segmentation for regulatory purposes;
- The realization of statistical studies and data reliability for computer security purposes.
Treezor processes both your data your personal data for the performance of the contract and to meet legal and regulatory requirements in terms of obligations relating to the fight against capital laundering and the financing of terrorism (articles L.561-2 to L561-50 of the French Monetary and Financial Code) which requires the collection of data for specified purposes.
The complete list of finalities operated by Treezor is available on request from the DPO at: dpo@treezor.com
4. Nature of personal data processed by Treezor
The nature of the personal data processed depends on the ends of the processes carried out by Treezor. The processed data are as follows:
- If you are a candidate: Name, first name, postal address, e-mail address, telephone number, current position held, level of experience, field of activity and generally all personal character data present on the transmitted documents by the potential candidate.
- If you are an internet user on the present website: The IP address, browsing preferences, the nature of the terminal used (computer, tablet, phone), browsing habits, interactions with the website (for example, the pages visited, actions performed), information about the device used (such as browser type and operating system).
- If you are a prospect: Name, first name, company name, postal address, e-mail address, telephone number, function held, data relative to prospecting acts performed.
- If you are a customer: the data needed to carry out the KYC process (kbis, statutes, register of effective beneficiaries, etc…). This information will be asked of you when signing your contract with Treezor.
-
If you are a user of the products and services (“end-users”):
- your identification data: name, first name, date of birth, identity card and passport number, postal and e-mail address, telephone number, number, tax residence and judicial status);
- data related to the professional situation of the person concerned: employment contract, payslip, etc…);
- the data relating to the asset situation;
- the data relating to the operations and transactions carried out by the concerned person using the Treezor service (payments, virement);
- the banking data (IBAN, card number, balance);
- the user-related identification and authentication data;
- usage-related identification or digital authentication data (connection and usage logs, IP address, etc…).
In the event that the customer is an agent (agents and distributors of electronic money), your personal data is collected by the Treezor client (Treezor payment services agent) for the sole execution of payment services under the Contract – payment services framework. These clients can be identified on the website of the Register of financial agents: Regafi_Treezor
The customer acts in his capacity as subcontractor and Treezor acts as data controller within the meaning of article 4 of Regulation 2016/679 of April 27, 2016. Thus, Treezor controls the reuse of your data.
In the event that the customer is a non-agent (TSPD, API customer, exempt products), the customer acts in his capacity as data controller and Treezor acts as a subcontractor within the meaning of the GDPR.
Treezor does not carry out any processing of personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as the processing of biometric data or genetic data, pursuant to l ‘Article 9 of the General European Regulation 2016/679 of 27 April 2016 relating to data protection (GDPR).
However, this prohibition can be waived, if legal or regulatory provisions impose on Treezor to process the aforementioned personal data.
5. Obligatory character of processing
The refusal of a payment service user to provide the aforementioned personal data constitutes an obstacle to opening a payment account or accessing Treezor’s services.
6. Retention Period of Personal Data
Treezor undertakes to retain your data solely for the duration necessary to fulfill the purpose for which it was collected.
The main shelf life main shelf life are as follows:
- Management of Recruitment Procedures: Throughout the recruitment period.
- Cookie management : Retention periods depend on the nature of the cookies used. In principle, according to the deliberation n°2013-378 of 5 December 2013 rendered by the French data protection authority (CNIL) carrying recommendation concerning cookies and other tracers, the retention period of the latter, in case the consent was collected, cannot be older than thirteen (13) months. At the end of the first thirteen months, the consent of the person concerned must be collected again.
- Commercial prospecting management: For a maximum of 3 years from the last contact with the prospect pursuant to the French data protection authority (CNIL) referential relating to personal character data processing implemented for commercial activity management purposes.
- Purposes relating to the processing of personal data of customers and end-users: In accordance with article L.561-12 of the Monetary and Financial Code, the data is kept for the entire duration of the contract and the execution of the service by Treezor and up to 5 years after the end of the contractual relationship. The full list of retention periods is available upon request from the DPO at: dpo@treezor.com
7. Security measures
Treezor takes all physical, technical and organizational measures to guarantee the confidentiality, integrity and availability of personal data, in particular to protect against loss, accidental destruction, alteration and unauthorized access.
As a subsidiary of the Société Générale Group, Treezor undertakes to monitor and deploy security requirements definition devices prescribed by the Group and regulation.
The Treezor cybersecurity device is regularly updated in coordination with the requirements of the Société Générale Group
8. Communication of personal data
Personal data processed by Treezor may be disclosed to third parties, notably lenders or subcontractors, for the purpose of carrying out the necessary processing in accordance with the purposes stated in this policy.
The communication of data equally flows from the application of legal and regulatory requirements, notably when it comes to responding to controls by the French national bank (ACPR), the French data protection authority (CNIL), or requests arising from judicial authorities, the public prosecutor’s office, among others.
These third parties will be contractually bound to observe the same confidentiality and data security obligations as those imposed on Treezor.
These third parties will only have access to data except to the extent necessary for the performance of their services and in compliance with applicable data protection laws.
Where Treezor is deemed to be Data Controller in terms of applicable regulation, Treezor remains responsible for any use of personal data by these third parties in accordance with the terms of the present contract and applicable laws.
The exhaustive list of Treezor subcontractors can be obtained on request by contacting the Data Protection Officer (DPO) at dpo@treezor.com
9. Transfer of data outside the European Union
Personal data is hosted and processed within the European Union, but certain actions of the hosting provider may be performed from the United States.
This transfer (by remote access) of personal data to the United States is based on the American data protection framework: the EU US Data Privacy Framework, which is an adequacy decision taken by the European Commission to with respect to data recipients registered in the United States, in accordance with Article 45 of the GDPR.
