Fraud Mitigation Privacy Notice
Fiserv, Inc., on behalf of itself and its affiliates, including First Data Corporation (together, “Fiserv” or “we”) provide the Fraud Mitigation services (formerly branded as the Fraud Detect service) (the “Service”) to subscribing merchants to help identify and reduce fraud in certain card transactions and, as applicable, in card or account registrations performed through the merchant’s mobile application and/or website. The Service includes various sub-services, products, and functionality, such as “Score” and “Control” (as those services may be rebranded from time to time). Merchants are not required to use all aspects of the Service. This “Privacy Notice” explains how we collect, use, disclose, and otherwise process personal information about cardholders and merchants in connection with the Service. This Privacy Notice does not apply to Fiserv’s privacy practices outside of the context of the Service, such as its payment card acceptance services.
Fiserv’s processing of personal information in connection with the Service is governed by this Privacy Notice and our agreement with the merchant for this Service (Service Agreement). In the event of any conflict between this Privacy Notice and a Service Agreement, the Service Agreement will control to the extent permitted by applicable law.
We provide important information here for individuals located within Member States of the European Union, countries in the European Economic Area, the United Kingdom, and Switzerland (collectively, “Europe” or “European”). We also describe European data protection rights, including a right to object to some of the processing which Fiserv carries out. More information about your rights, and how to exercise them, is set out in the “Your rights and choices” section.
This Privacy Notice is not a substitute for any privacy notice that merchants are required to provide to their customers or end-users.
We collect information about the merchant that subscribes to use the Service upon registration and when consumer transactions are processed. This information may include:
We collect information about the following categories of individuals in connection with the Service (e.g., when an individual places an order for physical or digital goods or services or registers for an account with a merchant). In many instances, these will be the same person:
Merchants may provide us with a variety of information about individuals, such as:
We may obtain a variety of information about transactions performed via the merchant’s website or mobile application. This information is associated with an individual. This type of information includes:
Merchants can choose to submit additional information to us in connection with payment transactions, account registrations, and our performance of the Service. Such information may include, without limitation:
We may collect information automatically about end-users’ computers or mobile devices in connection with account registrations or transactions. This information varies depending on whether the relevant transaction or interaction was performed via a web browser or mobile application. We may use service providers to facilitate our collection of computer or device data, including through the use of third-party cookies when the Service is implemented on a website. If we are unable to collect information about an end-user’s computer or mobile device in connection with a transaction or registration, we may be unable to provide the Service for that transaction or registration; and, as a result, a merchant may choose whether to reject or accept that transaction or registration.
The specific information we collect via mobile applications may vary depending on whether an Android or Apple device is used and the version of the operating system installed on the end-user’s device. In addition, our ability to collect certain information may depend on whether the end-user has granted the merchant’s app certain permissions. Typically, the information we may collect includes:
We use the information we collect about individuals, transactions, and devices for the purposes described in this Privacy Notice and otherwise in our Service Agreement.
We use the information we collect to provide and improve the Service, which includes:
We may send merchants who have subscribed to the Service marketing communications as permitted by law. Our marketing communications may be targeted based on aggregated information about a merchant’s use of the Service – such as transaction volume, velocity, amounts, and types of goods or services sold, and chargeback ratios. Merchants will have the ability to opt out of such communications. We do not use the data that we collect in connection with the Service to send marketing emails to the end-users or consumers of merchants that use the Service.
We use the information we collect for our own legitimate business purposes, which include:
In some circumstances, we may need consent of the data subject in the performance of our Service. Merchants are responsible for ensuring data subject consent is obtained for the performance of our Service.
We may create anonymous or deidentified data from the personal information we collect. We make personal information into anonymous or deidentified data by excluding information that makes the data personally identifiable, and use that anonymous or deidentified data for our lawful business purposes.
In addition, we may also use personal information as we believe necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We may share the information we collect:
We may sell, transfer or otherwise share some or all of Fiserv’s business or assets, including personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets or in the event of bankruptcy.
In connection with the Service, Fiserv may transfer personal information to countries outside of the country where the data was initially collected, including to the United States. Please see the Service Agreement for additional information regarding how Fiserv safeguards the personal information it transfers across borders. Additional information is provided in the section titled “Information of Relevance to European Data Subjects.”
Fiserv is made up of different legal entities. The controller is the member of the Fiserv group that signs the Service Agreement, or which is otherwise identified as the controller in the Service Agreement. If you would like more information about which Fiserv entity is the controller in respect of your information, you can contact us for this.
