Information on personal data processing for users of the payment service

Version 1 – Last update on 04/2024

Pursuant to Article 13 of the EU Regulation 2016/679 (hereinafter the “Regulation”), Fabrick S.p.A (hereinafter the “Company” and/or the “Data Controller”), provides you with the following information regarding the characteristics of its processing of your personal data.

1) Who is the Data Controller?

The Data Controller of personal data is Fabrick S.p.A. – with registered office in Biella (BI) 13900, Piazza Gaudenzio Sella No. 1.

2) How to contact the Data Protection Officer?

The Data Protection Officer (hereinafter, "DPO – Data Protection Officer") can be contacted using the following contact details:

  • Postal address of Fabrick S.p.A.: Piazza Gaudenzio Sella No. 1, 13900, Biella – DPO;
  • Email address: privacy@fabrick.com

3) What data is or may be processed, and what are the data sources?

The processing involves the personal data of the user of payment services (hereinafter, "Data Subject") and is carried out within the scope of the authorization, processing, and settlement of payment services through any payment instrument between the merchant where an online purchase is made (hereinafter, the "Merchant") and the Data Subject making the purchase, enabling the Merchant to accept and receive electronic payments (hereinafter, the "Service").

Specifically, the Data Controller processes personal data belonging to the following categories:

  • Identifying, contact, and contractual data (such as: name, surname, email address);
  • Data related to payment transactions (such as: card details used for payment, beneficiary, transaction purpose, and amount).

The aforementioned data is provided by the Data Subject by filling out specific forms for entering payment transaction details, either on the Data Controller’s or the Merchant’s system, and is subsequently communicated by the latter to the Data Controller.

4) On what legal bases and for what purposes is the data processed?

The processing of personal data is carried out by the Data Controller and/or third parties on its behalf only in the presence of one of the following legal bases and is limited to the pursuit of the related purposes:

  • Execution of a contract in which the Data Subject is a party or execution of pre-contractual measures requested by the Data Subject, pursuant to Article 6, paragraph 1, letter b) of the Regulation, in order to provide the Service;
  • Compliance with a legal obligation to which the Data Controller is subject, pursuant to Article 6, paragraph 1, letter c) of the Regulation, in particular to fulfill obligations related to the Service (e.g., where applicable: complaint management, anti-money laundering, and counter-terrorism measures, etc.);
  • If the Merchant has subscribed to the fraud prevention service, the legitimate interest of the Data Controller or third parties in preventing fraud in payments, pursuant to Article 6, paragraph 1, letter f) of the Regulation, to analyze the fraud risk level of transactions.

Regarding the above purposes, providing data is mandatory, and the Data Subject's consent is not required for processing. Failure to provide one or more data items will make it impossible to perform the Service.

5) To whom may personal data be disclosed?

Personal data may be accessed by personnel authorized by the Data Controller to process the data as part of their job duties, or by entities acting as processors – specifically appointed under Article 28 of the Regulation – or independent data controllers. Below are the various categories of recipients involved:

  • Public authorities within the scope of legally mandated communications (e.g., supervisory authorities);
  • Independent entities (so-called acquirers) managing payments with credit or debit cards belonging to national and international circuits;
  • Companies within the Sella Group, controlled or affiliated under Article 2359 of the Civil Code, in the case of detecting suspicious transactions, as well as Sella Group companies providing the technological infrastructure for the Service and technical support activities;
  • If the Merchant has subscribed to the fraud prevention service offered by the Data Controller, Riskified Ltd., whose privacy policy is available at the following link: https://www.riskified.com/privacy/.

6) Can data be transferred to countries outside the European Economic Area?

For technical support activities aimed at investigating and resolving anomalies and testing applications, the Data Controller may allow access to data, in a tracked manner, to Sella Group companies based in India. Personal data is not stored at the foreign company but is accessed remotely while remaining within the Company's information system. The transfer occurs based on standard contractual clauses approved by the European Commission.

