Merchant Data Processing Notice

Updated: May 2025

This Merchant Data Processing notice applies if you are entering into an agreement with the entity mentioned below, part of Global Payments Group (“GP”), for the provision of products and services.

When we refer to “you” or “Merchant” in this notice, we refer to the individuals who provide us with personal data in order to procure these products and services. In the case of sole traders, partnerships and other private companies, this will be the individuals who own the business, and for non private companies, this will mean any directors, officers, shareholders or other parties responsible for the operation of the business whose data we collect. In all cases, this will include any joint applicants or guarantors whose personal data we process.

1. Who we are and how to contact us?

ELECTRONIC DATA PROCESSING SOURCE SINGLE MEMBER S.A. (EDPS S.A.), registered with the General Commercial Registry (GEMI) under Nr. 122142501000, Tax Identification Nr.    

099350676, KEFODE Attikis, with registered seat at 134 Vouliagmenis Avenue, 16674, Glyfada, Attica is the data controller of your personal data, which means information that is about you or from which we can identify you. This notice describes how we deal with your personal data.

We are the data controller of this personal data under relevant data protection laws because in the context of our business relationship with you, we decide how and why it is processed in the ways explained in this notice. When we use terms such as “we”, “us” and “our” in this notice, we mean EDPS S.A..

Our Data Protection Officer can be contacted at any time, including if you have queries about this notice or wish to exercise any of the rights mentioned in it, by emailing dpo@globalpay.com or by mail to 3 Vouliagmenis Avenue, 16674, Glyfada, Attica

1. Where do we get your personal data?

We will generally collect your personal data from the following sources:

• from you directly and indirectly.
• from our Partners with whom you may have a contractual relationship.
• from other members of our GP Group of companies if you already have a product with them,

Some of the personal data may also have originated from publicly accessible sources.

1. What kinds of personal data about you do we process?

We process the personal data that you provide to us when you are requesting the provision of our products and services as well as during your ongoing relationship with us.   

The personal data includes:  

• Your title, full name, your contact details (business / home address, email address, telephone numbers);
• Data you provide to us to verify your identity, such as copies of passports, driving licences or utility bills;
• Data arising from your use of our services (for example, data on the volume of transactions, and transaction execution data);
• Information regarding our interactions with you, including, but not limited to, customer service requests, online and telephone communications;
• Device Information and other unique identifiers, including device / browser identifiers, internet protocol (IP) address, cookies, beacons, pixel tags, or similar unique identifiers;
• Where required in accordance with applicable law, special category data in cases of disclosed merchant vulnerabilities (such as physical disability, hearing / visual impairment, mental health, critical illness etc).

If you are a corporate entity, we will collect the personal data mentioned above about the directors, shareholders and other managers whose names are provided to us by you.  You must show this notice to the other applicant and ensure they confirm that they know you will share it with us for the purposes described in it.  

4. What are the legal grounds for our processing of your personal data?

Data protection laws require us to explain what legal grounds justify our processing of your personal data (including when sharing it with other organisations). For some services more than one legal ground may be relevant. Here are the legal grounds that are relevant to us:

• Processing necessary to perform our contract with you or for taking steps prior to entering into it, in accordance with Art. 6 (1)(b) GDPR, such as:
  1. Verifying your identity.
  2. Administering, managing your products and services and updating your records.
  3. Providing you with the requested services or products (which may include sharing your data with 3^rd Parties).
  4. Providing you with customer service via telephone, customer chat, via social media platforms or other online channels of communication; and

• Where we consider that it is appropriate for us to do so for processing that is necessary for our legitimate interests or in some cases, that of a 3^rd party, in accordance with Art. 6 (1) (f) GDPR including:
  1. To administer and manage our relationship and our services and to keep appropriate records;
  2. To improve our products and services, by reviewing which products you choose, the frequency and type of use, and to test their performance;
  3. To adhere to guidance and best practice under the regimes of governmental and regulatory bodies;
  4. To administer good governance for us and other members of GP, and for audit of our business operations including accounting and other compliance obligations;
  5. For debt recovery;
  6. To carry out monitoring (including of telephone calls, and where consent is not required by applicable law) as necessary for security, regulatory and quality control purposes;
  7. For market research, product surveys, analytics and statistics development;
  8. To determine your eligibility for additional products or services that we believe may be of interest to you (which may include sharing your data with 3^rd Parties);
  9. For direct marketing of our products and partnership offers, (where consent is not required by applicable law), to inform customers about updates to our existing products, the launch of new products as well as products which are offered together with or by our partners; and
  10. To maintain the safety and security of our systems, employees and premises.

