EasyPay Sh.P.K., with Tax ID K61730019P and headquarters at Rruga Vëllezërit Hobdari, Building No. 15, Tirana, is an electronic money institution licensed by the Bank of Albania, which supervises the processing of data on the official website. www.easypay.al dhe në Aplikacionin EasyPay (IOS dhe Android) dhe/ose përmes telefonit të shërbimit ndaj klientit si dhe çdo kanal tjetër që ne mund të vëmë në dispozicion, duke përfshirë ofrimin e shërbimeve të Easypay përmes palëve të treta. Në faqen zyrtare të EasyPay www.easypay.al and in the EasyPay application, in some sections such as applications for jobs or where services are offered require the user to complete some of the data personal. EasyPay collects your personal data for the purpose of providing the service. This applies to the information collected about visitors to our site, customers, job candidates and our current and former employees, other individuals who submit various requests for information, etc.

EasyPay guarantees secure conditions for the storage and further processing of this data, in full compliance with Law No. 124/2024 ‘On the Protection of Personal Data.’ The user confirms the accuracy and truthfulness of the information provided and also authorizes the processing of their data.

“This document describes the management tools of the EasyPay application and official website regarding the handling of users’ personal information and data when they visit or use our app or website. The information provided here is presented in accordance with Law No. 124/2024 ‘On the Protection of Personal Data’ for data subjects using EasyPay services offered via the internet.

1. TERMS

• “Personal Data” is any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
• “Sensitive Data” they are special categories of personal data that reveal a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, or sexual life and orientation.
• “Biometric Data” they are personal data resulting from the specific technical processing of a person’s physical, physiological, or behavioral characteristics, which allow or confirm the unique identification of that person, such as facial images or fingerprints.
• "Controller" is a natural or legal person, or any public authority, who, alone or jointly with others, determines the purposes and means of processing personal data. For the processing of personal data, the controller is the competent authority that, alone or jointly with others, decides the purposes and methods of such data processing.
• "Data subject" is any natural person who is identified or can be identified. A person is deemed identifiable if they can be identified, directly or indirectly, by reference to one or more specific identifiers, such as their name, identification number, location data, an online identifier, or one or more factors relating to their physical, physiological, genetic, mental, economic, cultural, or social identity.
• "Processor" is a natural or legal person, or any public authority, who processes personal data on behalf of the controller.
• "Processing of personal data" ‘Processing’ means any operation or set of operations performed on personal data or sets of personal data, whether or not carried out by automated means, such as: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, dissemination by transmission, distribution, or making available by any other means, alignment or combination, restriction, erasure, or destruction.
• "Recipient" is a natural or legal person, or any public authority, to whom personal data have been disclosed or made available, whether they are a third party or not.
• Third party is any natural or legal person, or any public authority, excluding the data subject, the controller, the processor, or other persons, who is authorized to process personal data under the direct authority of the controller or the processor.
• Consent Consent is any indication of the data subject’s will, given freely, informed, and unambiguously, by which they, through a statement or any other clear affirmative action, signify agreement to the processing of personal data relating to them for one or more specific purposes.
• "Agent" is a commercial or legal natural person, who acts in the name and on behalf of EasyPay.
• "Authentication" is the procedure that enables the payment service provider to verify the identity of a user of the payment service or the validity of the use of a specific payment instrument, including the use of personalized security data of the user.
• "Personalized security data" are personalized elements provided by the payment service provider for the payment service user, for authentication purposes.
• "Remote Payment Transaction" is a payment transaction initiated via the Internet or a device that can be used for remote communication.
• Archiving System is any structured set of personal data that is accessible based on specific criteria and may be centralized, decentralized, or functionally or geographically distributed

2.PRINCIPLES OF PERSONAL DATA PROCESSING

EasyPay processes personal data in accordance with the following principles

• Principle of lawfulness, fairness, and transparency – processing is carried out in a lawful, fair, and transparent manner with respect to the data subject.

• Principle of data minimization – personal data shall be adequate, relevant, and limited to what is necessary for the purposes of processing.
• Principle of data accuracy – personal data shall be accurate and kept up to date when necessary. In accordance with the purpose of processing, all necessary measures shall be taken to promptly erase or correct inaccurate or incomplete data.
• Principle of storage limitation – personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed. Personal data may be retained for longer periods provided they are processed solely for archiving purposes in the public interest, scientific, historical, or statistical purposes, while applying appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject.
• “Principle of integrity and confidentiality – personal data shall be processed in a manner that ensures the necessary security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the use of appropriate technical and organizational measures.
• Principle of accountability – the controller is responsible and must be able to demonstrate compliance with the principles set out in this article.

