Effective Date: July 24, 2020
Effective Date: July 24, 2020
PayPal has developed this Privacy Statement to explain how PayPal, as a Data Controller, may collect, retain, process, share and transfer your Personal Data when you visit our Sites or use our Services. This Privacy Statement applies to your Personal Data when you visit Sites or use Services, and does not apply to online websites or services that we do not own or control, including websites or services of other PayPal Users.
As a European bank registered in Luxembourg, we comply with data protection and financial regulatory requirements. For the avoidance of doubt, this Privacy Statement does not constitute a “framework contract” for the purpose of the EU Payment Services Directive (2007/64/EC) or any implementation of that Directive in the European Economic Area.
This Privacy Statement is designed to help you obtain information about our privacy practices and to help you understand your privacy choices when you use our Sites and Services. Please note that our Service offerings may vary by region. This Privacy Statement may be supplemented with additional notices depending on the Sites and Services concerned. Supplementary information can be found in the Statement on Cookies and Tracking Technologies and the Banking Regulations Notice.
We have defined some terms that we use throughout the Privacy Statement. You can find the meaning of a capitalised term in the Definitions section.
Please contact us if you have questions about our privacy practices that are not addressed in this Privacy Statement.
We collect Personal Data about you when you visit our Sites or use our Services, including the following:
Registration and use information – When you register to use our Services by establishing an Account, we will collect Personal Data as necessary to offer and fulfil the Services you request. Depending on the Services you choose, we may require you to provide us with your name, postal address, telephone number, email address and identification information to establish an Account. We may require you to provide us with additional Personal Data as you use our Services.
We retain Personal Data in an identifiable format for the least amount of time necessary to fulfill our legal or regulatory obligations and for our business purposes. We may retain Personal Data for longer periods than required by law if it is in our legitimate business interests and not prohibited by law. If your Account is closed, we may take steps to mask Personal Data and other information, but we reserve our ability to retain and access the data for so long as required to comply with applicable laws. We will continue to use and disclose such Personal data in accordance with this Privacy Statement.
The cookies we use have defined expiration times; unless you visit our Sites or use our Services within that time, the cookies are automatically disabled and retained data is deleted. Please consult our Statement on Cookies and Tracking Technologies for more information.
We may Process your Personal Data for a variety of reasons that are justified under data protection laws in the European Economic Area (EEA) and Switzerland.
To operate the Sites and provide the Services, including to:
You can withdraw your consent at any time and free of charge. Please refer to the section on “Your Privacy Choices” for more information on how to do that.
We may share your Personal Data or other information about you with others in a variety of ways as described in this section of the Privacy Statement. We may share your Personal Data or other information for the following reasons:
With other members of the PayPal corporate family: We may share your Personal Data with members of the PayPal family of entities to, among other things, provide the Services you have requested or authorised; to manage risk; to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements and to help us manage the availability and connectivity of PayPal products, Services, and communications.
With other companies that provide services to us: We share Personal Data with third-party service providers that perform services and functions at our direction and on our behalf. These third-party service providers may, for example, provide you with Services, verify your identity, assist in processing transactions, send you advertisements for our products and services, or provide customer support.
With other financial institutions: We share Personal Data with other financial institutions that we have partnered with to jointly create and offer a product. These financial institutions may only use this information to market and offer PayPal-related products, unless you have given consent for other uses. We may also share Personal Data to process transactions, provide you with benefits associated with your eligible cards, and keep your financial information up to date.
With the other parties to transactions when you use the Services, such as other Users, merchants, and their service providers: We may share information about you and your Account with the other parties involved in processing your transactions. This includes other Users you are sending or receiving funds from, and merchants and their service providers. The information might include:
With other third parties for our business purposes or as permitted or required by law: We may share information about you with other parties for PayPal’s business purposes or as permitted or required by law, including:
With your consent: We also will share your Personal Data and other information with your consent or direction, including if you authorise an account connection with a third-party account or platform.
