PayPal Privacy Statement
Effective Date: 15 April 2024
Please contact us if you have any questions regarding this Privacy Statement or in general questions regarding your Personal Data. Your information will be used to provide the Services and in accordance with this Privacy Statement and the relevant PayPal User Agreement.
Contents
2. PayPal’s role as a data controller.
4. Categories of Personal data We Collect about You
5. What Personal Data is used and for which Legal Basis?
6. Do We Share Personal Data, and why?
7. How long does PayPal store your Personal Data?
8. International Transfers of Personal Data
9. How Do We Use Cookies and Tracking Technologies?
10. Your Data Protection Rights
11. Specific information about automated decision-making and profiling
12. Why do we share your Personal Data with credit reference agencies?
13. How Do We Protect Your Personal Data?
14. Can Children Use Our Services?
15. Updates to this Privacy Statement.
16. Banking Regulations Notice for Users in the EEA and UK
1. Overview
This Privacy Statement aims to provide you with sufficient information regarding our use of your Personal Data when you visit our website, apply for, or use our services (collectively, the “Services”), We encourage you to read this Privacy Statement and to use it to help you make informed decisions.
Certain capitalized terms that are not otherwise defined in the Statement are explained in Section 17 (“Definitions”) at the end of this statement.
2. PayPal’s role as a data controller
In the European Economic Area (EEA), PayPal (Europe) S.a.r.l. et Cie, S.C.A. is the data controller for the Personal Data collected and processed in connection with Personal Data obtained when you visit our website, during the registration and application process, and throughout your continued use of the services.
Any reference made to “we”, “ours”, “us”, “PayPal” or “PayPal Companies” included in this Privacy Statement means PayPal (Europe) S.a.r.l. et Cie, S.C.A. and the group of companies which each directly or indirectly controls, is controlled by, or are under common ownership.
Some of the third-parties that we share Personal Data with are independent data controllers. This means that we are not the ones that dictate how the data that we share will be processed. Examples are authorities, credit bureaus, acquirers, and other financial institutions. When your data is shared with independent data controllers, their data policies will apply. We encourage you to read their privacy policies and know your privacy rights before interacting with them.
For more information about how we protect your Personal Data when transferred outside of the EEA, UK and Switzerland, please see Section 8, (“International Transfers of Personal Data”)
3. Non-Account Holders
Our Services may be accessed by individuals without a PayPal account or profile. We will collect Personal Data from you even if you are a non-account holder when you use our Services, such as when you use our Services without a PayPal account, use Unbranded Payment Services (e.g. Braintree), or when you receive a payment through our Services from account holders (“Recipient”). We use the term “User” to apply to account and non-account holders. If you are a non-account holder, your Personal Data will be used to provide the Services and in accordance with this Privacy Statement and the relevant PayPal User Agreement.
4. Categories of Personal Data We Collect about You
We collect the following categories of information about you to provide our Services, continually improve your user experience, manage and improve our business. The types of Personal Data we collect about you are described below.
Categories of Personal Data collected from you, including from your interactions with us and use of the Services:
Registration and Contact Information. Depending on the Services you choose, we will collect your name, mailing address, email, income, telephone number, tax ID, Payment Information, profession, employment or business information, and other information necessary to establish an account and use our Services.
Identification and Signature Information. Depending on the Services you choose, we will collect information to verify your name, address, email, phone number, government- issued identification, age and biometric data as well as to create and issue your electronic signature.
Payment Information. Information such as amount you send or request, your payment instrument, card, or financial or funding account used in connection with the Services, including issuer name, card type, country code, payment account number, CVV, username, and IBAN information.
Information about your imported contacts. If you choose to import your contact lists, we will collect Information you enter or import about your contacts, such as name, address, phone number, images, email address or usernames associated with the contacts you import or enter manually.
Information in your Account Profile. Information you choose to enter such as your username, email, mobile number, profile picture, preferred language, or personal description which may include sensitive Personal Data that reveals religious beliefs, political or philosophical views, disability, sexual orientation as well as biometric data. You can set your profile to “Private” at any time.
