cashless payment

Studierendenwerk Dortmund AöR
Vogelpothsweg 85, 44227 Dortmund
Phone: 0231-20649-0
Fax: 0231-754060
E-mail: info(at)stwdo.de

For further information about us, please see the imprint and the contents of this website.

When paying by girocard or credit card, we work together with so-called network operators and with so-called acquirers, whereby each has its own separate responsibility for processing in the respective technical sphere of influence of the data.

In the case of payment by girocard or credit card, StwDo is responsible for the operation of the payment terminals and for the internal data transmission network up to the secure transmission via internet or telephone line to the network operator in terms of data protection.

Our network operator for card payments in our catering facilities, at the drinks and snack machines and at the washing machines in our residential complexes is PAYONE. If payment is made by credit card, PAYONE is also the so-called acquirer. PAYONE's contact details: PAYONE GmbH, Lyoner Str. 9, 60528 Frankfurt/Main, www.payone.com. The company data protection officer of PAYONE can be contacted at the above address with the addition of "Data Protection Officer" or by e-mail at privacy@payone.com. Details on the processing of your personal data can be found at www.payone.com/dsgvo.

When paying by credit card or by Girocard in the area of student housing (rental payments), the network operator and also the acquirer is VR Payment GmbH. Contact details of VR Payment:

VR Payment GmbH, Saonestraße 3a, 60528 Frankfurt am Main, www.vr-payment.de. The company data protection officer can be contacted at the above address or by e-mail at datenschutz(at)vr-payment.de. Details on the processing of your personal data can be found at https://www.vr-payment.de/datenschutz-haftung.

You can obtain a paper copy of PAYONE's data protection information at the Infopoint, or from VR-Payment in the Student Housing area if you pay your rent by card there.

The purpose of data processing is to collect and process the data required to carry out cashless payments. The payment processes are designed in such a way that the identity of the paying persons is not known to StwDo.

The possibility of cashless payment exists at all locations operated by the StwDo, in particular at the checkout locations of the refectories and cafeterias, at the beverage and snack vending machines and at the washing machines in our residential facilities. There is also the option of card payment in our Student Housing area for rent payments.

Payment via smartphone using an app, for example via Bluecode, is only possible at some selected dining locations.

For the purpose of cashless payment, the following means of payment are accepted

a. Girocards (or cards with EC Cash function),
b. Credit cards,
c. Mobile payment via a smartphone using an app such as Bluecode®, Apple Pay or Google Pay
d.the GeldKarte chip on the student or service ID card,
e. the GeldKarte chip on the MensaCard or Whitecard.

If personal data is processed in order to make cashless payments, you will find further information on the individual means of payment below.

To answer a frequently asked question at the same time:

When making cashless payments, StwDo does not record who eats what food and drinks or who does their laundry and how often. At the checkout, of course, each individual item is recorded in the POS system when payment is made, and the washing machine management system records every single wash that is done. But in the context of payment processing, only the information that the respective items or wash cycles have been paid for or that the payment has been rejected is processed, without any assignment to persons being made at our end. This applies to all cashless means of payment.

a. Girocards (or cards with electronic cash function)

If you pay by girocard, the StwDo is the payment recipient. When the payment is processed, the StwDo receives the information whether the payment is confirmed or the transaction was not successful. The StwDo does not receive any information about the balance of your bank account. The terms and conditions and data protection information of the respective payment service providers apply.

With the payment terminal at which the Girocard is scanned, the payment recipient collects personal data and transmits it to the network operator (PAYONE GmbH or VR Payment GmbH, for contact details see point 1 above).

The network operator and the respective payment service providers for the acceptance and settlement of payment transactions further process the data. This is done in particular for payment processing, to prevent card misuse, to limit the risk of payment defaults and for legally prescribed purposes, such as anti-money laundering and criminal prosecution. For these purposes, your data will also be transmitted to other responsible parties, such as your card-issuing bank.

For the payment, card data (IBAN, card expiry date, card sequence number) and payment data (amount, date, time, location and checkout location identifier of the card reader, verification data of the card-issuing bank) as well as the PIN you entered are processed. This data is read in or entered at the card reader and transmitted in a secure manner; the identity of the cardholder cannot be identified by the StwDo.

Details on the processing of your personal data can be found at www.payone.com/dsgvo or at https://www.vr-payment.de/datenschutz-haftung.

b. Credit cards

If you pay with your credit card, StwDo is the payment recipient. When the payment is processed, the StwDo receives the information whether the payment is confirmed or the transaction was not successful. StwDo does not receive any information about the balance of your bank account or credit card. The terms and conditions and data protection information of the respective payment service providers apply.

With the payment terminal at which the credit card is read, the payment recipient collects personal data and transmits it to the network operator and to the so-called acquirer (in our case PAYONE GmbH or VR-Payment GmbH, see point 1 above). The "acquirer" is responsible for the secure forwarding and settlement of credit card transactions with international card companies (e.g. VISA, MasterCard, etc.).