In addition, PayPal may provide aggregated statistical data to third-parties, including other businesses and members of the public, about how, when, and why Users visit our Sites and use our Services. This data will not personally identify you or provide information about your use of the Sites or Services. We do not share your Personal Data with third parties for their marketing purposes without your consent.
A significant benefit and innovation of PayPal’s Services is that you can connect your Account with a third-party account or platform. For the purposes of this Privacy Statement, an “account connection” with such a third-party is a connection you authorise or enable between your Account and a non-PayPal account, payment instrument, or platform that you lawfully control or own. When you authorise such a connection, PayPal and the third-party will exchange your Personal Data and other information directly. Examples of account connections include:
If you choose to create an account connection, we may receive information from the third-party about you and your use of the third-party’s service. For example, if you connect your Account to a social media account, we will receive Personal Data from the social media provider via the account connection. If you connect your Account to other financial accounts, directly or through a third-party service provider, we may have access to your account balance and transactional information, such as purchases and funds transfers. We will use all such information that we receive from a third-party via an account connection in a manner consistent with this Privacy Statement.
Information that we share with a third-party based on an account connection will be used and disclosed in accordance with the third-party’s privacy practices. Before authorising an account connection, you should review the privacy notice of any third-party that you authorised to have an account connection that will gain access to your Personal Data as part of the account connection. For example, Personal Data that PayPal shares with a third-party account or platform such as a social media account may in turn be shared with certain other parties, including the general public, depending on the account’s or platform’s privacy practices.
Our operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, but not limited to, third-party service providers.
The parties mentioned above may be established in jurisdictions other than your own and outside the European Economic Area and Switzerland. These countries do not always afford an equivalent level of privacy protection. We have taken specific steps, in accordance with EEA data protection law, to protect your Personal Data. In particular, for transfers of your Personal Data within PayPal related companies, we rely on Binding Corporate Rules approved by competent Supervisory Authorities (available here). Other transfers may be based on contractual protections. Please contact us for more information about this.
If you make transactions with parties outside the EEA or Switzerland or connect our Service with platforms, such as social media, outside the EEA or Switzerland, we are required to transfer your Personal Data with those parties in order to provide the requested Service to you.
Do Not Track (DNT) is an optional browser setting that allows you to express your preferences regarding tracking by advertisers and other third-parties. We do not respond to DNT signals.
You have choices when it comes to the privacy practices and communications described in this Privacy Statement. Many of your choices may be explained at the time you sign up for or use a Service or in the context of your use of a Site. You may be provided with instructions and prompts within the experiences as you navigate the Services.
Online Tracking and Interest-Based Marketing. We work with partners and third-party service providers to serve you advertising using ad-related cookies and web beacons. You can opt-out of third-party advertising-related cookies and web beacons, in which case our advertising should not be targeted to you. You will continue to see our advertising on third party websites.
Subject to limitations set out in EEA data protection laws, you have certain rights in respect of your Personal Data. In particular, you have a right of access, rectification, restriction, opposition, erasure and data portability. Please contact us if you wish to exercise these rights. If you wish to complete an access request to all personal data that PayPal holds on you, please note that photo identity will be required to prove your identity.
If you have an Account with any of our Services, you generally can review and edit Personal Data in the Account by logging in and updating the information directly. We may use automated decision-making for decisions concerning credit with your consent or where necessary for the entry into or performance of a contract or authorised by Union or Member state law.
Please contact us if you require more information on automated-decision making.
We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorised access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centres, and information access authorisation controls. While we are dedicated to securing our systems and Services, you are responsible for securing and maintaining the privacy of your password(s) and Account/profile registration information and verifying that the Personal Data we maintain about you is accurate and current. We are not responsible for protecting any Personal Data that we share with a third-party based on an account connection that you have authorised.
The Sites and Services are not directed to children under the age of 16. We do not knowingly collect information, including Personal Data, from children or other individuals who are not legally able to use our Sites and Services. If we obtain actual knowledge that we have collected Personal Data from a child under the age of 16, we will promptly delete it, unless we are legally obligated to retain such data. Contact us if you believe that we have mistakenly or unintentionally collected information from a child under the age of 16.
