Data protection at PAYBACK
Millions of people in Germany collect PAYBACK points on a daily basis and enjoy the benefits of the loyalty programme in their everyday lives. They rightly expect their data to be handled securely and appropriately. Data protection is of primary importance to market leader PAYBACK. Customers are provided with clear, detailed information about the programme and data protection on the registration form, on the website and on flyers available in partner company stores. If you have any questions relating to this topic, please send an e-mail to: datenschutz(at)payback.de.
Dr. Robert Selk
Data Protection Officer
TÜV Saarland e.V., one of Germany's leading technical inspection associations, certifies PAYBACK with the privacy trust seal
1. Complying with data protection requirements
PAYBACK's data protection system is certified by TÜV. PAYBACK handles the data it collects from loyalty programme participants in a responsible manner and in accordance with the provisions of the German Data Protection Act (Bundesdatenschutzgesetz or “BDSG”).
2. No address trading
PAYBACK does not pass on addresses. In other words, it does not sell or trade customer addresses or customer data. All personal data can only ever be accessed by PAYBACK or the company that issued the card.
3. High IT security
PAYBACK uses a variety of measures to ensure customer data is safe, including a security architecture with several firewalls, a clear structure of rights defining who can access which data, and clearly defined interfaces to partner companies. Data transferred electronically is encrypted using the internationally recognised SSL security standard.
4. Fuss-free cancellation
PAYBACK offers customers the opportunity to cancel their card without fuss at any time (e.g. through payback.de).
Most important questions about data protection
PAYBACK holds the data provided by the member on the registration form in addition to information on
- the partners from which purchases were made
- the dates on which purchases were made
- the sales generated by the card
- details from certain partners on items purchased in terms of product group (electrical goods, gourmet foods, etc.)
PAYBACK issues extensive information on this both at registration (general terms and conditions: “Information on Data Protection”) and online. In addition, flyers on data and data protection are available in partner stores. All customers are free to submit a written, telephone or online request for a list of the data stored by PAYBACK at any time. Customers can also e-mail queries to the PAYBACK data protection officer via payback.de.
No. That would require partner companies to provide PAYBACK with comprehensive information such as specific data on individual items purchased. That is not the case.
Like PAYBACK, each company has address details of customers who were issued with their PAYBACK card by that particular company (e.g. Galeria Kaufhof has address details for customers who obtained their card from Galeria Kaufhof). In addition, these companies each have product data for purchases made from their own company. However, these addresses are not available to other partners, nor do the other partners have access to any additional data on these customers.
Partners are only allowed to use and analyse data pertaining to their own customers.
Specific customer groups – such as all members in a certain postal area – can be identified for a partner. The addresses are transferred to a lettershop where they are merged with the appropriate text, sent out and then deleted. In principle, such data records are not forwarded to the company which requested the mailshot. The partner receives information only about the number of addresses.
Mailshots are always carried out via PAYBACK in its role as a central trust centre – no members’ addresses are passed on within the partner network (partners receive only data pertaining to customers who obtained cards from them). If a member gives the appropriate permission at the point of registration, he/she will also receive mailshots with information and offers relating to other partner companies.
The magnetic strip stores the customer number which is also visible on the card. The card is not personalised.
During electronic transfer, customer data is encrypted using the internationally recognised security standard 128-bit SSL, which is also employed by banks. A security architecture featuring several firewalls ensures the process is protected.
No. If they did, it would reflect very badly on PAYBACK as a direct marketing company. Our task is to make customers aware of offers from companies that are of interest to them – and to do so at sensible and appropriate intervals. One rule therefore states that customers are to receive no more than one PAYBACK mailshot per month.
The customer is deleted from the list of members and the distribution list. He/she is no longer listed as a member and will not be contacted. However, according to the German Commercial Code, as a trader, PAYBACK is obliged to retain all accounting vouchers in order to ensure business transactions can be traced for a period of ten years. In addition, PAYBACK is obliged to disclose information to customers and partners. PAYBACK must therefore retain all data. This data is not divulged to any other party and is not used for marketing purposes. Once the retention period has expired, the data is deleted in its entirety.