The network operator, acquirer and the respective payment service providers for the acceptance and settlement of payment transactions further process the data. This is done in particular for payment processing, to prevent card misuse, to limit the risk of payment defaults and for legally prescribed purposes, such as anti-money laundering and criminal prosecution. For these purposes, your data will also be transmitted to other responsible parties, such as your card-issuing bank.

For the payment, card data (card number, card type, expiry date) and payment data (amount, date, time, location and checkout location identifier of the card reader, verification data of the card-issuing bank) as well as the PIN or signature entered by you are processed. This data is read in or entered at the card reader and transmitted in a secure manner; the identity of the cardholder is not recognisable to the StwDo.

In the event of a chargeback, if you dispute the transaction that was made with the credit card, further data may be processed.

Details on the processing of your personal data can be found at www.payone.com/dsgvo or at https://www.vr-payment.de/datenschutz-haftung.

c. Mobile payment via a smartphone using an app such as Bluecode, Apple Pay or Google Pay.

The payment recipient is the StwDo. When the payment is processed, the StwDo receives the information whether the payment is confirmed or the transaction was not successful. The StwDo does not receive any information about the balance of your electronic money account or your credit card or bank account stored in the app. Instead of a smartphone, a tablet or a smartwatch can also be used, for example; if the term smartphone is used, these devices are also meant - insofar as this is technically implemented. The terms and conditions and data protection information of the respective payment service providers apply; information on some payment apps is provided here as an example:

-Bluecode

If you pay with Bluecode, StwDo is the payment recipient. "Bluecode" is a payment technology for making cashless, contactless payments via a smartphone, provided by SPT, Secure Payment Technologies GmbH, Müllerstraße 27, A-6020 Innsbruck, Austria. The Bluecode app displays a payment code on the mobile phone display in the form of a barcode. This code, which is anonymous from the point of view of StwDo, is scanned or read by us directly from your mobile phone display and forwarded to the Bluecode authorisation system, from where the payment release is then immediately transmitted to us. SPT processes the data for payment execution in accordance with their terms of use and data protection information, see https://bluecode.com/de-de/rechtliche-dokumente/.

-Payment app of a credit institution

If the payment app of a credit institution (bank, savings bank, etc.) is used, the terms of use and data protection information of the payment app or the respective credit institution apply.

-Apple Pay

If you opt for the "Apple Pay" payment method of Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, StwDo is the payment recipient, the payment processing takes place via the "Apple Pay" function of your terminal device operated with iOS, watchOS or macOS by charging a payment card deposited with "Apple Pay". Apple Pay uses security functions that are integrated into the hardware and software of your device to protect your transactions. In order to release a payment, you must enter a code previously defined by you and verify it using the "Face ID" or "Touch ID" function of your terminal device.

For the purpose of payment processing, the payment data is passed on to Apple in encrypted form. Apple then encrypts this data again with a developer-specific key before the data is transmitted to the payment service provider of the payment card stored in Apple Pay to process the payment. After the payment has been made, Apple sends your device account number and a transaction-specific, dynamic security code to the payment terminal to confirm the success of the payment. If personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6 para. 1 lit. b DSGVO. Apple retains anonymised transaction data, including the approximate amount of the purchase, the approximate date and time, and whether the transaction was completed successfully.

Further information on data protection with Apple Pay can be found at the following Internet address: https://support.apple.com/de-de/HT203027

-Google Pay

If you opt for the "Google Pay" payment method of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), the StwDo is the payment recipient, the payment processing takes place via the "Google Pay" application of your mobile device running at least Android 4.4 ("KitKat") and having an NFC function by charging a payment card deposited with Google Pay or a payment system verified there (e.g. PayPal). For the release of a payment via Google Pay in the amount of more than €25, the prior unlocking of your mobile end device by the respective verification measure set up (such as facial recognition, password, fingerprint or pattern) is required.

For the purpose of payment processing, the payment data will be passed on to Google. Google then transmits your payment information stored in Google Pay to the payment terminal in the form of a uniquely assigned transaction number, so that a payment made is verified. This transaction number does not contain any information about the real payment data of your payment means deposited with Google Pay, but is created and transmitted as a one-time valid numeric token. For all transactions via Google Pay, Google only acts as an intermediary to process the payment. The transaction is carried out exclusively between the user and the payee by debiting the payment means deposited with Google Pay. Insofar as personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6 (1) lit. b DSGVO.

