Welcome to First Cash Solution GmbH, 1cs for short. You have just paid one of our customers conveniently, securely and quickly via the Hosted Payment Page. The merchant obtains this solution from us. We are a 100% subsidiary of Volksbank eG – Die Gestalterbank located in Offenburg and Villingen. In this constellation, Volksbank eG is responsible for receiving credit card data. All necessary data can be found below or also under www.gestalterbank.de/impressum.

Ihre Daten sind bei uns sicher!
Your data is safe with us! We are PCI certified again. You can view the certificate here.
If you have any questions, we will of course be happy to assist you.

Information for end customers
on the processing of personal data

The English version of the privacy policy solely serves as assistance.
Only the German version is legally binding.

Information on processing according to the payment methods

When you pay online, the payment recipient collects personal data with its virtual payment terminal. It transmits the data to the merchant’s respective payment service provider. This payment service provider and the respective payment service providers further process the data for the acceptance and settlement of the payment transactions (e.g. acquirer). This is done in particular for payment processing, to prevent card misuse, to limit the risk of payment defaults and for legally prescribed purposes, such as anti-money laundering and criminal prosecution. For these purposes, your data will also be transmitted to other responsible parties, such as your card-issuing bank. Details on the processing of your personal data can be found below.

Who is responsible for the processing of my data and whom can I contact?

Many steps are necessary for you to pay securely online. The payee is the online merchant where you pay. This works together with a payment service provider. The payee is the person responsible for processing your personal data. You will find the name and contact details of the payment recipient / online merchant and, if applicable, its data protection officer, e.g. in the online store, the payment request by e-mail or on the invoice receipt.

The payment service provider processes data on behalf of the payee. For this purpose, an agreement on commissioned data processing has been concluded between the payee and the payment service provider in accordance with Art. 28 GDPR.

When paying by debit or credit card: An acquirer is a payment service provider regulated in accordance with the German Payment Services Supervision Act (Zahlungsdienstaufsichtsgesetz, ZAG), which carries out the acceptance and settlement of payment transactions for the payee. Who the acquirer is depends on what type of card you used. The contact details of the acquirer involved in processing your payment can therefore be requested in writing from the above-mentioned payment service provider, stating the payment method, terminal ID, date and name of the payee.

Payment by electronic direct debit (ELV)

1. What data is used for payment?

• Account data: IBAN, or account number and bank code/BIC.
• Other payment data: Amount, date, time, virtual payment terminal identifier (URL, company in whose responsibility you pay).
• In case of a return debit note: Information about the non-payment of a direct debit by your card-issuing bank or the revocation of a direct debit by you, information about the outstanding debt, e.g. your name, address, bank charges, reminder fees, reason for the return debit note, customer number at your contracting party (not the content of your purchases)

2. From which sources do your data originate?

• You enter the account data in the virtual payment terminal.
• The other payment data is provided by the virtual payment terminal and, if necessary, directly by the payee.
• To the extent necessary to prevent card misuse and limit the risk of non-payment, data from the police’s KUNO system and from the network operator’s internal databases will be used.
• To the extent necessary for processing the claim arising from a returned direct debit, data will also be processed in compliance with the statutory provisions.
• Data taken from publicly accessible sources (e.g., debtor directories) or transmitted by third parties (e.g., your card-issuing bank or a credit agency) will also be processed in compliance with the statutory provisions.

3. For what purpose is your data processed and on what legal basis?

Payee

• Verification and execution of your payment to the payee, Art. 6 (1) (b) GDPR

• Document archiving in accordance with legal requirements, Art. 6 (1) (c) GDPR

• Sale of the receivable to a payment service provider by way of factoring, Art. 6 (1) (f) GDPR

Payment Service Provider

• Verification and execution of your payment to the payee, Art. 6 (1) (b) GDPR

• Prevention of card misuse and limitation of the risk of non-payment, Art. 6 (1) (c) and Art. 6 (1) (f) GDPR

• Secure transfer of your data in accordance with the legal requirements for SEPA payments, Art. 6 (1) (c) and (f) GDPR

• Avoidance of future payment defaults by transmitting return debit note data if your payment results in a return debit note, Art. 6 (1) (f) GDPR

• Debt collection (if necessary with the support of a collection service provider) after a return debit note, Art. 6 (1) (b) GDPR

4. Who receives the data?

In addition to the payee and the payment service provider, other entities require your data in order to execute the payment or to comply with legal requirements. Exclusively to this extent, your data will be passed on to the following bodies:

• Your card-issuing bank and the payment service provider of the payee
  
• The intermediary bodies set up by the German banking industry to handle the clearing and settlement of payments
  
• Law enforcement authorities in the cases provided for by law
  
• Money laundering reporting offices in the cases provided for by law
  
• In the event of a returned direct debit, to determine the address on the basis of the IBAN and BIC of the card used: the card-issuing bank or, alternatively, a credit reference agency such as SCHUFA Holding AG.
  
