This policy illustrates Treezor’s commitments, in its capacity as Data Controller in accordance with European Regulation 2016/679 of 27 April 2016 on the protection of personal data, applicable since 25 May 2018 and, more generally, the measures implemented by Treezor to ensure the lawful, fair and transparent processing of personal data.
For a better understanding of the application of this Policy, please refer to the Definitions section for the meaning of each term beginning with a capital letter.
Consequently, this Policy for the processing of personal data cannot be translated into a framework contract for payment services within the meaning of Directive 2015/2366 of 25 November 2015 on payment services.
Article 1. Definitions
ACPR: French Banking Regulator (Autorité de Contrôle Prudentiel et de Résolution), 61 Rue de Taitbout, 75009 Paris, France ;
CNIL: French Privacy Protection Regulator (Commission Nationale de l’Informatique et des Libertés), 3 Place de Fontenoy, 75334 Paris, France ;
Cookie: Cookies or “tracers” that may be deposited, in the form of files, on the User’s browsing platform (Internet Explorer, Opera, Firefox, Google Chrome, Safari, etc…);
Data Protection Officer: The natural person delegated to protect personal data within the meaning of articles 37, 38 and 39 of European Regulation 2016/679 of 27 April 2016;
Recipient: The natural or legal person, public authority, service or any other body, which receives communication of Personal Data, whether or not it is a third party. In this respect, any public authority (Autorité de contrôle prudentiel et de résolution, Commission Nationale de l’Informatique et des Libertés, Direction Générale des Finances publiques, Agence Nationale de la Sécurité des Systèmes d’Information etc.) likely to receive communication, in the context of a specific investigative mission (control in the context of the fight against money laundering and terrorist financing, control and audits of internal security systems, etc.), determined by European Union law or French national law, is not considered as a recipient, within the meaning of this definition;
Personal Data: All information of a personal nature concerning the Holder or a User, an identified natural person or one who can be identified (hereinafter “Data Subject”), directly or indirectly, by reference to an identification number or to one or more elements specific to him/her;
Person concerned: This may be the Account Holder or the User, a natural person, as defined in the framework contract for payment services, whose Personal Data collected identifies him or makes him identifiable, directly or indirectly;
Payment Services: All payment services provided for in the framework contract and which are offered by Treezor SAS;
Subcontractor: The natural or legal person, public authority, department or other body that processes personal data on behalf of the data controller;
Third party: A natural or legal person, public authority, service or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process personal data;
Processing: Any operation or set of operations, whether or not carried out using automated processes and applied to Personal Data, or a set of Personal Data. The operations may result in the collection, recording, conservation, structuring, adaptation or modification, communication, dissemination, limitation, destruction, etc. … ;
Violation of Personal Data: Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to Personal Data transmitted, stored or otherwise processed;
Article 2. Who is the Data Controller?
The Treezor simplified joint stock company, with a share capital of 3,334,962 euros, located at 33 avenue de Wagram, 75017 Paris, France. The company has been registered with the Paris Trade and Companies Registry under number 807 465 059.
TREEZOR SAS is represented by Mr. Eric LASSUS, in his capacity as Chairman.
Article 3. Collection of Personal Data
The Person concerned is solely responsible for the Personal Data that he/she communicates to Treezor and declares that all the data provided are perfectly informed and accurate.
The Personal Data is collected by the Partner (payment service agent of Treezor) for the sole purpose of performing payment services under the Master Payment Services Agreement. The Partner is acting in its capacity as a subcontractor within the meaning of Article 4 of Regulation 2016/679 of 27 April 2016.
The data controller processes the following data:
The data controller processes the following data:
- Data identifying the natural person (surname, first name, date of birth, identity card and passport number, postal and e-mail address, telephone number, tax residence and legal status)
- Data relating to the professional situation of the data subject (employment contract, pay slip, etc.)
- Data related to the patrimonial situation
- Data related to the operations and transactions that the data subject carries out using the Service (payments, transfers)
- Bank Data (IBAN, card number, balance)
- Identification and authentication data related to use
- Identification data or digital authentication linked to use (connection and usage logs, IP address, etc.).
The Data Controller does not carry out any operation to process Personal Data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as the processing of biometric or genetic data, pursuant to Article 9 of the European General Regulation 2016/679 of 27 April 2016 on data protection.
However, this prohibition may be waived, if legal or regulatory provisions would require Treezor to process the aforementioned Personal Data.
Article 5. Legal basis and purposes of the processing of Personal Data
1. The legal and regulatory obligation to process Personal Data
Treezor, in its capacity as an electronic money institution, is subject to banking laws and regulations, in particular with regard to obligations relating to the fight against money laundering and terrorist financing (pursuant to Articles L.561-2 to L561-50 of the Monetary and Financial Code), which require the controller to collect a set of Personal Data for specified purposes.