3. PROCESSING OF PERSONAL DATA

The processing of personal data related to services offered through the official website or the EasyPay application is managed by the technical staff of the responsible IT department, as well as by personnel authorized to process data within EasyPay. No information obtained through the website or application is communicated or shared, except in cases where the information is requested by competent authorities legally entitled to access it, in compliance with the requirements of Law No. 124/2024 ‘On the Protection of Personal Data.

Personal data provided by clients/users are used solely for the purpose of delivering the service or fulfilling the request and are shared with the service provider/processors and third parties only if necessary for this purpose, in compliance with legal requirements.

The employees of EasyPay are subject to the obligation to maintain the confidentiality of the information which is given to the latter in order to exercise its functions based on the Law, and can only disseminate it to the legal authorities.

EasyPay always evaluates the integrity of new employees before they are hired.

EasyPay continuously monitors the accesses and processing of the personal data it controls to ensure their integrity and confidentiality.

4. CATEGORIES OF DATA SUBJECTS WHOSE DATA ARE PROCESSED

EasyPay will process the personal data of data subjects in accordance with the applicable legal framework if:

1. The data subject has given consent for the processing of their personal data for one or more specific purposes. In this case, the processing of personal data is permitted on the legal basis of your consent, which can be withdrawn at any time. You may withdraw your consent in the same manner as it was given or through our free contact channels. Withdrawal of consent does not affect the lawfulness of processing carried out based on the consent prior to its withdrawal.

Personal data will be collected processed and, stored in accordance with legislation: Law on Payment Services, Regulatory Framework for Electronic Money Institutions, Law on the Prevention of Money Laundering and Terrorist Financing, Law on the Protection of Personal Data and other applicable legal acts.

Personal data will be collected, processed, and stored in accordance with the legislation: the Law on Payment Services, the Regulatory Framework for Electronic Money Institutions, the Law on the Prevention of Money Laundering and Terrorist Financing, the Law on the Protection of Personal Data, and other applicable legal acts.

The official website and the EasyPay application collect data as part of their normal operations, with transmission occurring during the use of internet communication protocols.

The official website and EasyPay application do not include links to other sites and the data that these the latter collect or process. When you are on another page or application, we advise you to read the privacy statements of the respective sites and applications.

Access to the EasyPay application in any case is carried out through the credentials created by the customer at the time of registration (username, password) as a system that processes personal data and other financial data of a confidential nature. For special payment services, the customer may be required to process payments after inputting the credentials they have in accordance with the legal framework regarding the security of data processing and cyber security.

EasyPay in no case collects data such as fingerprints, face ID used for access via electronic remote communication devices. This data is processed and recorded only in your electronic device.

The personal data of the electronic services are stored in systems with a high security standard certified as per the international ISO standards.

EasyPay processes the personal data of the user and authorized persons for the purpose of providing payment services or ancillary services or information services.

Data voluntarily provided by the user on the site or in the application, all optional emails, explicit and voluntarily sent to the specified addresses, includes the subsequent receipt of the sender’s address that is needed to respond to the requests as well as for any other personal data contained in the email.

Usage of personal data to send advertising material or commercial information for the sale of products or services by EasyPay requires the prior consent of the data subject. By using the application or accepting the terms of use or "cookies" or signing the cooperation contract with EasyPay, you give your consent regarding the further processing of data, having the possibility that through a link or dedicated functionality or through the request official at EasyPay to unregister in case you do not wish to be informed further, to use the service or be a customer of EasyPay. In this regard, EasyPay guarantees the deletion of any data that belongs to you and that is not a legal obligation to store or archive.

For individuals who apply for employment with EasyPay, we use their information to process the application and to monitor recruitment statistics. When we want to disclose the data to a third party, for example, when we want them to receive a reference, or to receive some data from other relevant institutions, we do not do this without first informing the data subjects, unless this information is legally required. Personal data related to applicants who are not selected in the recruitment process are stored until the end of the period defined in the legislation in force, then they are destroyed or deleted. We retain non-personalized information for statistical purposes about applicants to assist our recruitment activities, but no applicant is identifiable from this data.

“For individuals employed by EasyPay, we retain only the personal data necessary for employment purposes and no more. This data is stored in high-security environments as well as in computer systems, in compliance with the law and our internal policies. When an employee is no longer employed by EasyPay, we prepare a file regarding the period during which they were employed.

Të dhënat e përfshira në të mbahen të sigurta dhe përdoren vetëm për qëllime me rëndësi të drejtpërdrejtë mbi punësimin e personit deri në perfundimin e afatit të përcaktuar me ligj dhe më pas të dhënat shkatërrohen.

5. WHAT PERSONAL DATA WE COLLECT

We process your personal data related to your identity as well as other data necessary for the provision of payment services or ancillary services.