• In the event of debt collection: claims are assigned to a payment service provider and, if necessary, to a debt collection service provider.

5. Is data transferred to a third country or to an international organization?

No, such transmission does not take place.

Payment by debit or credit card

1. What data is used for payment?

• Card data: Card number, card type (e.g. VISA, Mastercard, American Express, JCB), CVV and expiration date.

• Other payment data: Amount, date, time, virtual payment terminal identifier (URL, unique identifier).

• 3D Secure: Your 2FA entry is cryptographically verified by the card-issuing bank. The payment service provider takes over cryptographic security and transmission, but does not store a PIN and has no access to the encrypted PIN.

• Chargeback – When you dispute a transaction that was made with your card: In this case, the purchase receipt and, if applicable, other information about you that the payee wants to use to prove its claim (e.g., name and address) can be passed on to the card-issuing institution.

2. From which sources do your data originate?

• The card data is entered by you.
• The other payment data is provided by the virtual payment terminal and, if applicable, directly by the payee.

3. For what purpose is your data processed and on what legal basis?

Payee

• Verification and execution of your payment to the payee, Art. 6 (1) (b) GDPR

• Document archiving according to legal requirements, Art. 6 (1) (c) GDPR
  

Payment Service Provider

• Verification and execution of your payment to the payee, Art. 6 (1) (b) GDPR

• Secure transfer of your data in accordance with the legal requirements for SEPA payments and the regulations of the German Banking Association, Art. 6 (1) (c) and (f) GDPR

Acquirer

• Verification and execution of your payment to the payee, Art. 6 (1) (b) GDPR
• Prevention of card misuse and limitation of the risk of non-payment, Art. 6 (1) (c) and (f) GDPR
• Secure transfer of your data in accordance with legal requirements and the regulations of the credit card organization, Art. 6 (1) (c) and (f) GDPR
• Settlement of fees owed by the payee of your card-issuing institution, Art. 6 (1) (f) GDPR
• Document archiving, Art. 6 (1) (c) GDPR
• Debt collection (if necessary with the support of a collection service provider) after a return debit note, Art. 6 (1) (f) GDPR

4. Who receives the data?

In addition to the payee and the network operator, other bodies require your data in order to execute the payment or to comply with legal requirements. Only to this extent will your data be passed on to the following bodies:

• the payment card system
  
• your card-issuing institution and the acquirer’s bank
  
• the intermediaries of the credit card organizations, which handle the clearing and settlement of payments
  
• law enforcement authorities in the cases provided by law
  
• money laundering reporting offices in the cases provided by law

5. Is data transferred to a third country or to an international organization?

The acquirer forwards your data to the payment card system outside the European Economic Area in accordance with the respective agreed rules (“Binding Corporate Rules”, “Standard Contractual Clauses”) or for the purpose of fulfilling the contract with the foreign payer in order to authorize and execute your payment.

With regard to the processing of your data by the payment card system, please refer to its data protection provisions:

• Mastercard Europe SPRL, Chaussée de Tervuren 198A, 1410 Waterloo, Belgium, for the payment brands “Mastercard” and “Maestro”; www.mastercard.de/de-de/datenschutz.html
  
• Visa Europe Services LLC, registered in Delaware USA, acting through its London branch, 1 Sheldon Square, London W2 6TT, United Kingdom, for the “VISA”, “VISA Electron” and “V PAY” payment brands; www.visa.co.uk/privacy
  
• American Express Europe S.A., Frankfurt am Main Branch, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany, for the payment brand “American Express”; www.americanexpress.de/datenschutz
  
• Diners Club International Ltd, 2500 Lake Cook Road, Riverwoods, IL 60016, USA, for the payment brands “Diners”, “Diners Club” and “Discover”; www.dinersclub.com/privacy-policy
  
• JCB International Co, Ltd, 5-1-22, Minami Aoyama, Minato-Ku, Tokyo, Japan, for the payment brand “JCB”; www.jcbeurope.eu/privacy

Payment with other payment methods (e.g. Wallets, Giropay or Sofort)

If you select neither credit card nor direct debit, but another payment method, you will be redirected to the website of the respective payment method provider. There you will also find the data protection information of the respective provider.

The acquirer forwards your data to the payment method system inside or outside the European Economic Area in accordance with the respective agreed rules or for the purpose of fulfilling the contract with the foreign payer in order to authorize and execute your payment.

