Menu

Your privacy and trust are important to us.

This Privacy Center will help you understand how FIS uses your personal data and how you can exercise your privacy rights.

Click on a topic from the menu above to load the policy content you would like to view.

Who we are

Fidelity National Information Services, Inc. (“FIS”) is a leading provider of technology solutions for Fidelity National Information Services, Inc. (“FIS”) is a leading provider of technology solutions for clients such as banks and capital markets firms globally. Headquartered in Jacksonville, Florida, United States, FIS is a Fortune 500® company and a member of Standard & Poor’s 500® Index. FIS and its subsidiaries operate in multiple jurisdictions located around the globe. 

As a fintech group with a broad portfolio of solutions, FIS and its subsidiaries fulfill many roles including when processing personal data. For example, when we act as a service provider to banks and capital markets firms, we usually act as a “processor”, processing personal data based on our clients’ instructions. However, for the processing of personal data of our own staff, we act as an independent controller.

Definitions

Please click here for a description of the terminology used in this FIS Privacy Center, including our privacy notices.

How to contact us

Your rights may be limited, for example, if fulfilling a request would reveal personal data about another person, or if the processing is required by law or another compelling legitimate interest. FIS reserves the right, where permitted by law, to verify your identity.

Alternatively, you can write to our Chief Privacy Officer or our global Data Protection Officer:

Chief Privacy Officer
347 Riverside Avenue
Jacksonville, FL 32202
United States of America

Data Protection Officer
Orhideelor Road 15A
Orhideea Towers building – HotSpot Skyhub, 13th floor, rooms 13.25 & 13.26 District 6, Bucharest
Romania.

The names and contact details of FIS’ data protection officers are available here.

The contact details of our representatives are available here.

Privacy Notices

Sharing your personal data

We take care to allow your personal data to be accessed only by those who really need to in order to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. We disclose your personal data to the following categories of recipients.

Exercising your rights

Depending on your location, you have certain rights under privacy and data protection laws related to the data we process about you. You may exercise those rights through the form accessible here or by sending us an email at DataRights@fisglobal.com.

We aim to respond to your request within 1 month or the specific timeframe required by the applicable laws, upon verification of your identity. We will honor the requests you make related to your rights as the law allows, which means, in some cases, there may be legal or other reasons we may not be able to address the specific request you make related to your rights.

Details of your rights are set out here.

Where we process your data and international data transfers

FIS is headquartered in the United States of America, and almost all data we process will be transferred to or accessed from the United States. Our subsidiaries and third-party service providers operate in the European Economic Area (“EEA”), the United Kingdom (“UK”), and multiple other countries around the world.

We may transfer, access, or store personal data about you outside of the EEA, Switzerland, the UK, China, Japan, or another country that requires legal protections for international data transfer. When we do, we will make sure an adequate level of protection is provided for the personal data by using one or more of the following approaches:

  • We may transfer personal data to countries that have privacy laws that have been recognized by the country from which the data is transferred as providing similar protections for the data (“adequacy”).
  • We may enter into written agreements, such as standard contractual clauses and other data transfer agreements, with recipients that require them, in substance, to provide the same level of protection for the data.
  • We may seek your consent for transfers of your personal data for specific purposes.
  • We may rely on other transfer mechanisms approved by authorities in the country from which the data is transferred.

When we share personal data within and among FIS affiliates, we make use of the Standard Contractual Clauses (as approved by the European Commission), the UK International Transfer Addendum, as well as model clauses issued in other countries to legitimize data transfers.

For Japanese individuals, information about the personal information protection system of various foreign countries where your data may be processed is available here. An overview of data protection and privacy legislation worldwide is available here.

Retention

We will retain personal data we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements).

When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it, or, if this is not possible, for example, because your personal data has been stored in backup archives, we will securely store your personal data and isolate it from any further processing until deletion is possible.

