Version 1.7 (01/31/2024)
Through this website, we’d like to inform you, as the end user of a givve® Card, about the collection and processing of your personal data by PL Gutscheinsysteme GmbH (Ainmillerstrasse 11, 80801 Munich, Germany; hereinafter also referred to as “givve®”, “we” or “us”) related to the set up and use of your givve® Card.
The European General Data Protection Regulation (hereinafter abbreviated as GDPR) and the Federal Data Protection Act (hereinafter abbreviated as BDSG) serve, among other things, to ensure that every person affected by data processing (the “data subject”) is aware of the extent to which their personal data is being processed.
Personal data is data that relates to you or allows conclusions to be drawn about you (e.g. your name, date of birth or your presence, your salary or your vacation plans). Hereinafter, we will use the abbreviation “data”, which shall generally mean personal data. Also hereinafter, the term “data processing” shall refer to any collection, storage and other use of Data. With respect to your Data, we are happy to comply with the transparency requirements stipulated by the GDPR and BDSG.
1. Name and address of the data controller
PL Gutscheinsysteme GmbH
Ainmillerstrasse 11
80801 Munich
Germany
CEOs: Patrick Loeffler, Alexander Klaiber | Companies Registration Office: 188665 | VAT ID: DE815242749 E-mail: datenschutz@givve.com www.givve.com
2. Data protection officer’s (DPO) contact data:
To contact the DPO at givve®, please use the contact details listed in section 1 and the delivery suffix “FAO DPO”. You can use these contact details to contact the DPO directly if you would like to discuss a confidential or sensitive matter. Please send all general requests or information in relation to data protection at givve® to the address and email listed under Section 1 without stating the mentioned delivery addendum.
3. Data we process and collect from you
As part of the setup and use of your givve® MasterCard® Card, we collect and process data about you. Below you find an overview on the data we process, for what purpose and on what legal basis we do so, and for how long we retain your data.
3.1. Data we process for the purpose of fulfilling the agreement concluded with you regarding the use of your givve® Card
You entered into an agreement with your employer regarding the provision and use of your givve® Card (hereinafter also referred to as the “givve® Card Usage Agreement”). In this context, your employer has commissioned us to provide your givve® Card and has concluded a corresponding contract with us regarding participation in the givve® Card program. In order for us to be able to provide the respective services on the basis of these agreements, which are necessary to fulfil your givve® Card Usage Agreement, we need to collect the following data from you:
a) Setup data
In order to set up your givve® Card for the first time, we need to collect the following information from you:
b) Credit data
In order to keep your givve® Card ready for you to use, we need to be able to manage the balance on it. For this purpose, we collect and process the following of your data:
c) Payment information
In order for you to be able to use your givve® Card and pay with it, we also need to collect and process your following personal data:
Collecting the above data and processing them is necessary if you want to get and use your givve® Card (i.e. top it up and pay with it). If you do not wish to provide your data as described above, this may result in you not being able to receive or use your givve® Card.
Purpose of processing: Your above-mentioned data will be processed exclusively for the purpose of performing the existing givve® Card Usage Agreement concluded with you regarding the provision and use of your givve® Card.
Legal basis for processing: Legal basis for processing the respective data is that it is necessary in order to perform the existing givve® Card Usage Agreement with you in accordance with Section 6 para. (1) lit. b) GDPR.
Retention period: Your above data will generally only be stored for as long as is necessary to perform the existing givve® Card Usage Agreement with you. We will generally delete your above-mentioned data after 180 days, unless there is a legal basis under data protection law for your data’s further retention and processing (see the relevant description in Section 3.2. below).
3.2. Data we process in order to comply with legal obligations which we are subjected to
a) Data that we process in order to meet our obligations under the Payment Services Oversight Act (ZAG).
As part of providing the services we are obliged to provide in order to meet our obligations under the givve® Card Usage Agreement, we act as an “e-money agent” within the meaning of Section 1 Para. (10) ZAG of DiPocket UAB (Upès str. 23, 08128 Vilnius, Lithuania). As an “e-money agent” within the meaning of the ZAG, we are obliged, in accordance with Section 30 ZAG, to retain all our documents for regulatory purposes for at least five years, starting from the end of the calendar year in which the respective documents were created. In your case, this applies to the following data:
The collection and processing of the above data is required for us to provide the services and comply with our respective mandatory legal obligations. If you do not wish to provide your data as described above, we may not be able to provide the services required for you to get or use your givve® Card.