Google reserves the right to collect, store and evaluate certain transaction-specific information for each transaction made via Google Pay. This includes, for example, the date, time and amount of the transaction, merchant location and description, as well as other data depending on the transaction. According to Google, this processing is carried out exclusively in accordance with Art. 6 (1) lit. f DSGVO on the basis of the legitimate interest in proper billing, the verification of transaction data and the optimisation and functional maintenance of the Google Pay service. Google also reserves the right to merge the processed transaction data with further information collected and stored by Google when using other Google services. The terms of use and information on data protection for Google Pay can be found here: https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de
https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

d. GeldKarte chip on the student or service ID card

The student or service ID card contains a separate chip on which the wallet or the so-called GeldKarte chip is displayed. The GeldKarte chip has a serial number that was determined during card production. This chip number is not printed on the card for security reasons. The name printed on the ID card is not recorded by the StwDo when the card is used and is also not stored on the GeldKarte chip, so the StwDo cannot draw any conclusions about a specific person when the card is paid for. If the GeldKarte chip of a student ID card (TUCard, FHCard, Chiporello) is used for payment, student prices will be charged.

When the student card is issued by the university/university, the university/university does not read the GeldKarte chip number, so that it is not possible for the university/university to allocate the GeldKarte chip number to the individual student.

The student or service ID card can only be used for payment if the GeldKarte chip has been "topped up" in advance and a credit balance is available. To top up the GeldKarte chip, the top-up terminals are used in the refectories in particular, where it is possible to top up the chip with cash or a girocard/EC card. StwDo does not collect any personal data at the top-up terminals. The current credit balance and the amount topped up are displayed. When paying by EC card, Sparkasse Dortmund collects the data required for direct debit processing without forwarding this account data/debit data to StwDo. The top-up amount is credited 1:1 to the cash card chip. The amount of credit, the amount of the top-up and the timestamp of the top-up or unloading are stored on the chip.

The credit on the chip is to be treated as cash. If the student or service card is lost, any credit balance on the GeldKarte chip cannot be refunded by the StwDo.

e. GeldKarte chip on the white card

A so-called White Card can be purchased at the InfoPoint, which contains a GeldKarte chip. This chip also only has a number and no name stored on it; the StwDo cannot use the White Card to assign it to a specific person; please refer to the information above under 2. d). If the White Card is used for payment, guest prices will be charged unless the valid student or service ID is presented at the time of payment.

The legal bases are Art. 6 (1) letter b DSGVO in connection with the contractual payment obligation arising from the purchase contract and Art. 6 (1) letter c DSGVO, in connection with the legal requirements for proper accounting and the fulfilment of obligations to provide proof under commercial or tax law.

An obligation to provide data exists insofar as a purchase contract has come into existence and thus the obligation to pay exists, the data required for this must be communicated.

Insofar as personal data is processed by us during cashless payment, it is only stored for as long as is necessary to achieve the associated purpose or for as long as there is a legal obligation to retain it. When it comes to accounting-related documents, there is a retention obligation of up to 10 years.

The processing of your data is carried out by the employees of StwDo responsible for this. The forwarding of the data collected by us for the execution of the cashless payment is carried out as described above to the respective network operators and payment service providers.

If necessary, other service providers (in particular for IT services) will be included in the processing to the extent permitted. In the event that you have given us your consent, we will pass on your data in accordance with your consent. Data will be passed on to authorities and public bodies if we are obliged to do so by a legal regulation. We will also forward your data if this is necessary for us to enforce legal claims.

We process data exclusively within the European Union.

You have the right to information about the personal data we process about you in accordance with Article 15 of the GDPR. You have the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, the right to withdraw consent and to object under Article 21 of the GDPR and the right to data portability under Article 20 of the GDPR. In the case of these rights, the restrictions in accordance with the NRW State Data Protection Act may apply.

If you make use of your above-mentioned rights, we will check whether the legal requirements for this are met and you will receive a corresponding notification from us. If necessary, we will ask you to identify yourself; you are obliged to do so if you have any doubts.

You can contact us at any time with this and other questions on the subject of personal data or in the event of complaints, either to the contact persons known to you or to our data protection officer, contact details can be found here at the beginning of the data protection information. In addition, you have the right to lodge a complaint with a competent data protection supervisory authority, in our case the State Commissioner for Data Protection and Freedom of Information LDI NRW, Kavalleriestr. 2-4, 40213 Düsseldorf.

You can revoke any consent given to us to process your personal data at any time with future effect by sending us a message to that effect. This also applies to the revocation of declarations of consent given to us before the DSGVO came into force, i.e. before 25 May 2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

In principle, the revocation can be sent to us without any formalities, but for reasons of proof, we request that you send it to us by post or e-mail with the subject "Revocation" and stating your name and address.

As a precaution, we would like to point out that we may continue to process data in whole or in part even after you have withdrawn your consent if there is another legal basis for doing so.

You have the right to object to the processing of personal data concerning you at any time if this is based on your particular situation, provided that the processing is based on Article 6(1)(e) or (f) DSGVO.

In principle, the objection can be sent to us without any formalities, but for reasons of proof, we request that you send us a letter or e-mail with the subject "Objection", stating your name and address, or hand over a letter.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

In addition to this information letter, we refer to all information that you already have or know about us. If you would like further information, please contact our data protection officer. He/she will be happy to help you. Please bear in mind that in the case of part-time positions and in the event of holiday/illness, processing may be slightly delayed, thank you.

Status of this data protection information: January, 2021