Methods of destruction: FIS’ workforce and vendors with access to personal data are required to comply with secure deletion standards in alignment with the latest NIST Guidelines for media sanitization.

Security

We use appropriate technical and organizational measures to protect the personal data we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data.

Please read our Security Statement that summarizes FIS’ information security policies, procedures, and standards including its technical and organizational measures for the security of data.

While we do our best to protect your personal data, privacy incidents are unfortunately becoming more common. In addition to the steps we take to protect your personal data, we believe there are measures you should take to protect yourself as well. We advise you to not share any personal data with others unless you clearly understand the purpose of the individual requesting the information, and you have confirmed you are dealing with a legitimate contact. We also recommend you not share any significant personal data via email or voicemail.

While we take precautions to protect your personal data from loss, theft, alteration, or misuse, no system or security measure is completely secure. Any transmission of your personal data is at your own risk, and we expect you will use appropriate measures to protect your personal data as well.

Data Processing Agreement

FIS’ Personal Data Processing Annex, which supplements our client contracts, is available here.

You can request a DPA for completion and electronic signature by sending an email to gdpr@fisglobal.com.

Cookies

Change your cookie preference at any time in our cookie preference center at the bottom left hand corner of this page.

Please read our Cookie Notification for fisglobal.com for more information about our use of cookies.

Please note that our websites and mobile apps are not designed to respect "do not track" browser settings.

Direct Marketing

Please read our marketing privacy notice to understand how FIS processes personal data for direct marketing purposes.

Click here to adjust your settings or unsubscribe from marketing communications.

Sale of Information

Please read our CCPA / CPRA Sale of Information statement here.

Law enforcement

FIS may be required by law to provide information to government, law enforcement, and parties in civil lawsuits. This means we comply with court orders, subpoenas, lawful discovery requests, and other legal requirements. To protect clients and their customers’ rights, we only provide client information when we reasonably believe there is a legal requirement to do so and after comprehensive legal review. Click here to learn more.

Changes to our Privacy Center

We will update this page from time to time in response to legal, technical, and/or business developments. We will obtain your consent to any material changes if and where this is required by applicable data protection laws.

You can see when this page was last updated by checking the “last updated” date displayed at the end of this page.

Last update: April 15th, 2024

Store owner talks on phone while writing in ledger

Definitions

  • Personal Data is any information relating to an identified or identifiable natural person. In some jurisdictions, such as Switzerland and South Africa, personal data also includes data of legal entities. Personal data is also known as Personal Information or Personally Identifiable Information.
  • Processing of personal data refers to any operation or set of operations which is performed on personal data, whether or not by automated means. Examples are the collection, recording, storage, use, disclosure, erasure or destruction of personal data.
  • What is considered sensitive personal data (also referred to as special category data) varies from country to country, but it generally includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. Additional categories considered sensitive/special in certain jurisdictions are data relating to criminal convictions or offences/criminal records, financial data, bankruptcy details, data relating to drug problems and infidelity, personal data of children, personal identifiers (for example passport details, social security numbers, social insurance numbers, resident registration numbers, or state ID numbers), work performance information, citizenship / immigration status, driver’s license numbers, precise geo-location data, membership of a trade association, biometric templates, information concerning an individual’s ideology or faith, membership of a political party, health or medical treatment information, communal origin, etc.
  • Data Processing Agreement, or Data Processing Annex / Data Processing Addendum refers to an agreement that supplements FIS’ contracts with clients and suppliers, which agreement sets out parties mutual obligations with regard to the processing of personal data.
  • CRM database refers to FIS’ Client Relationship Management system(s).
  • GDPR refers to the (EU and/or UK) General Data Protection Regulation.
  • PIPL refers to the Chinese Personal Information Protection Law.

We believe everyone has a right to privacy, wherever they live in the world, and our commitment to privacy goes beyond legal compliance. As a result, our privacy and data protection compliance program applies globally, irrespective of whether there are local privacy and data protection laws. Our compliance program is based on the European Union General Data Protection Regulation (GDPR) and establishes a framework within which local privacy and data protection laws are respected, and it sets a baseline for those jurisdictions where there are no specific legal requirements.