Purpose of processing: The data are processed exclusively for the purpose of complying with the mandatory legal regulatory requirements stipulated by the ZAG, to which we are subject as an “e-money agent” within the meaning of Section 1 Para. (10) ZAG.
Legal basis for processing: The legal basis for this data processing is the necessity to comply with our aforementioned legal obligations in accordance with Section 6 para. (1) lit. c) GDPR. Said obligations arise from Section 30 ZAG.
Retention period: As stipulated by Section 30 ZAG in connection with Section 257 para. (3) and (5) German Commerical Code (HGB) and Section 147 para. (5) and (6) German Fiscal Code (AO), we are obliged to store the data mentioned in this Section III. 2. a) for a period of five years, starting from the end of the calendar year in which the respective documents were created.
b) Data that we process for the purpose of meeting our obligations under the Money Laundering Act (GwG)
As “e-money agent” within the meaning of Section 1 para. (10) ZAG, we are also an “obligated party” within the meaning of Section 2 para. (1) No. 4 GwG and are thus subject to the extensive legal regulatory obligations stipulated by the GwG, in particular for the reliable identification of you as Card end user in accordance with Section 10 para. (1) No. 1 GwG.
We only process the Card user’s master data (name, email, possibly address), as and if it was handed over to us by the employer.
The collection and processing of the above data is required for us to provide the services and meet our respective mandatory legal obligations.
If you do not wish to provide your data as described above, we may not be able to provide the services required for you to get or use your givve® Card.
Purpose of processing: The data are processed exclusively for the purpose of meeting mandatory legal regulatory requirements stipulated by the GwG to prevent money laundering and terrorist financing in accordance with Section 58 GwG.
Legal basis for processing: The legal basis for this data processing is the necessity to meet our aforementioned legal obligations in accordance with Art. 6 para. (1) lit. c) GDPR. Said obligations arise from Section 10 para. (1) No. 1, Section 11 para. (IV), Section 12 para. (1) and from Section 8 para. (1) No. 1. a), para. (2) GwG.
Retention period: According to Section 8 para. (4) GwG, we are obliged to store the data mentioned in this Section III. 2. b) for a period of five years.
c) Data we are obliged to retain for the purpose of complying with other legal retention obligations
Furthermore, we are obliged to retain some of your data for a certain period of time due to other mandatory legal retention regulations. According to Section 257 para. 1 No. 1 of the German Commerical Code (HGB) in conjunction with para. 4 and Section 147 para. 1 No. 2 in conjunction with para. 3 of the German Fiscal Code (AO), we are obliged to store received commercial letters for a period of six years. Said retention of documents required by law serves for documentation purposes, for example to facilitate tax audits and controls. Data on contract-related information are classified as commercial letters – also by data protection authorities. Deleting your data would thus be unlawful.
The data we are required to retain in accordance with Sections 3.2 a) to c) above will be blocked until the respective retention periods expire. Therefore, any further processing only takes place for the purposes mentioned above, which are the objective of mandatory legal retention. Once the statutory retention requirements have expired, your blocked data will of course be deleted immediately.
If data are only stored in our digital archive system for the purpose of data backups or data protection control, suchlike data cannot be deleted separately. It is thus possible that individual information that gave rise to the context of a process that requires retention is stored in the archive. The data sets in the archive will be deleted once the statutory deadlines have expired. The data sets may only be used for data backup or data protection control purposes and the archive is only accessible to a limited group of users. The data sets may only be used for data backup or data protection control purposes and the archive is only accessible to a limited group of users.
4. Sources of data related to you that we process
If possible, we will collect the above data from you directly. However, since we generally have neither a direct contractual relationship with nor direct contact to you, we collect the data mentioned above in Section 3.1. a) as setup data usually from our clients, i.e. your employer.
The credit data mentioned above under Section 3.1. b) is received from Thredd Group Limited (6th Floor Victoria House, Bloomsbury Square, London, WC1B 4DA).
