UnionPay International Privacy Notice, Version: Sept. 2018
1. IN A NUTSHELL
This privacy notice (the "Privacy Notice" or "Notice") explains why and how UnionPay International Co. Ltd ("UPI" or "we") may process your personal data.
• What does "personal data" mean?
Personal data means any information that can be linked directly or indirectly to identified or identifiable individuals.
• Who is UPI?
UPI is a company incorporated under the laws of the People's Republic of China ("PRC") with its registered office at Floor 2-7, No.6 Dongfang Road, Pudong New District, Shanghai, PRC.
UPI is an international company established in numerous countries/regions across the world.
If you have any questions in relation to data protection matters, you can write to us at the abovementioned address or send an email to us at email@example.com.
• Why does UPI process personal data?
UPI operates a card scheme for payment services and processing payment transactions.
• What is UPI's role in relation to your personal data?
In some cases, UPI determines the purposes and means of how your personal data will be processed and this Privacy Notice is intended to explain how such personal data will be used.
• What is the key information contained in this Privacy Notice?
You will find relevant information on the personal data we process about you, the purposes and legal bases for the processing of this data and your rights.
2. THE PURPOSES OF THE PROCESSING OF YOUR PERSONAL DATA
You will find below the main purposes for which UPI processes personal data:
• providing products and services directly to individuals;
• internal research, reporting and analysis;
• compliance with applicable laws, regulations and law enforcement requests
3. THE CATEGORIES OF DATA SUBJECTS AND OF PERSONAL DATA WE PROCESS ABOUT YOU
The main types of personal data we process are the following:
• identification information (e.g. account name, nickname, industry, role, country/region)
• contact information (e.g., email address, phone number);
• electronic identification data (e.g., password, IP address).
4. THE LEGAL BASES ON WHICH WE PROCESS YOUR DATA
UPI processes personal data on the following legal bases:
• With your consent to the processing of your personal data for one or more specific purposes;
• To fulfil a contract with you or between you and a third party (in particular a UPI Member), or in order to take steps at your request before entering into a contract;
• To comply with the laws that are applicable to us worldwide;
• When we have legitimate interests in processing your data, except where such interests are overridden by your interests or fundamental rights and freedoms (example: compliance with a legal obligation under a foreign state, internal research, reporting and analysis).
5. YOUR RIGHTS
Accessing your personal information
We understand that you may like to know what personal data we hold about you. We are happy to assist you with your request. To protect your personal data, however, we require that you prove your identity to us at the time your request is made: you can contact us in writing via email or letter including your signature and a copy of a signed government issued identification document.
UPI reserves the right to decline access to your personal information under certain circumstances as permitted by law. If your personal data is not disclosed to you, you will be provided with the reasons for this non-disclosure.
You may also be entitled to:
• object to the processing of your personal data;
• opt out from processing of your personal information for direct marketing purposes;
• request the restriction of the processing of your personal data;
• request the correction and/or deletion of your personal data;
• withdraw your consent to the processing of your personal data (where UPI is processing your personal information based on your consent);
• request the receipt or transmission to another organisation, in machine-readable form, of the personal information you may have provided to UPI;
• lodge a complaint with a supervisory authority; and
Where you are given the option to share personal information with UPI, you can always choose not to do so.
If you object to the processing of your personal information, or if you have provided your consent to processing and you later choose to withdraw it, we will respect that choice.
This could mean that we will be unable to perform the actions necessary to achieve the purposes of processing data for you as described above (see article 2) and that you may be unable to use our services.
After you have chosen to withdraw your consent, UPI may be able to continue to process your personal information to the extent required or otherwise permitted by law.
If at any time you wish to exercise any of these rights, you can do so by writing to us at firstname.lastname@example.org.
6. THE RECIPIENTS OF YOUR PERSONAL DATA AND CROSS-BORDER TRANSFERS
The recipients of your personal data are:
• UPI's staff, establishments and affiliates: these are located all around the world;
• UPI's processors and other contractors, suppliers and service providers: these are located all around the world;
• UPI Members: these are located all around the world; however the UPI Members involved in a card transaction are the acquiring bank (that is the bank you are withdrawing cash from, or the bank of the merchant you are paying in exchange for goods or services) and the issuing bank (that is the bank that issued your card): this will help you determine, for each transaction, the country where your data may be transferred by UPI;
• Financial institutions: these are located all around the world.
• All other necessary parties for the network to function efficiently and to foster innovation.
Such recipients shall undertake all necessary measures to keep your personal information confidential.
Additional requirements apply when your personal data is transferred to (or accessed from) another country/region. UPI only transfers personal data to another country/region where that transfer complies with data protection law.
UPI has installed a strict security system to prevent any access to your personal data by any unauthorized persons, including the staff of UPI. We have minimized authorised and train staff for processing personal data. As such, all staff of UPI and any third party who are authorized to have access to your personal data will be required to strictly comply with the non-disclosure obligations.
Appropriate technical and organisational measures have been implemented to prevent from unauthorised or unlawful processing of your personal data and against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
9. DATA RETENTION
Your personal data will be stored for the period of time required by applicable law. This may involve retaining data following your transaction. We will delete your personal data once it is no longer required for any of the purposes described above.
In order to determine the amount of time we will store your personal data we take into consideration the role and function of the information, type of products and services, nature of the relationship between you and us and statutory requirement of retention period made by applicable laws and regulations.
10. LINKS TO OTHER WEBSITES
You may find links to access the websites of other companies on our Developer Platform or in the material we provide to you. We recommend that you read the privacy policies of these other websites, as this Privacy Notice does not apply to the processing of your personal data by them and UPI is not responsible for the processing of your personal data on external websites.
11. CHANGES IN PRIVACY NOTICE
We may update this Privacy Notice from time to time – in particular in case of change of law, of guidance from competent authorities or of UPI's internal policies. In that case, we will share with you the updated Privacy Notice through our website, and, in certain circumstances, we may seek your consent.