Privacy Policy for givve® Card Users

Version 1.8 (06/07/2024) 

Through this website, we’d like to inform you, as the end user of a givve® Card, about the collection and processing of your personal data by PL Gutscheinsysteme GmbH (Ainmillerstrasse 11, 80801 Munich, Germany; hereinafter also referred to as “givve®”, “we” or “us”) related to the set up and use of your givve® Card.

The European General Data Protection Regulation (hereinafter abbreviated as GDPR) and the Federal Data Protection Act (hereinafter abbreviated as BDSG) serve, among other things, to ensure that every person affected by data processing (the “data subject”) is aware of the extent to which their personal data is being processed.

Personal data is data that relates to you or allows conclusions to be drawn about you (e.g. your name, date of birth or your presence, your salary or your vacation plans). Hereinafter, we will use the abbreviation “data”, which shall generally mean personal data. Also hereinafter, the term “data processing” shall refer to any collection, storage and other use of Data. With respect to your Data, we are happy to comply with the transparency requirements stipulated by the GDPR and BDSG.

 

1. Name and address of the data controller
 

PL Gutscheinsysteme GmbH
Ainmillerstrasse 11
80801 Munich
Germany

CEOs: Patrick Loeffler, Alexander Klaiber | Companies Registration Office: 188665 | VAT ID: DE815242749 E-mail: datenschutz@givve.com www.givve.com

 

2. Data protection officer’s (DPO) contact data:
 

To contact the DPO at givve®, please use the contact details listed in section 1 and the delivery suffix “FAO DPO”. You can use these contact details to contact the DPO directly if you would like to discuss a confidential or sensitive matter. Please send all general requests or information in relation to data protection at givve® to the address and email listed under Section 1 without stating the mentioned delivery addendum.

 

3. Data we process and collect from you
 

As part of the setup and use of your givve® MasterCard® Card, we collect and process data about you. Below you find an overview on the data we process, for what purpose and on what legal basis we do so, and for how long we retain your data.
 

3.1. Data we process for the purpose of fulfilling the agreement concluded with you regarding the use of your givve® Card
 

You entered into an agreement with your employer regarding the provision and use of your givve® Card (hereinafter also referred to as the “givve® Card Usage Agreement”). In this context, your employer has commissioned us to provide your givve® Card and has concluded a corresponding contract with us regarding participation in the givve® Card program. In order for us to be able to provide the respective services on the basis of these agreements, which are necessary to fulfil your givve® Card Usage Agreement, we need to collect the following data from you:

a) Setup data

In order to set up your givve® Card for the first time, we need to collect the following information from you:

  • First and last name including title
  • Your business email address

b) Credit data

In order to keep your givve® Card ready for you to use, we need to be able to manage the balance on it. For this purpose, we collect and process the following of your data:

  • the credit amount available on your givve® Card;
  • the credit amount reserved on your givve® Card.

c) Payment information

In order for you to be able to use your givve® Card and pay with it, we also need to collect and process your following personal data:

  • your transactions executed with the givve® Card
  • the Card’s activation status

Collecting the above data and processing them is necessary if you want to get and use your givve® Card (i.e. top it up and pay with it). If you do not wish to provide your data as described above, this may result in you not being able to receive or use your givve® Card.

Purpose of processing: Your above-mentioned data will be processed exclusively for the purpose of performing the existing givve® Card Usage Agreement concluded with you regarding the provision and use of your givve® Card.

Legal basis for processing: Legal basis for processing the respective data is that it is necessary in order to perform the existing givve® Card Usage Agreement with you in accordance with Section 6 para. (1) lit. b) GDPR.

Retention period: Your above data will generally only be stored for as long as is necessary to perform the existing givve® Card Usage Agreement with you. We will generally delete your above-mentioned data after 180 days, unless there is a legal basis under data protection law for your data’s further retention and processing (see the relevant description in Section 3.2. below).
 

3.2. Data we process in order to comply with legal obligations which we are subjected to
 

a) Data that we process in order to meet our obligations under the Payment Services Oversight Act (ZAG).

