GDPR info

1. Preamble

Protecting clients' privacy when processing personal data in accordance with applicable laws is a top priority for WAYFORPAY, s.r.o. (hereinafter referred to as the “Administrator”). The Administrator acts as a sales representative in the area of payment services (hereinafter referred to as the “Services”), and this document contains the conditions for processing personal data of the client (natural person) in the provision of the Services.

The Administrator undertakes to handle the personal data obtained in accordance with Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR General Regulation”), and in accordance with Act No. 253/2008 Coll. on certain measures against money laundering and terrorist financing (hereinafter the “AML Act”).

The Administrator places great emphasis on compliance with the GDPR General Regulation and, in the course of its activities, it respects the basic principles of the handling of personal data, which are:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality.

The Client's personal data will be used by the Administrator only for the purposes specified in these rules and will not be disclosed to unauthorized third parties.

During the processing of personal data, the Administrator shall ensure that the rights of natural persons in connection with the processing of personal data are not prejudiced. At the same time, the Administrator is obliged to comply with the provisions of the relevant legislation and to apply appropriate measures to protect the rule of law, democratic society and its specific important interests, as set out below.

The Privacy Policy contains all information provided to the data subject in accordance with Article 13 of the GDPR General Regulation.

The Administrator warns clients to exercise caution, prudence and always to ensure the lawfulness of the processing of personal data when providing their personal data.

2. Type and time of data processing

The Administrator collects personal data for the purpose of concluding and fulfilling the Service Agreement concluded between the Administrator and the Client.

Pursuant to the GDPR General Regulation and in order to fulfill the legal obligations of the data Administrator pursuant to § 9 of the AML Act, the Administrator is authorized to process the personal data of clients to the extent of:

  • name, surname, title, social security number or date of birth, place of birth, sex,
  • residence or other residence and citizenship, telephone number, e-mail address,
  • copies of personal documents proving the identity of the client;
  • for a natural person doing business: business name, distinguishing addendum or other designation, place of business and person identification number,
  • bank account number incl. account holder names,
  • data on executed and canceled payment transactions,
  • details of any credit, debit or other credit card, including PAN number, expiration date and credit card holder name,
  • all communication implemented,
  • information obtained from questionnaires or similar forms that you may be asked to complete;
  • IP address and connection times of client devices
  • Client logging data on its website, in particular operational data, location data, weblogs, etc., as well as data on client behavior in the Internet environment.

The Administrator obtains the personal data of its clients mainly from the clients themselves, within the framework of negotiations on the conclusion of a service contract between the Administrator and the client. The Administrator also obtains client's personal data from card transaction processors, and also transfers client's personal data to the acquirers necessary for the implementation of the services.

Processing of personal data for the Administrator may be carried out by processors solely on the basis of a contract on processing of personal data.

The Administrator provides personal information about customers to state authorities and other entities in the exercise of statutory rights and the fulfillment of statutory obligations.

Only employees of the Administrator and third parties (see Chapter 5) who need it for the purposes of processing personal data set out in these rules have access to the client's personal data.

Personal data will be processed for the entire duration of the Service Agreement and until the end of the calendar year in which the Service Agreement was terminated.

The period of processing of personal data is 10 years from the date of the transaction or from the termination of the business relationship between the client and the data Administrator (whichever comes later). The Client is aware that he/she cannot withdraw such consent as a data subject.

The data Administrator shall be entitled to provide such data to the competent national authorities upon request.

3. Method and principles of data processing

The Administrator processes personal data fairly and lawfully and transparently to the client, ensuring that personal data is properly secured, including by protecting it by appropriate technical or organizational measures against unauthorized or unlawful processing and accidental loss, destruction or damage.

For data processing and storage, the Administrator uses the CRM system of RAYNET, which implements personal data processing obligations approved in accordance with the GDPR General Regulation.

The data protection of the CRM system of the data processor RAYNET is based on ensuring that only authorized persons have access to individual groups of information, and further:

  • The application itself is protected by a unique user name and password.
  • It sets 2-step verification, password expiration and password quality (length, special characters, letter case).
  • RAYNET CRM includes a simple tool for managing user roles and groups that allows you to define permissions to access data, both for individual user groups and for individual users.
  • All data transmissions are TLS encrypted.

4. Client's rights in connection with data processing

The Administrator processes personal data without the Client's consent, as it processes personal data only for the purpose necessary for the fulfillment of the Service Agreement concluded between the Administrator and the Client. In this case, the law does not require the client's consent to the processing of personal data.

The client's rights are as follows:

  • the right of access to personal data
  • the right to rectification
  • the right to erasure ("right to be forgotten")
  • the right to restriction of processing
  • the right to data portability
  • the right to object
  • the right not to be subject to any decision based solely on automated processing, including profiling.

The Client has the right to have the Administrator correct inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the data subject has the right to complete incomplete personal data, including by providing an additional declaration.

The Client has the right to ask the Administrator at any time to what extent and for what purpose personal data will be processed, who and how the personal data will be processed and to whom personal data can be disclosed.

The information shall be provided to the Client without undue delay, provided that the Administrator is entitled to request a reasonable compensation not exceeding the costs necessary for providing the information.

If the Client believes that the Administrator is processing his/her personal data in violation of the protection of his/her private and personal life or in violation of the law, he/she is entitled to ask the Administrator for explanation or request blocking, correction, completion or destruction of personal data.

The Administrator shall notify the individual recipients to whom personal data have been disclosed of any rectification or deletion of personal data or processing restrictions made in accordance with Article 16, Article 17 (1) and Article 18 of the GDPR General Regulation, unless this proves impossible or requires a disproportionate effort.

The Administrator shall inform the data subject of these recipients if the data subject so requests.

If the client's request is found justified, the Administrator shall immediately remedy the defective condition. If the Administrator does not comply with the request, the client may contact the Office for Personal Data Protection; the Client's right to contact the Office for Personal Data Protection is not directly affected by this.

The Client is entitled to contact the Administrator with a request regarding the processing of personal data or with a request for correction, cancellation and blocking of his/her personal data.

The contact details of the DPO are as follows:


Telephone: +420 234 665 111 (switchboard)

FAX: +420 234 665 444

WWW: https://www.uoou.cz

E-mail: [email protected]

ID databox: qkbaa2n

ID: 70837627

Address: Úřad pro ochranu osobních údajů, Pplk. Sochora 27, 170 00 Praha 7