Regarding the processing of your data by the payment card system, please refer to its privacy policy:

• eps PSA Payment Services Austria GmbH, Handelskai 92, Gate 2, 1200 Vienna, Austria for the eps payment market:  https://eps-uberweisung.at/de/datenschutz
• paydirekt/giropay paydirekt GmbH Stephanstraße 14-16 60313 Frankfurt am Main e-mail address: service@paydirekt.de telephone number: 069 2475 382 2001.  https://www.giropay.de/agb/index.html
• Klarna / Klarna Sofort Klarna Bank AB (publ) Sveavagen 46 111 34 Stockholm Sweden.  https://www.klarna.com/de/datenschutz/
• RatePAY Ratepay GmbH Privacy Franklinstraße 28-29 D-10587 Berlin.  https://www.ratepay.com/datenschutz/
• iDEAL Currence is the brand owner of iDEAL Gustav Mahlerplein 33, 1082 MA Amsterdam, Netherlands. https://www.ideal.nl/en/disclaimer-privacy-statement/ und https://www.currence.nl/disclaimer/
• bluecode Blue Code International AG CHE-281.323.867, Handelsregister-Amt Schwyz Schützenstrasse 7 CH-8853 Lachen SZ Switzerland.  https://bluecode.com/wp-content/uploads/2021/10/Datenschutzerkla%CC%88rung_BCI-Website_102021.pdf
• PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449, Luxembourg and PayPal Inc., 2211 North First Street, San Jose, California 95131, USA for the PayPal payment brand: https://www.paypal.com/webapps/mpp/ua/privacy-full
• ApplePay Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA für die Zahlungsmarke Apple Pay: https://www.apple.com/de/legal/privacy/de-ww/
• GooglePay Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland und Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA für die Zahlungsmarke Google Pay: https://policies.google.com/privacy
• Amazon EU SARL, Amazon Services Europe SARL, Amazon Media EU SARL in 38 Avenue J.F. Kennedy, L-1855, Luxemburg für die Zahlungsmarke amazon pay: https://pay.amazon.de/help/201212490

Additional information and your rights

1. Do I have to provide my data?

You are not required by law or contract to provide your data. If you do not want to provide your data, you can use another payment method, e.g. pay cash.

2. Will my data be used for automated decision making?

Electronic direct debit (ELV)

To prevent card misuse and limit the risk of payment defaults, maximum amounts are set for payments within certain time periods. The decision-making process also takes into account if a direct debit was previously not honored by your card-issuing bank due to insufficient funds or was revoked by you (returned direct debit). This information is not included in the decision-making process if the return debit note was issued in connection with a revocation of your declared rights arising from the underlying transaction (e.g. due to a material defect in a purchase). The use of this information serves to prevent future payment defaults. When outstanding debts are settled in full, this data is deleted.

With the help of this information, the Payment Service Provider can make recommendations to payees connected to its system as to whether they wish to accept a direct debit payment. For this purpose, the Payment Service Provider may

• use chargeback information from all payees connected to it
• evaluate payment information for a short period of time – a few days – to prevent card misuse, even across payees
• furthermore, only evaluate payment information that it has received from the same payee.
• Your data will not be used for the purpose of credit assessment. Your payment data will only be used to decide whether a direct debit payment is recommended to the respective payee.
  
  

Other procedures

If you want to use your card for payment, the card payment must first be authorized. Authorization takes place automatically using your data. In particular, the following considerations may play a role: Payment amount, place of payment, previous payment history, payee, purpose of payment. Card payment is not possible without authorization. This has no influence on other payment methods (e.g. other cards).

3. How long will my data be stored?

We process your personal data for the execution and processing of payments within the scope of our business relationship. Furthermore, we are subject to various retention and documentation obligations, which result, among other things, from the German Commercial Code, the German Fiscal Code, the German Value Added Tax Act or the German Civil Code. The retention periods defined here are up to 10 years, although individual cases may deviate from this. We will delete your data once the reasons for storage no longer apply.

Return debit data and receivables data will be deleted as soon as the receivable has been demonstrably settled.

4. What data protection rights do I have?

Every data subject has the following data protection rights:

• the right to information according to Article 15 GDPR
• the right to rectification according to Article 16 GDPR
• the right to erasure pursuant to Article 17 GDPR
• the right to restriction of processing under Article 18 GDPR
• the right to object from Article 21 GDPR
• the right to data portability from Article 20 GDPR
• the right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPRin conjunction with. § 19 BDSG

With regard to the right to information and the right to erasure, the restrictions pursuant to § 34 and 35 BDSG apply.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of data carried out on the basis of Article 6 (1)(f) GDPR, i.e. to the processing of data on the basis of a balance of interests.

If you legitimately object, your data will no longer be processed on the basis of Article 6 (1)

(f) GDPR, with two exceptions:

• Your data will continue to be processed if the controller can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, in particular, for example, in the case of statutory retention obligations and for the execution of a payment that has already begun at the payment terminal but has not yet been completed.
• Your data will be further processed if this serves the assertion, exercise or defense of legal claims.

You can assert your rights against the payee as the person responsible for processing your personal data. You will find the name and contact details of the payee at the checkout, in the electronic payment process, at the store door or on the receipt.