Without your consent for the use of this data, we would not be able to provide EasyPay services. If you do not share identifying information with us, it is impossible for us to enter into a business or service relationship with you, as this data is required not only to provide the service but also in compliance with the legal framework. EasyPay also processes data for marketing, physical security, and/or analytical purposes, in order to offer high-quality products and services based on our legitimate interest or your consent, whichever is applicable to that specific processing activity.

The following categories of personal data may be collected by EasyPay depending on the type of relationship (whether you are a potential client, a client, or a contracting party

Personal Information – First name, last name, date of birth, gender, personal identification number / identification document number, place of birth, nationality and citizenship, contact numbers and addresses, email address, residential address, a facial photograph, live photo captured during registration, identification document details (document barcode, date of issue, date of expiry, issuing authority, and a copy of the document), IP address, profession, vehicle license plate numbers, as well as historical data retained by us within the framework of an ongoing relationship and as required by regulatory acts, and other data requested by the legal acts governing the prevention of money laundering and terrorist financing.”

Device Information- when registering in the EasyPay mobile application, the following data is collected and processed from Users' Devices for the registration and use of the application: fingerprint usage, access to precise location, camera, reading and writing external memory, reading the user's Phone Contact List, device brand, device model, and operating system. All personal user data will be collected and further processed exclusively for the purposes of registration and providing the EasyPay application, which is an electronic wallet (“Application”). EasyPay will use users' personal data solely for the purpose of delivering application services to users who utilize the application.

Documentation – The type of your identification document, the issuing country, document number, expiry date, and information contained in the document barcode. Legal documentation regarding the registration of entities, as well as additional documentation for identification or commercial or business relationships.

pale të treta si cdo dokumenteacion tjetër të paraqitur nga ana juaj për qëllime të shërbimit të pagesave ose shërbimeve ndihmëse.

Economic identification data The client number or user code in the EasyPay application, the unique Credit Agreement number or an agreement number generated upon the conclusion of a credit agreement for payment services; data collected through ongoing monitoring in accordance with Know Your Customer (KYC) and ongoing due diligence requirements; your debit or credit card details (where you choose to make payments via direct debit); bank account numbers or other banking or payment information related to transactions carried out in favor of the Company; transaction details and history; FATCA/CRS status; and the Tax Identification Number (TIN).

Statistical Analysis Your personal data may be processed for statistical analysis purposes. The collection of your personal data for statistical analysis is based on legitimate interest in order to analyze, improve, and develop the activities carried out. The data subject has the right to object to the processing of personal data for this purpose at any time and in any form by informing EasyPay accordingly. Nevertheless, EasyPay may continue to process the data for statistical purposes if it demonstrates that the data are processed for compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

Service Improvement The data collected may be used to improve technical and organizational tools, IT infrastructure, the adaptation of services to the devices used, the development of new services, the enhancement of satisfaction with existing services, as well as the testing and improvement of technical tools and IT infrastructure.

Te dhenat per shendetin- The data are processed for the fulfillment of a specific obligation or right of EasyPay or of the data subject in the field of employment, social security, or social protection, in accordance with the applicable legislation in these areas.

CCTV – Images captured by security cameras in and around the company’s premises are processed for security purposes, in order to reduce and/or prevent risks and damage to you as well as to us, and to protect both your interests and ours. Such data are retained in accordance with the retention periods established by law and applicable secondary legislation.

Phone CallsDuring contact with data subjects by telephone, conversations may be recorded for security purposes and as evidence to verify contractual requests and to prevent and detect fraudulent behavior. Telephone recordings will be retained for as long as necessary for security and evidentiary purposes.

Direct Marketing – The use of personal data to send advertising materials or commercial information regarding the sale of EasyPay products or services requires the prior consent of the data subject. By using the application, you provide your consent for the further processing of your data, with the option to withdraw your consent to receiving such information at any time, either in the same manner as it was given or through our free contact channels. Withdrawal of consent does not affect the lawfulness of processing based on the consent prior to its withdrawal.”

Cookies On our website, cookies are used to improve the user experience, enable essential functionality, analyze site usage, and provide personalized content and advertising. Data subjects may give or withdraw their consent through the cookie management banner.

For the processing of personal data, EasyPay may engage data processors and/or, at its discretion, employ other individuals to perform specific support functions on behalf of EasyPay (e.g., data centers, cloud hosting, system administration, system development, software programming, development, delivery, support services such as service improvement and development; customer service center operations; marketing, communications, consulting, temporary staff, or similar services). In such cases, EasyPay will take the necessary measures to ensure that data processors handle personal data in accordance with EasyPay’s instructions and applicable laws, respect appropriate data security measures, maintain confidentiality, and do not use such information for any purpose other than performing their designated functions.

6. METHODS OF PROCESSING PERSONAL DATA

The personal data of data subjects are processed both electronically and physically, in full compliance with the security measures established under Law No. 124/2024 ‘On the Protection of Personal Data.