When processing personal data, we apply the following principles:

  • Fairness and lawfulness: we comply with privacy and data protection laws and act with integrity and fairness.
  • Transparency: we communicate openly and transparently about our personal data processing operations.
  • Purpose limitation: we only use personal data for defined, appropriate purposes.
  • Choices and rights: we give individuals the ability to make simple and meaningful choices about their privacy and allow individuals, where appropriate, to access, update, or delete their personal data.
  • Privacy by design: we maintain a respect for privacy as a key component in the design, development, and delivery of our products and services.
  • Responsible data management: we apply appropriate data management practices to govern the processing of personal data. We carefully select external vendors and partners, and we limit disclosure of personal data to what is described in our privacy notices or to what has been authorized by our clients. We also store personal data for no longer than what is necessary or as is required by applicable laws and to maintain accuracy of data.
  • Security: we implement appropriate technical and organizational security measures to protect personal data against unauthorized access, use, modification, or loss.
  • Accountability: we are accountable for living up to our commitments throughout the FIS organization.
  • Training: all FIS employees are trained on an annual basis on privacy and security.

Data Protection Officer

All FIS Data Protection Officers (DPOs) can be contacted via Data.Protection@fisglobal.com

Chief Privacy Officer

Anna Shea
FIS
347 Riverside Avenue
Jacksonville, FL 32202
privacyoffice@fisglobal.com

 

Global Data Protection Officer

Adriana Neagu

The Global DPO acts as DPO for all FIS entities, except for the following FIS entities that have appointed a local Data Protection Officer (or for South Africa: Information Officer):

Germany

FIS Systeme GmbH, Dr. Moritz Moeller-Herrmann

FIS Global Trading (Deutschland) GmbH, Dr. Moritz Moeller-Herrmann

Switzerland

FIS Switzerland S.A, Dr. Moritz Moeller-Herrmann

Sweden

Fidelity Information Services Front Arena AB, Marko Femic

South Africa

FIS Systems South Africa (Pty) Ltd., Kershika Nookiah

GL Trade (South Africa) Proprietary Limited, Kershika Nookiah

Representatives

GDPR Representative

Article 27 of the General Data Protection Regulation (GDPR) requires organizations that are not established in the European Union (EU) to designate a representative in the EU if they are subject to the GDPR.

FIS entities outside the EU may undertake processing activities to which the GDPR applies. For that reason, Fidelity National Information Services Inc. and all of its direct and indirect subsidiaries, have appointed Fidelity Information Services GmbH to act on their behalf if, and when, they undertake data processing activities to which article 3(2) of the GDPR applies. Such appointment is not intended to be an acknowledgement that the GDPR is applicable to any of their processing activities.

Contact details:

Fidelity Information Services Operations GmbH
Solmsstr. 18
60486 Frankfurt am Main
Germany
data.protection@fisglobal.com

Swiss Data Protection Representative

Article 14 of the Federal Act on Data Protection (FADP) requires organizations with registered offices outside of Switzerland to designate a Swiss data protection representative in Switzerland if they are subject to Article 14 of FADP.

FIS entities outside Switzerland may undertake processing activities to which Article 14 of FADP applies. For that reason, all FIS entities in the group, subject to these conditions have appointed FIS (Switzerland) SA to be their Swiss data protection representative where required. Such an appointment is not intended to be an acknowledgment that the FADP is applicable to any of their processing activities.

