- Terms and conditions for visiting our websites;
Our data processing activities are subject to the Swiss Federal Act on Data Protection, although processing activities, particularly in connection with our websites and apps (such as „one“ Digital Service) for visitors and customers from abroad, may also be subject to foreign data protection laws.
Version: 1 September 2023
We provide information about certain data processing separately, for example in further data protection notices, in GTCs, in terms and conditions of participation for specific products or services, in product and service descriptions, on our websites, in the „one“ app or one-digitalervice.ch as well as in declarations of consent, contracts and forms.
If we receive data on other persons, the sender confirms that he is authorised to disclose such data and that the data is correct. Before notifying us, the sender must ensure that these third parties are informed about our processing of the data.
1.1 Who is responsible for the processing of the data?
1.2 What data are processed?
Depending on the situation and purpose, we process various data from different sources. We primarily collect and receive these data directly from our customers when they use our products and services or as part of general customer communications. We may also obtain information from other sources, such as Air France / KLM, that have referred you to us, from public registers or other publicly available sources, from public authorities and other third parties. Viseca processes various categories of data. The main categories of data are described below:
- Master data: Master data refers to data relating to the identity as well as personal characteristics and circumstances, for example name, address or date of birth. These data may also relate to third parties (for example authorised agents) and also include signatory powers, powers of attorney and declarations of consent.
- Contract data: If a contract is concluded with us, in addition to master data, we also process further data, such as information about the purchase and use of products and services. Such data includes information on the processing and enforcement of contracts as well as feedback from our customers on services, including the data you provide to us in connection with the payment card application.
- Financial data: Financial data are data about your financial situation such as data about your income, risk classification and your creditworthiness, including information on limits, payments and outstanding payments.
- Behavioural and preference data: Behavioural data are data about certain actions and interactions between our customers and Viseca. From this and other data, we may derive information about the statistical probability that you will be interested in certain products or services or will act in a certain manner. We also use this data for example to combat and defend against misuse and fraud and for creditworthiness checks. Furthermore, these data can be used for AI models. Viseca generates this data based on available information and links it with other data in order to improve the quality of the analyses.
Behavioural data provide us with information about certain actions, for example logins, use of physical and/or virtual payment cards, payments, the purchase and use of products and services from us or third parties, contact with our customer service or participation in sweepstakes, competitions and events.
Preference data that we obtain primarily from behavioural data and the combination with other data provide us with information about your needs, which products and services may be of interest, or when and how messages from Viseca are responded to. We gather this information from the analysis of existing data in order to better understand our customers and to tailor and improve offers to them more precisely.
Behavioural and preference data may either be evaluated on a person-specific basis in order to submit tailor-made offers or to display advertising, or for market research or product development purposes, including non-person-specific purposes.
- Communications data: Communications data refers to data in connection with communications with you in written correspondence, by telephone and via electronic channels (for example via „one“, email, SMS and push messages). They also include authentication data (for example biometric data) as well as video and audio recordings. When establishing your identity (for example in the case of a request for information), we also collect data in order to identify you (for example via a copy of an identification document).
In addition to the IP address and information about the end device, the technical data also includes the date and time, the geographical region and the type of browser or device with which the customer accesses our electronic options. This information helps us to display content in a browser or on an end device. Based on the IP address, we receive information about a telecommunications provider, but as a rule, we cannot infer the User's identity unless customers are logged in to a user account. Technical data are also log files that are generated in our systems. When customers use „one“, we collect technical data, for example regarding the installation and opening of the app as well as identifiers associated with the device used.
- Registration data: Registration data is data about customers that is transmitted during registration or activation in order to use or participate in certain options and services (for example newsletters and competitions).
- Other data: We collect additional data relating to customers in various contexts. For example, data is generated in connection with official or court proceedings (for example files, evidence, etc.). We may also collect data for misuse and fraud prevention purposes.
1.3 What is the data used for and how is it processed?
We process data for the following and thus agreed purposes:
- Establishment, processing and termination of business relationships: We process data for the establishment, registration, processing and termination of business relationships. The type of data processed varies according to the type and scope of the customer relationship and may include, in particular, master data, financial and risk data, order and transaction data, as well as registration and communication data. Order and transaction data are also processed graphically as part of transaction automation.
- Processing the payment card application: When applying for the payment card, the applicant transmits data directly to us, in particular master and contract data. In order to verify the payment card application (including checks of credit status and creditworthiness), we or the Air France / KLM Customer Service process, in particular, contact data, language, gender, date of birth, credit status data as well as data relating to a verification for the purpose of granting credit and combating money laundering (for example information concerning profession, income and the beneficial owner). We then process transaction data during your use of the payment card.
The applicant's data may also be processed and linked together with other data that we may obtain from other sources or collect ourselves. In particular, we receive and obtain this data from authorities, databases and credit agencies (including ZEK, IKO, Refinitiv World Check, CRIF, CreditReform), employers, registers such as local.ch, commercial registers, the media and generally from the internet.
- Use of the payment card: When customers use the payment card, we process data that are communicated to us during the term of the payment card contractual relationship or that we collect ourselves (for example name changes, changes in beneficial ownership, proof of assets, data of other persons in the event of an insured event and other contract data). From the transaction data in particular, we may draw far-reaching conclusions about the behaviour of the customers (behavioural data; for example place of residence and work, state of health, financial circumstances, leisure behaviour, social behaviour and other details).
- Chargebacks: As part of the chargeback process, we regularly receive detailed information about the transaction from the relevant acceptance point and the merchant banks (acquirers).
- Contactless payment: We enable our customers to make contactless payments with payment cards. Near Field Communication (NFC) technology is used to exchange information between the payment terminal and the payment card or a mobile device. No transaction data (such as data concerning the acceptance point and the time or amount of a transaction) or personal data concerning you (such as surname, first name or address) are stored on the chip or on the magnetic strip of the payment card. Both the chip and the magnetic strip of the payment card store the payment card number (Primary Account Number), the expiry date and payment card verification data that are necessary for processing the transaction and using the payment card.