Information you provide when you contact us. Information you disclose when you respond to surveys, or contact our customer support teams, such as Services you have used, recorded conversations, chat conversations with us, email correspondence with us, account status, repayment history, voice identification. This may include information about others if you choose to share it with us.
Device Information. Information that can be automatically collected from any device used to access the Site or Services. Such information may include, but is not limited to, your device type; your device’s network connections; your device’s name; your device IP address; information about your device’s web browser and internet connection you use to access the Site or Services; Geolocation Information; information about apps downloaded to your device; and biometric data.
Inferred data. We may derive inferences from your transactions and personal data when you use the Services. We do this, for example, to help keep your account secure and protect your use of the Services from fraud. We may draw inferences that reflect your behavior patterns and personal preferences, browsing and purchasing habits, and creditworthiness.
Categories of Personal Data collected from third parties, including from identity verification vendors, data brokers, vendors that help us with fraud detection, your bank, merchants or third party platforms you engage with using our Services:
Information from your connected third party accounts. If you choose to connect non-financial or financial account such as your personal email, social media, or bank or credit accounts, we will collect information consistent with the disclosed purpose for which it was linked. For example, if you choose to participate in Open Banking, we will collect account credentials, account balances, account transactions, and information about your financial standing from your linked accounts. You may change your mind about use of this feature and unlink your connected accounts at any time.
Information from Credit Reporting Agencies. Where permitted by law, we collect credit-related information such as outstanding and historical debt, repayment history, previous credit approvals, current employment relationship, and relationship with other financial institutions within the framework of your use of our Services.
Transaction Information. Information about your order details and purchases, such as item description, quantity, price, currency, shipping address, online shopping cart information, seller and buyer information, and Payment Information. This includes information from your transactions where you use our Services without a PayPal account (e.g. Guest checkout).
Information related to legal requirements. Consistent with applicable law (et. anti-money laundering laws), this may include information from external sanction lists such as name, date of birth, place of birth, occupation, and the reason why the person is on the list in question.
Third party applications. Information from others from your use of third-party applications, such as the Apple App Store or Google Play Store, social networking sites, such as name, your social network ID, Location Information, email, device ID, browser ID, and profile picture. Your use of third-party applications is subject to the privacy notice and terms of service for such applications.
Categories of Personal Data automatically collected about you, including through your access to our website or mobile app, from cookies and similar tracking technologies, and your devices:
Technical Usage Data. Information about response time for web pages, download errors and date and time when you used the service, such as your IP address, statistics regarding how pages are loaded or viewed, the websites you visited before coming to the Sites and other usage and browsing information collected through Cookies (“Technical Usage Data”).
Information from your device. Information about your language settings, IP address, browser ID, device ID, cookie preferences, time zone, operating system, platform, screen resolution and similar information about your device settings, and data collected from cookies or other tracking technologies,
Location Information. Information from IP-based geolocation such as latitude and longitude data, and Global Positioning System (GPS) information when you give us permission through your device settings.
Inferred data. Inferences drawn to create a profile about you that may reflect behavior patterns and personal preferences, such as gender, income, browsing and purchasing habits, and creditworthiness.
5. What Personal Data is used and for which Legal Basis?
We may process your Personal Data for a variety of reasons that are permitted under data protection laws applicable in the European Union (EU), United Kingdom (UK), and Switzerland, and in accordance with the lawful bases below:
We collect the following Personal Data we consider necessary to fulfil our pre-contractual and contractual obligations to you and without which you will not be able to use the Services.
Necessary categories of Personal Data include:
- Registration and Contact Information
- Identification and Signature Information
- Payment Information
- Information related to legal requirements
- Information you provide when you contact us
- Transaction information
- Package Tracking
- Service-specific Personal Data
- Information from credit reporting agencies and financial institutions
- Information from your connected financial accounts
- Information from your use of the Services
- Technical usage data
- Device information
- Location data
These activities include:
- to provide our Services, to fulfil relevant agreements with you and to otherwise administer our business relationship with you.
