Considerations for your request
1. Identification
In some instances, we may need to request additional information from you or details about the services you have used within our group to proceed with your request. We need to identify that you are our customer, and which services you used in which country. We will contact you if we are unable to find you in our systems or additional information is necessary to properly identify you. We will request additional information when the channels used to contact us are not registered in our systems.
2. Applicability
While we strive to grant all legislated rights (referenced in Section 3 below), some rights may not be fully enforceable due to business necessities or legal obligations when providing you with our services. Your rights may be limited in order to comply with other legal obligations, such as anti-money laundering regulations and contractual and compliance obligations. You will always receive a response when exercising any of the legislated rights and/or any additional rights you may have depending on your jurisdiction. If your data rights request can’t be processed, you will always receive an explanation.
3. Common types of requests and how we handle them:
You have various rights related to your personal data, the most common of which are outlined in the following section. We aim to be transparent and inform you about our process, any limitations due to our status as a financial institution, and the timeframes for executing your request.
Opt-Out:
- The right to opt-out/withdraw from the processing of personal data for the purposes of targeted advertising.
- The right to opt out of the processing of personal data for profiling in furtherance of decisions that produce legal or similarly significant effects related to you.
- The right to limit use and disclosure of sensitive personal information for specific purposes. This right will not be available when such data is required to be processed due to compliance obligations (eKYC).
If you contact us to opt out, we will make the necessary adjustments in our systems to fulfill your request. As mentioned above, we may need to contact you for further details should the contact information you provide differ from that originally provided.
Deletion:
When you request the deletion of your personal data, please note that, as a regulated financial institution, certain rules apply to us and we are obligated to retain part of your records.
When we can delete your data and when we are not allowed to:
We can delete all your data if you have not initiated any transactions with us:
We will proceed with the deletion of your records, and you will receive a notification upon completion in accordance with the stipulated legal timeframe in the jurisdiction where the request is made. In rare cases, we may inform you of an extension.
We will erase all your personal data from our systems and retain non-identifying information for analytical purposes for three years. We will also preserve communications with our Privacy team for three years to demonstrate that we addressed and resolved your request.
We are not permitted to delete all your data if you have initiated a transaction.
When you initiated the order:
What does “initiate a transaction” mean? If you have entered the details of a transaction and accepted it, even without payment, the order has been documented and financial regulations are triggered with accompanying obligations to maintain the record.
When your account has been involved in suspicious activity:
If you have been a victim of fraud, your account may have been compromised or the transaction has been identified as suspicious. In such cases we are legally obligated to retain your data. On occasion, we may have a legal obligation to withhold the reason for retaining your data.
When any exemption applies,
Which data do we retain?
- Identification data (images collected by our identification providers, such as a photo and your ID)
- Contact details (including address, email, and telephone number)
- Transaction records
- Communications through email, telephone, or messaging systems
Which data can we delete?
- Information related to the use of our digital services.
- Data not associated with your identity or transactions, for example, marketing, analytics, profiles or similar.
How long do we keep your records?
We will keep the information provided in the previous section for 10 years, at which point we will delete the records in full. Your information will only be accessible to our internal Compliance Department, Authorities and to you when you submit an access request within the first 5 years of the most recent transaction. During this period, your data will not be used for any other purposes. After the first 5 years you will no longer be permitted to access your records.
Access:
Where applicable by law, you may request access to all the information we have about you. In such cases, we will collect the data from our servers and provide it to you with a link granting you access to the requested records for ten days. The link allows you to download the records.
Please note that some exemptions apply to access requests, such as:
- Information bound by secrecy obligations.
- Data protected by legal privilege.
- Information related to internal investigations concerning money laundering, anti-fraud activities, or other criminal activities associated with your account.
- Internal communications for account investigations.
- Internal communications of the compliance and customer services teams.
- Information about data processing that is subject to secrecy obligations or that may reveal security and crime prevention controls.
- Information related to the cause of denial of service.
- Reasons for the closure of an account under investigation.
Other requests
Depending on where you live, your personal data rights under applicable law may include:
Right to Know: the right to know what personal data is being collected, sold or shared and to whom.
Right to Correct Inaccuracies: the right to request correction of inaccuracies in your personal data.
