CAPS Payment Institution Data Protection Policy
Why we have a Data Protection Policy and how it affects you
As the data controller, we, Crédit Agricole Payment Services, process your personal data. To comply with the current regulations, our Data Protection Policy aims to provide you with clear and detailed information about how we process your personal data.
This policy affects you because:
- We process your data when you have a relationship with us through one of our clients. You might be one of our client's managers, legal representatives / directors, authorised signatories, shareholders or partners, beneficial owners or employees. You might also, more generally, be the person that our client has appointed to administrate or use one of our services on its behalf.
- We might also process personal data about you when you are a prospect, but are not a client or connected with one of our clients.
This Data Protection Policy is intended to supplement the information we provide you in your contracts with us. In the event of any inconsistency between this Data Protection Policy and those contracts, the contracts will prevail. If we process your data through one of our clients, it is the client's or its representative's responsibility to inform you how we process it, including by means of this Data Protection Policy.
Certain specific processing activities or those that only affect a small number of clients are not mentioned in this Data Protection Policy. In these cases, clients will be informed of the specific processing activities applicable to them as appropriate.
How we collect your personal data
We collect your personal data through different communication channels (by phone, by email, on Credit Agricole Payment Services websites and applications):
- directly from you when you sign a contract with us, use our services, fill in a form or reply coupon, or browse our websites, and when we record conversations by telephone or videocalls (to provide proof of transaction, for staff training or to improve the quality of our services), etc.;
- or indirectly, through our clients when you have a relationship with them;
- or indirectly through the applicable public or private external sources that allow us, pursuant to your rights and the regulations, to learn more about you (browsing on third-party sites, sponsorship activities, databases, publications made available by official authorities, etc.).
Why we process your personal data
Generally speaking, we process your personal data to promote or deliver our different products and services. We might have to collect certain data to comply with the law or to enter into or perform our contracts.
We process your personal data in the context of our relationship to:
- conduct pre-contractual activities at your request or perform our contractual obligations relating to products and services that our client has subscribed to with us;
- comply with our legal obligations;
- pursue our legitimate interests or those of third parties, with due regard for your rights,
and your consent;
- to protect the vital interests of the data subject.
We will use your personal data mainly for: managing our day-to-day relationship with clients and prospects; managing our products and services; managing receivables, monies owed, recoveries, complaints and disputes; prospecting and marketing; security; and risk assessment, prevention and management. We may also use your data, including payment transaction data, for targeting and profiling to comply with our legal and regulatory obligations, to guide our marketing activities, to develop new offers, to provide you with personalised advice and offers and a higher quality service, to provide you with everything you need to make the best decisions and to allow us to manage our risks.
How long we keep your personal data
We store and process your personal data for as long as is necessary to fulfil the purpose for which they were collected. After this, your personal data are stored in an intermediate archive (with restricted access) for the purpose of evidence management, for a maximum of the duration of the contractual or business relationship, plus the time required to settle any entitlements, the legally required periods of retention and prescription, and the exhaustion of legal remedies.
Below you can find detailed information about the retention periods for personal data associated with the different processing activities.
Your rights and how you can exercise them
You may at any time, subject to the conditions and limits laid down by law:
- access your personal data: you can obtain information about how your personal data has been processed and disclosed;
- correct your data: you can request that your personal data be corrected if it is inaccurate or incomplete;
- object to:
- your data being processed for reasons connected to your specific situation, where the legal basis for the processing is the legitimate interest of Credit Agricole Payment Services or of third parties;
- at any time and without justification, to your data being used for prospecting by Credit Agricole Payment Services or by third parties;
- request that your data be deleted: you can request that your data be deleted, in particular when the data are no longer required for the purposes for which they were collected, with the exception of any processing required to comply with a legal obligation or to establish, exercise or defend rights in court;
- request that the processing of your data be limited: you can request that the processing of your data be suspended or restricted;
- request your data in a portable format: where the processing is automated and based on consent or the performance of contractual or pre-contractual activities, you may request that your personal data be returned and/or transferred to a third party;
- provide instructions on what we should do with your personal data in the event of your death: you may instruct us to keep, delete or share your personal data after your death.
Finally, when the legal basis for the processing is consent, you may withdraw this consent to stop your data being processed; the withdrawal of consent does not affect the lawfulness of processing that happened prior to withdrawal.
If you would like to exercise any of your rights, simply write to us, indicating the right you want to exercise together with any information that will allow us to identify you (identity documents, contract number, etc.).