Customers who wish to opt out of this functionality despite the advantages of contactless payment can deactivate it using the „one“ Digital Services or request us to deactivate it. You acknowledge and understand that deactivating contactless payment does not reduce the data stored on the chip or magnetic strip. Only the function of contactless payment is technically disabled when the payment card is used.
- Registration of payment cards for mobile payment: When registering payment cards for mobile payment solutions, we collect information on the use of mobile payment, such as activating or deactivating it, information on the amount of the transaction and the type of verification.
When using a mobile payment solution from a third-party provider, the third-party provider may also collect and process data about you. When registering the payment card, customer and device data are exchanged with international card organisations for purposes of payment card management, verification of identity, combating misuse and fraud, compliance with legal provisions and processing and displaying transactions. For security reasons, the payment card number (Primary Account Number) is tokenised.
In connection with the registration of payment cards for mobile payment solutions, we process the data for deciding whether to accept the payment card, for activating, deactivating and updating it, for preventing misuse and for communicating with any third-party provider of a mobile payment solution.
In processing data, Viseca and the third-party provider are unrelated and independent controllers. The third-party provider processes the data domestically and abroad for its own purposes in accordance with its terms and conditions of use and its Privacy Policies. We have no influence on the use and protection of personal data by the third-party provider. Complaints must be addressed directly to the third-party provider.
- "one" Digital Service and Flying Blue Programme: We collect data when you use „one“.
When 3-D Secure is used, we collect information about the acceptance point, the transaction and its processing, as well as about the confirmation of the transaction. In addition, information relating to mobile devices and information used for the transaction and the confirmation, as well as information relating to access to the Internet or mobile network, such as IP address, name of the access provider, browser settings and biometric data (for example device fingerprint) are collected.
- Compliance with laws, recommendations from authorities and internal regulations: We also process data in order to comply with laws, directives and recommendations of authorities as well as internal regulations (compliance). The data processed includes, in particular, master data, financial data, communication data, contract and transaction data and behavioural data. This includes the legally regulated granting of credit and the fight against money laundering and terrorist financing. We are obliged to make certain enquiries, to monitor them or, under certain circumstances, to make a report. In addition, data processing requires the performance of duties of information, notification or reporting, the performance of retention obligations and the prevention, detection and investigation of criminal offences and other violations. This includes receiving and processing complaints and other reports, monitoring communications, internal investigations or disclosing documents to an authority if we are obliged to do so or have a legitimate interest in disclosing them. Customer data may also be processed in the case of external investigations (for example by a regulatory or law enforcement authority or an authorised private body) and in the case of internal investigations. This includes the analysis of order and transaction data as well as payment processes to identify unusual transactions.
- Combating misuse and fraud and other illegal activities: In order to defend and enforce claims, your data will be processed by ourselves or by third parties commissioned by us (for example Viseca Payment Services Ltd, lawyers, debt collection companies), in particular master data, contract data, behavioural data and financial data.
In order to prevent misuse, fraud and other illegal activities, we may conduct internal investigations and monitoring to detect irregularities.
- Risk management and corporate governance: We process data – in particular master data, contract and transaction data, financial data and behavioural data – also for purposes of risk management and in the context of prudent corporate management, including business organisation and business development.
In the area of business development, we may sell or acquire businesses, parts of businesses or companies and enter into partnerships, which may also lead to data sharing and processing. Data may also be processed in the context of reviewing and improving internal processes.
- Intermediary sales of products and services: We process master data as well as order and transaction data in connection with the selling of third-party products and services, for example insurance and expense management solutions. When we act as intermediaries in the sale of products and services, although they are offered via our infrastructure, they are executed and processed in whole or in part by third parties.
- Marketing, profile building and customer care: We process data for marketing purposes and customer care in order to provide customers with personalised information and offers concerning products and services of us and third parties (e.g. partners). This may be in the form of a letter, as part of a newsletter, in „one“ Digital Service, by email or other digital forms of communication. We may also process data to tailor marketing content to better suit the interests of our customers. For marketing purposes and customer care, we primarily use master data, financial data, contract and transaction data, as well as behavioural and preference data and other information concerning the contractual relationship.
In particular, you authorise us to create and evaluate customer, consumption and preference profiles in order to develop and evaluate products and services in which you may be interested and to offer or inform such products and services (including those of third parties) and send them to your postal address, email address or telephone number (for example SMS). You have the option to revoke authorisation for profiling for marketing purposes in the future by notifying us accordingly in writing (block on profiling). The foregoing does not apply to non-marketing messages and automatically generated system and invoicing texts.
We also process data in connection with competitions, sweepstakes and events. Customer service includes personalised contact with existing clients. As part of customer care, we operate a Customer Relationship Management System (CRM) in which the data of our customers that is necessary to maintain the relationship is stored. This includes data about contact persons, relationship history (for example products and services purchased or delivered as well as interactions), interests or marketing actions.
You may opt out of receiving information (ad blocking) or generally withdraw your consent to data processing for marketing purposes by notifying Viseca in writing (general withdrawal). The foregoing does not apply to non-marketing messages and automatically generated system and invoicing texts.
- Improvement of services, operations and product development: Data is also processed for market research purposes, to improve services and operations as well as for product development. For these purposes, we use master data, behavioural and preference data, as well as information from surveys.
We continuously develop our own products and services, adapt them to the needs of our customers and determine the level of satisfaction. We analyse which products are used by which groups of people and how new products and services could be designed and used. This gives us an indication of the market acceptance of existing products and services and the market potential of new products and services. For these purposes, we may also use mainly master data, behavioural and preference data and information from surveys.
- Security purposes and access control: Viseca may also process master data, technical data, behavioural data and other data for security purposes and access control. We continually review and improve the security of our IT and infrastructure. However, data security breaches cannot be ruled out with complete certainty. At Viseca, this risk is countered by appropriate technical and organisational measures in accordance with the state of the art. Access controls include not only the control of access to electronic systems, but also physical access control.