- to administer your payment for products and the customer relationship.
- to assess your creditworthiness in connection with your application, confirm your identity and your contact information, and protect you and others from fraud.
- to confirm your identity, also through the use of electronic signature, and verify your personal and contact details.
- to prove that transactions have been executed.
- to establish, exercise or defend a legal claim or collection procedures.
- to comply with internal procedures.
- to assess which payment options and services to offer you, for example by carrying out internal and external credit assessments.
- for customer analysis, to administer our Services, and for internal operations, for example troubleshooting, data analysis, testing, research and statistical purposes.
- to communicate with you in relation to our Services.
- to comply with applicable EU and Member State laws, such as anti-money laundering and booking keeping laws and rules issued by our designated banks and relevant card networks.
We have a legitimate interest in ensuring that PayPal remains a secure financial service and continuing to offer services that are innovative and of interest to you. We do this where our legitimate interests are not outweighed by your right not to have your data processed for this purpose.
These activities include:
- to ensure that content is presented in the most effective way for you and your device.
- to prevent misuse of our Services as part of our efforts to keep our platform safe and secure.
- to determine your eligibility for and to communicate with you about Services for which you may qualify or that may be of interest to you, for example by carrying out internal credit assessments.
- to carry out risk analysis, fraud prevention and risk management.
- to improve our Services and for general business development purposes, for example improving risk models to minimize fraud, develop new products and features and explore new business opportunities.
- To keep your Account and financial information up to date.
- for marketing, product and customer analysis, including testing, for example to improve our product range and optimize our customer offerings.
- to comply with applicable laws, such as anti-money laundering, bookkeeping laws, regulatory capital adequacy requirements, and rules issued by our designated banks and relevant card networks. For example, when we process Personal Data for know-your-customer (“KYC”) requirements, to prevent, detect and investigate money laundering, terrorist financing and fraud. We also carry out sanction screening, report to tax authorities, police enforcement authorities, enforcement authorities, supervisory authorities where we are not compelled by EU and Member State law but where we have a good faith belief that sharing the information is necessary to comply with applicable law.
- to facilitate your participation in competitions, offerings, and events.
- to conduct financial risk management obligations such as credit performance and quality, insurance risks and compliance with capital adequacy requirements under applicable law
- to process information about your contacts to make it easy for you to find and connect them and improve payment accuracy. By providing us with information about your contacts you certify that you have permission to provide that information to PayPal for the purposes described in this Privacy Statement.
- to provide you with information, news, and marketing about our Services, including where we partner with others to offer similar services.
- to associate information about you to identify your use of Services without a PayPal account (e.g. Pay without a PayPal account) or Unbranded Payment Services (e.g. such as Braintree) and to associate such transactions with your account, if you have one or later establish an account.
- to remember your preferences for the next time you use the Services, such as which of your payment methods you prefer or whether you choose to receive digital receipts via email or text when you checkout.
We have a legal obligation under EU and Member State laws to conduct certain processing activities. We do this where it is necessary to comply with applicable laws.
These activities include:
- to provide our Services and products.
- to certify your identity, also for signature purposes, and verify your personal and contact details.
- to establish, exercise or defend a legal claim or collection procedures.
- to prevent misuse of our Services as part of our efforts to keep our platform safe and secure.
- to carry out risk analysis, fraud prevention and risk management.
- to comply with applicable laws, such as anti-money laundering and bookkeeping laws and regulatory capital adequacy requirements and rules issued by our designated banks and relevant card networks. For example, when we process Personal Data for know-your-customer (“KYC”) requirements, to prevent, detect and investigate money laundering, terrorist financing and fraud. We also carry out sanction screening, report to tax authorities, police enforcement authorities, enforcement authorities, supervisory authorities.
We rely on your explicit and voluntary consent to process your Personal Data to participate in certain features that while not necessary for use of the Services may be of interest to you, such as syncing your contact list to your account, providing biometric data, targeted advertising, linking your email account for package tracking or connecting to a third-party platform. You may change your mind about use of these features at any time through your account settings. Note that withdrawing your consent will not affect the lawfulness of any processing we have conducted prior to your withdrawal. Please refer to Section 10 (“Your data protection rights”) for more information on your right to withdraw your consent.