Additionally, if the Merchant has subscribed to the fraud prevention service, certain data will be transferred outside the European Economic Area, specifically to Israel, to Riskified Ltd. for fraud risk analysis purposes. The transfer is permitted since the European Commission has recognized Israel as a third country that provides an adequate level of personal data protection.

7) How long is the data retained?

Personal data is processed and retained for the time necessary to provide the Service, subject to legal retention requirements for compliance and defense purposes, up to the expiration of the applicable statutory limitation period. Specifically, in accordance with Bank of Italy regulations on document, data, and information retention for anti-money laundering and counter-terrorism purposes, where applicable, data related to the execution of the Service (identifying, contact, and payment transaction data) is retained for ten years from the termination of the relationship with the Merchant.

At the end of the retention period, personal data will be stored in a manner that does not allow identification (e.g., irreversible anonymization), unless processing is necessary for one or more of the following purposes:

  • Resolution of pre-litigation and/or litigation initiated before the retention period expires;
  • Compliance with internal control function investigations/audits and/or external authority inspections initiated before the retention period expires;
  • Responding to requests from Italian and/or foreign public authorities received/notified to the Data Controller before the retention period expires.

8) What rights do Data Subjects have?

Data Subjects may exercise specific data protection rights, listed below:

  1. right of access: a data subject has the right to obtain from the Controller confirmation as to whether personal data regarding him/her are being processed, and, if they are, to have access to the personal data and detailed information on the categories of data processed, the recipients of disclosure and/or transfer of the data and additional information;
  2. right to rectification: right to have the Controller rectify inaccurate personal data without undue delay as well as to have their personal data completed, including by means of providing supplementary information;
  3. right to erasure (“oblivion”): right to have the Controller remove personal data without undue delay in the following circumstances:
    • the subject’s personal data are no longer necessary for the purposes of the processing;
    • the consent on which the processing is based has been revoked and there are no other legal bases for the processing;
    • the personal data have been processed illegally;
    • the personal data have to be deleted in order to comply with a legal obligation;
  4. right to restriction of processing: right to obtain from the Controller the restriction of the processing of his/her data. The Company is obliged to proceed with the aforementioned restriction if:
    • the accuracy of your personal data is disputed (for the period necessary for the Data Controller to verify the accuracy of such personal data);
    • the processing is unlawful and you have objected to the deletion of your personal data and requested its restriction;
    • the personal data (although no longer necessary for the purposes of the processing) is required by you for the establishment, exercise or defence of legal claims;
    • where you have exercised your right to object as set out below, to verify that the Company's interests prevail;
  5. right to object to processing: the right to object at any time to the processing of personal data having as their legal basis a legitimate interest of the Controller;
  6. right to portability of data: the right to receive the subject’s personal data in a structured and widely used format that can be read by an automatic device, and the possibility of transferring the data to another Controller, if technically feasible; portability applies only to data processed with the consent of the data subject or based on an agreement, and only to data processed by means of electronic tools;
  7. right to lodge a complaint with a data protection authority: without prejudice to any other administrative or jurisdictional remedy, the data subject who believes the processing of his/her data violates the Regulation has the right to lodge a complaint with the data protection authority of the EU member state where he/she resides or works habitually, or the member state where the alleged infringement has occurred.

Data Subjects may exercise their rights, and request any information regarding the processing of their personal data, by sending their requests to the following addresses:

The Data Controller provides information on actions taken regarding the request without undue delay and no later than one month from receipt. If the exercise of the above rights could cause an actual and concrete prejudice to the interests protected under anti-money laundering and counter-terrorism regulations, pursuant to Article 2-undecies of the Privacy Code, the extent of these rights and certain related obligations of the Data Controller may be limited. In such cases, the exercise of these rights may be delayed, restricted, or excluded, for the necessary and proportionate time. If applicable, a reasoned notification will be sent without delay.