- Communications: We process data in order to communicate with you, to provide you with information or to transmit messages and to be able to process your requests. For this purpose, we use master and communications data. As a rule, we retain this data in order to be able to document the communications made, but also for quality assurance purposes and for subsequent enquiries. When customers contact us by e-mail or another digital channel, we are expressly authorised to reply via the same channel to the sender address or to the address provided. E-mails are not consistently encrypted when transmitted over the open Internet and it cannot be ruled out that they may be accessed, viewed and manipulated by third parties. Thus, email communication is not suitable for the transmission of confidential information.
- Other purposes: Viseca may process data for other purposes, for example for the processing of insurance policies (also in cooperation with the policyholder Viseca Payment Services Ltd), as part of internal processes and for administrative purposes. Administrative purposes include the management of master and contract data, accounting and data retention, as well as the inspection and management of the IT infrastructure. We further use these data to safeguard and exercise our own rights, for example to enforce claims in court, in pre-litigation or extrajudicial contexts as well as before authorities in Switzerland and abroad, to secure evidence, to carry out legal investigations and to participate in court or official proceedings.
Other purposes include evaluating and improving internal processes and preparing and managing purchases and sales of companies and assets, as well as training and education purposes. Processing for other purposes is also part of this, in particular also for assessing the credit, misuse and fraud risk as well as the creditworthiness also in the ongoing contractual relationship (for example in the case of an application for a limit increase), but also other interests that cannot be named exhaustively.
1.4 On what basis do we process your data?
Depending on the applicable law, data processing is only permitted if the applicable law specifically allows it. This does not apply under the Swiss Data Protection Act, but for example under the European General Data Protection Regulation (GDPR), insofar as it applies. In this case, we base the processing of your personal data in particular on one or more of the following bases:
- the processing is necessary for the conclusion, fulfilment and enforcement of contractual relationships, in particular the payment card contract;
- the processing is necessary in order to safeguard legitimate interests. This also includes analyses of the credit, misuse and fraud risk and creditworthiness, the defence or enforcement of claims, the maintenance and expansion of customer relationships as part of customer service, support and the implementation of customer events as well as general communication and generally compliance with Swiss law;
- the processing is necessary to comply with legal obligations;
- the processing is based on your consent.
You can find the corresponding provisions in Art. 6 and 9 of the GDPR.
You are under no obligation to disclose data to us, except in specific cases (for example if you have to fulfil a contractual obligation and this involves disclosing data to us). However, we need to process data for legal and other reasons when we conclude and execute contracts. The use of our website is also not possible without data processing.
1.5 What applies to profiling and automated decision-making?
For the purposes specified in Section 1.3, we may process and evaluate data (including profiling) through the use of automated and IT-supported processes in order to determine preference data, to identify misuse/fraud and security risks, to carry out statistical evaluations or to plan the company's operations. We may also create profiles for the same purposes. In particular, we combine behavioural and preference data, master contract and transaction data and technical data so that interests and characteristics are better identified.
This also allows us to learn more about our customers and about the products and services that may be of interest or are already being used. For reasons of efficiency and consistency of decision-making processes, Viseca may make automated decisions. If these decisions have a legal effect or adverse effect on customers in any other way, we shall inform them immediately and take the legally required measures.
We will inform you on a case-by-case basis if we make an automated decision without your express consent that leads to negative legal consequences or significant impairments for you. If you do not agree with the outcome of the decision, you have the rights set out in Section 1.10.
1.6 To whom do we disclose data?
Products and services are often developed, delivered and executed in contexts involving a division of labour. Data are therefore processed by different bodies. We assume that you have no objection to these data disclosures, but please let us know if there are any special interests that speak against such disclosure:
- Service providers: We work with service providers in Switzerland and abroad. In order to provide our products and services efficiently, safely and cost-effectively, we obtain services from third parties in various areas. These services consist for example of IT services, dispatch of information, customer service, marketing, distribution, communications, market research or printing services, debt collection, anti-fraud measures, as well as services provided by consulting firms and law firms. Examples of service providers are ZEK/IKO, CRIF, Refinitiv Worldcheck, Creditreform, Intrum Ltd, SPS Switzerland Ltd and debt collection agencies. Another example is Viseca Payment Services Ltd, which on the one hand is our service provider for processing the payment card relationship, but on the other hand is also the policyholder of the group insurance for payment cardholders associated with the payment card.
- mobile payment: In the case of payment cards with a mobile payment function, customer and device data as well as data of the mobile payment provider are exchanged between us, the providers and the payment card networks in order to manage the payment card, to verify identification, to combat misuse and fraud, to comply with legal provisions and to process and display transactions. The provider may also stipulate in its terms and conditions that the data may be obtained, processed and disclosed for further purposes.
- International card organisations (Mastercard® and Visa®): When the payment card is used, data from the payment card used, in particular transaction data, is transmitted to us by the points of acceptance. This transmission takes place via the global networks of the international card organisations Mastercard® and Visa®.
By using the card in Switzerland and abroad, international card organisations and third parties commissioned by the card organisations who are charged with processing the transactions become aware of transaction data (for example card number, transaction amount, transaction date, acceptance point). In certain cases (for example when purchasing a flight ticket, paying hotel bills or car hire), additional data, such as the name of the cardholder, may be disclosed.
The data transmitted to or received by the international card organisations may also be processed for its own purposes and in accordance with its own data protection regulations in Switzerland and abroad. Card organisations require card issuers to offer their update services (Visa® Account Updater or Mastercard® Automatic Billing Updater). The purpose of these update services is to automatically update the cards stored by the cardholder with participating acceptance points and service providers (for example third-party providers of mobile payment solutions) that are used for making payments (for example for online services, subscriptions or ticket apps), specifically the card number and expiry date, in the event of any changes to them. This ensures that despite changes to the card data, the POAs and service providers that support these update services can continue to process card payments smoothly with the payment cardholder.