6. Do We Share Personal Data, and why?
We will share your Personal Data with third parties where there is a lawful basis to do so.
This includes:
- With other PayPal Companies, in order to provide you with the Services and for our own legitimate interests in conducting our business. These interests are described further in Section 5 (“What Personal Data is used and for which legal basis?”). The receiving PayPal company will process your Personal Data in accordance with this Privacy Statement.
- With authorities, to the extent we are under a legal obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities and supervisory authorities in relevant countries. We may also be required to provide competent authorities information about your use of our Services, for example revenue or tax authorities, which may include your name, address and information regarding card transactions processed by us on your behalf through our Services. The legal basis for complying with disclosure obligations under EU and Member States’ law is legal obligation and where acting under non-EU and Member State law, on the basis of our legitimate interest to comply with relevant laws to deter illegal conduct.
- With other financial institutions and card networks, for example to facilitate payment processing, to jointly offer a product or to add cards to your electronic wallet. The legal basis for our disclosure is performance of our contract with you. These parties may also access your Personal Data for other legitimate purposes such as identification verification, fraud prevention and risk management. The legal basis for this processing is the legitimate interest of ourselves and our partners to deter fraudulent and illegal conduct.
- With fraud prevention and identity verification agencies, for example to assist us in detecting activities suggestive of fraud. The legal basis for this processing is the legitimate interest of ourselves and our partners to deter fraudulent and illegal conduct.
- With debt collection agencies, for example to collect unpaid overdue debts through a third party such as a debt collection agency. We do this on the basis of our legitimate interest to conduct business and recover debts. Please be aware that these parties’ privacy notice applies to the processing of Personal Data that you share directly with them, and they may report your unpaid debts to credit reporting agencies which may affect your creditworthiness or ability to secure future credit.
- With service providers that operate at our direction and on our behalf to perform services we outsource to them, such as marketing, IT development, maintenance, hosting and support and customer service operations. The legal basis for this processing is the performance of our contractual obligations to you.
- With other Users in accordance with your Account Settings. You may display or make certain information available to other Users, such as your profile photo, first and last name, username, or city in accordance with your Account Settings. The legal basis for this processing is your consent. Please note that you can change your profile settings at any time and at no cost to you.
- With financial institutions in connection with your participation in Open Banking, for example when you initiate an Account connection with another bank, card account, or aggregator. We do this to check if you have sufficient funds or confirm your ownership of the account. When you choose to link your Account the legal basis for accessing your account data is performance of our contractual obligations to you.
- With partners and merchants, their service providers and others involved in a transaction, for example when you use the Services to initiate online purchases, pay other Users, or return goods we may share information about you and your Account with the other parties involved in processing your transactions. The legal basis for this processing is the performance of our contractual obligations to you and for our legitimate interests. Please note that Personal Data shared with partners and merchants (or their service providers) involved in a transaction is subject to the partners and merchants’ own privacy policy and procedures.
- With third parties that are independent data controllers, for example when we share Personal Data to credit reference agencies, acquirers and other financial institutions, or security products to prevent bots from accessing our Services. Please be aware that these parties’ privacy notice applies to the processing of Personal Data that you share directly with them. For example, we use Google’s reCAPTCHA to prevent misuse of our Services, when you access our mobile application. Google’s Privacy Policy and Terms of Use apply to the processing of Personal Data you share with them. For more information specific to credit reference agencies we partner to assess your creditworthiness, see Section 12, (“Credit Reference Agency Information Notice”).
- With buyers or in connection with business transfer, for example if we sell business or assets, we may share your Personal Data to a buyer of those business or assets. If PayPal or a significant portion of PayPal’s assets are acquired by a third party, Personal Data may also be shared. PayPal has a legitimate interest in being able to carry out these transactions.