• Processing necessary to comply with our legal obligations, in accordance with Art. 6 (1) (c) GDPR:
  1. For compliance with laws that apply to us;
  2. For establishment, defence and enforcement of our legal rights or those of any other member of GP;
  3. To carry out identity (know your customer), and other relevant checks pre-application, at the application stage, and periodically after that;
  4. To respond to requests from you to exercise your rights under data protection laws;
  5. When we share your personal data with these other people or organisations:
• Law enforcement agencies and governmental and regulatory bodies; or
• Courts and other organisations where that is necessary for the administration of justice, to protect vital interests and to protect the security or integrity of our business operations.
• Processing with your consent where required by applicable law, in accordance with Art. 6 (1) (a) GDPR:
  1. To send you direct marketing communications;
  2. Share your information with a 3rd party;
  3. To collect information via cookies or similar technologies; and
  4. For identity verification purposes: In order to provide you with certain services, we are legally obliged to verify your identity. This verification may be through documentary, photographic and/or biometric means and is based on the technology of comparing facial biometric features and a photo from an identity document. Biometric data is considered to be a “special category of data” when used for verification purposes and therefore, the legal basis for processing is your consent. Once you have completed the identification process, your personal data will be retained only for as long as required to fulfil our legal obligations.

5. Personal data processing as part of providing the GP products and services

When you choose to use GP products or services, unless otherwise stated, our legal basis for processing is performance of the contract between you and GP in accordance with Art. 6 (1)(b) GDPR.

GP may provide additional products and/or services not listed in this notice. The services and/or products you have chosen will be listed in our agreement with you.  Additional  information regarding individual products and/or services will be provided as part of your contract, where required.

Note that some of the services and/or products listed below may not be currently available in Greece.

In general, we process your personal data (which may include a transfer to a 3rd party) as described below:

GP Partner Products:

When you use the following products that are provided to you via 3rd Parties or in collaboration with  GP Partners, GP is an intermediary in these relationships and the data processing may also be  subject to the terms, conditions, and privacy practices of those 3rd Parties.

GP may share your data with these 3rd Parties in order to facilitate the provision of the services which you have requested. For information on how these 3^rd Parties process your personal data, please visit their websites as applicable.

The specific personal data processed may vary depending on which service / products you choose. Where required, supplementary  privacy information will be provided as part of your contract documentation. 

6. How and when can you withdraw your consent?

Where processing of your personal data is based on your consent, you have the right to withdraw that consent for future processing at any time. You can do this by contacting us by email via dpo@globalpay.com or by visiting the merchant marketplace or portal (where applicable) or, for direct marketing communications, from the unsubscribe link in any marketing communication.

The consequence might be that we cannot send you some marketing communications, or that we cannot consider special categories of personal data or provide you with certain services. Please note that if you opt out of receiving marketing-related communications from us, we may still send you administrative, transactional, or account information messages, from which you cannot opt out.

7. Is your personal data transferred outside the European Union ?

As our affiliate companies are located around the globe, your personal information may be transferred to and stored in another country outside of the country in which you reside, including in the United States, which may be subject to different standards of data protection than your country of residence. 

Subject to your consent if required by applicable law, we may appoint an affiliate or other 3rd party company to process personal data in a service provider role. We will remain responsible for that company’s processing of your personal data pursuant to applicable data privacy laws.

We take appropriate steps to ensure that transfers of personal data are in accordance with applicable law, are carefully managed to protect your privacy rights and interests and limited to countries which are recognized as providing an adequate level of legal protection or where alternative adequate arrangements are in place to protect your privacy rights.