For these update services, we transmit the card number and expiry date of the payment card to the payment card organisations. For further data processing, reference is made to the data protection provisions of the payment card organisations.
Each customer has the option of preventing disclosure as part of the update services by (a) providing Viseca with notice of termination of the payment card contract relationship before receiving a replacement card, (b) deleting the payment card data stored with the POA or the service providers or terminating the contractual relationship with the POAs with which payment cards are registered, or (c) objecting to the participation in the update services.
- Air France / KLM: In order to process the contractual relationship, we are authorised to exchange data (for example customer and payment card data as well as cumulative turnover figures) with the partner Air France / KLM, in particular also with the Customer Service. Furthermore, we may share data on the Flying Blue Programme with Air France / KLM as necessary.
Consent to the disclosure of transaction data may be revoked in writing with future effect at any time without stating reasons, in which case we reserve the right to terminate the payment card relationship.
- Authorities and other official bodies: We may request data from offices, courts and other authorities or official bodies when checking the payment card application and may also subsequently disclose this data when processing the contract if we are legally obliged or entitled to disclose it or if we represent our own rights and legitimate interests.
- Public and private registers in connection with payment card: We are required by law to process and exchange your data with third parties for the purposes of combating money laundering and the financing of terrorism, as well as under the Consumer Credit Act. Your data may therefore be exchanged with third parties for these purposes and linked to data from other sources, for example data from authorities, from public and private registers such as the commercial register and the debt collection register, from databases and credit agencies (for example Refinitiv World Check, Intrum Ltd, CRIF Ltd, CreditReform, Zefix, tel.search.ch, employers, etc.). We also exchange and share data with the Consumer Credit Information Office (IKO) as part of our legal obligations. In addition, in accordance with the relevant regulations, we report to the Central Office for Credit Information (ZEK), particularly in the case of payment cards with a partial payment option and where a block has been placed on a card. Viseca is a member of this association, the purpose of which is, inter alia, to manage a data centre on parties seeking credit, leasing and credit cards as well as on the obligations and creditworthiness of borrowers, lessees and payment cardholders. The ZEK may make these data available to its members for credit, leasing or other agreements. To process the payment card application, we generally use the data from the payment card application and subsequently submitted information, data and documents. By signing the payment card application, you expressly consent to us making such enquiries and disclosing the necessary data and documents.
- Electronic data transmission: In the event of electronic data transmission, data may be transmitted to third parties in Switzerland and abroad even without our involvement. In particular, manufacturers of devices or software (such as Apple or Google) may receive data when the App and/or mobile devices are used. These third parties may process and also disclose such data in accordance with their own terms and conditions of use or data protection notices. This may result in these third parties being able to infer that there is a relationship between customers, Viseca and the payment card issuer.
1.7 Do we disclose data abroad?
As explained in Section 1.6, not only do we process the data of our customers, but it is also possible that other bodies may do so where necessary, in particular the international card networks. These data are not only located in Switzerland. Data can therefore be processed worldwide, including outside the EU or the European Economic Area (so-called third countries). If recipients are located in a country lacking adequate statutory data protection, Viseca will contractually oblige them to comply with data protection requirements, generally by entering into recognised standard contractual clauses. We may dispense with this if data recipients are already subject to a set of rules to ensure data protection that are recognised in Europe or if we can rely on an exception. The latter may be the case, in particular, in legal proceedings abroad, in cases of overriding public interests or where the performance of the contract requires such disclosure, if we have obtained our consent or if the data in question is made publicly available by customers. It should be noted that data exchanged over the Internet is often sent via third countries. Data may therefore also be transferred abroad even if the sender and recipient are located in the same country.
1.8 How long does Viseca store the data and when does Viseca erase it?
We store and use data for as long as required by the applicable legal requirements or the purpose of the processing. The retention period is therefore governed by statutory and internal regulations. Viseca also takes into account retention obligations and processing purposes and the need to safeguard legitimate interests (for example to enforce or defend claims and to ensure IT security, avoid and prevent misuse and fraud and/or minimise credit risks). If these purposes have been achieved or no longer apply and there is no longer any obligation to retain the data, Viseca will therefore delete or anonymise these data as part of its usual processes. This can be more than ten years, depending on the legal basis.
Documentation and evidentiary purposes include Viseca's interest in documenting processes, interactions and other facts in the event of legal claims and irregularities, for IT and infrastructure security purposes as well as to demonstrate good corporate governance and compliance. Retention may be technically necessary because certain data cannot be separated from other data and these data must continue to be stored together with them (for example in the case of a backup or document management system).
1.9 How does Viseca protect the data?
Viseca takes appropriate staff-related, technical and organisational security measures to maintain the security of the data, to adequately protect it against unauthorised or unlawful processing and to counteract the risk of loss, accidental alteration, unwanted disclosure or unauthorised access.
These security measures include encryption and pseudonymisation of data, logs, access restrictions, storage of backup copies, instructions to employees, confidentiality agreements and controls. In addition, Viseca also requires any third parties involved to take appropriate state-of-the-art security measures. However, security risks cannot generally be completely ruled out. Residual risks are unavoidable.
1.10 What rights do customers have in connection with their data?
Customers have the right, within the scope and under the conditions of applicable law, to request certain information about data and the processing by us (right to information). Customers also have various rights that help to control the processing of data by us. Customers may request that we correct or supplement incorrect data or incomplete data (rectification). Customers may also request that we erase certain data. When we provide information about an automated decision, customers have the right to present their position and request that the decision be reviewed by an individual.
