Data protection and privacy policy

Cardlay A/S

Billedskærervej 17

5230 Odense M, DK

Company registration number: 37447285

This is version 1, which was last updated on 03.11.2021 at 14:41.

1. Introduction

1.1 This data protection and privacy policy (the “Policy” or the “Privacy Policy”) describes how Cardlay A/S and Cardlay Payments Solutions A/S (“Cardlay”, “us”, “we” or “our”) process information. Cardlay operates, among others, www.cardlay.com and www.vattax.com, and the Cardlay mobile apps offering a variety of services such as Cardlay Pay and Cardlay Card Management (together the “Services”). This Privacy Policy applies to all Services offered by us and to all information collected via customers’ use of our Services and our websites. Cardlay has concluded this Privacy Policy to provide relevant information on how Cardlay collects, uses, discloses, protects or otherwise processes information. Cardlay will not use or share your information with anyone except as described in this Privacy Policy.

1.2 The Policy is prepared and made available to comply with the General Data Protection Regulation (2016/679 of 27 April 2016) (the “GDPR”) and the rules included herein on information to be provided to you.

2. Types of personal data processed

2.1 We process personal data about you when this is necessary and in accordance with the applicable legislation. Depending on the specific circumstances, the processed personal data include the following types of personal data: name, address, email, payment card details, invoicing and bookkeeping data and documentation, telephone number, password.

2.2 When it is relevant, personal data is collected directly from you or from external sources. Personal data about employee card holders is collected both directly from the card holders and from the employers of the employee card holders.

2.3 If we need to collect more personal data than what is specified above, we will inform you about this. Such information may be provided by our updating of this Policy.

3. Purposes for processing the personal data

3.1 We only process personal data for legitimate purposes in accordance with the GDPR. Depending on the circumstances, the personal data is processed for the following purposes:

a) To deliver products or services to a user, customer or member.

b) To provide service messages and information to users, customers or members.

c) To prevent fraudulent behavior or misuse of the IT System.

d) To prevent fraudulent behavior or misuse of our products, services and website, including the processing of personal data for the purpose of legal actions.

e) To improve our products, services or website.

f) To send direct marketing to users, customers or members.

g) To send newsletters on e-mail.

h) To facilitate a sales process.

i) To give support and service messages, including answering questions and complaints and send updates about our products and services.

We will not disclose any of your Personal Data to any third party except as listed below:

  • to fraud prevention agencies and other organizations who may use the information to prevent fraud and money laundering

  • to our suppliers or service providers that process data on our behalf and/or which provide products and services to us to assist us in providing our own products and services to you

  • to the institution which issued your prepaid card (and which is a member of the card scheme)

  • to anyone to whom we transfer or may transfer our rights and duties under relevant terms and conditions

  • as required by law or regulation

  • to your employer, where the card has been provided to you for use in the course of your employment

  • to other entities within the Cardlay group of companies

4. Legal basis for processing personal data

4.1 We only process your personal data when we have a legal basis to do so in accordance with the GDPR. Depending on the specific circumstances, the processing of personal data is done on the following legal basis:

a) If we have asked for a consent for the processing of specific personal data, the legal basis for such personal data is a consent, cf. article 6(1)(a) of the GDPR, as the consent can always be withdrawn by contacting us via the contact details provided at the end of this Policy, and, if the consent is withdrawn, the personal data processed on the basis of consent is deleted, unless it can or must be processed, for example, in order to comply with legal obligations.

b) The processing is necessary for the performance of a contract to which the data subject is party, cf. the GDPR, article 6(1)(b), the first indent.

c) The processing is necessary for compliance with applicable legislation, cf. the GDPR, article 6(1)(c).

d) The processing is necessary in order to take steps at the request of the data subject prior to entering into a contract, cf. the GDPR, article 6(1)(b), last indent.

e) The processing is necessary for the purposes of the legitimate interests where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, cf. the GDPR, article 6(1)(f).

4.2 If we send you direct marketing, including by email, we will ask for your prior consent in accordance with the applicable rules such as marketing acts.

5. Disclosure and transfer of personal data

5.1 We only pass on personal data to others when the law allows it or requires it. Our organization is part of a concern/company group where personal data is shared between the group companies depending on the circumstances.

5.2 We transfer personal data to the following recipients from the EU/EEA:

a) Banks (for example in connection with payments etc.)

b) Data processors

c) Suppliers

d) Collaborators

5.3 From time to time we use external companies as suppliers to assist us in delivering our services. The external suppliers will not receive or process personal data unless the applicable law allows for such transfer and processing. Where the external parties are data processors, the processing is always performed on the basis of a data processor agreement in accordance with the requirements hereto under GDPR. Where the external parties are data controllers, the processing of personal data will be performed based on said external parties’ own data privacy policy and legal basis which the external parties are obligated to inform about unless the applicable legislation allows otherwise.

5.4 We transfer personal data to countries or international organisations outside the EU/EEA.

5.5 We may transfer personal data outside the EEA to our commercial partners where strictly necessary to provide our Services. Such commercial partners only include banks, payment service providers and other entities that are necessary for us to share data with to provide the Services. When we transfer personal data outside the EEA, we will take all required and reasonable steps to ensure that your personal data is afforded data protection that is essentially equivalent to that of personal data processed within the EEA. As our potential transfers of personal data outside the EU/EEA depend on our Customers' use of our Services and geographical situation, we cannot provide more details on a generic basis on our transfers. If you have any doubts as to where and on what legal basis your personal data is transferred outside the EU/EEA, you are always welcome to contact us by using the information provided at the end of this Policy.

6. Erasure and retention of personal data

6.1 We ensure that the personal data is deleted when it is no longer relevant for the processing purposes as described above. We also retain personal data to the extent that it is an obligation from applicable law, as is the case with for example accounting and bookkeeping materials and records. If you have any questions about our retention of personal data, please contact the email mentioned in section 10 of this Policy.

7. Data subject rights

7.1 Data subjects have a number of rights that we can assist with. If a data subject wants to make use of his or her rights, he or she can contact us. The rights include the following:

7.1.1 The right of access: Data subjects have a right to ask for copies of the information that we process about them, including relevant additional information.

7.1.2 The right to rectification: Data subjects have a right to ask for rectification of inaccurate personal data concerning him or her.

7.1.3 The right to erasure: In certain circumstances data subjects have a right to obtain the erasure of personal data concerning him or her before the time when erasure would normally occur.

7.1.4 The right to restrict processing: Data subjects have, in certain situations, a right to have the processing of his or her personal data restricted. If a data subject has the right to have the processing of his or her personal data restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in the European Union or of a European member state.

7.1.5 The right to object: Data subjects have, in certain situations, a right to object to the legal processing of his or her personal data. Objection can also be to the processing of personal data for the purpose of direct marketing.

7.1.6 The right to data portability: Data subjects have, in certain situations, a right to receive his or her personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data has been provided.

7.2 More information about data subject rights can be found in the guidelines of the national data protection authorities. If a data subject wishes to make use of his or her rights as described above, the data subject is asked to use the contact details provided at the end of this Policy. We strive to do everything to meet wishes regarding our processing of personal data and the rights of data subjects. If you or others despite our endeavours wish to file a complaint, this can be done by contacting the national data protection authorities.

8. Changes to this Policy

8.1 We reserve the right to update and amend this Policy. If we do, we correct the date and the version at the bottom of this Policy. In case of significant changes, we will provide notification in the form of a visible notice, for example on our website or by direct message.

9. Contact

9.1 If you have questions or comments to this Policy or if you would like to invoke one or more data subject rights, please contact us by email to legal@cardlay.com.