Contact details:

FIS (Switzerland) SA
Route de l'Aeroport 29-31,
1215, Le Grand-Saconnex,
Switzerland
data.protection@fisglobal.com

South Korea

The contact details of FIS’ domestic representative in South Korea:

Name:            SeokPil Oh
Address:        FIS 18FL, O2 Tower 83 Uisadang-daero, Yeongdeungpo-gu, Seoul, Korea 07325
Email:            seokpil.oh@fisglobal.com

 

People using public transportation using personal electronic devices

Individual rights under privacy and data protection law

Details of your rights are set out below:

  • You can request access, correction, updates, or deletion of your personal data;
  • You can object to our processing of your personal data, ask us to restrict processing of your personal data, or request portability of your personal data;
  • If we have collected and processed your personal data with your consent, you can withdraw your consent at any time, subject to permitted or required exceptions under applicable data protection laws. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent;
  • You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. We will keep your name and email address on our CRM databases in order to prevent future communications. If you prefer your data is deleted from our CRM databases, please complete the relevant form here. If you decide you do not want to receive marketing content from us, please note that we may still be required to send you emails regarding factual, transactional, and/or servicing information in connection with the products and services we are providing to you or the organization through which you are known to us;
  • You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. You have the right to obtain human intervention to express your point of view and to contest such decision;
  • You have the right to complain to a data protection authority about our collection and use of your personal data;
  • For consumers who reside in the State of California, you have the right to opt-out of the disclosure of your personal data for monetary or other valuable consideration.
  • For individuals in China, you have the right to request that FIS explains the rules set out in this Privacy Center (right to explain processing rules). Close relatives of a deceased person have the right to access, make copies of, correct or delete personal data of the deceased person, unless the deceased person has arranged otherwise before their death.

FIS does not tolerate any retaliation against anyone who, in good faith, exercises any of these rights.

You may exercise any of these rights through the form accessible here or by sending us an email at DataRights@fisglobal.com.

Workforce

We process personal data for our workforce (temporary and permanent employees, contingent workers, independent contractors, students, retirees, and persons formerly in such roles with FIS) as well as personal data of other persons in relationships with members of our workforce.

The primary controller of FIS’ workforce personal data is the FIS company which employs, contracts, or engages the member of our workforce. If you have any questions about who this company is, please raise a ticket via the People Office Support Center.

Workforce personal data includes all personal data collected and processed in the context of an individual’s working relationship with FIS. FIS also processes workforce personal data regarding relatives, dependents, or other persons in relation to employees, contingent workers, independent contractors, students, retirees, and persons formerly in such roles with FIS when their personal data has been given to FIS by such persons with a working relationship with FIS.

In some jurisdictions, workforce personal data that is considered “sensitive personal data” under applicable laws may need to be collected as required or permitted by local law, for example, for the purposes of complying with equal opportunity measures or local tax requirements. What is considered sensitive personal data varies from country to country. An overview of the different types of sensitive personal data is available here. Please note, this does not mean that all the listed examples of potentially sensitive personal data will be processed for every member of our workforce; sensitive personal data will only be processed insofar as required or permitted under applicable law or as deemed necessary for the purposes of the legitimate interests pursued by FIS from time to time and always in compliance with applicable laws. Applicable local law may in some circumstances require the data subject’s consent to process sensitive personal data.

Access Badge Information

All of FIS’ workforce will be issued an access badge which is required to gain access to our facilities. In some jurisdictions, where authorized by applicable law, we will monitor access badge use and records for security, building management and staff attendance purposes. This includes sharing individual badge access and team badge access data with managers to provide an overall view of how many team members go into their assigned office/facility.

Categories of workforce personal data that may be processed is set out below:

Data Category

Examples

Applicant data

CVs, covering letters, application forms, information provided in interviews, information provided during on-boarding of successful applicants.

Advice, opinions, and other comments

Engagement surveys, exit interviews.

Attendance data

Work absences, leave entitlements and requests, attendance records, paid, and unpaid leave records.

Bank and financial details

Payroll and/or expense reimbursement direct deposit banking information, credit card information.

Benefit data

Insurance, powers of attorney, benefit plan records for employees, and/or dependents enrolled in benefit continuation records.

Business travel and movement data

Travel data, including travel schedules, lodging, conveyance, meals, and other expenses.

