Data protection at PAYBACK
Millions of people in Germany collect PAYBACK points on a daily basis and enjoy the benefits of the loyalty programme in their everyday lives. They rightly expect their data to be handled securely and appropriately. Data protection is of primary importance to market leader PAYBACK. Customers are provided with clear, detailed information about the programme and data protection on the registration form, on the website and on flyers available in partner company stores. If you have any questions relating to this topic, please send an e-mail to: datenschutz(at)payback.de.
Dr. Robert Selk
Data Protection Officer
TÜV Saarland e.V., one of Germany's leading technical inspection associations, certifies PAYBACK with the privacy trust seal
1. Complying with data protection requirements
PAYBACK's data protection system is certified by TÜV. PAYBACK handles the data it collects from loyalty programme participants in a responsible manner and in accordance with the provisions of the German Data Protection Act (Bundesdatenschutzgesetz or “BDSG”).
2. No address trading
PAYBACK does not pass on addresses. In other words, it does not sell or trade customer addresses or customer data. All personal data can only ever be accessed by PAYBACK or the company that issued the card.
3. High IT security
PAYBACK uses a variety of measures to ensure customer data is safe, including a security architecture with several firewalls, a clear structure of rights defining who can access which data, and clearly defined interfaces to partner companies. Data transferred electronically is encrypted using the internationally recognised SSL security standard.
4. Fuss-free cancellation
PAYBACK offers customers the opportunity to cancel their card without fuss at any time (e.g. through payback.de).
Most important questions about data protection
Privacy and security are guaranteed even with PAYBACK payment cards: the handling of all financial data is solely the responsibility of the banks. PAYBACK is only informed of the number of points to be credited.
PAYBACK holds the data provided by the member on the registration form in addition to information on:
- the partners from which purchases were made
- the dates on which purchases were made
- the sales generated by the card
- details from certain partners on items purchased in terms of product group (electrical goods, gourmet foods, etc.)
Online via PAYBACK.de:
- Day / Time
- Turnover or basket value per order
- Cancellation (full / partial cancellation)
- Number of items per basket
- Partial categories (e.g. book / non book)
- Whether the customer purchased at the respective online shop directly via PAYBACK.de or whether the purchase occurred within the cookie validity period (14 days)
PAYBACK issues extensive information on this both at registration (general terms and conditions: “Information on Data Protection”) and online. In addition, flyers on data and data protection are available in partner stores. All customers are free to submit a written, telephone or online request for a list of the data stored by PAYBACK at any time. Customers can also e-mail queries to the PAYBACK data protection officer via PAYBACK.de.
Like PAYBACK, each company has address details of customers who were issued with their PAYBACK card by that particular company (e.g. Galeria Kaufhof has address details for customers who obtained their card from Galeria Kaufhof). In addition, these companies each have product data for purchases made from their own company. However, these addresses are not available to other partners, nor do the other partners have access to any additional data on these customers. Only in special cases, if the customer specifically consents, can data be passed to PAYBACK partner companies.
Partners are only allowed to use and analyse data pertaining to their own customers.
We select certain customer groups for partners (e.g. all members of the postcode 8...). These addresses are transmitted to a letter shop, where they are merged with the texts, sent and then deleted. Selected records are generally not made available to the commissioning company. The partner will only receive information on the number of selected addresses.
Mailshots are always carried out via PAYBACK in its role as a central trust centre – no members’ addresses are passed on within the partner network (partners receive only data pertaining to customers who obtained cards from them). If a member gives the appropriate permission at the point of registration, he/she will also receive mailshots with information and offers relating to other partner companies.
The magnetic strip stores the customer number which is also visible on the card. The card is not personalised.
During electronic transfer, customer data is encrypted using the internationally recognised security standard 128-bit SSL, which is also employed by banks. A security architecture featuring several firewalls ensures the process is protected.
No, our task is to make customers aware of offers from companies that are of interest to them – and to do so at sensible and appropriate intervals.
The customer is deleted from the list of members and the distribution list. He/she is no longer listed as a member and will not be contacted. However, according to the German Commercial Code, as a trader, PAYBACK is obliged to retain all accounting vouchers in order to ensure business transactions can be traced for a period of ten years. In addition, PAYBACK is obliged to disclose information to customers and partners. PAYBACK must therefore retain all data. This data is not divulged to any other party and is not used for marketing purposes. Once the retention period has expired, the data is deleted in its entirety.
PAYBACK stores the personal data obtained from use of the PAYBACK card only in data centres in Germany. Furthermore, the data security measures employed at these data centres are certified according to internationally recognised standards (e.g. ISO 27001) and are subject to PAYBACK’s own continuous checks.