Information on the processing of personal data (Art. 13 GDPR)

Protecting your personal data is important to us. Under the EU General Data Protection Regulation (GDPR), we are obliged to inform you for what purpose we collect, save or transmit data. This information document also explains what rights you have regarding data protection.

  1. Responsible for data processing
    BASTUCK & Co. GmbH, In Bommersfeld 11, 66822 Lebach
    Telephone 06881 9249101, e-mail: service@bastuck.de
    You can contact our data protection officer, Mr. Ralf Müller, at the e-mail address datenschutz@datenschutz.gesmit.de or by telephone at +49 (0) 681 9.88.99.100.
  2. Purpose and legal basis for data processing
    We process your data for the purpose of processing client enquiries and client orders. Processing for this purpose is necessary to handle your enquiry adequately or for both sides to comply with a concluded contract. We also process your data for direct marketing (Art. 6 para. 1 lit. f GDPR) and for the enforcement of our claims (§24 para. 1 FDPA). If consent has been obtained separately, we process your data for the purposes cited in the consent agreement (Art. 6 para. 1 lit. a GDPR).
  3. Provenance of the data
    Where possible, we collect the data directly from the person concerned. However, it can be necessary for us to process personal data that we obtained elsewhere (e.g. a request for your credit score). In both cases, your personal data is collected on the basis of the defined purposes.
  4. Recipients of your data
    Your data is transmitted to a third party only if this is necessary for the purposes cited in point 2, for example to our IT service providers. In case of default of payment, we are entitled to transmit your data to a collection agency. In case of direct marketing, your data will be transmitted, inter alia, to our corresponding service provider.
  5. Duration of data storage
    The personal data collected by us will be deleted once they are no longer necessary for the purpose for which they were collected or processed, unless we are obliged under Art. 6 para. 1 S. 1 lit. c GDPR to store them further because of storage and documentation obligations under tax or commercial law, or you have agreed to further storage under Art. 6 para. 1 S. 1 lit. a GDPR.
  6. Payment service (if payment by credit card)
    Many steps are necessary for you to pay by credit card safely. The dealer where you pay by card works with a network operator and with at least one acquirer. Dealer, network operator and acquirer are each responsible for processing data in their own technical area of influence, as follows:
    The dealer is responsible for the operation of the payment terminal at checkout and possibly for its internal network up to the secured transmission via internet or telephone to the network operator. The dealer is BASTUCK & Co. GmbH, Im Bommersfeld 11, 66822 Lebach (see point 1).
    The network operator, responsible for the central network operation, the processing, recoding, risk testing and the further transmission, is BS PAYONE GmbH (address as follows).
    The acquirer is a payment service provider regulated according to the payment service control law (ZAG) that executes the receiving and settlement of payment transactions for the dealer. The acquirer is:
    BS PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, www.bspayone.com
    Data protection officer: privacy@bspayone.com
    Responsible data protection agency: the Hessian data protection officer, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de/
    1. What data is used for the payment?
      Card data (data stored on your card):
      card number, card type (e.g. VISA, Mastercard) and expiration date.
      Further payment data: amount, date, time, identification of the payment terminal (location, company and store where you pay), test data from your card institute (“EMV data”), possibly your signature.
      PIN:
      Your entered PIN is cryptographically secured and is verified by your card institute. The network operator collects the cryptographic security and transmissions but does not store your PIN and has no access to your PIN.
      Chargeback:
      If you deny a transaction that has been processed with your credit card, the purchase receipt and possibly further information about you with which the dealer wants to prove his claim against you (e.g. name and address) can be transmitted to your card institute.
    2. What are the sources of your data?
      - The card data are read out by the payment terminal.
      - The further card data are collected by the payment terminal or by the dealer.
      - Your PIN is entered by you and your signature is given by you.
    3. Why is your data processed and on what legal basis?
      • Dealer:
        - Verification and processing of your payment to the dealer, art. 6 (1) (b) GDPR.
        - Storage of purchase receipts according to legal prescriptions, especially according to §§ 257 para. 1 Nr. 4 HGB, § 147 para. 1 Nr. 4 AO; Art. 6 (1) (c) GDPR.
      • Network operator:
        - Verification and processing of your payment to the dealer, art. 6 (1) (b) GDPR.
        - Secure transmission of your data especially according to the legal prescriptions, §§ 25a KWG, 27 ZAG, and the prescriptions of the credit card organisation, art. 6 (1) (c) and (f) GDPR.
      • Acquirer:
        - Verification and processing of your payment to the dealer, art. 6 (1) (b) GDPR.
        - Prevention of credit card abuse (§ 10 para. 1 Nr. 5 GWG); art. 6 (1) (c) GDPR.