Company property issuance data

Records of company-issued assets, equipment, and vehicles.

Compensation data

Base salary, bonus, and other compensation elements, pay type, pay grade, pay level, full-time equivalent (FTE), currency, compensation requests (past and current), employment terms, pension plan number and contribution, non-salary benefits, share options.

Dependent information

Personal contact and identity data on dependents and significant others, dates of birth, gender.

Disciplinary data

Warnings, letters of reprimand, written, and oral counselling.

Employment related data

Employee number, signature, employment status, social security, tax number, insurance number, country of residence, nationality, photo, emergency contacts, passport information, immigration status, travel visa information, work, and residence permit.

Grievance data

Complaints, tribunal data.

Information recorded on or in company systems, equipment, or documents

Emails, text messages, web site usage, voicemail recordings, calendar, or diary entries, correspondence, including staff personal data included in or on company systems, equipment, or documents by employees or independent contractors, background, and credit check data.

Job information and work metrics

Position, title, employment contract, payroll ID, line manager, job band, performance history, employment status, working time logging, training records, performance targets and development goals. In some cases, we may also record results of capability assessments, safety reports and incidents, professional feedback

Key card and access records

Dates, times, and locations of entry and exit from controlled facilities, computer and system logon/off audit trails.

Military status

Branch of service, rank, dates of enlistment or discharge, discharge status, disabled veteran status, awards or medals granted, protected veteran status.

Organizational data

Name, company structure, organizational charts, reporting relationships, titles, resumes, work contact details, email, accounting code details, employment terms, job descriptions, and salary levels.

Parent / guardian data

Name, signature, consent of parent/guardian for students under the age of 16.

Payroll processing data

Name, government-issued ID, home address, email, time attendance, remuneration, compensation data, hire date, termination date, employment terms, dependents data, bank and financial data, benefit data, accounting code details, withholdings and deductions, and benefit enrolments with employee contribution.

Performance and employment

Performance assessments, Performance Improvement Plan (PIP), performance counselling, disciplinary action(s), letters of appreciation, details of performance complaints.

Personal details and contact information

Name, gender, birth date, place and country of birth, home address, phone numbers, email, government-issued identification numbers, identification numbers issued by or on behalf of the company, signatures, handwriting, and photographs.

Photo, video, or audio recordings

Information collected by security systems, closed-circuit television, profile photographs, photo security badges, voicemail, recorded trainings, conferences, or marketing materials.

Recruiting and application data

Application details, applicant testing, background check, notes compiled by recruiter pertaining to the applicant and screening results.

Reports of misconduct or policy violations

Records of oral, written, email, telephone, or Ethics Helpline website, Ethics Helpline, InTIRT, FSIRT, SIRI-P, and similar reports pertaining to alleged and confirmed staff misconduct or violations of company policies.

Right to work / immigration data

Right to work documents, nationality, residency, citizenship, passport, and visa information.

Software applications

Use of software applications to process workforce data including in relation to engagement and collaboration, in order to improve efficiency at FIS.

Talent, education, and training details

Education, skills, work experience, prior employment, accomplishments, projects, development and training, language skills, technical skills, educational background, professional certifications and registrations, membership in professional bodies and organizations.

Work history

Dates of hire and/or termination, title, dates of promotion, training courses attended, acknowledgement of company policies, completion of various mandatory company trainings with quiz scores, if applicable, reason for resignation or termination, public offices held, publications.

Work schedule data

Planned and actual working times, billable and administrative time records, employment terms, alternative working arrangements (remotely).

Workplace safety data

Reports, photographs, video recordings.

A list of the potential types of workforce sensitive personal data that may be processed is set out below:

Sensitive Personal Data Category

Examples

Biometric and Health Data

Fingerprints, thumbprints, vaccination status, temperature scanning, facial identification/recognition and voiceprints.