When exercising their rights, customers must contact Viseca with a signed letter and a clearly legible copy of their identification document. A withdrawal of consent may be made in another manner, provided that we offer that option. It should be noted that these rights are subject to statutory requirements and limitations and therefore cannot be exercised in full under all circumstances. We will inform you if exceptions apply. These rights may also be exercised vis-à-vis other entities that work under their own responsibility with Viseca. Provided that the requirements of applicable law are met, customers and other data subjects thus have the following rights:
- the right to demand information about your own data, how Viseca processes it, as well as copies thereof;
- the disclosure of certain data in a machine-readable format;
- the right to demand rectification of incorrect or incomplete data;
- the right to demand erasure of own data;
- to object to the processing of own data;
- the right to lodge a complaint against the form of the data processing with a competent data protection authority;
- the right to withdraw consent given for data processing, whereby the data may continue to be processed by Viseca to the extent permitted by law in the event of withdrawal.
1.11 Do customers have a right to withdraw consent?
Customers have the right to withdraw given consent at any time with future effect. In certain cases, customers may also object to the processing of data (for instance, where your data is processed in connection with advertising). However, processing activities carried out in the past on the basis of consent do not become unlawful as a result of the client's withdrawal of consent.
In cases where data processing is absolutely necessary in order to provide the service or perform the payment card contract (for example data processing for risk purposes), withdrawal of consent is not possible. In such cases, such data processing may only be ended by terminating the payment card contractual relationship.
2.1 What data are processed?
We process the following categories of data in particular:
2.1.1 What data are disclosed by Users?
Provided that the payment card application can be ordered and issued via „one“ (note: function of the digital ordering process and identification service is not available for all Viseca payment cards), the following applies: When ordering and issuing a payment card digitally and using the identification service in „one“, Users are requested to provide the personal data required for applying for a payment card, including first and last name, gender, date of birth, place of birth, nationality, ID card number, issuing authority, address, e-mail address, telephone number, information on creditworthiness and credit capacity as well as images required for checking and issuing a payment card.
If the payment card was not ordered and issued digitally, a subsequent registration and login in „one“ is required. For this purpose and as part of the management of the user account, users may be asked to provide Viseca with their home address, date of birth, e-mail address, mobile phone number, payment card number and activation code, among other information.
2.1.2 What data are collected automatically?
- Data relating to the use of mobile devices, such as for example manufacturer, device type, operating system with version number, device ID and IP address;
- Data concerning the use of computers and browsers and for accessing the Internet, such as device type, operating system and IP address;
- Data concerning the settings desired by Users, such as storage of user name or login;
- Data relating to visits and manner of usage of the website, such as for example data relating to the estimation of aggregate traffic and usage figures, data exchange volume, identifying content that may be of particular interest to Users, as well as the general improvement, further development and availability of „one“;
- Data generated when using the app, such as manner of usage, updates or device information.
2.1.3 What information is collected during the digital order process and the digital identification service?
- Personal Data (such as first and last name, gender, date of birth, place of birth, nationality, ID card number, issuing authority, address, e-mail address, telephone number, data on financial and professional situation) for the purpose of identification, credit assessment and compliance with the Anti-Money Laundering Act;
- During the verification and identification process, the User uses a technical end device (for example PC, tablet or smartphone) to record his or her ID document using the integrated camera and make it available for use;
- During the identification process, photographs of the ID document are taken, stored and used to match the previously obtained data with the data on the ID document. The data collected by Viseca differs depending on the ID document and the case: For passports and identity cards, the first and last name, gender and date of birth are collected in particular. For identification under the Money Laundering Act, the issuing authority, ID card number, nationality and address of the applicant are also collected.
- In a second step, depending on the configuration, photos of the applicant's face are taken with the solution we use and compared with the identity document.
- Depending on the payment card product, the applicant also has the option of submitting a personal image as a payment card image on the payment instrument, which will be checked and used and stored after approval.
- For the verification of the digital payment application in „one“, your personal data is processed and evaluated completely automatically, i.e. without human influence. Insofar as the decision results in a rejection of the application and leads to a negative legal consequence for you, you have the possibility to have the decision reviewed by a human being. In this case, please contact us with a written request, enclosing a valid copy of your identity document for verification purposes (see Section 1.1 ).
2.1.4 What information is collected during subsequent registration in „one“?
- Information regarding Users and payment cards registered with „one“ that are stored in the User account;
- Information about the activation of 3-D Secure for the payment card registered with „one“, including the corresponding confirmations in the app or by entering an SMS code during use.
2.1.5 What data are collected at the merchant's location (Point of Sale)?
- Merchant and location data (when using 3-D Secure), such as merchant name, location, country and sector;
- Automated periodic Google query to specify the merchant's location.
2.1.6 What data are collected when using mobile payment?
- Information concerning the use of mobile payment, such as activating or deactivating the payment card and further use for mobile payment;
- Information about the amount (such as currency), the time of the transaction and the type of verification.
2.1.7 What information is collected when using 3-D Secure?
- Information about the merchant, the transaction and the processing thereof as well as confirmation of the transaction with 3-D Secure;
- Information related to the devices used for the transaction and confirmation;
- Information related to access to the Internet or mobile network, such as IP address and name of the access provider.
2.2 What is the data used for and how is it processed?
We process the data specified in Section 2.1 for the following and thus agreed purposes:
2.2.1 Provision of the „one“ Digital Service
- Digital ordering process and digital identification service for the payment card application;
- Enabling registration, login and use of one;
- Authentication of Users when performing actions. The app and/or mobile devices used are clearly assigned to the Users when registering with one. In this way, Viseca can ensure that the confirmation actions are carried out in the app or with the registered mobile devices;
- Communication with the Users and transmission of information in connection with fraud warnings and monitoring, on behalf of the payment card issuer and as operator of „one“ (for example provision of invoices) via „one“ and the mobile device;
- Receipt of messages from Users, for example via the contact form;
- Display of transactions and invoices on behalf of the payment card issuer;
- Transmitting confirmation requests, for example for confirmation of online payments by push notification or SMS code;
- Processing of the „one“ contractual relationship;
- Establishing a secure connection between „one“ and the Users' mobile devices;
- Operation of 3-D Secure web transactions.