        - Limitation of risk of cash loss, art. 6 (1) (f) GDPR.
        - Secure transmission of your data especially according to the legal prescriptions, §§ 25a KWG, 27 ZAG, and the prescriptions of the credit card organisation, art. 6 (1) (c) and (f) GDPR.
        - Deduction of charges that the dealer owes the credit card institute, art. 6 (1) (f) GDPR.
        - Storage of purchase receipts according to legal prescriptions, especially according to §§ 257 para. 1 Nr. 4 HGB, § 147 para. 1 Nr. 4 AO; Art. 6 (1) (c) GDPR.
        - Collection of claims after a return debit note, art. 6 (1) (f) GDPR.
    4. Who gets the data?
      Besides the dealer and the network operator, further institutions need your data to process the payment or to satisfy legal prescriptions. Your data will be transmitted to the following institutions only in this context:
      - the payment card system,
      - your credit card institute and the bank of the acquirer,
      - the institutions between the credit card organisations that handle the clearing and settlement of payments,
      - law enforcement agencies in legally required cases,
      - anti money laundering agencies in legally required cases.
    5. Will data be transmitted to a third country or to an international organisation?
      The acquirer transmits the data to the card payment system outside the European Economic Area according to the agreed rules (e.g. "Binding Corporate Rules", "Standard Contractual Clauses") or, for the performance of the contract with a foreign payer, to authorize and process your payment.
      With regard to the processing of your data by the card payment system, please check its data protection information:
      MasterCard Europe SPRL, Chaussée de Tervuren 198A, 1410 Waterloo, Belgium, for the brands "MasterCard" and "Maestro",
      Visa Europe Services LLC, registered in Delaware USA, acting through the branch in London, 1 Sheldon Square, London W2 6TT, Great Britain, for the brands "Visa", "Visa Electron" and "V PAY".
    6. For how long is my data stored?
      BS PAYONE stores and processes personal data as long as it is necessary to comply with the contract and to fulfil the contractual and legal requirements. If the data is no longer necessary to fulfil contractual or legal requirements and the purpose of data storage no longer applies, the personal data will be deleted, unless their further processing is necessary for the following purposes:
      Compliance with storage obligations under tax or commercial law (e.g. storage of data relevant for accounting for 10 years);
      Storage of evidence with regard to the legal limitation period.
    7. What rights do I have?
      Each person concerned can assert the rights listed under number 7 against the party responsible for payment processing.
    8. Do I have to provide my data?
      You are neither legally nor contractually required to provide your data. If you do not want to provide your data, you can choose a different payment method.
    9. Right of objection in individual cases
      You have the right to object at any time, for reasons that arise from your individual situation, to the processing of data that is carried out on the basis of article 6 (1)(f) GDPR, that is, processing based on a consideration of interests.
      Please direct your objection to:
      BS PAYONE GmbH / data protection officer Axel Moritz
      Lyoner Straße 9
      D-60528 Frankfurt/Main
      www.bspayone.com / privacy@bspayone.com
      If you rightfully file an objection, your data will no longer be processed according to article 6 (1)(f) GDPR, with two exceptions:
      Your data will be further processed if the party responsible can prove compelling grounds worthy of protection for the further processing that override your interests, rights and freedoms, in particular legally binding storage prescriptions and the processing of a payment that has been started at the payment terminal but not yet completed.
      Your data will be further processed if the processing is needed to assert, exercise or defend legal claims.
    10. Is my data used for automatic decision making?
      If you want to use your credit card to pay, the payment must be authorized first. The authorization happens automatically by using your data. During this process, the following considerations can come into play: payment amount, location of payment, previous payment behaviour, dealer, purpose of payment. Without authorization, payment by credit card is not possible. This has no influence on the other payment methods (e.g. other cards or cash).
  7. Your rights
    You have the right to get information about your personal data. You can also demand the correction of false personal data. Moreover, under certain circumstances, you have the right to have data deleted, to limit data processing and to transfer data. If the processing of your data is based on a legitimate interest of the responsible party, you have the right of objection. If the processing of data is based on a signed agreement, you have the right to revoke the agreement for future data processing. You also have the right to complain to the responsible data protection agency if you feel that the processing of your data is not legitimate. The address of the agency responsible for the Bastuck & Co GmbH: Unabhängiges Datenschutzzentrum Saarland, Fritz-Dobisch-Str. 12, 66111 Saarbrücken. In number 6 you can find the responsible data protection agencies for the responsible parties of payment processing.

Right to object (Art. 21 para. 1 GDPR)
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.