For more information about suitable safeguards and (where relevant) how to obtain a copy of them or to find out where they have been made available, you can contact our Data Protection Officer using the email details above.

8. With whom do we share your personal data?

• With Members of GP to facilitate entering into a contractual relationship with you and the provision of our products and services to you. A list of the members of our Group is available on our website at: com/en-gb/gdpr
• With our partners and 3rd parties, including those businesses who provide services directly to Merchants to facilitate requested products and/or, as needed.
• The sales company or organisation who referred or introduced you to us
• Debt recovery agencies and other third parties, individuals or legal entities, that undertake, acting on our behalf, either to notify you and/or your guarantors of your overdue debts arising out of or in connection with your agreement with us, or perform other debt collection related services in accordance with the provisions of Law 3758/2009, as in force.
• Our legal and other professional advisers, auditors and actuaries.
• Financial institutions and trade associations.
• Governmental and regulatory bodies.
• Qualified security assessors, or other providers, to verify your PCI DSS compliance and compliance with your security obligations under our agreement with you.
• Market research organisations, event & social media management and marketing companies who help us to develop, promote and improve our products and services.
• Other organisations and businesses who provide services such as providers of courier services, back up and server hosting providers (including cloud service providers), IT software and maintenance providers, document storage & destruction providers and suppliers of other back-office functions.
• Buyers and their professional representatives as part of any restructuring or sale of our business or assets.
• Supervisory, judicial, independent and other authorities at national and European level to meet our obligations under law or regulatory requirement or court judgment, such as public authorities in Greece and abroad, courts, public prosecutors, investigators, notaries-public, court bailiffs.
• Credit institutions, payment institutions, electronic money institutionsThird parties providing customer support services/call center services on our behalf.

9. How long do we retain your personal data?

We retain the personal data we collect for different periods of time depending on what it is and how we use it. In some contexts, we will provide additional information about retention as you use the services. When we collect personal data, we will retain it only for as long as is necessary to complete the legitimate business or legal purposes for which we collected it. In any case your personal data may be stored until the completion of the general limitation period for the exercise of legal actions, pursuant to the applicable legal provisions, namely twenty (20) years from the  termination of the relationship. The criteria used to determine our retention periods include:

• The length of time we have an ongoing relationship with you and provide services to you, for example, for as long as you continue to use our services, and the length of time thereafter during which we may have a legitimate need to reference personal data to address issues that may arise.
• Whether there is a contractual obligation to which we are subject, for example, our contracts with you may specify a certain period of time during which we are required to maintain the data.
• Whether there is a legal obligation to which we are subject, for example, certain laws require us to keep records of transactions for a certain period of time before we can delete them; and
• Whether retention is advisable to preserve our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.

10. What are your rights under data protection laws?

You have certain rights in relation to the processing of your personal data, some of which may not apply in all circumstances.   To learn more or to exercise your rights, you can submit a request by completing this form. You may also contact our Data Protection Officer via dpo@globalpay.com.

• The right to be informed about our processing of your personal data;
• The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
• The right to object to processing of your personal data, where we are relying upon legitimate interest to process data;
• The right to restrict processing of your personal data;
• The right to have your personal data erased (the ‘right to be forgotten’);
• The right to request access to your personal data and to obtain information about how we process it;
• The right to move, copy or transfer your personal data (‘data portability’); and
• Rights in relation to automated decision making that has a legal effect or otherwise significantly affects you.

You have the right to complain to the Hellenic Data Protection Authority, using the following contact information, if you believe that our processing does not comply with applicable data protection laws:

Website: www.dpa.gr

Postal address: Leoforos Kifisias 1-3, 115 23, Athens

Contact Centre: +30 210 6475600

Fax: +30 210 6475628

Email: contact@dpa.gr

If you wish to exercise any of these rights against any entity that is a data controller in its own right, you should contact them separately. 

11. Data Anonymisation and Use of Aggregated Information

Your personal data may be converted into statistical or aggregated data, which cannot be used to re-identify you. It may then be used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this notice.

12. General

This document was last issued in May 2025 and may be amended from time to time. Updated versions will be posted on our website .