2.2.2 Digital ordering process and digital identification service via „one“
Where offered, the introduction of the digital order process with the digital identification service in „one“ („one“ app and web) will provide you with a quick, efficient and fully digitalised application check using your mobile or desktop device. We would like to point out that the application check is exclusively automated when you apply for a payment card via this process. The result will be communicated to you after the check. By submitting an application in this process, you expressly consent to the decision on the application being made solely by automated means.
2.2.3 Mobile payment
- Checking to verify that a payment card is eligible for mobile payment;
- Activating, deactivating and updating payment cards for mobile payment;
- Prevention of misuse of registered payment cards.
2.2.4 Flying Blue Programme
- Viseca is authorised to use the data processed in connection with Flying Blue for marketing purposes and to create and evaluate customer, consumption and preference profiles.
- To connect the „one“ data with data already available at Viseca (including data from third-party sources);
- To create individual customer, consumption and preference profiles that enable products and services (including those of third parties) to be developed and offered to Users;
- Transmission of information via „one“ to Users concerning existing or new products and services (including those of third parties);
- Users may withdraw their consent to the processing of data for marketing purposes at any time by notifying Viseca.
2.2.6 Click to Pay
- Viseca uses the personal and device data of Users when registering the payment card for Click to Pay in order to register or de-register for this solution and to allow Users to utilise it;
- Users acknowledge that upon registration of the payment card for Click to Pay, data (such as payment card information and Users' name, billing and shipping address, email address and telephone number) will be transmitted to the card organisations.
2.2.7 Market research and service improvement
- Viseca also processes User data for market research purposes and to improve the services. For this purpose, Viseca uses master data, behavioural data and preference data, in particular;
- Viseca analyses which services are used by which user groups and how in order to identify indications of market acceptance of existing products and services and the market potential of new products and services.
2.2.8 Security purposes and access control
- Viseca also uses User data – in particular master data, technical data, behavioural data and other data – for security purposes and for access control;
- This also includes controlling access to „one“ (for example log data and user accounts).
- Communications with Users and third parties in order to be able to provide information or send messages. For this purpose, Viseca uses master and communications data and generally stores these data in order to document communications with users.
- Insofar as Users contact Viseca by email – whether by using a published e-mail address or a contact form – Users expressly authorise Viseca to reply via the same channel to the sender address or to the address provided.
2.2.10 Further processing purposes
- Furnishing proof of actions and defending against claims lodged against Viseca;
- Complying with statutory and regulatory requirements;
- Training and education purposes;
- Administrative purposes, such as the management of master data, accounting and data retention, as well as the management of the IT infrastructure.
2.3 What generally applies to profiling and automated decision-making?
Viseca may process the User's data in order to create profiles from them, for example for analyses, evaluations and decisions. Such processing is used by Viseca in particular for risk management purposes, the further development of „one“ and to ensure information and data security.
In addition, Viseca may process user data automatically, i.e. on an IT-supported basis, for the purposes specified in Section 2.2, and evaluate personal aspects in the process, in particular for reasons of efficiency and uniformity of decision-making processes. Viseca may also create profiles for the same purposes. If these decisions have legal effects or impairments on Users, Viseca will inform them and take the legally required measures.
2.4 To whom do we disclose data?
You acknowledge that the following bodies may process your data. We assume that you have no objection to these data disclosures, but please let us know if there are any special interests that speak against such disclosure.
2.4.1 Service providers
2.4.2 Mobile payment providers
When using mobile payment, customer and device data as well as data of mobile payment providers are exchanged between Viseca, providers and payment card organisations for payment card management, verification of identification, combating misuse and fraud, compliance with legal provisions and for processing and displaying transactions. The relevant provider may also stipulate in its terms and conditions that it may obtain, process and disclose the aforementioned data for further purposes.
2.4.3 Authorities and other official bodies
Viseca may disclose data to public offices, courts and other authorities or official bodies if Viseca is legally obliged or entitled to disclose data or in order to safeguard its own rights and legitimate interests.
2.4.4 Electronic data transmission
User data may be transmitted electronically to third parties in Switzerland and abroad even without the involvement of Viseca. In particular, manufacturers of devices or software (such as Apple or Google) may receive data when the app and/or mobile devices are used. These data may be processed and passed on to third parties in accordance with their own terms and conditions of use or privacy policies. This may result in these third parties being able to infer that there is a relationship between Users, Viseca and the payment card issuer.
The transmission of information between Viseca and the app and/or mobile devices of Users is encrypted, with the exception of sending SMS messages. However, communication with Users takes place via public communications networks. These data are generally accessible to third parties and may be lost or intercepted by unauthorised third parties during transmission. It therefore cannot be ruled out that third parties, despite all security measures taken, can gain access to the communications with Users when „one“ is used.
When using the Internet, data may also be transmitted to third countries even if the Users are located in Switzerland. Such third countries may not offer the same level of data protection as Switzerland.
2.4.5 Digital ordering process of a payment card and digital identification service in „one“
The identification service serves the legally required verification and identification of natural persons as well as the verification of official identification documents within the scope of digital payment card orders. Licensed identification software from Intrum Ltd is used for identification. The identification service is available both website-based and via the „one“ app.
2.5 Do we disclose data abroad?
2.6 How long does Viseca store data and when does Viseca erase it?
Viseca stores data only for as long as necessary for the purpose for which it was collected. In addition, Viseca stores data if there is a legitimate interest in storage, for example if Viseca requires data in order to enforce or defend against claims, in order to ensure IT security or if limitation periods apply. Finally, Viseca stores data in order to comply with regulatory and statutory obligations.
If Users stop using „one“ for two years, Viseca will assume that the app is no longer being used or has been deleted. In this case, Viseca may delete all data that does not have to be retained based on statutory retention obligations or contractual obligations.
Data for which no statutory basis for processing or retention applies may be further processed in anonymised form. Data that must be retained longer due to statutory retention obligations is excluded from erasure or anonymisation.