EasyPay protects personal data in secure environments and systems until the expiration of the retention period specified in the Guidelines of the Commissioner for the Right to Information and the Protection of Personal Data, except in cases where applicable legislation provides otherwise, after which the data is destroyed. In all cases, personal data is processed only to the extent necessary for EasyPay to fulfill its obligations for the purpose for which the data was collected, or as required by the applicable legal framework and regulatory acts.

We ensure that your personal data is processed in a secure, fair, and lawful manner.

7. ACCESS TO PERSONAL DATA

In accordance with the legal framework, EasyPay grants individuals access to their personal data. Individuals may determine whether we hold any personal data by submitting a ‘Request for Access to Personal Data.’ Under Law No. 124/2024 ‘On the Protection of Personal Data,’ EasyPay will respond within 30 days from the date of receipt of the request, either by providing the information or explaining the reason for not disclosing it.

If we hold your personal data, we will inform you why it is retained, where it may be transferred, and provide a description of the data. Where feasible, we will provide a copy of the information in an understandable format and clarify whether the provision of such data is mandatory or voluntary.

If we hold your personal data, we will inform you why it is retained, where it may be transferred, and provide a description of the data. Where feasible, we will provide a copy of the information in an understandable format and clarify whether the provision of such data is mandatory or voluntary./www.idp.al/.

8. RIGHTS OF THE DATA SUBJECT

Individuals whose personal data is processed enjoy certain rights in accordance with Law No. 124/2024 ‘On the Protection of Personal Data.

1. ‘Right to be Informed’ – ensuring that the requested information is provided in a concise, transparent, understandable, and easily accessible manner, particularly when the information is addressed to minors.
2. Right of Access’ – guaranteed by allowing individuals to obtain from EasyPay comprehensive information regarding the processing of their personal data
3. ‘Right to Rectification and Erasure’ – the right to request the correction of inaccurate personal data relating to them as soon as possible, but no later than 30 (thirty) days from the date of receipt of the request.
4. ‘Right to Be Forgotten’ – At the request of the data subject, EasyPay is obliged to remove from search results based on the data subject’s name any information that is no longer current over time but, when found, has a significant negative impact on the data subject’s reputation.
5. ‘Right to Restrict Data Processing’ – the right to request the restriction of personal data processing by EasyPay when the conditions set out in Articles 17 and 21 of Law No. 124/2024 are met, specifying the possible reasons for the restriction of processing.
6. ‘Right to Data Portability’ – aims to provide the data subject with the ability to transfer, copy, or transmit personal data easily from one controller to another for specific purposes, in a structured, commonly used, and machine-readable format.
7. ‘Right to Object’ – the right to object at any time, for reasons relating to their particular situation, to the processing of their personal data concerning them.
8. ‘Right Not to Be Subject to Automated Decision-Making’ – the right not to be subject to a decision based solely on the automated processing of personal data, including profiling, which produces legal effects or similarly significant consequences for them.
9. ‘Right to Lodge a Complaint’ – Regardless of other legal, administrative, or judicial remedies available, any data subject who believes that the processing of their personal data has been carried out in violation of Law No. 124/2024 has the right to lodge a complaint with the Commissioner, who shall examine it in accordance with the provisions of the Administrative Procedure Code and Law No. 124/2024.

9. SECURITY OF PROCESSED PERSONAL DATA

EasyPay processes the personal data of data subjects in order to carry out its activities and statutory duties in compliance with applicable legislation and internal rules. This may also include confidential information relating to the categories of data subjects being processed. EasyPay remains committed to ensuring the use of data and information within its technology systems in a manner that preserves the integrity and confidentiality of information under its control.

EasyPay processes the personal data of data subjects in order to carry out its activities and statutory duties in compliance with applicable legislation and internal rules. This may also include confidential information relating to the categories of data subjects being processed. EasyPay remains committed to ensuring the use of data and information within its technology systems in a manner that preserves the integrity and confidentiality of information under its control.

1. pseudonymization and encryption of personal data
2. the ability to ensure the confidentiality, integrity, availability, and resilience of processing systems and services
3. the ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident
4. a process for the regular testing, review, and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing

All EasyPay employees are subject to the obligation to maintain the confidentiality of information provided to them in order to perform their duties according to their job description and may disclose it only to lawful authorities. EasyPay evaluates their integrity prior to employment and monitors their compliance with information security obligations. EasyPay employees, under the confidentiality agreement they sign, bear legal, civil, and criminal responsibility, and are required to maintain the confidentiality of information even after the termination of their employment relationship.

By accessing the website or the EasyPay App, you confirm that you have read and accept the terms of use provided therein.

10. HOW TO CONTACT US

Requests for information regarding our privacy policy can be sent by e-mail to info@easypay.al and you may as well appear to the counters of EasyPay branches or agents everywhere Albania.