DECTA SECURE Privacy Policy

Effective from 18 August 2022


This Privacy Policy explains how SIA “DECTA” (hereinafter – “DECTA” or “We”) processes Your personal data when You: (i) use Our DECTA SECURE Application (hereinafter – the “App”) and (ii) communicate with Us by phone, email or otherwise.

 

We process Your personal data in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – “GDPR”). For the purposes of the GDPR, Your data controller is SIA “DECTA”, incorporated in Latvia, with address at Roberta Hirsa iela 1, Riga, LV-1045.

 

Take Your time to carefully read this Privacy Policy and, if You have any questions, please feel free to contact Us. Any changes We may make to Our Privacy Policy in the future will be posted on this page. Please check back frequently to see any updates or changes to Our Privacy Policy.
 

Definitions

  • You in this Privacy Policy refers to a user of the App; 
  • DECTA SECURE Application (App) – our 3DS solution for performing Strong Customer authentication (SCA). You can install our App on your Android and iOS smart devices and use it to authenticate your online purchases;
  • Authentication – an electronic process during which DECTA conducts the verification of Your electronic identification data in order to perform the strong customer authentication (SCA);
     

On what legal grounds do we process your personal data?

We process Your data specified in this Privacy Policy on the following legal grounds:

  • for conclusion, performance, amendment and administration of an agreement between You and Us (Article 6(1)(b) of the GDPR);
  • for fulfilment of legal obligations and requirements of legal acts applicable to Us (Article 6(1)(c) of the GDPR);
  • for pursuing Our legitimate interests and those of third parties (Article 6(1)(f) of the GDPR)
  • on limited occasions – based on your consent.

In the scope and under the conditions set by applicable legislation, one or several of the abovementioned legal grounds may apply to processing of the same set of Your personal data.

Where do we obtain your personal data?

We obtain your personal data from the following sources: 

  • From you, when you use the App to authorise a purchase; 
  • From your personal device when you use the App to authenticate a purchase;
  • From our partners who issue your payment instrument; 
  • Electronic service providers; 
  • Registration authorities and e-identification providers (e.g. banks, mobile operators, the police).

What personal data do we collect and for what purposes do we use it?

In this paragraph we explain in detail in respect to each processing activity: (i) the purpose of the processing, (ii) the legal basis for the processing, (iii) which personal data we process and (iv) data retention periods. 

- Enabling enrolment process for the App

We process your personal data in order to initially set up the App so that you can use it later to authorise your payments.   

Data categories
 
  • Your unique activation link and passcode provided by the card issuer;
  • Masked payment card number;
  • Device data (model and version of operating system, device name, and other technical parameters of the device);
  • Technical data related to the set-up of the App (whether authentication has been successful or not);
  • QR code required to complete the enrolment process.

 

Legal grounds for data processing
 

Conclusion, performance, amendment and administration of the agreement (Article 6(1)(b) of the GDPR).

Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas:

  • personal data protection;
  • information security;
  • other areas relevant for us.

Your consent (Article 6(1)(a) of the GDPR).
 

Duration of data processing
 
  • The data are retained throughout the use of the App and for a maximum period of 5 years after ceasing to use the App.
  • Chapter VII of the Privacy Policy lists cases and conditions when the personal data can be stored or otherwise processed for a longer period of time.

 

- Providing payment confirmation or denial services

Once you have set up the App and start shopping online and purchasing products or services, we process your personal data required to ensure strong customer authentication. 
 

Data categories
 
  • Information required for strong customer authentication (passphrase, data related to the push notification generated for the App, data related to unlocking the App using either biometrics or a PIN code);
  • Payment information (cardholder data, name of the seller/service provider, amount and currency, time of the purchase, action type (whether you approve or deny the payment));
  • Information regarding the confirmation of the payment or denial of the payment;
  • Device data (model and version of operating system, device name and other technical parameters of the device);

 

Legal grounds for data processing
 

Conclusion, performance, amendment and administration of the agreement (Article 6(1)(b) of the GDPR).

Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas:

  • personal data protection;
  • information security;
  • other areas relevant for us.

