Visa is providing this supplemental privacy notice to give individuals in the European Economic Area (EEA), the United Kingdom (UK) and Switzerland the additional information required by the EU General Data Protection Regulation and the UK and Swiss equivalents. These provisions, which should be read together with the statements in the Visa Global Privacy Notice explain our practices with regard to data privacy in the EEA, UK and Switzerland.
Important information: European Economic Area (EEA), United Kingdom (UK) and Switzerland
-
This information is being provided by Visa Inc. for itself:
Visa Inc.
900 Metro Center Boulevard
Foster City, CA 94404
USAand its affiliates, including:
Visa Europe Limited
1 Sheldon Square
London, W2 6TT
Registration Number: Z8657396You can contact the Visa Global Privacy Office within the EEA, UK or Switzerland by emailing privacy@visa.com or writing to us at:
Global Privacy Office
Visa Europe Limited
1 Sheldon Square
London, W2 6TT
United Kingdom -
The Visa Global Privacy Notice explains the reasons why we process your Personal Information (as defined in the Global Privacy Notice). We only process Personal Information when we have a legal basis for the processing, as follows:
- To fulfil a contract with you, or as needed to fulfil a contract between you and a merchant or between you and the financial institution or other entity that issued your card, where Visa is providing payment services or acting as a data processor,
- For closely-related purposes, such as payment processing and financial account management, contract management, website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance,
- With your consent (or provided you have not objected, or opted-out, as may be appropriate under applicable law), to provide you with marketing communications, or,
- To comply with the laws that are applicable to us around the world
We may also process your Personal Information for the purposes of our own legitimate interests or for the legitimate interests of others, provided that processing does not and shall not outweigh your rights and freedoms. In particular, we will process your Personal Information as needed to:
- Protect you, us or others from threats (such as security threats or fraud),
- Enable or administer our business, such as for quality control, consolidated reporting, and customer service,
- Manage corporate transactions, such as mergers or acquisitions, and
- Understand and improve our business or customer relationships generally
-
We use profiling and analytics to understand how individuals use their Visa cards and other products, for product development purposes and business intelligence purposes. These analytics help us understand and improve our products and better serve our clients and consumers. We also use analytics for security and anti-fraud purposes, such as to identify the unauthorised use of Visa cards.
We will not make automated-decisions about you that may significantly affect you, unless (1) the decision is necessary as part of a contract that we have with you, (2) we have your explicit consent, or (3) we are required by law to use the technology.
-
You are not required by law to provide any Personal Information to Visa. For example, you always decide whether to participate in Visa promotions or to use Visa services. You are required to provide certain Personal Information to enable us to enter into a contract with you so that you can use our products and services or participate in promotions. Our registration forms indicate which data elements are required for our contracts.
When Visa provides payment processing services or acts as a data processor, we receive your Personal Information from third parties as needed to provide services or operate the Visa network.
-
You have choices about how Visa uses your Personal Information. You always have the right to object to our marketing communications. You can also object to having your Personal Information used to create anonymised and aggregated marketing reports. To exercise these choices and other choices, please visit the page Your Privacy choices.
Visa also respects the rights of EEA residents to access, correct and request erasure or restriction of their Personal Information as required by law. Where Visa is a data controller, this means:
- You generally have a right to know if Visa is storing your Personal Information. If we are, you have the right to request that we provide you with a copy of that Personal Information, or in some cases, provide the information to another data controller. If your information is incorrect or incomplete, you have the right to ask us to update it.
- You have the right to object to our processing of your Personal Information.
- You may also ask us to delete or restrict your Personal Information. If we are processing your Personal Information based on your consent, you have the right to withdraw your consent at any time.
- To exercise these rights, please contact us via email to privacy@visa.com or write to the Global Privacy Office at the address above and a member of our Privacy Team will assist you. Please understand that we may need to verify your identity before we can process your request.
If Visa is processing your Personal Information as a data processor, we will refer you to our client (such as to your Visa card issuer) for assistance with these requests. Visa supports its clients in responding to requests as required by law.
Where Visa is jointly responsible for the protection of your personal information with its clients or merchants, the parties have entered into an arrangement to determine their respective responsibilities under the GDPR. This concerns in particular the exercise of your rights and the obligation to provide you with information on the processing of your personal information. Under this arrangement, your Visa card issuer or the merchant with whom you are transacting, as applicable, is responsible for providing you with information about the processing and acts as the contact point for your queries and GDPR requests. Please check the privacy notices provided by your issuer or merchant and contact them directly if you wish to learn more about such arrangements or for assistance with any privacy requests.
If you believe that we have processed your Personal Information in violation of applicable law, you may also file a complaint with the Visa Data Protection Officer, who can be reached by contacting the Visa Global Privacy Office, or with a supervisory authority.
-
As noted in the Visa Global Privacy Notice, your Personal Information may be transferred to, stored at or processed in the United States, Singapore, Australia, the UK and other countries that may not have equivalent privacy or data protection laws.
We generally use approved Standard Contractual Clauses to ensure that Personal Information is adequately protected when it is transferred out of the EEA, the UK, or Switzerland to countries without an adequate level of data protection, but we may also make transfers to recipients with approved binding corporate rules.
Visa will assure that any transfer of Personal Information between the EEA, Switzerland and/or the UK continues to be safeguarded as described in this section and in accordance with applicable data protection laws.
Please contact us via email to privacy@visa.com if you would like more information about cross-border transfers or to obtain a copy of the Standard Contractual Clauses.
-
We will retain your Personal Information for as long as the information is needed for the purposes set forth above and for any additional period that may be required or permitted by law. The length of time your Personal Information is retained depends on the purpose(s) for which it was collected, how it’s used, and the requirements to comply with applicable laws. You may request that we delete your Personal Information by contacting us via email to privacy@visa.com or writing to the Global Privacy Office at the address above. If we do not have a legal basis for retaining your information, we will delete it as required by applicable law.