Furthermore, if Treezor were to transfer Personal Data outside the European Union, Treezor guarantees that these transfers are made to States which are the subject of an adequacy decision by the European Commission, justifying a level adequate protection, in accordance with Article 45 of the GDPR.
In the absence of an adequacy decision, Treezor may transfer Personal Data to Data Controllers or Subcontractors outside the European Union, under the conditions mentioned in Article 46 of the GDPR, in particular by the drafting standard contractual clauses on data processing approved by the European Commission.
10. Cookie Use Policy
Browsing the present website is likely to trigger the installation of cookies on your terminal (computer, tablet, phone…).
For cookie management uses and modalities, we invite you to consult the Treezor Cookie Management Policy available at the following address: Treezor Cookie Management Policy
11. Communication of a personal data breach to the Persons concerned
A personal data breach refers to a breach of security involving, accidentally or illicitly, the destruction, loss, alteration, unauthorized disclosure of personally identifiable Data transmitted, stored or otherwise processed, or the unauthorized access to of such data pursuant to Article 4 of the GDPR.
In the event of a personal data breach likely to generate a high risk to the rights and freedoms of the concerned persons, Treezor undertakes to notify the concerned persons of the breach, within a period not exceeding forty-eight (48) hours from time to time where the processing officer has knowledge of the Violation.
The information will be specified as follows:
- The nature of the data breach;
- The likely consequences of a data breach;
- The contact details of the DPO or by default of another point of contact whereby additional information can be obtained;
- Measures taken or proposed to remedy the violation, including, in the event, measures to mitigate potential negative consequences.
By exception, it is possible that the persons concerned are not informed of the breach:
- When the violation in question is not likely to pose a risk to the rights and freedoms of the persons concerned;
- Where the Data Controller has taken steps to ensure that the elevated risk to the rights and freedoms of the Persons concerned is no longer likely to materialize;
- Where the Data Controller has implemented appropriate organizational and technical measures to the Personally Characterized Data affected by the Breach;
- When the information to Persons would entail disproportionate efforts. In this case, Treezor proceeds to a public communication or similar measure allowing the Persons concerned to be informed in an equally effective manner.
12. Exercise of rights by the person concerned
Pursuant to the regulation, you have the right to:
- Request access to your personal data: The exercise of this right allows you to receive a copy of your personal data that we hold and to verify that we process it in accordance with applicable law;
- Request rectification of your personal character data that we hold: The exercise of this right allows you to correct any incomplete or inaccurate information that we hold about you;
- Request erasure of your personal data : The exercise of this right allows you to ask us to delete your personal data if we do not have legitimate grounds to prosecute their processing. You also have the right to ask us to erase your personal data if you have exercised your right to object to processing (see below);
- You object to the processing of your personal data when the lawful basis of the processing is the legitimate interest of Treezor, and this for reasons specific to your situation. However, this right would not apply if Treezor justified the existence of a legitimate and imperious motive in implementing the process;
- Request limitation of the processing of your personal data : The exercise of this right allows you to ask us to suspend the processing of your personal data, for example if you dispute the accuracy of the personal data processed in order to allow us to verify and the eventful case update lesdites data ;
- The right to organize the fate of your data: you have the right to set directives relating to the storage, erasure or communication of your data, applicable after your death.
Furthermore, when the processing of personal data is based on your consent, you have the right to withdraw it at any time for this specific processing.
If you wish to exercise one of your rights, we invite you to follow up your request from the contact form available at the following address : Contact
Subject to the receipt of the request, Treezor sets a maximum timeframe of one (1) month, to file a response if it is a simple request or a maximum of three (3) months if s ‘agit a complex demand.
For more information on the response deadlines, we invite you to refer to the website of the French data protection authority (CNIL).
13. Claim to the Data Protection Authority
In case of non-response or unsatisfactory response from Treezor, you can catch up with the the Data protection authority :
FOR FRANCE :
Link :
www.cnil.fr/fr/plaintes
Postal address:
Commission Nationale de l’Informatique et des Libertés (CNIL) – Service des Plaintes
3 Place de Fontenoy – TSA 80715
75334 PARIS CEDEX 07
FRANCE
FOR SPAIN :
Link :
https://sedeagpd.gob.es/sede-electronica-web/vistas/infoSede/tramitesCiudadanoReclamaciones.jsf
Postal address:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6.
28001 – Madrid
ESPAÑA
FOR GERMANY :
Link :
https://datenschutz.hessen.de/service/beschwerde-uebermitteln
Postal address:
Landesbeauftragten für den Datenschutz Hessen
Prof. Dr. Alexandre Rossnagel
Gustav-Stresemann-Ring 1
65189 Wiesbaden
DEUTSCHLAND
14. Data Protection Officer appointment
Pursuant to the regulation, Treezor has appointed a Data Protection Officer in France, Spain and Germany.
For any questions regarding the processing of your personal data, please contact our DPO by following the channels below.
FRANCE :
Electronic address :
dpo@treezor.com
Postal address :
SAS TREEZOR,
33 avenue de Wagram
75017 Paris
FRANCE
SPAIN :
Electronic address :
dpo@treezor.com
Postal address :
TREEZOR S.A.S., SUCURSAL EN ESPAÑA
Torre Picasso – Plaza de Pablo Ruiz Picasso, NUM 1
28020 Madrid
ESPAÑA
GERMANY :
Electronic address :
dpo@treezor.com
Postal address :
Treezor SAS Zweigniederlassung
Walter-Kolb-Str.9-11
60594 Frankfurt am Main
DEUTSCHLAND