In writing, by signed letter, at the following address:
Crédit Agricole Payment Services
FAO Délégué à la Protection des données [Data Protection Officer], 38 Boulevard des Chênes - Bâtiment Alsace– BP 48 78042 Guyancourt CEDEX
Postage costs will be reimbursed upon request.
Or by email to the Data Protection Officer: dpo.caps@ca-ps.com.
Please note that if you choose to exercise some of these rights, Crédit Agricole Payment Services may be prevented from providing certain products or services.
You may also, in the event of a dispute, file a complaint with the CNIL. Website: http://www.cnil.fr; postal address: 3 Place de Fontenoy, 75007 Paris.
You can find detailed information on how we process your personal data below:
- Processing purposes
- Legal basis for processing
- How long we keep your data
- Who receives your data
- Where we get your data and what category it falls under, when the data has not been collected directly from you
- If applicable, whether we transfer your data to a non-European Union country and how we ensure they are protected in these countries (adequacy decision by the European Commission or appropriate safeguards).
Processing activities
Building a Know Your Customer (KYC) file
Purpose
Building a Know Your Customer (KYC) file
Legal basis
Legal obligation
How long we keep your data
5 years from the end of the business relationship (closure of payment account)
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
CAPS was able to obtain data from:
- Regional branches
- National or regional subsidiaries of the Crédit Agricole Group
Screening third-party lists
Purpose
Comparing the people on the third-party list to the two reference lists: International Sanctions and Politically Exposed Persons
Legal basis
Legal obligation
How long we keep your data
5 years from the end of the business relationship
Who receives your data
CAPS, CA-GIP
Data transfers to non-EU countries
No
Data obtained from third parties
CAPS was able to obtain data from:
- Regional branches
- National or regional subsidiaries of the Crédit Agricole Group
- Government bodies, market regulators, judicial or administrative authorities (including the Banque de France)
Scoring
Purpose
Calculating a prospect/client's risk score and categorizing them to meet CAPS' obligations in respect of understanding clients' financial position
Legal basis
Legal obligation
How long we keep your data
5 years from the end of the business relationship (closure of payment account)
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Opening a payment account
Purpose
Opening a payment account based on the data provided by the client to allow access to the payment services offered by CAPS
Legal basis
Required for contract performance
How long we keep your data
5 years from the end of the business relationship
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Payment by SEPA Direct Debit (SDD) (mandate)
Purpose
- Receiving payer data for SEPA Direct Debit payments
- Making a payment by direct debit (mandate)
Legal basis
Required for contract performance
How long we keep your data
5 years from the payment
Who receives your data
CAPS, CA-GIP, Progica
Data transfers to non-EU countries
No
Data obtained from third parties
No
Payment by SEPA Credit Transfer (SCT) (standard or instant) or SWIFT (on receipt)
Purpose
- Providing a virtual IBAN to the payer for a transfer
- Accepting a payment by SCT (standard or instant) or SWIFT
Legal basis
Required for contract performance
How long we keep your data
5 years from the payment
Who receives your data
CAPS, CA-GIP
Data transfers to non-EU countries
No
Data obtained from third parties
No
Collecting card payments
Purpose
Accepting a payment made with a bank card
Legal basis
Required for contract performance
How long we keep your data
For the duration of the contract plus 13 months from the termination or expiry of the contract
Who receives your data
CAPS
Data transfers to non-EU countries
Yes
Data obtained from third parties
No
Card payment (acquisition by a CA Group bank)
Purpose
Settling a bank card payment transaction via acquisition by the seller's bank, a CA Group entity
Legal basis
Required for contract performance
How long we keep your data
5 years from the payment
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Accepting payments
Purpose
Accepting payments from the customers of our clients
Legal basis
Required for contract performance
How long we keep your data
5 years (for audit and tax purposes)
Who receives your data
CAPS, CA-GIP
Data transfers to non-EU countries
No
Data obtained from third parties
No
Transfers between payment accounts
Purpose
Transferring funds between payment accounts at the client's request
Legal basis
Required for contract performance
How long we keep your data
5 years (tax reasons)
Who receives your data
CAPS, CA-GIP
Data transfers to non-EU countries
No
Data obtained from third parties
No
Pay-out
Purpose
- Enabling clients to send a SCT or SWIFT pay-out order (via an API)
- Processing pay-outs by the Client
Legal basis
Required for contract performance
How long we keep your data
5 years from the transaction (tax reasons)
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Event notifications
Purpose
Sending notifications to the client to keep them informed of the status of a transaction
