As part of the performance of the Contract with the Customer, Spendesk and SFS SAS (Spendesk Financial Services SAS) (respectively defined in the General Terms and Conditions) are required to process together, as joint Data Controllers, specific Customer Personal Data, namely the one relating to its beneficial owners, its legal representatives, its Main User, and the Users designated by the Customer (the "Data Subjects").
To protect this Personal Data, and in accordance with the Data Protection Legislation, Spendesk and SFS SAS have entered into a joint controllership agreement that specifies their respective roles and obligations towards the Customer and Data Subjects whose Personal Data is processed in order to provide the Payment Services.
In addition, SFS SAS may act as an independent Data Controller when processing the Personal Data of Data Subjects in its capacity as a payment institution, to comply with its legal and regulatory obligations, and to meet its legitimate interest.
This information note (the "Note") includes (1) the main points of the joint controllership agreement between Spendesk and SFS SAS, (2) the information relating to the Processing carried out by SFS SAS acting as an independent Data Controller and (3) the technical and operational measures put in place, including the security measures and the distribution of responsibility between Spendesk and SFS SAS to ensure the protection of Personal Data and the management of the Data Subjects’ rights.
The Customer undertakes to inform the Data Subjects of the Processing described in the Note, and to provide them with information on how they can exercise their rights with Spendesk and SFS SAS.
This Note may be updated, in particular in the event of modification of the Data Protection Legislation, or in the event that the Services are modified.
In this Note, capitalised terms not specifically defined have the meaning attributed to them (a) in the Data Processing Agreement annexed to the General Terms and Conditions, (b) failing that, in the body of the General Terms and Conditions or, (c) failing that, in the GDPR.
1. Processing carried out by SFS SAS and Spendesk as joint Controllers
A. Characteristics of the Processing
To provide the Payment Services and comply with their legal and contractual obligations, Spendesk and SFS SAS jointly process Personal Data collected from Data Subjects, as set out below:
| Personal Data Processing purposes | Categories of Data Subjects | Categories of Personal Data processed | Legal basis for the Processing of Personal Data |
|---|---|---|---|
| Opening and provision of the Account in the name of the Customer | Main User // Beneficial owners and legal representatives of the Customer | Identification data: surname(s), first name(s), date of birth, nationality // Contact data: postal address, professional email address (only for the Main User) // Other data: nature of the relationship with the Customer (only for beneficial owners) // Identity document and any other proof necessary for the validation of the Customer's compliance for entering into a business relationship | Compliance with a legal obligation // Performance of the Contract |
| Issuance of Cards | Users designated by the Customer | Identification data: surname(s), first name(s) // Contact data: phone number, professional email address, postal address (only for the delivery of the physical Card) | Performance of the Contract |
| Management of Payment Transactions | Users designated by the Customer | Identification data: surname(s), first name(s) // Contact data: phone number // Connection data: IP address // Financial data: IBAN, transactional data of Payment Transactions relating to business expenses | Performance of the Contract |
| Management of requests | Users designated by the Customer | Identification data: surname(s), first name(s) // Content of the request | Performance of the Contract |
| Management of complaints related to Payment Services | Users designated by the Customer | Identification data: surname(s), first name(s) // Financial data: transactional data of Payment Transactions relating to business expenses // Content of the complaint | Compliance with a legal obligation |
The Processing of the aforementioned Personal Data is mandatory. Failing that, the Customer will not be able to benefit from the Payment Services.
B. Personal Data retention periods
Spendesk and SFS SAS undertake to retain Personal Data only for the periods necessary to achieve the purposes described above.
Certain Personal Data may be kept for an additional period of five (5) years, in accordance with the ordinary limitation period in civil and commercial law matters, to allow Spendesk and SFS SAS to defend their rights and interests in the event of a litigation.
For Processing carried out under a legal obligation, Spendesk and SFS SAS comply with the retention periods imposed by the applicable regulations.
C. Recipients of Personal Data
Spendesk and SFS SAS may need to share certain Personal Data with their sub-processors and partner payment service providers when necessary for the provision of the Payment Services, as well as to communicate this to the competent authorities insofar as they are required to do so by the applicable regulations.
2. Processing carried out by SFS SAS as an independent Controller
A. Characteristics of the Processing
SFS SAS, as an independent Data Controller, processes Personal Data collected indirectly from Data Subjects, through Spendesk or third parties (and in particular from publicly available information sources, administrative bodies, and public authorities), as set out below:
| Personal Data Processing purposes | Categories of Data Subjects | Categories of Personal Data processed | Legal basis for the Processing of Personal Data |
|---|---|---|---|
| Ensuring the security and continuity of the Payment Services | Users designated by the Customer | Identification data: User ID // Connection data: logs, IP address | Legitimate interest |
| Optimisation of the Payment Services | Users designated by the Customer | Identification data: User ID // Connection data: logs, IP address | Legitimate interest |
| Compliance with accounting and tax standards | Users designated by the Customer | Identification data: surname(s), first name(s) // Financial data: transactional data of Payment Transactions relating to business expenses | Compliance with a legal obligation |
| Follow-up management of complaints related to Payment Services | Users designated by the Customer | Identification data: surname(s), first name(s) // Financial data: transactional data of Payment Transactions relating to business expenses // Content of the complaint | Compliance with a legal obligation |
| Anti-money laundering and countering the financing of terrorism (AML-CFT) | Main User // Beneficial owners and legal representatives of the Customer | Identification data: surname(s), first name(s), date of birth, place and country of birth, nationality // Contact data: postal address, professional email address (only for the Main User) // Other data: nature of the relationship with the Customer (only for beneficial owners) // Identity document and any other proof necessary to meet the AML-CFT framework requirements based on the identified risk // Any publicly available information to meet the AML-CFT framework requirements based on the identified risk | Compliance with a legal obligation |
| Anti-money laundering and countering the financing of terrorism (AML-CFT) | Users designated by the Customer | Identification data: surname(s), first name(s), date of birth, place and country of birth, nationality // Connection data: IP address // Financial data: IBAN, transactional data of Payment Transactions relating to business expenses | Compliance with a legal obligation |
The Processing of the aforementioned Personal Data is mandatory. Failing that, the Customer will not be able to benefit from the Payment Services.