Right to Restrict Processing: the right to restrict processing where certain conditions apply.
Right to Data Portability: the right to receive personal data in a structured, commonly used and machine-readable format and to transmit the Personal Data to another controller under certain conditions.
Right to Object: the right to object to the processing of Personal Data (i.e., for direct marketing purposes).
Rights related to Automated Individual Decision-Making: the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on the individual.
Right of No Retaliation: a business shall not discriminate against an individual for exercising their personal data rights.
4. Complaints procedure (Appeal process)
If you feel that you are receiving unfair treatment in this procedure, you have the option to directly reach out to our Data Protection Officer (“DPO”). The DPO will investigate within a maximum of 20 days and provide an unbiased resolution required by law in order to protect your rights.
In some instances, under applicable law, you have the right to appeal a refusal. If an appeal is submitted, we will notify you in writing of any action taken or not taken within the time frame provided within the applicable law.
You may contact the DPO directly by email.
Yago Amat Martinez at: yamat@euronetworldwide.com
5. Official Complaints
If you find that your rights are not being properly addressed, you have the option to file a complaint with your respective Data Protection Authority. The contact information and relevant details for each country can be found in the table below.
While we are always eager to address and resolve your requests, it's important to emphasize that this is your fundamental right.
Country | Data Protection Regulation | Data Protection Authority | Days to resolution
United States | GLBA, CCPA | Attorney general for Indiana, Oregon, Tennessee, Iowa, Montana, Texas, Colorado, and Connecticut. | 45*
European Economic Area (EEA) | GDPR | European Data Protection Board | 30*
United Kingdom | “UK GDPR” Data Protection Act of 2018 | Information Commissioner Officer | 30*
Switzerland | Swiss Federal Data Protection Act (FADP) | Federal Data Protection and Information Commissioner | 30*
India | The Personal Data Protection Bill, 2019 (Draft) | Department of Electronics and Information Technology | 30*
Singapore | Personal Data Protection Act (PDPA) | Personal Data Protection Commission | 30*
Philippines | Data Privacy Act of 2012 (DPA) | National Privacy Commission | 30*
Malaysia | Personal Data Protection Act 2010 (PDPA) | Department of Personal Data Protection | 30*
New Zealand | New Zealand - Privacy Act 2020 | Office of the Privacy Commissioner | 20*
Australia | Privacy Act 1988 (including Notifiable Data Breaches Scheme) | Office of the Australian Information Commissioner | 30*
Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | Office of the Privacy Commissioner of Canada | 30*
México | Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) | Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales | 30*
Chile | Ley N° 19.628 sobre Protección de la Vida Privada | Consejo para la Transparencia | 30*
Colombia | Ley Estatutaria 1581 de 2012 | Superintendencia de Industria y Comercio (SIC) | 30*
Serbia | Personal Data Protection Law | Commissioner for Information of Public Importance and Personal Data Protection | 30*
South Africa | Protection of Personal Information Act (POPIA) | Information Regulator of South Africa | 30*
Senegal | Data Protection Act (Loi sur la protection des données à caractère personnel) | Commission de Protection des Données à Caractère Personnel (CDP) | 30*
Argentina | Personal Data Protection Law (Law No. 25.326) | Agencia de Acceso a la Información Pública (AAIP) | 30 days
Pakistan | Personal Data Protection Bill 2021 (draft) | National Commission for Personal Data Protection | 30 days
Bangladesh | Digital Security Act 2018 | Digital Security Agency | 30 days
Egypt | Law No. 151 of 2020 on Personal Data Protection | Personal Data Protection Centre | 30 days
UAE | Federal Decree-Law No. 45 of 2019 on Data Protection | Telecommunications Regulatory Authority (TRA) | 30 days
Turkey | Law on the Protection of Personal Data (KVKK) | Personal Data Protection Authority (KVKK) | 30 days
Ukraine | Law of Ukraine on Personal Data Protection | State Service of Special Communication and Information Protection of Ukraine (SSSCIP) | 30 days
Brazil | Lei Geral de Proteção de Dados (LGPD) | Autoridade Nacional de Proteção de Dados (ANPD) | 15 days
ND – No period defined by law
* Extension applicable