Legal basis
Legitimate interest
How long we keep your data
2 months
Who receives your data
CAPS Client
Data transfers to non-EU countries
No
Data obtained from third parties
No
Activity monitoring
Purpose
Monitoring and detecting suspicious or risky behaviour
Legal basis
Legal obligation
How long we keep your data
5 years (tax reasons)
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Amending the IBAN for pay-out
Purpose
Amending the IBAN provided by the merchant via the marketplace for pay-out
Legal basis
Required for contract performance
How long we keep your data
5 years (tax reasons)
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Cancelling a payment transaction
Purpose
Cancelling a payment transaction made by the payer and not yet cleared
Legal basis
Required for contract performance
How long we keep your data
5 years (tax reasons)
Who receives your data
CAPS, CA-GIP
Data transfers to non-EU countries
No
Data obtained from third parties
No
Refunding payments
Purpose
Refunding transactions undertaken using different payment methods that have already been collected, on the instructions of the client
Legal basis
Required for contract performance
How long we keep your data
For the duration of the contract plus 13 months from the termination or expiry of the contract
Who receives your data
CAPS and VERIFONE
Data transfers to non-EU countries
Yes
Data obtained from third parties
No
Refunding payments to payers
Purpose
Refunding payment transactions to payers on the instructions of the client
Legal basis
Required for contract performance
How long we keep your data
5 years (tax reasons)
Who receives your data
CAPS, CA-GIP
Data transfers to non-EU countries
No
Data obtained from third parties
No
Outstanding card payments (acquisition via a bank in the Crédit Agricole group)
Purpose
Processing outstanding payments following payment by bank card and reporting this information to the client
Legal basis
Required for contract performance
How long we keep your data
5 years from the payment
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
CAPS was able to obtain data from:
- Regional branches
- National or regional subsidiaries of the Crédit Agricole Group
Reporting
Purpose
Generating a list of all transactions undertaken and recorded and sending it to the client
Legal basis
Required for contract performance
How long we keep your data
2 months
Who receives your data
CAPS Client
Data transfers to non-EU countries
No
Data obtained from third parties
No
Invoicing CAPS Payment Institution to the client or vendor
Purpose
Generating invoices to be paid by the client or vendor
Legal basis
Legal obligation
How long we keep your data
5 years (tax reasons)
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Monthly FICOBA [bank and similar account registry] declaration to the DGFIP [French Treasury Department]
Purpose
Sending a declaration of accounts opened, amended and closed in the past month
Legal basis
Legal obligation
How long we keep your data
5 years (tax reasons)
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Customer service
Purpose
Providing customer service and responding to customer requests
Legal basis
Required for contract performance
How long we keep your data
1 month
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Initiating payments
Purpose
Offering end customers a transfer form with the necessary information already filled in
Legal basis
Required for contract performance
How long we keep your data
5 years from the payment
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
No
Client portal
Purpose
Allowing authorised users to access all management and administration services provided to the client
Legal basis
Required for contract performance
How long we keep your data
5 years
Who receives your data
CAPS Client
Data transfers to non-EU countries
No
Data obtained from third parties
No
Further information
*Data relating to strong authentication are kept for 6 months.
Balancing bank accounts provided as part of the AgoraPay service
Purpose
Balancing bank accounts provided as part of the AgoraPay service, to credit the funds to the client's payment accounts
Legal basis
Required for contract performance
How long we keep your data
5 years (tax reasons)
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
CAPS was able to obtain data from:
- Regional branches
- National or regional subsidiaries of the Crédit Agricole Group
Commercial prospection
Purpose
Subscription, commercial communication, offer and services proposals and CRM database update.
Legal basis
Client or prospect consent for electronic means (email, text, call center) or legitimate interest, in particular for communications by mail or telephone, or communications by electronic means relating to products and services similar to those already subscribed. Construction of a CRM database.
How long we keep your data
3 years starting from :
- End of commercial relationship for the clients
- Last communication for the prospects
Who receives your data
CAPS
Data transfers to non-EU countries
No
Data obtained from third parties
CAPS was able to obtain data from:
- Regional branches
- National or regional subsidiaries of the Crédit Agricole Group
- State, market organizations, judicial or administrative authority (including the "Banque de France")