The contact information for Fiserv’s Data Protection Officer is:
Data Protection Officer, Fiserv
Email address: firstname.lastname@example.org
Postal address: Janus House
Our legal bases for the processing of personal information are as follows:
Processing purpose
Providing our products and services
If you are a subscribing merchant, processing is necessary to perform the contract governing our provision of the products or services or to take steps that you request prior to signing up for the Services.
Otherwise, the processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
· Research, development and analytics
· Creating anonymous data
· Compliance, fraud prevention, and safety
These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Compliance, fraud prevention, and safety (where we have a legal obligation)
Processing is necessary to comply with our legal obligations
Direct marketing (where consent is required)
Processing is based on your consent. Where we rely on your consent you have the right to withdraw it anytime in the manner indicated at the time we collect your information or by contacting us at email@example.com.
When we transfer personal data outside of Europe or the UK to countries not deemed to provide an adequate level of protection for personal data, we make the transfer as follows:
Data subjects may contact us with questions about our transfer mechanism.
The Service may involve automated decision-making subject to Article 22 of the GDPR or other privacy and consumer protection laws. Decisions are made by matching the data provided to us by merchants, such as consumers’ buying habits (for instance, the number of transactions with a particular card in a 24-hour period), with patterns indicative of fraud. This data is used to inform the automated decision-making tool and the rules that a merchant can set to ascertain if a purchase is fraudulent or not. The automated decision-making is validated based on multiple data elements which are assessed against an analysis of historical transaction data. Depending on the Service selected by the merchant, where the Service identifies a suspected fraudulent account registration or purchase that is consistent with the merchant’s pre-established thresholds for blocking registrations or transactions, Fiserv will block the registration or transaction in an automated manner. Where a registration or transaction is blocked, certain unique identifiers associated with the registration or purchase will subsequently be blocked with that merchant.
To the extent that decisions are made based solely on automated processing that produce legal or similarly significant effects, such decisions will be made where (a) they are necessary for entering into, or performing, a contract between the data subject and a data controller; (b) as authorized by applicable law; or (c) based on the data subject’s explicit consent. The merchant's privacy notice will set out more information about your rights relating to automated individual decisions – in particular, your right to obtain human intervention, to express your point of view and to contest the decision.
Fiserv retains personal information for as long as necessary to (a) provide the Service; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of the Service Agreement. Merchants may contact us for additional information about our data retention practices in connection with the Service.
Merchants are data controllers of the personal information that they provide to Fiserv or enable Fiserv to collect via the Service about their consumers or end-users. Fiserv is a data controller for personal information that it processes in order to offer its services to merchants in general and to develop and improve these services. Because merchants have a direct relationship with consumers or end-users, we ask merchants which use our services to provide all necessary privacy notices to data subjects, including information about Fiserv's processing of personal data for the Service. Merchants will also be responsible for dealing with data subject requests to exercise any rights afforded to them under applicable data protection law which relate to the transaction with the merchant. If the data subject request relates to personal data which Fiserv processes to provide services to merchants in general, then Fiserv will be responsible for dealing with the request. Fiserv and the merchants who receive services from us will assist each other in responding to such requests.
Under certain circumstances and where provided for by law, data subjects have certain rights relating to their personal data, which include the rights to request from the controller (a) access to the data subject’s personal data; (b) correction of incomplete or inaccurate personal data; (c) erasure of personal data; (d) restriction of processing concerning the data subject; and (e) that the controller provide a copy of the data subject’s personal data that the data subject provided to the controller in a structured, commonly used and machine-readable format. Data subjects may also object to a controller’s processing of personal data under certain circumstances. Where processing is based on a data subject’s consent, the data subject has the right to withdraw consent at any time; however, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. More information about how to submit a request can be found on Fiserv’s Privacy Notice. You can submit requests to exercise these rights by contacting the Fiserv Privacy Office using the following link here. We may need to request specific information from you to help us confirm your identity and ensure you are entitled to exercise a right in respect of your personal data, for example, a merchant identification number or account number. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Data subjects in the EU or UK may also file a complaint with a supervisory authority that is located where you live, work or where you believe the breach has occurred.
We reserve the right to modify this Privacy Notice at any time. We will notify our merchants of updates by updating the date of this Privacy Notice and posting the updated Privacy Notice to our website and through such other manner as may be stated in our Service Agreement.
Merchants with questions about this Privacy Notice may contact the Fraud Mitigation support team at FraudMitigationSupport@fiserv.com. Both merchants and data subjects may contact our Data Protection Officer at firstname.lastname@example.org.