 

Duration of data processing
 
  • The data, including the log files related to authentication and unsuccessful authentication attempts, are retained for a maximum period of 5 years.
  • Chapter VII of the Privacy Policy lists cases and conditions when the personal data can be stored or otherwise processed for a longer period of time.

 

- Prevention of fraud, enforcement of legal requirements, administration of damages

We process your personal data in order to implement our legal requirements and to defend our legitimate interests (including fraud prevention), protect our property and interests and those of other persons, collect evidence of violations and prevent the abuse of our interests, those of other persons, abuse of the App, our services, also to administer, manage and recover damages inflicted on us and our property. 

Data categories
 
  • Information on the damages inflicted, including the debt amount, date, history, other related information;
  • Audit trail of your activities in the App;
  • All other relevant personal data specified in this Privacy Policy.

 

Legal grounds for data processing
 

Our legitimate interest (Article 6(1)(f) of the GDPR):

  • to ensure protection of our property, property interests and those of other persons;
  • to ensure prevention of fraud, other actions of bad faith;
  • to administer, manage and recover any damages inflicted on us and our property;
  • to ensure pursuance of our rights and legitimate interests.

 

Duration of data processing
 
  • The data, including the log files related to authentication and unsuccessful authentication attempts, are retained for a maximum period of 5 years.
  • Chapter VII of the Privacy Policy lists cases and conditions when the personal data can be stored or otherwise processed for a longer period of time.

 

- Providing client services – inquiries, requests, complaints

If you contact us in writing (by e-mail or otherwise), we will store the fact of you contacting us and the information provided, including personal data, so that we can properly examine your request and/or respond to your question, request or complaint. 

Data categories
 

The telephone number you are calling from or the e-mail address, other information pertaining to your inquiry, including, but not limited to, first name, surname, technical details of the call (date, duration, etc.); history of calls; complaint, request, inquiry text, description of the circumstances of the complaint or another inquiry, documents supporting the complaint, request, inquiry, other information provided to us. 

 

Legal grounds for data processing
 
  • Your consent (Article 6(1)(a) of the GDPR).
  • Conclusion, performance, amendment and administration of the agreement (Article 6(1)(b) of the GDPR).
  • Our legitimate interest and that of third parties (Article 6(1)(f) of the GDPR)

 

Duration of data processing
 
  • Complaints, claims, written requests related to the App and/or which may be related to disputes, shall be retained for 5 years after you initially contact us, unless longer periods specified below apply.
  • Chapter VII of the Privacy Policy lists cases and conditions when the personal data can be stored or otherwise processed for a longer period of time.

 

Automated decision-making and profiling

Under the GDPR, a person has the right not to be subject to decisions based solely on automated processing that have legal or other material consequences for them. Automated decisions may be made if necessary to execute a contract between a controller and a person, if permitted by law, or with the person’s explicit consent.
 

DECTA makes automatic decisions whether to approve or decline your payment request, based on the information provided during the authentication process. 

Processing of Special Categories of personal data

Pursuant to the GDPR, special categories of personal data may be processed if there is the person’s explicit consent. Although the App enables you to select the biometric identification method (i.e. facial recognition or fingerprint recognition) during the authentication process, please note that this biometric data remains solely on your device and DECTA does not at any point gain access to your biometric data and the App does not retain your personal data. Instead, DECTA only receives information from your device, whether the biometric identification was successful or not, which in itself is not biometric data. Please note that if you do not wish for your device to process your biometric data, you have the option to select another method (i.e. by using a PIN code).  

Disclosure of your information

We do not disclose your personal data to third parties, unless one of the following conditions applies: 

  • An obligation arises from applicable legislation or measures adopted thereunder (e.g. providing data to an investigation authority or other competent authorities, authorised by law to request us to provide data); 
  • Parties involved in providing the services requested by you (this may include third-party financial institutions (e.g. international card payment networks (VISA and Mastercard), payment systems and credit/financial institutions which issue your payment instrument, etc.) and the online stores providing products or services you wish to purchase); 
  • Third parties in order to protect our legitimate interests or legitimate interests of other persons (e.g. legal advisers, bailiffs, competent state authorities (courts, police, etc.)); 
  • You provide us with written consent to disclose the information to other third persons.