Changes to this Privacy Statement.
We may revise this Privacy Statement from time to time to reflect changes to our business, the Sites or Services, or applicable laws. The revised Privacy Statement will be effective as of the published effective date.
If the revised version includes a substantial change, we will provide you with 30 days prior notice by posting notice of the change on the “Policy Update” page of our website. We also may notify Users of the change using email or other means.
You may contact us if you have general questions or concerns about this Privacy Statement and supplemental notices or the way in which we handle your Personal Data.
We want to make sure your questions go to the right place:
Click here to contact us about your PayPal account or transaction, or a card payment made to a merchant.
If you are not satisfied by the way in which we address your concerns, you have the right to lodge a complaint with the Supervisory Authority for data protection in your country.
Our Data Protection Officer can be contacted at firstname.lastname@example.org or PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
Device Information means data that can be automatically collected from any device used to access the Site or Services. Such information may include, but is not limited to, your device type; your device’s network connections; your device’s name; your device IP address; information about your device’s web browser and internet connection you use to access the Site or Services; Geolocation Information; information about apps downloaded to your device; and biometric data.
Geolocation Information means information that identifies, with reasonable specificity, your location by using, for instance, longitude and latitude coordinates obtained through GPS or Wi-Fi or cell site triangulation.
Personal Data means information that can be associated with an identified or directly or indirectly identifiable natural person. “Personal Data” can include, but is not limited to, name, postal address (including billing and shipping addresses), telephone number, email address, payment card number, other financial account information, account number, date of birth, and government-issued credentials (e.g., driver’s license number, national ID, passport number).
Process means any method or way that we handle Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, and consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
Technical Usage Data means information we collect from your phone, computer or other device that you use to access the Sites or Services. Technical Usage Data tells us how you use the Sites and Services, such as what you have searched for and viewed on the Sites and the way you use our Services, including your IP address, statistics regarding how pages are loaded or viewed, the websites you visited before coming to the Sites and other usage and browsing information collected through Cookies.
The information provided in this section may be specific to customers depending on your region or is provided to PayPal from third parties whom you may interact with when using the Services. You can contact us if you have any questions about the details in this section.
In general, the Luxembourg laws to which PayPal’s handling of user data is subject (data protection and bank secrecy) require a higher degree of transparency than most other EU laws. This is why, unlike the vast majority of providers of internet-based services or financial services in the EU, PayPal has listed in this Privacy Statement the third party service providers and business partners to whom we may disclose your data, together with the purpose of disclosure and type of information disclosed. You will find a link to those third parties here. By accepting this Privacy Statement and maintaining an account with PayPal, you expressly consent to the transfer of your data to those third parties for the purposes listed.
PayPal may update the list of third parties referred to above every quarter (January 1st, April 1st, July 1st and October 1st). PayPal will only start transferring any data to any of the new entities or for the new purposes or data types indicated in each update after 30 days from the date when that list is made public through this Privacy Statement. You should review the list each quarter on the PayPal website on the dates stated above. If you do not object to the new data disclosure, within 30 days after the publication of the updated list of third parties, you are deemed to have accepted the changes to the list and to this Privacy Statement. If you do not agree with the changes, you may close your account and stop using our services.
In order to provide the PayPal Services, certain of the information we collect (as set out in this Privacy Statement) may be required to be transferred to other PayPal related companies or other entities, including those referred to in this section in their capacity as payment providers, payment processors or account holders (or similar capacities). You acknowledge that according to their local legislation, such entities may be subject to laws, regulations, inquiries, investigations, or orders which may require the disclosure of information to the relevant authorities of the relevant country. Your use of the PayPal Services constitutes your consent to our transfer of such information to provide you the PayPal Services.