B. Personal Data retention periods
SFS SAS undertakes to retain Personal Data only for the period necessary to achieve the purposes described above.
Certain Personal Data may be kept for an additional period of five (5) years, in accordance with the ordinary limitation period in civil and commercial law matters, to allow SFS to defend its rights and interests in the event of a litigation.
For Processing carried out under a legal obligation, SFS SAS complies with the retention periods imposed by the applicable regulations.
For the Processing necessary for anti-money laundering and countering the financing of terrorism, the documents and information relating to the identity of the beneficial owners, legal representatives and Main User of the Customer are kept for a period of five (5) years from the termination of the business relationship with the Customer, and the documents and information relating to the Payment Transactions carried out by the Users are kept for a period of five (5) years from their execution.
C. Recipients of Personal Data
SFS SAS may need to share certain Personal Data with its sub-processors and certain regulated professions, as well as to disclose it to the competent authorities, in particular to respond to any demand or request issued within the framework of the applicable regulations.
3. Technical and organisational measures to ensure the protection of Personal Data
A. Security measures
Spendesk and SFS SAS place the utmost importance on the security and integrity of the Personal Data entrusted to them. SFS SAS and Spendesk undertake to take all necessary measures to preserve the security of Personal Data and, in particular, to protect Personal Data against any destruction, loss, alteration (accidental or unlawful), unauthorised disclosure or access, as well as against any other form of unlawful Processing or disclosure to unauthorised persons.
To this end, SFS SAS and Spendesk implement industry-standard security measures to protect Personal Data from unauthorised disclosure. In order to prevent in particular unauthorised access and to ensure the accuracy and proper use of Personal Data, SFS SAS and Spendesk have implemented the appropriate electronic, physical and management procedures to safeguard and preserve the Personal Data collected through the Services.
These commitments are valid regardless of the Processing controllership defined in paragraphs 1 and 2 of this Note.
B. Transfers of Personal Data
The Personal Data processed by Spendesk and SFS SAS are hosted within the territory of the European Union.
To provide Payment Services to Users, for example, to enable Card Payment Transactions or refunds of business expenses, certain Personal Data may be transmitted to sub-processors located outside of the European Union.
Spendesk and SFS SAS undertake to put in place an adequate transfer mechanism in accordance with the applicable regulations, in particular the Standard Contractual Clauses. They also require each of their sub-processors to comply with Data Protection Legislation, and to provide contractual guarantees regarding the security and confidentiality of Personal Data Processing.
C. Rights of Data Subjects
In accordance with the Data Protection Legislation, Data Subjects have a right of access, rectification, limitation, and erasure of Personal Data concerning them, as well as a right to object, a right to portability and a right to submit instructions concerning the handling of Personal Data after their death.
In accordance with the joint controllership agreement between Spendesk and SFS SAS, Spendesk is responsible for managing requests from Data Subjects exercising their rights under the GDPR.
Thus, Spendesk and SFS SAS have determined that the preferred point of contact for exercising the rights of Data Subjects is Spendesk's data protection officer (DPO). Requests for information and requests to exercise rights should therefore be addressed preferably:
by email: privacy@spendesk.com; or
by post: Spendesk SAS - Data protection officer (DPO) - 51 rue de Londres, 75008 Paris, France.
However, Data Subjects may exercise their rights with any Data Controller.
SFS SAS has also appointed a data protection officer (DPO), who can be contacted by email at: privacy@spendesk-sfs.com.
In any event, the Data Subject is informed that there are exceptions to the aforementioned rights. In particular, SFS SAS and/or Spendesk may refuse to comply with the request if:
There are legitimate and compelling reasons to process the Personal Data, or that this is necessary for the establishment, exercise, or defence of legal rights;
The relevant Processing is necessary for the performance of the General Terms and Conditions; or
There is a legal obligation to process the Personal Data of the Data Subject.
For example, SFS SAS cannot respond to a request for right of access to the Personal Data of the Data Subject processed for AML-CFT purposes, in accordance with article L. 561-45 of the CMF. The right of access request relating to AML-CFT must be addressed indirectly to the French Supervisory Authority, Commission Nationale de l’Informatique et des Libertés (CNIL) at: www.cnil.fr.
Finally, the Data Subject has the right to notify the CNIL via its website (www.cnil.fr) or by post (CNIL, Service des Plaintes, 3 place de Fontenoy - TSA 80715 -75334 Paris Cedex 07).