2.7 How does Viseca protect the data in „one“?
By using state-of-the-art security software, Viseca's IT infrastructure meets international security standards. In addition, Viseca takes additional security measures for providing access to User accounts over the Internet as well as technical and organisational measures to protect the data against loss, unauthorised access or misuse.
Irrespective of the measures taken, when using the Internet as a means of transmission via a computer, smartphone or other end device, it cannot be ruled out that third parties may gain access to Users' data. Any liability for direct and indirect damage arising as a result of such data transmission is rejected in its entirety.
2.8 What rights do Users have in connection with their data?
Provided that the requirements of applicable law have been met, Users have the following rights:
- the right to demand information about your own data, how Viseca processes it, as well as copies thereof;
- the disclosure of certain data in a machine-readable format;
- the right to demand rectification of incorrect or incomplete data;
- the right to demand erasure of own data;
- to object to the processing of own data;
- the right to lodge a complaint against the form of the data processing with a competent data protection authority;
- the right to withdraw consent given for data processing; whereby the data may continue to be processed by Viseca to the extent permitted by law in the event of withdrawal.
If Viseca informs Users about an automatic decision, they have the right to lodge a complaint and have the decision reviewed by a natural person. In order to exercise these rights, Users must assert their claims in writing with a copy of their identification document enclosed. Withdrawal of consent may be made in another manner, provided Viseca provides this option (for example in „one“). These rights may be subject to statutory requirements and restrictions, which is why they may not always be exercised to the fullest extent. Thus, there are, for instance, statutory retention obligations.
Furthermore, Users acknowledge in accordance with Section 2.4 that data may also be held with other controllers. In order to safeguard their rights as data subjects under data protection law, Users must contact them directly.
2.9 How are business communications handled?
By using „one“, Users expressly agree that Viseca may contact them for business communications via the registered and verified email address.
3. Terms and Conditions for Visits to Websites
The information published on our websites does not constitute a recommendation to carry out transactions, other legal transactions or offers. Third-party products and services presented may not be purchased by residents of certain countries. If problems arise in a contractual relationship between you and third parties, you, as the injured party, must pursue remedies against the third party. We shall not be liable for any damages arising from contractual relationships with third parties.
Although we take every care to ensure that the information published on our websites is accurate at the time of publication, the accuracy, reliability, timeliness or completeness of the information cannot be guaranteed, either expressly or by implication.
We assume no responsibility and make no representation that the functions will be available continuously or that the relevant server is free of viruses or other harmful components.
Viseca shall not be liable for direct or indirect damages and losses of any kind which may arise for the following reasons, even in the event of negligence:
- based on access to services;
- based on the inability to access or use services;
- based on linking or accessing links to other websites of third parties;
- as a result of unauthorised persons' manipulation of the Internet User's IT systems;
- based on contact with Viseca via the Internet or email.
Viseca websites are not intended for visitors who are subject to any jurisdiction that prohibits or otherwise restricts access to or disseminate, publish, provide or use of the information contained on them. Persons subject to such restrictions are not granted permission to access the websites and they are requested to refrain from accessing them.
By accessing Viseca websites, you consent to these Terms and Conditions.
We use the term "cookies" for cookies and similar technologies that are used in the context of electronic communication. With the following information we inform you about the most important aspects of the processing of your data in the context of the use of our websites, social media channels and „one“ Digital Service. You can also generally use our websites and social media channels without providing us with any personal data, such as your name or email address. In this case, we can clearly assign the data collected in connection with the corresponding use to specific visitors, but not to persons known by name. In this sense, online data is generally not personal. However, if you provide us with your name, an e-mail address or other personal data in this context, we will process this data. In addition to this processing, it also allows us to link you to otherwise non-personal data.
1. What are cookies and similar technologies?
- Cookies are small files that are transferred to your end device and stored there when you visit a website. A cookie contains, in particular, information about the origin of the website as well as the lifetime of the cookie (i.e. how long it remains stored on your end device). Some cookies are deleted after the end of the browser session ("session cookies"). Other cookies remain on your device ("permanent cookies").
- If you access these websites again, we can record your new visit even if we do not know your identity. Cookies may also collect information about your user behaviour.
2. What cookies do we use?
- Technically necessary cookies are necessary for the technical operation of the websites and enable security-related functionalities as well as making them user-friendly.
- Cookies for advertising purposes may record your visit to our websites as well as the links you click on. We use such information to tailor our websites and advertisements to your interests. We may also disclose this information for this purpose to third parties who process this information on our behalf.
- If you opt to disallow or disable cookies, this may restrict the functionality of our websites. If you do not want cookies, you can set up your web browser so that it informs you about the setting of cookies and you allow this to happen only on a case-by-case basis. In addition, you can configure your web browser to automatically disable cookies.
- Please note that most web browsers offer options to protect your privacy. Most web browsers automatically accept cookies, but offer the option to block or delete them. The instructions for managing cookies in your browser are usually found under the "Help" feature of the browser or in your mobile device's user manual.
4. How and where is your data stored?
- Please note that the IP address of the end device is stored by the website operator when you visit our websites. For technical reasons, further log data is collected, for example information about the internet service provider, information about the operating system of the end device and the browser used, information about the referring URL (origin), date and time of access and accessed content. Under certain circumstances, personal data such as the name and address of the visitor may also be collected, for example when you register on a website. In this case, we may also process log data on a personal basis.
- We process personal data that is necessary for the fulfilment of the contract or in the context of initiating business or for which you have given us your separate consent. Consent may be revoked at any time with effect for the future. Personal data that were communicated to us via our websites are stored only until the purpose has been met or for the retention period required by law.