As part of providing the services we are obliged to provide in order to meet our obligations under the givve® Card Usage Agreement, we act as an “e-money agent” within the meaning of Section 1 Para. (10) ZAG of DiPocket UAB (Upès str. 23, 08128 Vilnius, Lithuania). As an “e-money agent” within the meaning of the ZAG, we are obliged, in accordance with Section 30 ZAG, to retain all our documents for regulatory purposes for at least five years, starting from the end of the calendar year in which the respective documents were created. In your case, this applies to the following data:

  • all data processed by us within the scope of payments
  • possibly available master data, to identify the Card user

The collection and processing of the above data is required for us to provide the services and comply with our respective mandatory legal obligations. If you do not wish to provide your data as described above, we may not be able to provide the services required for you to get or use your givve® Card.

Purpose of processing: The data are processed exclusively for the purpose of complying with the mandatory legal regulatory requirements stipulated by the ZAG, to which we are subject as an “e-money agent” within the meaning of Section 1 Para. (10) ZAG.

Legal basis for processing: The legal basis for this data processing is the necessity to comply with our aforementioned legal obligations in accordance with Section 6 para. (1) lit. c) GDPR. Said obligations arise from Section 30 ZAG.

Retention period: As stipulated by Section 30 ZAG in connection with Section 257 para. (3) and (5) German Commerical Code (HGB) and Section 147 para. (5) and (6) German Fiscal Code (AO), we are obliged to store the data mentioned in this Section 3. 2. a) for a period of five years, starting from the end of the calendar year in which the respective documents were created.

b) Data that we process for the purpose of meeting our obligations under the Money Laundering Act (GwG)

As “e-money agent” within the meaning of Section 1 para. (10) ZAG, we are also an “obligated party” within the meaning of Section 2 para. (1) No. 4 GwG and are thus subject to the extensive legal regulatory obligations stipulated by the GwG, in particular, where applicable, for the reliable identification of you as Card end user in accordance with Section 10 para. (1) No. 1 GwG.

We only process the Card user’s master data (name, email, possibly address), as and if it was handed over to us by the employer.

The collection and processing of the above data is required for us to provide the services and meet our respective mandatory legal obligations.

If you do not wish to provide your data as described above, we may not be able to provide the services required for you to get or use your givve® Card.

Purpose of processing: The data are processed exclusively for the purpose of meeting mandatory legal regulatory requirements stipulated by the GwG to prevent money laundering and terrorist financing in accordance with Section 11a para (1) GwG.

Legal basis for processing: The legal basis for this data processing is the necessity to meet our aforementioned legal obligations in accordance with Art. 6 para. (1) lit. c) GDPR. Said obligations arise from Section 10 para. (1) No. 1, Section 11 para. (IV), Section 12 para. (1) and from Section 8 para. (1) No. 1. a), para. (2) GwG.

Retention period: According to Section 8 para. (4) GwG, we are obliged to store the data mentioned in this Section 3. 2. b) for a period of five years.

c) Data we are obliged to retain for the purpose of complying with other legal retention obligations

Furthermore, we are obliged to retain some of your data for a certain period of time due to other mandatory legal retention regulations. According to Section 257 para. 1 No. 1 of the German Commerical Code (HGB) in conjunction with para. 4 and Section 147 para. 1 No. 2 in conjunction with para. 3 of the German Fiscal Code (AO), we are obliged to store received commercial letters for a period of six years. Said retention of documents required by law serves for documentation purposes, for example to facilitate tax audits and controls. Data on contract-related information are classified as commercial letters – also by data protection authorities. Deleting your data would thus be unlawful.

The data we are required to retain in accordance with Sections 3.2 a) to c) above will be blocked until the respective retention periods expire. Therefore, any further processing only takes place for the purposes mentioned above, which are the objective of mandatory legal retention. Once the statutory retention requirements have expired, your blocked data will of course be deleted immediately.