Specifically, you consent to and direct PayPal to do any and all of the following with your information:
Disclose necessary information to: the police and other law enforcement agencies; security forces; competent governmental, intergovernmental or supranational bodies; competent agencies, departments, regulatory authorities, self-regulatory authorities or organisations (including, without limitation, the Agencies referenced in the “Agencies” section of the Third Party Provider List here) and other third parties, including PayPal Group companies, that (i) we are legally compelled and permitted to comply with, including but without limitation the Luxembourg laws of 24 July 2015 on the US Foreign Account Tax Compliance Act (“FATCA Law”) and 18 December 2015 on the OECD common reporting standard (“CRS Law”); (ii) we have reason to believe it is appropriate for us to cooperate with in investigations of fraud or other illegal activity or potential illegal activity, or (iii) to conduct investigations of violations of our User Agreement (including without limitation, your funding source or credit or debit card provider).
If you are covered by the FATCA or CRS Law, we are required to give you notice of the information about you that we may transfer to various authorities. Please read more about PayPal's obligations under the FATCA and CRS Law and how they could affect you as well as take note of the information we may disclose as result.
We and other organisations, including parties that accept PayPal, may also share, access and use (including from other countries) necessary information (including, without limitation the information recorded by fraud prevention agencies) to help us and them assess and to manage risk (including, without limitation, to prevent fraud, money laundering and terrorist financing). Please contact us if you want to receive further details of the relevant fraud prevention agencies. For more information on these Agencies, fraud prevention agencies and other third parties, click here.
Disclose Account Information to intellectual property right owners if under the applicable national law of an EU member state they have a claim against PayPal for an out-of-court information disclosure due to an infringement of their intellectual property rights for which PayPal Services have been used (for example, but without limitation, Sec. 19, para 2, sub-section 3 of the German Trademark Act or Sec. 101, para 2, sub-section 3 of the German Copyright Act).
Disclose necessary information in response to the requirements of the credit card associations or a civil or criminal legal process.
Disclose your name and PayPal link in the PayPal user directory. Your details will be confirmed to other PayPal users in response to a user searching using your name, email address or telephone number, or part of these details. This is to ensure people make payments to the correct user. This feature can be turned off in the PayPal profile settings.
If you as a merchant use a third party to access or integrate PayPal, we may disclose to any such partner necessary information for the purpose of facilitating and maintaining such an arrangement (including, without limitation, the status of your PayPal integration, whether you have an active PayPal account and whether you may already be working with a different PayPal integration partner).
Disclose necessary information to the payment processors, auditors, customer services providers, credit reference and fraud agencies, financial products providers, commercial partners, marketing and public relations companies, operational services providers, group companies, agencies, marketplaces and other third parties listed here. The purpose of this disclosure is to allow us to provide PayPal Services to you. We also set out in the list of third parties, under each " Category", non-exclusive examples of the actual third parties (which may include their assigns and successors) to whom we currently disclose your Account Information or to whom we may consider disclosing your Account Information, together with the purpose of doing so, and the actual information we disclose (except as explicitly stated, these third parties are limited by law or by contract from using the information for secondary purposes beyond the purposes for which the information was shared).
Disclose necessary information to your agent or legal representative (such as the holder of a power of attorney that you grant, or a guardian appointed for you).
Disclose aggregated statistical data with our business partners or for public relations. For example, we may disclose that a specific percentage of our users live in Manchester. However, this aggregated information is not tied to personal information.
Share necessary Account Information with unaffiliated third parties (listed here) for their use for the following purposes:
Fraud Prevention and Risk Management: to help prevent fraud or assess and manage risk. For example, if you use the PayPal Services to buy or sell goods using eBay Inc, or its affiliates (“eBay”), we may share Account Information with eBay in order to help protect your accounts from fraudulent activity, alert you if we detect such fraudulent activity on your accounts, or evaluate credit risk.
As part of our fraud prevention and risk management efforts, we also may share necessary Account Information with eBay in cases where PayPal has placed a hold or other restriction on your account based on disputes, claims, chargebacks or other scenarios regarding the sale or purchase of goods. Also, as part of our fraud prevention and risk management efforts, we may share Account Information with eBay to enable them to operate their programmes for evaluating buyers or sellers.