The Controller guarantees the lawfulness of the processing, pursuant to a legal obligation, as provided for in Article 6 (1.c.) of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data, and furthermore, the Controller undertakes to process the aforementioned Personal Data (see above “Article 4. Personal Data processed by Treezor”), for the following purposes:
- The knowledge of the Person concerned and the updating of his/her Personal Data,
- The maintenance and management of the Payment Account(s),
- Risk management, control and monitoring related to Treezor’s internal control,
- Security and prevention of unpaid bills and fraud, collection, litigation,
- Compliance with legal and regulatory obligations and, in particular, the identification of inactive accounts, the fight against money laundering and terrorist financing, the automatic exchange of information relating to accounts in tax matters,
- Segmentation for regulatory purposes,
- Carrying out statistical studies and making data more reliable for computer security purposes,,
2. Justification of legitimate interests
The Controller also processes Personal Data (see above article 3) in order to serve its legitimate interests, pursuant to article 6 (1.f.) of the European General Regulation 2016/679 on the protection of personal data.
In addition, the purposes of the processing operation serving legitimate interests are the following:
- Keeping and management of payment accounts ;
- Prevention of the risks of fraud and abuse (including the control of abnormal transactions);
- IT management to ensure the availability, integrity and confidentiality of personal data;
- Keeping the register relating to the management of requests from Data Subjects (in particular requests relating to the rights of individuals) ;
- The segmentation of customers for regulatory purposes..
Les finalités du traitement peuvent être modifiées ultérieurement, sous réserve de nouvelles obligations légales ou réglementaires, ainsi que l’évolution de l’activité du Responsable du traitement. Toute modification de la présente convention sera portée à la connaissance de la Personne concernée.
3. The mandatory nature of the processing of Personal Data
Refusal by the Data Subject to provide the aforementioned Personal Data will constitute an obstacle to the opening of the payment account or access to Treezor’s Services.
Article 6. Communication and sharing of Personal Data
The Data Controller communicates and shares the Personal Data being collected. The Personal Data may be communicated to the following Recipients:
- Treezor’s internal management for the purposes of analysis, fraud detection, management of requests from data subjects regarding their rights;
- Subcontractors for the processing of Personal Data:
- Payment Service Providers
- The host of the site
- Payment card processor
Treezor guarantees that the various subcontractors implement the necessary and adequate security measures to ensure the security, confidentiality and integrity of the personal data processed on behalf of Treezor.
Treezor also communicates in connection with the performance of the services it subcontracts:
- Managers and manufacturers of payment cards
- Mobile payment managers
- Members of the SEPA (Single Euro Payments Area) banking network
- Checks Managers
Due to legal and regulatory requirements, particularly in the context of an audit by the ACPR, the CNIL, or a request from judicial bodies, the public prosecutor’s office, etc…
Article 7. Transfer of Personal Data outside the European Union
The processing and hosting of Personal Data is established on the territory of the European Union.
Nevertheless, if Treezor transfers Personal Data outside the territory of the European Union, Treezor guarantees that such transfers are carried out to States, which are subject to an adequacy decision by the European Commission, justifying an adequate level of protection, within the meaning of Article 45 of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data.
In the absence of an adequacy decision, Treezor may transfer Personal Data outside the European Union to Subcontractors, under the conditions provided for in Article 46 of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data, in particular by drawing up standard subcontracting clauses approved by the CNIL.
Article 8. Confidentiality and security of Personal Data processing
The Data Controller and any person under his authority have a security obligation with regard to operations involving Personal Data.
On the one hand, the Data Controller undertakes to protect Personal Data by implementing technical and organisational measures:
- the pseudonymization of Personal Data;
- the means to guarantee the constant confidentiality, integrity, availability and resilience of Personal Data processing systems and services;
- the means to restore the availability of and access to Personal Data within an appropriate timeframe in the event of a physical or technical incident;
- a procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing of Personal Data;
- any other appropriate measures to preserve the security, availability, confidentiality and integrity of such Personal Data, in particular against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access.
On the other hand, the Data Controller undertakes to ensure the confidentiality of the Personal Data, and to subject any person under its authority to comply with this obligation of confidentiality.
However, the Data Controller shall not be liable in case of collection of the Personal Data by a third party on its own behalf.