- However, for the processing of data in connection with our websites, social media channels and „one“ Digital Service, we may engage service providers who carry out evaluations for us on the basis of this data. In this case, your data may also be transferred abroad, including to states outside the EU or the European Economic Area. These third countries may not have laws in place that protect your data to the same extent as in Switzerland or in the EU/EEA. In this case, we ensure data protection through data transfer agreements. In certain cases, we may transfer data in accordance with data protection requirements even without such contracts, for example if you have consented to the relevant disclosure or if the disclosure is necessary for the performance of the contract, for the establishment, exercise or enforcement of legal claims or for overriding public interests.
Regardless of the measures taken to protect your data, data protection and confidentiality in connection with data processing may be limited by universally accessible media. Because of the way in which the Internet is designed, it cannot be ruled out that third parties will gain access to your data when you use the Internet as a means of transmission with a computer, smartphone or other device. Any liability for direct or indirect damage arising as a result of such data transmission in connection with the use of our websites and „one“ Digital Service is rejected in its entirety.
5. For what purposes do we use online data?
- Provision of certain contents and features: If you use the content and functions of our service and provide us with data in the process, for example if you register for a newsletter, we process the online data you provide in the process in accordance with the respective purpose of the function or content.
- Security and stability: We use online data to improve the security and stability of the online service. As a rule, we do not require any direct personal data for this purpose. Insofar as we are able to assign cookies to you personally, we may use them for purposes of security and stability to the extent necessary, but also on a personal basis.
- Statistics: We use personal and not directly personal online data for statistical purposes, i.e. for evaluations with the aim of obtaining certain information, for example information on variations in the use of the online offer. This information is aggregated, i.e. no longer personal.
- Improvement of offers: We use online data to continuously improve our online services. However, we only use online data for this purpose in aggregated form.
- Market research and marketing: We also use online data for market research purposes and for marketing purposes, for example to send newsletters or to display advertisements within our online services and on third-party sites. We can also personalise the relevant content. For this purpose, we use marketing cookies, among other things.
- Communications: We use online data to communicate with you through electronic channels. To do this, we process the content of the communication, but also log data about the type and time of the communication.
- Complying with statutory and regulatory requirements: We may process online data to comply with laws, directives and recommendations from authorities and internal regulations. This includes the prevention, detection and investigation of criminal offences and other violations, internal and external investigations and the disclosure of online data to a public authority.
- Defending and enforcing claims: We may use online data for a civil or criminal action or defence in such proceedings.
6. How do we obtain evaluations and statistics?
Three of the most important service providers are Google, Cookiebot and Hotjar. Further details concerning them can be found below. Other service providers generally process online data in a similar manner:
Google Analytics: We use the "Google Analytics" analysis service operated by a Google company in Ireland (Google). In the process, cookies record data about behaviour on our online service (duration and frequency of page views, content accessed, geographical origin of access, etc.), and on this basis Google creates evaluations of the use of our online service for us. Google uses Google LLC in the USA as a processor, whereby IP addresses (which are the most likely way to identify individuals) are shortened before being forwarded to Google LLC. We have deactivated the settings "Data sharing" and "Signals". Nevertheless, we cannot rule out the possibility that Google may draw conclusions about the identity of visitors for its own purposes from the online data collected, create personal profiles and link this data to Google accounts. Information about the data protection of Google Analytics can be found at https://support.google.com/analytics/answer/6004245?hl=en, and if you have a Google account, information about processing by Google can be found at https://policies.google.com/technologies/partner-sites?hl=en-GB. You can disable Google Analytics by installing a browser extension at the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.
Cookiebot: With Cookiebot and the "CookieConsent" cookie, we manage and store consent status on the websites. The "cookietest" cookie is also used to determine whether you have accepted the cookie settings box in our cookie banner. These cookies are categorised as functional cookies and cannot be deactivated via the cookie settings. However, information collected and stored through the use of these cookies is stored for no longer than one year and is not processed outside Switzerland or the European Union. We do not provide Cookiebot with any information that Cookiebot may associate with you. Cookiebot provides us with reports and evaluations based on the data collected and is therefore a contracted data processor.
Hotjar: Another example of a service for the statistical evaluation of our Users' needs is Hotjar, a service provided by Hotjar Ltd (Malta). Hotjar works with cookies and other technologies to collect data about the behaviour of the Users of our online service and their end devices, in particular the IP address of the end device (which is only recorded anonymously), screen size, device type, information about the browser used and the location (only the country) and language setting of the browser. Hotjar stores this information in a pseudonymised user profile and uses it for evaluations with which we can better understand the needs of the users of the online service and improve the online service and better align it to our users. For more information, see the "about Hotjar" section on Hotjar's help page. (https://help.hotjar.com/hc/en-us/sections/115003204947).
7. How do we conduct online marketing?
Our online service may also use the so-called "Facebook pixel" and similar technologies from Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). These technologies are used to display Facebook ads placed by us only to those Users on Facebook and partners cooperating with Facebook who are interested in them or whose characteristics correspond to those that we transmit to Facebook for this purpose (for example interest in certain topics or products, so-called "Custom Audiences"). It also allows us to see whether Users have been directed to our online service via a Facebook ad (this allows us to assess the effectiveness of Facebook ads for statistical and market research purposes). You can find more details here.
We are jointly responsible with Facebook for sharing data that Facebook obtains or receives, for Facebook interest-based ads and personalisation of Facebook features and content (but not further processing). We have concluded a corresponding supplementary agreement with Facebook. Users can submit data subject requests related to shared responsibility directly to Facebook.
8. How do we use social media plugins?
- After the buttons have been activated, the plugins will automatically transfer data to the third-party providers. If you are simultaneously logged into the network of the relevant third party when you visit our websites, the visit may be assigned to your account. We have no influence on this method of data transmission to social networks. If you would like to prevent for example Instagram, Facebook or Twitter from associating the data collected through our advertising presence to your personal profile, you must log out of the corresponding social network before visiting our websites.
1 This document is aimed at our entire clientele, regardless of the pronouns used here.
Viseca Card Services Ltd, Hagenholzstrasse 56, P.O. Box 7007, 8050 Zurich, Phone +41 (0)58 958 84 00