If data are only stored in our digital archive system for the purpose of data backups or data protection control, suchlike data cannot be deleted separately. It is thus possible that individual information that gave rise to the context of a process that requires retention is stored in the archive. The data sets in the archive will be deleted once the statutory deadlines have expired. The data sets may only be used for data backup or data protection control purposes and the archive is only accessible to a limited group of users. The data sets may only be used for data backup or data protection control purposes and the archive is only accessible to a limited group of users.
 

3.3. Data we process as a processor for DiPocket UAB in order to comply with legal obligations which DiPocket UAB is subjected to
 

In deviation from section 1., we process personal data of Card users as a processor for DiPocket UAB in accordance with Art. 4 No. 8 GDPR, where necessary in certain cases, e.g. in the case of cards for the receipt of state benefits. In your case, this applies to the following data:

  • First name
  • Last name
  • Date of birth
  • Nationality

In justified exceptional cases, it may be necessary to collect further data from you, such as a scan of an identification document.

Purpose of processing: The data are processed for the purpose of complying with the legal obligations of transaction monitoring and verification under sanctions law to which DiPocket UAB is subject.

Legal basis for processing: The legal basis for this data processing for the purpose of transaction monitoring is the necessity to comply with legal obligations in accordance with Art. 6 para. (1) lit. c), para (3) GDPR in conjunction with Art. 9 (16), 9 (18) and 29 (1), (3) of the Lithuanian Money Laundering Law. The legal basis for this data processing for the purpose of verification under sanctions law is the necessity to comply with legal obligations in accordance with Art. 6 para. (1) lit. c), para (3) GDPR in conjunction with Art. 9.4.1, 25.1 and 26 of Resolution No. 03-98 of the Bank of Lithuania.

The processing of this personal data of Card users is related to the legal obligations of DiPocket UAB as an e-money institution authorized in Lithuania and controller pursuant to Art. 4 No. 7 GDPR. We process personal data of Card users in this context as a processor for DiPocket UAB in accordance with Art. 4 No. 8 GDPR.

 

4. Sources of data related to you that we process
 

If possible, we will collect the above data from you directly. However, since we generally have neither a direct contractual relationship with nor direct contact to you, we collect the data mentioned above in Section 3.1. a) as setup data usually from our clients, i.e. your employer.

The credit data mentioned above under Section 3.1. b) is received from Thredd Group Limited (6th Floor Victoria House, Bloomsbury Square, London, WC1B 4DA).

The payment information mentioned above under Section 3.1. c) is received from Thredd Group Limited (6th Floor Victoria House, Bloomsbury Square, London, WC1B 4DA).

 

5. Categories of recipients of your personal data
 

Within our company, our employees generally only have access to your data on a “need-to-know”-basis, according to their respective tasks and in order to be able to process your data for the purposes described above.

In certain cases, we may have to share some of your information with entities and people outside our organisation. Such parties are e.g. service providers who process personal data disclosed by us for a specific purpose on their own responsibility. Any disclosure of your data to suchlike third party-recipients will depend on a corresponding legal basis under data protection provisions for this purpose. In some cases, disclosure to external partner companies might be necessary e.g. to perform the existing givve® Card Usage Agreement with you. The respectively applicable legal basis under data protection provisions is Section 6 para. (1) lit. b) GDPR.

In other cases, service providers who work on our behalf may process some data in accordance with our respective instructions within the scope of so-called order processing. If so, we enter into a so-called data processing agreement (DPA) with them, through which we oblige the service provider to process the data carefully, in accordance with our instructions and only for the purpose specified by us.

Classified by category, we may disclose data to the following groups of third-party recipients:

  • authorities, such as financial authorities
  • courts
  • tax consultants working for givve®
  • lawyers working for givve®
  • auditors working for givve®.
  • Service providers who process personal data (so-called data processors, see service provider directory):
  • MongoDB Limited (Building Two, Number One Ballsbridge, Ballsbridge, Dublin 4, Ireland)
  • Amazon Web Services EMEA SARL (38 Avenue John F. Kennedy l-1855 Luxembourg)
  • exceet Card AG (Edisonstrasse 3 85716 Unterschleissheim, Germany)
  • Thredd Group Limited (6th Floor Victoria House, Bloomsbury Square, London, WC1B 4DA)
  • DiPocket UAB (Upès str. 23, 08128 Vilnius, Lithuania)
  • Google Cloud EMEA Limited (70 Sir John Rogerson’s Quay, Dublin 2, Ireland)
  • Help Scout (177 Huntington Ave Ste 1703 PMB 78505 Boston, Massachusetts 02115-3153 USA)
  • Twilio Inc. (101 Spear Street, Ste 500 San Francisco, CA 94105 USA)
  • The Rocket Science Group LLC (675 Ponce de Leon NE, Suite 5000, Atlanta, Georgia 30308, USA)
  • Talend, Inc. (400 South El Camino Real, Suite 1400 San Mateo, CA 94402 USA)
  • Asana, Inc. (633 Folsom St. San Francisco, CA 94107 USA)
  • Transferdata GmbH (Am Pfanderling 70, 85778 Haimhausen, Germany)
  • Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland)
  • MeaWallet AS (​​Akersgata 41, N-0158 Oslo, Norway)

 

6. Transmission to third countries
 

To the extent that personal data is transmitted by givve® to so-called third countries (outside the European Union or the European Economic Area) and the European Commission has not issued an adequacy decision (Section 45 GDPR) for these countries, we have taken appropriate precautions to ensure an appropriate level of data protection for suchlike data transmission. This includes e.g. the European Union’s standard contractual clauses or binding corporate rules.

 

7. Processing by means of automated decision-making (including profiling) within the meaning of Section 22 para. (1) and (4) GDPR
 

Processing of your data by means of automated decision-making (including profiling) within the meaning of Section 22 para. (1) and (4) GDPR will not take place under our responsibility when your data is processed as provided for in this Privacy Policy.

 

8. Your rights with respect to data processing by givve®

 

With regard to data processing by givve®, you have the following rights:

1. The right to be informed about which of your data we process (Section 15 GDPR)

You have the right to be informed about which of your data we process. Upon request, we will be happy to specify the respective data. You can also obtain further information to the extent legally defined.

2. The right to rectify incorrect data (Section 16 GDPR)

You have the right to have your data rectified. This may in particular apply if information subsequently changes, such as family name and marital status in the event of a marriage. In such cases we will of course correct any changed data.

3. Right to data deletion (Section 17 GDPR)

If data are no longer needed or in individual cases are processed without respective necessity, you are entitled to request respective deletion. In suchlike cases, we will promptly delete your data. However, in certain cases there may be an obligation to retain data, meaning that unfortunately your data cannot be deleted or cannot be deleted completely. We will then only keep your data for the intended retention purpose and will of course no longer use it for any other purpose (see Section 4).

4. Right to restrict your data’s processing (Section 18 GDPR)

If your data are subject to a retention obligation, we unfortunately cannot delete them. However, in suchlike cases, we will restrict the respective processing to the extent possible. Processing will also be restricted if you request that the data be corrected and it is not yet clear to what extent changes need to be made. Restricted processing usually means that the data are stored but blocked for other purposes. In general, employees cannot access respective data anymore.

5. Right to data portability (Section 20 GDPR)

The right to so-called data portability allows you to request data that you have provided to us yourself.

6. Right of withdrawal and objection

You have the right to withdraw your consent at any time. As a result, we will cease to process respective data based on this consent. The withdrawal of consent shall not affect the lawfulness of any processing undertaken on the basis of this consent before such withdrawal. Insofar as we process your data based on legitimate interests, you shall have the right to object to the processing of your data at any time for reasons arising from your particular situation. If you object to data processing for direct advertising purposes, you have a general right to object, which we will accept even without reasons. If you would like to exercise your right of withdrawal or objection, all you need to do is to send an informal message to the above contact details.

7. Right to lodge a complaint with the competent authority

Finally, you have the right to lodge a complaint with the competent data protection authority if you suspect the processing of your personal data to be non-compliant with data protection laws. You can exercise this right with a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement. In Bavaria, the factual headquarters of givve®, the competent authority is the Bavarian State Office for Data Protection:

Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Germany