Customer Service: for customer service purposes, including to help service your accounts or resolve disputes (e.g., billing or transactional).
Shipping: in connection with shipping and related services for purchases made using PayPal.
Legal Compliance: to help them comply with anti-money laundering and counter-terrorist financing verification requirements.
Service Providers: to enable service providers under contract with us to support our business operations, such as fraud prevention, bill collection, marketing, customer service and technology services. Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own benefit.
Use of your personal data by Credit Reference Agencies in Germany
Why do we need credit scores?
Some PayPal Services require that we make advance payments and therefore take creditworthiness risk in relation to our customers (for example in case you pay with direct debit, or in connection with a credit product of PayPal). Therefore it is necessary, that we confirm the willingness and ability to pay of our customers for the purpose of certain services, by requesting creditworthiness information. This helps us in making the decision whether we can offer the product to the customer.
Why do we share personal data with credit reference agencies?
We share your information (name, address, and date of birth, bank account details) for purposes of credit checks, for the acquisition of information to assess the risk of default based on mathematical methods utilising address data, and for verifying your address.
The legal bases for such transmissions are found in Article 6, paragraph 1, letter b and Article 6, paragraph 1, letter f of the EU General Data Protection Regulation (“EU GDPR”). Information may be shared on the basis of these provisions only insofar as doing so is necessary to safeguard the legitimate interests of PayPal or third parties and where this does not override the data subject’s interests or fundamental rights and freedoms that require the protection of personal data.
Detailed information on ICD within the meaning of Article 14 of the EU GDPR, i.e., information on the business purpose, on the purposes for storing data, on the data recipients, on the data subject’s right to obtain information, on the right to have information deleted or corrected, etc. can be found at the links in the table below provided by the Credit Reference Agencies.
Please see the table below for links to the credit reference agencies for more information on how they use your data and how to contact them.
How to Find Out More
You can contact credit reference agencies currently operating in Germany and ask them about the information they have stored about you.
Name of credit reference agency and seat
Address, contact details to obtain information on what data are stored about a consumer
Accumio Finance Services GmbH
Accumio Finance Services GmbH
CEG Creditreform Boniversum GmbH
Creditreform Boniversum GmbH
CRIF Bürgel GmbH
CRIF Bürgel GmbH
SCHUFA Holding AG
SCHUFA Holding AG
See more here
infoscore Consumer Data GmbH/Arvato
infoscore Consumer Data GmbH
What Data will be sent to the credit reference agency for obtaining the Score? What data will remain with the database of the credit reference agency?
In cases where PayPal has requested a credit score about you with such credit reference agency, information may be provided to the credit reference agencies on a subsequent “negative behavior” on your side, i.e. certain instances of breaches of our contract. This includes where you have not paid an outstanding amount on your PayPal account despite there being several reminders, or any enforcement measures taken against you. This information will only be transferred if this is required in the legitimate interest of PayPal, the credit reference agency or their customers, and if no reason exists to believe that your justified interest in not transferring this information would prevail.
This information will be stored in the data base of the credit reference agency and may be used to determine a scoring value with the agency, as specified below.
How a credit reference agency uses data about "negative behavior" and use of address data for credit scores
The credit reference agency stores and uses the information received. The use includes the calculation of a probability value on the basis of the data available to the agency, to assess the credit risk (score). For the calculation of the score the credit reference agency may, on the basis of a mathematical-statistical procedure, also use address data. The data received may be transferred to contract partners in the European Area and Switzerland, in order to give these persons information for the assessment of creditworthiness of individuals. Contract partners of the credit reference agency are companies, which bear, on the basis of their services, financial credit risk (in particular financial institutions, credit card companies and leasing companies, but also traders, telecommunication companies, and energy suppliers, insurances and debt collection agencies). The credit reference agency will only make available the information to these customers, if they can establish a legitimate interest in the individual case, to require such information, and the transfer of such information is permitted after weighting all involved interests. Therefore, the information made available may vary between contract partners of the credit reference agency.
ReCaptcha is only used to fight spam and abuse.