7. How long does PayPal store your Personal Data?
We retain Personal Data for as long as needed or permitted in context of the purpose for which it was collected and consistent with applicable law.
The criteria used to determine our retention period is as follows:
- Personal Data used for the ongoing relationship between you and PayPal is stored for the duration of the relationship plus a period of 10 years
- Personal Data in relation to a legal obligation to which we are subject is retained consistent with the applicable law, such as under applicable bankruptcy laws and AML obligations.
- We retain Personal Data for the least amount of time necessary where retention is advisable in light of litigation, investigations, audit and compliance practices, or to protect against legal claims.
8. International Transfers of Personal Data
We operate in many countries, and we (or our service providers) may move your data and process it outside the country where you live. We use third-party service providers to process and store your information in the United States and other countries. These countries do not always afford an equivalent level of privacy protection. We have taken specific steps, in accordance with EU and UK data protection laws, to protect your Personal Data. For transfers of your Personal Data within PayPal Companies, we rely on Binding Corporate Rules approved by competent Supervisory Authorities (available here). Other transfers are based on standard contractual clauses, approved by the European Commission, to help ensure your information is afforded a high standard of protection and that your privacy rights are respected.
9. How Do We Use Cookies and Tracking Technologies?
When you interact with our Services, open email we send you, or visit a third-party website for which we provide Services, we and our partners use cookies and other tracking technologies such as pixel tags, web beacons, and widgets (collectively, “Cookies”) to recognise you as a User, customise your online experiences and online content, including to serve you interest-based advertising, perform analytics; mitigate risk and prevent potential fraud, and promote trust and safety across our Sites and Services. Certain aspects and features of our Services and Sites are only available through the use of Cookies, so if you decline certain Cookies, your use of the Sites and Services may be limited or not possible.
We use Cookies to collect your device information, internet activity information, and inferences as described above.
Cookies help us to do the following:
- Remember your information so you do not have to re-enter it
- Track and understand how you use and interact with our online services and emails
- Tailor our online services to your preferences
- Measure how useful and effective our services and communications are to you
- Otherwise manage and enhance our products and services
Do Not Track (DNT) is an optional browser setting that allows you to express your preferences regarding tracking by advertisers and other third parties. At this time our Sites are not designed to respond to DNT signals or similar mechanisms from browsers.
Please review our Statement on Cookies and Tracking Technologies to learn more about our use of Cookies.
10. Your Data Protection Rights
Under applicable data protection law, you have certain rights to control our collection and use of your Personal Data. Your rights include:
Access, rectification, deletion, objection, portability, and restriction of your information
- We recognize the importance of your ability to control use of your Personal Data and provide several ways for you to exercise your rights to access (right to know), rectification (correction or update), deletion (erasure), objection, portability (transferring), and to restrict process in whole or in part.
- If you have an Account you can exercise your data protection rights by accessing “Data and Privacy” from Account Settings in the PayPal app. Even if you do not you have an Account (for example, where you use Payment without a PayPal account), you can submit a request for access, modification, correction, or deletion of your information, for your Payment without a PayPal account transactions. You can submit a request related to someone else’s information, if you are their authorized agent, by contacting us. Please note that we may require you to provide additional information for verification.
Your right to object to the Automated Decisions and profiling
- If you are not approved under the Automated Decisions described below, you will not have access to our services, such as our payment methods. PayPal has several safety mechanisms to ensure the decisions are appropriate. These mechanisms include ongoing overviews of our decision models and random sampling in individual cases. If you have any concern about the outcome, you can contact us, and we will determine whether the procedure was performed appropriately.
- You have the right to object to an Automated Decision with legal consequences or decisions which can otherwise significantly affect you (together with the relevant profiling) by contacting us. We will then review the decision, taking into account relevant additional circumstances.
Consent
- Generally, if we use your Personal Data with your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on a lawful processing ground other than consent.
Right to object to Direct Marketing
Right to object to Legitimate Interest processing
|
How do you exercise your rights and how can you contact us or the data protection authority?