Article 9. Cookie Usage Policy
The various Cookies that may be deposited on the navigation server (Internet Explorer, Google chrome, Firefox, Safari, Opera, etc…) of the Person concerned, are:
- User session cookies that make it possible to keep the information filled in all the forms made available by the Data Controller;
- Cookies for user authentication that trace information relating to the identifiers of the Person concerned;
- Personalization cookies which are intended to adapt the presentation of the site according to the preferences of the Person concerned;
- Security cookies which are intended to implement security measures (logging out after a period of time);
- Statistics cookies make it possible to know the use and performance of the site of the Data Controller, in particular in order to improve its content;
- Social network cookies, which are used to publish a link to the Treezor.com site, using online platform operators (Facebook, Twitter, Linkedin, etc.).
If the Person concerned refuses to accept the deposit of cookies, he/she will not be able to access or use all the services offered on the Treezor.com website.
Article 10. Storage period of Personal Data
The Data Controller undertakes to keep the Personal Data for a period of five (5) years following the closure of the payment account of the Data Subject, pursuant to the provisions of Article L561-12 of the French Monetary and Financial Code.
You can go on our Cookies page to know more about them.
Article 11. Exercise of rights by the Person concerned
1. Request for access to Personal Data by the Data Subject
The Data Subject may obtain a copy of the data being processed in accordance with Article 15 of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data, subject to legal restrictions.
The copy of the data is transmitted free of charge to the data subject upon presentation of an official identity document by the data subject.
In the event of a request for an additional copy, the Controller is entitled to request payment of a fee, based on administrative costs.
Finally, pursuant to Article L561-45 of the French Monetary and Financial Code, any request for access to Personal Data subject to banking laws and regulations, in particular those relating to the fight against money laundering and terrorist financing, must be addressed to the CNIL.
2. Request for rectification of Personal Data
The Data Subject may require the Data Controller to amend any inaccurate or incomplete Personal Data.
In this case, the Data Controller may require additional evidence in order to rectify the Personal Data.
3. Request to object to the processing
The Data Subject may object to the processing of Personal Data, for reasons relating to his or her particular situation.
However, the Data Subject may not exercise his right with regard to processing whose legal basis is a legal obligation, in particular with regard to the obligation to combat money laundering and the financing of terrorism (V. 3. “Purposes of the processing of Personal Data”).
4. Request for limitation of processing
The Data Subject may request the limitation of the processing of Personal Data, as provided for in Article 18 of the European General Regulation 2016/679 of 27 April 2016 on the protection of personal data.
5. Exercise of the right to erasure
The Data Subject may request the deletion of Personal Data, in accordance with the provisions of Article 17 of the European General Regulation 2016/679 of 27 April 2016 on the protection of Personal Data.
However, the Data Subject may not request the deletion of Personal Data if their processing is necessary pursuant to a legal obligation, in particular regarding the obligation to combat money laundering and terrorist financing.
6. Right to data portability
The Data Subject may request that his/her Personal Data be transmitted, on a durable medium (in particular in .PDF format), to another Data Controller.
In all cases where the data are processed on the basis of a legal obligation, the Controller may refuse to carry out the portability of personal data.
Article 12. Communication of a Personal Data Violation to Data Subjects
In the event of a breach of personal data, the Data Controller shall ensure that the Data Subject is notified within a period not exceeding forty-eight (48) hours from the time when the Data Controller becomes aware of the breach. Such notification shall include :
- The nature of the Violation affecting the Personal Data ;
- The contact details of the Personal Data Protection Officer (DPO) ;
- The likely consequences of the Personal Data Violation;
- The measures taken by the Data Controller.
Nevertheless, the Data Controller will not be obliged to notify the Data Subject of the Personal Data Violation in any of the following cases:
- The implementation of technical and organizational measures that make Personal Data for which a person is not authorized to have access to it inaccessible and incomprehensible, such as encryption, anonymization, pseudonymization, etc… ;
- The implementation of technical and organizational measures that ensure that the risk to the rights and freedoms of the Persons concerned is no longer likely to materialize ;
- The notification of the violation would involve disproportionate efforts, in particular in the case where the Personal Data have not been collected directly from the Data Subject. On this condition, the Data Controller may make a public communication without specifically targeting the Data Subject.
Article 13. Contact details of the Data Controller and Data Protection Officer
In order to exercise his rights, the Person concerned must send a letter, either by post or by electronic means, specifying the right or rights he wishes to exploit.
Upon receipt of the request, the Data Controller has a maximum of one month to provide a response.
However, the Data Controller must give reasons for his reply if he is unable to comply with the requests.
33 avenue de Wagram
Article 14. Complaint to the National Commission for Data Processing and Liberties (CNIL)
In the event that the rights of the Data Subject have not been respected and after contacting the Data Controller, the Data Subject may lodge a complaint with the CNIL (French Privacy Protection Regulator):
Commission Nationale de l’Informatique et des Libertés
3 Place de Fontenoy,
Lien utile : https://www.cnil.fr/fr/webform/adresser-une-plainte