Please note that in cases when We transfer or disclose information to any third parties, We always carefully consider the conditions under which personal data will be processed and stored after transfer to other entities and We ensure the conclusion of appropriate data processing agreements.

Security

All information You provide to Us is stored on Our secure servers. Where You have chosen a password/PIN code which enables You to access the App and approve payments, You are responsible for keeping this password/PIN code confidential. We ask You not to share a password with anyone. Once We have received Your information, We will use strict procedures and security features to try to prevent unauthorised access.

Data storage and retention

Personal data specified in this Privacy Policy shall be stored and otherwise processed for no longer than the period necessary to achieve the purposes for which the data were collected. The data, including the log files related to authentication and unsuccessful authentication attempts are retained for a maximum period of 5 years.

We may retain certain categories of data for a longer period of time, based on our legitimate interest in appropriate situations (for instance, for the purposes of legal claims and defence of our legal and contractual interests). 

In the event We rely on Your consent for personal data processing, We will retain it until You revoke such consent or will delete it earlier, if the personal data is no longer necessary. 

Your rights

In respect to Your personal data, You have the following rights:

The right to access data processed and the right to obtain a copy of personal data 

You can submit Your request for the exercise of Your rights to data.protection@decta.com.
 

Right to rectification of personal data

In case of any changes in Your personal data or in case You think that the information processed by Us about You is inaccurate or incorrect, You have the right to demand to modify, amend or correct such information. 
 

Right to withdraw the consent

In case where We process Your data on the basis of Your consent, You have the right to withdraw Your consent at any time and data processing based on Your consent will stop. 
 

You have the right to withdraw consent at any time by e-mail: data.protection@decta.com
 

Right to object to data processing, when processing is based on legitimate interests

You have the right to object to personal data processing, when personal data is processed based on Our legitimate interests by contacting us at data.protection@decta.com.
 

Right to erasure (right to be forgotten) 

When there are certain circumstances indicated in the GDPR (e.g. when the basis for data processing has ceased to exist, etc.), You have the right to request that We erase Your personal data. 
 

Right to restriction of data processing

When there are certain circumstances indicated in the GDPR (when personal data is processed unlawfully, when You challenge data accuracy, You stated an objection to data processing on the basis of Our legitimate interest, etc.), You also have the right to restrict Your data processing.  
 

However, We must point out that, because of the restriction of data processing and during the period of such restriction, We may be unable to guarantee You all the services. 

 

Right to data portability

When there are certain circumstances indicated in the GDPR, you have the right to ask Us to send Your personal data to another controller. In order to exercise this right, please contact Us by e-mail: data.protection@decta.com
 

Right to lodge a complaint 

Should You consider that Your personal data is being processed in a non-compliant manner or Your rights in connection with data processing are violated, You also have the right to contact the relevant data protection authority and file a complaint:

  • Data State Inspectorate (Datu valsts inspekcija) is the national Data Protection Authority for Latvia and more information can be found on their website https://www.dvi.gov.lv/lv 
     

Examination procedure of requests


In order to protect Your data from illegal disclosure, upon receipt of Your request to present data or implement other rights of Yours, We will have to verify Your identity. Upon receipt of Your request regarding implementation of any right of Yours and having successfully performed the above-indicated verification procedure, We undertake without undue delay, but in any case no later than within one month after receipt of Your request and completion of the verification procedure, to give You information about actions We took with regard to Your request. With regard to complexity and number of requests, We have the right to extend the period of one month by two more months, informing You about it before the end of the first month and indicating reasons for such an extension. 

If Your request is submitted electronically, We will give the answer to You electronically, too, unless it is impossible (e.g. due to a particularly large scope of information) or when You request to answer You in some other way.

We have the right to refuse to satisfy Your request by Our reasoned written response under the conditions and grounds provided for in the GDPR. We will provide You with information free of charge, however, if the requests are manifestly unfounded or disproportionate, in particular because of their repetitive content, We may require a reasonable fee to cover administrative costs or may refuse to act upon Your request.

Contact information

You can always exercise Your rights to protect Your personal data at any time in the first place by contacting Us at data.protection@decta.com.

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to data.protection@decta.com