As part of this information will be contributed to third parties in order to detect fraud, these third parties are selected by Opayo.
Opayo will process personal data in order to:
provide the card payment facility services and manage and administer those services;
fulfil their contractual obligations under this our agreement with them;
liaise with regulators, banks, payment schemes, law enforcement agencies (including the police) and fraud detection parties;
In some circumstances, Opayo will process personal data as a data controller (this means that they determine the purposes and means of the processing of personal data), for more information please refer to their privacy notice which is linked above.
Transfers of Personal Data
Opayo may disclose information to other companies in the Elavon Financial Services DAC group of companies, their contractors, and other organisations for example, they may disclose information to:
Elavon Financial Services DAC;
organisations which Opayo use to help them send communications;
law enforcement agencies and fraud detection parties;
third parties (if any) used by Opayo to perform their services;
any other person in order to meet any legal obligations on Opayo, including statutory or regulatory reporting;
the payment schemes;
the merchant acquirer; and
your issuing bank.
Opayo is part of the Evalon Group, they are a large multinational group and as such this may result in transfer of personal data outside of the UK and/or the EEA, they do this on the basis of their Master Data Processing and Transfer Agreements, which incorporate the European Commission’s standard contractual clauses.
The provision of the card payment services by Opayo may require the Processing of Personal Data by sub-processors in countries outside the EEA or the United Kingdom. Opayo indicate that unless we consent that this will only take place where appropriate safeguards are in place and set these out as follows:
an adequacy decision; or
appropriate safeguards (in accordance with Article 46 of the GDPR); or
binding corporate rules (in accordance with Article 47 of the GDPR),