- If you are unhappy with our processing of your Personal Data for any reason, you have the right to lodge a complaint with the supervisory authority for data protection in your country.
- Our Data Protection Officer can be contacted online or by post at PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
- You may also seek a remedy through local courts if you believe your rights have been breached.
- You may also lodge a complaint with our lead supervisory authority for data protection, Luxemburg National Commission for Data Protection (CNPD) by post at Commission Nationale pour la Protection des Donnees, Service des plaints, 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg.
- UK Representative can be contacted by post for any UK-specific data protection inquiries at Bird & Bird GDPR Representative UK, 12 New Fetter Lane, Holburn, London EC4A 1JP.
11. Specific information about automated decision-making and profiling
“Automated-decision making” is the process of making a decision by fully automated means without human involvement. In some cases these decisions could have a legal or similarly significant effect on you as an individual. “Profiling” means analysis of an individual's personality, behaviour, interest and habits to make predictions or decisions about them. Where authorised under EU or Member State law or where necessary for the entry into or performance of a contract, we may in some cases use automated decision-making or profiling for decisions. An example of our use of automated decision making is evaluation of your creditworthiness to assess your suitability for certain credit products.
We believe that by making such decisions automatically, PayPal increases its objectivity and transparency in deciding which services to offer you. We deploy several safety mechanisms to ensure the decisions are appropriate. These mechanisms include ongoing overviews of our decision models and random sampling in individual cases. You can always ask for a manual decision-making process instead, express your opinion or contest decision making based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you. You can find out more about how to object to these decisions in Section 10 (“Your data protection rights”).
Contact our Data Protection Officer (DPO) Online if you require more information on our use of Automated-decision making or Profiling.
12. Why do we share your Personal Data with credit reference agencies?
If you have applied for or use our credit Services, in order to process your application, we may supply your Personal Data to credit reference agencies (CRAs) and they will give us information about you, such as your financial history. We do this to assess creditworthiness and product suitability, check your identity, trace and recover debts and prevent criminal activity.
The legal bases for such transmissions are found in Article 6, paragraph 1, letter b (contractual) and Article 6, paragraph 1, letter f (legitimate interest) of the EU General Data Protection Regulation (“EU GDPR”).
We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. This information may be supplied by CRAs to other organizations to perform similar checks and to trace your whereabouts and recover debts that you owe.
Your data will also be linked to the data of any joint applicants or other financial associates.
How to Find Out More
Contact our Data Protection Officer (DPO) Online for details of which CRA we have used for a specific search.
The list of CRAs used in the UK and EEA, can be found here, including identities of the CRAs used in each relevant country, and a link to their privacy notice from which you can determine the ways in which they use and share Personal Data, including how long they will retain such Personal Data. You can contact the credit reference agencies operating in the country in which you live directly if you have any questions regarding their services, your credit score or the information they have stored about you, or if you wish to exercise your data subject rights towards them.
13. How Do We Protect Your Personal Data?
We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorised access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centres, and information access authorisation controls. While we are dedicated to securing our systems and Services, you are responsible for securing and maintaining the privacy of your password(s) and Account/profile registration information and verifying that the Personal Data we maintain about you is accurate and current. We are not responsible for protecting any Personal Data that we share with a third-party based on an account connection that you have authorised.
14. Can Children Use Our Services?
We do not knowingly collect information, including Personal Data, from children under the age of 16 or other individuals who are not legally able to use our Sites and Services. If we obtain actual knowledge that we have collected Personal Data from someone not allowed to use our Services, we will promptly delete it, unless we are legally obligated to retain such data.
Please contact us if you believe that we have mistakenly or unintentionally collected information from someone not allowed to use our Services.
15. Updates to this Privacy Statement.
We revise this Privacy Statement from time to time to reflect changes to our business, Services, or applicable laws. If the revised version requires notice in accordance with applicable law, we will provide you with 30 days prior notice by posting notice of the change on the "Policy Updates" or "Privacy Statement" page of our website, otherwise the revised Privacy Statement will be effective as of the published effective date.
