Data Protection Policy
Introduction
The Data Protection Policy (“Policy”) of Evonet (“Evonet”) is intended to protect the personal data of the various stakeholders connected to the organization, and is created in accordance with the data protection law in Singapore (the Personal Data Protection Act 2012 (the “PDPA”)) and the European Union’s General Data Protection Regulation (“GDPR”). It defines the principles and procedures that Evonet will adhere to and the responsibilities Evonet owes to various stakeholders. The Policy is part of the supplement to the Merchant Services Agreement given to Evonet’s customer (“Customer”), and describes how we implement data protection.
Personal Data could be shared by the Customer in order to use Evonet services, including wallet network services, payment processing gateway services, merchant acquiring services and other payment services (collectively, hereinafter, “Services”). The categories and the processing activities of Personal Data shared are described in the Data Processing Activities section.
Definitions
Unless otherwise defined herein, all capitalized terms shall have the meaning given to them in this Policy.
Data Controller | the natural or public or private legal person who alone or jointly with others determines the purpose, content and use of the data. |
Personal Data | any name, NRIC/Passport, mobile number, personal email address, thumbprint, numerical, alphabetical, graphic, photographic, acoustic or any other type of information relating to identified or identifiable natural persons. |
Data Subject | an individual about whom the Personal Data relates. |
Notification | Notify individuals of the purposes for collecting, using and disclosing their personal data. |
Consent | Collect, use or disclose personal data for purposes which individuals have given consent to. Also allow them to withdraw their consent with reasonable notice. |
Purpose Limitation | Collect, use or disclose personal data for purposes that a reasonable person would consider appropriate under given circumstances, and for which the individual has given consent to. |
Accuracy | Ensure that the personal data collected is accurate and complete, especially if it is likely to be used to make a decision that affects the individual or to be disclosed to another organization. |
Protection | Make reasonable security arrangements to protect the personal data in your possession to prevent unauthorized access, collection, use, disclosure or similar risks. |
Retention Limitation | Stop keeping personal data or dispose of it properly when it is no longer needed for any business or legal purpose. |
Transfer Limitation | Transfer personal data overseas according to the requirements prescribed under the regulations, to ensure that the standard of protection is comparable to the protection under the PDPA. |
Access and Correction | the exercise by a data subject of his or her rights under applicable Data Protection Legislation. |
Data Breach | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data. |
Data Portability | Upon request, transmit the individual’s data in your possession or under your control to another organization in a commonly used machine-readable format. |
Data Protection Legislation | any laws and regulations relating to the processing of Personal Data and privacy of the territory and, if applicable, the guidance and codes of practice issued by the relevant Data Protection or Supervisory Authority. |
Roles and Compliance
Evonet will act as an independent Data Controller of the Personal Data under the Data Protection Legislations.
It is agreed that:
- Evonet shall comply with all applicable Data Protection Legislations; and
- Evonet shall ensure that it has a lawful basis under the Data Protection Legislation for the Processing of the Personal Data; and
- Evonet shall provide relevant assistance to the Authority of the Data Protection as required; and
- Evonet shall process Personal Data only for the purposes agreed herein under the Merchant Services Agreement and this Policy.
Notification of purpose
Evonet will notify individuals of the purposes for the collection, use, or disclosure of their personal data. A notification should also provide other information, such as the business contact information of the data protection officer, how an individual may withdraw consent, how an individual may access or correct this personal data, and the organization’s retention policies, among other matters.
Consent
Evonet will obtain individuals’ consent to collect, use, or disclose their personal data, unless an exemption applies. The request for personal data should be reasonable for providing the product or service. Evonet will allow individuals to withdraw consent. Upon withdrawal of consent, the organization must cease such collection, use, or disclosure of the personal data.
Purpose limitation
Evonet may collect, use, or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, only after it has notified the individual of those purposes. Evonet must collect, use, or disclose personal data only for the purposes for which the individuals gave consent.
If a Party receives a Data Subject Request, it shall immediately inform the other Party with the details of the Data Subject Request, unless the receiving Party is capable of fulfilling it by itself. If applicable, and to the extent legally permitted, the other Party shall provide the receiving Party with reasonable cooperation and assistance within the time limits imposed by all applicable Data Protection Legislations.
Accuracy
Evonet makes reasonable efforts to ensure that an individual’s personal data collected is accurate and complete, if it is likely to use that data to make a decision that impacts that individual or to disclose that data to another organization.
Protection
Evonet implements reasonable security processes to protect the personal data against unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. Evonet will ensure appropriate levels of security for personal data of different sensitivities and security measures appropriate to the nature of the personal data and the potential impact to individuals from unauthorized use or disclosure.
Retention limitation
Evonet will cease to retain personal data or remove the means by which the personal data can be associated with particular individuals when the data is no longer necessary for any business or legal purposes.
Transfers
In situations where personal data transferred or situated overseas remains in the possession or control of Evonet, Evonet has to comply with all the Data Protection Provisions. This is because the Transfer Limitation Obligation is a manifestation of the Accountability Obligation. The Accountability Obligation requires that the transferring organization takes steps to ensure that the recipient organization will continue to protect the personal data that it has received to a standard that is comparable to that established in the PDPA.
Requests for access to and correction of personal data
Upon request, Evonet will provide individuals with their personal data and inform them of the ways in which it collected, used, or disclosed their personal data within the past year. Evonet will correct any error or omission in individuals’ personal data upon their request (unless an exception applies).
Data Breach Notification
In the event of a data breach, Evonet will take steps to assess if it is notifiable. If the data breach is likely to result in significant harm to individuals, and/or is of significant scale, Evonet is required to notify the Authority and the affected individuals as soon as practicable.
Data Portability
At the request of the individual, Evonet is required to transmit the individual’s data that is in its possession or under its control to another organization in a commonly used machine-readable format.
Data Processing Activities
Categories of Personal Data | Purposes of Processing | Storage Country/Region | Usage Mode | Object of Disclosure | Retention Period |
Card Holder Name | Transaction processing | AWS/Ali Cloud Hong Kong | Stored sensitive data, such as merchant sign key or user password, is encrypted with a secure algorithm | Only disclose to card scheme or acquirer | 5 (five) years after the initial transaction or payment |
Card no. | Transaction processing | AWS/Ali Cloud Hong Kong | Stored sensitive data, such as merchant sign key or user password, is encrypted with a secure algorithm | Only disclose to card scheme or acquirer | 5 (five) years after the initial transaction or payment |
Expiry Date (MM/YYYY) | Transaction processing | Not stored | N/A | Disclose to card scheme or acquirer | N/A |
Card Verification Value (CVV) | Transaction processing | Not stored | N/A | Disclose to card scheme or acquirer | N/A |
Payment type | Transaction processing | AWS/Ali Cloud Hong Kong | Encrypted with a secure algorithm | Disclose to card scheme or acquirer | 5 (five) years after the initial transaction or payment |
Transaction amount | Transaction processing | AWS/Ali Cloud Hong Kong | Encrypted with a secure algorithm | Disclose to card scheme or acquirer | 5 (five) years after the initial transaction or payment |
Transaction time | Transaction processing | AWS/Ali Cloud Hong Kong | Encrypted with a secure algorithm | Disclose to card scheme or acquirer | 5 (five) years after the initial transaction or payment |
Email address | 3DS authentication or risk control | Not stored | N/A | Disclose to card scheme or acquirer | N/A |
User location | 3DS authentication or risk control | Not stored | N/A | Disclose to card scheme or acquirer | N/A |
Device ID | 3DS authentication or risk control | Not stored | N/A | Disclose to card scheme or acquirer | N/A |