The payment information mentioned above under Section 3.1. c) is received from Thredd Group Limited (6th Floor Victoria House, Bloomsbury Square, London, WC1B 4DA).
5. Categories of recipients of your personal data
Within our company, our employees generally only have access to your data on a “need-to-know”-basis, according to their respective tasks and in order to be able to process your data for the purposes described above.
In certain cases, we may have to share some of your information with entities and people outside our organisation. Such parties are e.g. service providers who process personal data disclosed by us for a specific purpose on their own responsibility. Any disclosure of your data to suchlike third party-recipients will depend on a corresponding legal basis under data protection provisions for this purpose. In some cases, disclosure to external partner companies might be necessary e.g. to perform the existing givve® Card Usage Agreement with you. The respectively applicable legal basis under data protection provisions is Section 6 para. (1) lit. b) GDPR.
In other cases, service providers who work on our behalf may process some data in accordance with our respective instructions within the scope of so-called order processing. If so, we enter into a so-called data processing agreement (DPA) with them, through which we oblige the service provider to process the data carefully, in accordance with our instructions and only for the purpose specified by us.
Classified by category, we may disclose data to the following groups of third-party recipients:
6. Transmission to third countries
To the extent that personal data is transmitted by givve® to so-called third countries (outside the European Union or the European Economic Area) and the European Commission has not issued an adequacy decision (Section 45 GDPR) for these countries, we have taken appropriate precautions to ensure an appropriate level of data protection for suchlike data transmission. This includes e.g. the European Union’s standard contractual clauses or binding corporate rules.
7. Processing by means of automated decision-making (including profiling) within the meaning of Section 22 para. (1) and (4) GDPR
Processing of your data by means of automated decision-making (including profiling) within the meaning of Section 22 para. (1) and (4) GDPR will not take place under our responsibility when your data is processed as provided for in this Privacy Policy.
8. Your rights with respect to data processing by givve®
With regard to data processing by givve®, you have the following rights:
1. The right to be informed about which of your data we process (Section 15 GDPR)
You have the right to be informed about which of your data we process. Upon request, we will be happy to specify the respective data. You can also obtain further information to the extent legally defined.
2. The right to rectify incorrect data (Section 16 GDPR)
You have the right to have your data rectified. This may in particular apply if information subsequently changes, such as family name and marital status in the event of a marriage. In such cases we will of course correct any changed data.
3. Right to data deletion (Section 17 GDPR)
If data are no longer needed or in individual cases are processed without respective necessity, you are entitled to request respective deletion. In suchlike cases, we will promptly delete your data. However, in certain cases there may be an obligation to retain data, meaning that unfortunately your data cannot be deleted or cannot be deleted completely. We will then only keep your data for the intended retention purpose and will of course no longer use it for any other purpose (see Section 4).
4. Right to restrict your data’s processing (Section 18 GDPR)
If your data are subject to a retention obligation, we unfortunately cannot delete them. However, in suchlike cases, we will restrict the respective processing to the extent possible. Processing will also be restricted if you request that the data be corrected and it is not yet clear to what extent changes need to be made. Restricted processing usually means that the data are stored but blocked for other purposes. In general, employees cannot access respective data anymore.
5. Right to data portability (Section 20 GDPR)
The right to so-called data portability allows you to request data that you have provided to us yourself.
6. Right of withdrawal and objection
You have the right to withdraw your consent at any time. As a result, we will cease to process respective data based on this consent. The withdrawal of consent shall not affect the lawfulness of any processing undertaken on the basis of this consent before such withdrawal. Insofar as we process your data based on legitimate interests, you shall have the right to object to the processing of your data at any time for reasons arising from your particular situation. If you object to data processing for direct advertising purposes, you have a general right to object, which we will accept even without reasons. If you would like to exercise your right of withdrawal or objection, all you need to do is to send an informal message to the above contact details.
7. Right to lodge a complaint with the competent authority
Finally, you have the right to lodge a complaint with the competent data protection authority if you suspect the processing of your personal data to be non-compliant with data protection laws. You can exercise this right with a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement. In Bavaria, the factual headquarters of givve®, the competent authority is the Bavarian State Office for Data Protection:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Germany