16. Banking Regulations Notice for Users in the EEA and UK
In general, the Luxembourg laws to which PayPal’s handling of user data is subject (data protection and bank secrecy) require a higher degree of transparency than most other EU laws. This is why, unlike the vast majority of providers of internet-based services or financial services in the EU, PayPal has listed in this Privacy Statement the third party service providers and business partners to whom we may disclose your data, together with the purpose of disclosure and type of information disclosed. You will find a link to those third parties here. By accepting this Privacy Statement and maintaining an account with PayPal, you expressly agree to the transfer of your data to those third parties for the purposes listed.
PayPal may update the list of third parties referred to above on the first business day of every quarter (January, April, July and October). PayPal will only start transferring any data to any of the new entities or for the new purposes or data types indicated in each update after 30 days from the date when that list is made public through this Privacy Statement. You should review the list each quarter on the PayPal website on the dates stated above. If you do not object to the new data disclosure, within 30 days after the publication of the updated list of third parties, you are deemed to have accepted the changes to the list and to this Privacy Statement. If you do not agree with the changes, you may close your account and stop using our services.
In order to provide the PayPal Services, certain of the information we collect (as set out in this Privacy Statement) may be required to be transferred to other PayPal related companies or other entities, including those referred to in this section in their capacity as payment providers, payment processors or account holders (or similar capacities). You acknowledge that according to their local legislation, such entities may be subject to laws, regulations, inquiries, investigations, or orders which may require the disclosure of information to the relevant authorities of the relevant country. Your use of the PayPal Services constitutes your consent to our transfer of such information to provide you the PayPal Services.
Specifically, you agree to and direct PayPal to do any and all of the following with your information:
a. Disclose necessary information to: the police and other law enforcement agencies; security forces; competent governmental, intergovernmental or supranational bodies; competent agencies, departments, regulatory authorities, self-regulatory authorities or organisations (including, without limitation, the Agencies referenced in the “Agencies” section of the Third Party Provider List here) and other third parties, including PayPal Group companies, that (i) we are legally compelled and permitted to comply with, including but without limitation the Luxembourg laws of 24 July 2015 on the US Foreign Account Tax Compliance Act (“FATCA Law”) and 18 December 2015 on the OECD common reporting standard (“CRS Law”); (ii) we have reason to believe it is appropriate for us to cooperate with in investigations of fraud or other illegal activity or potential illegal activity, or (iii) to conduct investigations of violations of our User Agreement (including without limitation, your funding source or credit or debit card provider).
If you are covered by the FATCA or CRS Law, we are required to give you notice of the information about you that we may transfer to various authorities. Please read more about PayPal's obligations under the FATCA and CRS Law and how they could affect you as well as take note of the information we may disclose as result.
We and other organisations, including parties that accept PayPal, may also share, access and use (including from other countries) necessary information (including, without limitation the information recorded by fraud prevention agencies) to help us and them assess and to manage risk (including, without limitation, to prevent fraud, money laundering and terrorist financing). Please contact us if you want to receive further details of the relevant fraud prevention agencies. For more information on these Agencies, fraud prevention agencies and other third parties, click here.
b. Disclose Account Information to intellectual property right owners if under the applicable national law of an EU member state they have a claim against PayPal for an out-of-court information disclosure due to an infringement of their intellectual property rights for which PayPal Services have been used (for example, but without limitation, Sec. 19, para 2, sub-section 3 of the German Trademark Act or Sec. 101, para 2, sub-section 3 of the German Copyright Act).
c. Disclose necessary information in response to the requirements of the credit card associations or a civil or criminal legal process.
d. Disclose your name and PayPal link in the PayPal user directory. Your details will be confirmed to other PayPal users in response to a user searching using your name, email address or telephone number, or part of these details. This is to ensure people make payments to the correct user. This feature can be turned off in the PayPal profile settings.
e. If you as a merchant use a third party to access or integrate PayPal, we may disclose to any such partner necessary information for the purpose of facilitating and maintaining such an arrangement (including, without limitation, the status of your PayPal integration, whether you have an active PayPal account and whether you may already be working with a different PayPal integration partner).
f. Disclose necessary information to the payment processors, auditors, customer services providers, credit reference and fraud agencies, financial products providers, commercial partners, marketing and public relations companies, operational services providers, group companies, agencies, marketplaces and other third parties listed here. The purpose of this disclosure is to allow us to provide PayPal Services to you. We also set out in the list of third parties, under each " Category", non-exclusive examples of the actual third parties (which may include their assigns and successors) to whom we currently disclose your Account Information or to whom we may consider disclosing your Account Information, together with the purpose of doing so, and the actual information we disclose (except as explicitly stated, these third parties are limited by law or by contract from using the information for secondary purposes beyond the purposes for which the information was shared).
g. Disclose necessary information to your agent or legal representative (such as the holder of a power of attorney that you grant, or a guardian appointed for you).
h. Disclose aggregated statistical data with our business partners or for public relations. For example, we may disclose that a specific percentage of our users live in Manchester. However, this aggregated information is not tied to Personal Data.
i. Share necessary Account Information with unaffiliated third parties (listed here) for their use for the following purposes:
- Fraud Prevention and Risk Management: to help prevent fraud or assess and manage risk.
- Customer Service: for customer service purposes, including to help service your accounts or resolve disputes (e.g., billing or transactional).
- Shipping: in connection with shipping and related services for purchases made using PayPal.
- Legal Compliance: to help them comply with anti-money laundering and counter-terrorist financing verification requirements.
- Service Providers: to enable service providers under contract with us to support our business operations, such as fraud prevention, bill collection, marketing, customer service and technology services. Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own benefit.
17. Definitions
- Device Information means data that can be automatically collected from any device used to access the Site or Services. Such information may include, but is not limited to, your device type; your device’s network connections; your device’s name; your device IP address; information about your device’s web browser and internet connection you use to access the Site or Services; Geolocation Information; information about apps downloaded to your device; and biometric data.
- Geolocation Information means information that identifies, with precise specificity, your location by using, for instance, longitude and latitude coordinates obtained through your GPS, or your device settings.
- Location Information means information that identifies, with reasonable specificity, your approximate location by using, for instance, longitude and latitude coordinates obtained through GPS or Wi-Fi or cell site triangulation.
- Partner means the merchant or business that our Users transact with for the purpose of obtaining goods or services.
- Pay without a PayPal account means the same as in the Terms for Payments without a PayPal account.
- PayPal Companies means companies that are owned and operated by PayPal, and process Personal Data in accordance with their terms of service and privacy policies. PayPal Companies include Honey Science LLC, Paidy Inc., Happy Returns, LLC, HyperWallet, and Braintree.
- Personal Data means information that can be associated with an identified or directly or indirectly identifiable natural person. “Personal Data” can include, but is not limited to, name, postal address (including billing and shipping addresses), telephone number, email address, payment card number, other financial account information, account number, date of birth, government-issued credentials (e.g., driver’s license number, national ID, passport number), and biometrics.
- Processing means any method or way that we handle Personal Data or sets of Personal Data, whether by automated means, such as by collection, recording, categorization, structuring, storage, adaptation or alteration, retrieval, and consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
- Services means any PayPal branded or Unbranded Payment Services, Pay without a PayPal account, credit products and services, content, features, technologies, or functions, and all related websites, applications and services offered to you by PayPal. Your use of the Services includes use of our Sites.
- Sites means the websites, mobile apps, official social media platforms, or other online properties through which PayPal offers the Services and which has posted or linked to this Privacy Statement.
- Unbranded Payment Services means you are interacting with and making payments to merchants using our card payment services that do not carry the PayPal brand.
- User is any person who uses the Services as a consumer for personal or household use. For the purposes of this Notice, “User” includes “you” and “your”.
18. Our Contact Information
Contact our Data Protection Officer (DPO) Online or offline at PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
If you are a resident of the UK, contact our representative at Bird & Bird GDPR Representative UK, 12 New Fetter Lane, Holburn, London EC4A 1JP.