Data revealing offenses, criminal convictions, or information deriving from security measures

Criminal proceedings, outcomes, and sentences, driving history, prior employment, substance abuse screening, court records, and background check information.

Data revealing sex life

Personal contact and identity data on dependents and significant others, marital/partnership status, accommodation, and housing information.

Data revealing personal credit and financial information

Credit check, child support, debt payments, bankruptcy, foreclosure, attachment of earnings, bank account numbers.

Data revealing physical or mental health or condition

Physical limitations and special needs, disabilities and requested or required reasonable accommodations, on-site screenings, company referrals for medical or counselling support, substance abuse testing, medical reports, health certifications.

Data revealing racial or ethnic origin

Racial designations, nationality, and cultural identity.

Data revealing religious affiliation or beliefs or other beliefs of a similar nature

Affiliation with religious organizations, membership of religious congregations (e.g. if required for tax purposes), declaration of religious preference or other beliefs.

Data revealing trade union membership

Union or works council records, directories, meeting documentation, and other materials.

Data revealing political opinions

Professional and other affiliations, offices held, publications, and writings.

Personal identifiers

Passport details, social security numbers, or state ID numbers.

Purposes for which we process personal data about our workforce:

  • Human resources management including organization and personal administration, working hours management, improving and maintaining effective workforce administration, internal workforce analysis, reporting and planning;
  • Compensation and benefits programs, including salary, bonuses, pensions, medical benefits, insurance policies, vacation, and leave of absence for members of our workforce and their dependents;
  • Diversity programs, including compliance with diversity objectives, FIS controlled recognition and rewards programs, employment-related education, training, and awareness programs;
  • Global mobility programs and the transfer, relocation, and movement of employees and dependents;
  • Manpower, staffing, and succession planning;
  • Payroll, compensation, and benefits management, including providing employee benefits and maintaining salary, compensations, including intellectual property, allowances, benefits, insurances, pensions, and performance reviews;
  • Payroll, tax, and other required withholdings (such as court-ordered garnishments), reimbursements for business travel, and other reimbursable business expenses;
  • Talent management and acquisition, including recruitment, assessing suitability and working capacity, background checks, verification of qualifications, obtaining and providing references;
  • Learning and development management, including certifications, workforce training, performing assessments, and employee satisfaction surveys;
  • Processes related to joining and leaving, including internal moves and terminations;
  • Sickness and other leave and vacation management;
  • Workplace and workforce health;
  • Internal health and safety programs, including health, safety, and accident records, or reporting and managing process quality;
  • Travel and expenses management and organization of business trips, including monitoring of travelers to provide support during security or medical emergencies; providing travel security, health, and safety training, and on a voluntary basis, assistance in giving security support during emergencies;
  • Business operations, including staffing proposals, client billing, business transition activities, business negotiations, and transactions;
  • Carrying out the obligations and exercising specific rights in the field of employment and social security law or a collective agreement;
  • Internal and external communication of the FIS organization;
  • Representation of FIS including commercial register and assigning powers of attorney;
  • Organizing FIS events and documentation of such events including managing and organizing internal non-marketing related campaigns, events, and meetings;
  • Opinion and engagement surveys;
  • Managing FIS assets, including pictures and videos depicting staff or other individuals available for download on our intranet, website, etc.;
  • Finance and shared accounting services providing record to report, order to cash, and purchase to pay services;
  • Reorganization, acquisition, and sale of activities, business units, and companies;
  • Business reporting, statistics, and analytics;
  • Monitoring and auditing compliance of workforce activities in the workplace with FIS’ corporate regulations and policies, contractual obligations, and legal requirements, including disciplinary actions;
  • Carrying out audits, reviews, and regulatory checks to meet obligations to regulators;
  • Workplace investigations into alleged policy violations, misconduct related to work, safety, and security concerns;
  • Litigation or potential litigation;
  • Governance, risk and compliance, including compliance with laws, law enforcement, court and regulatory bodies’ requirements and prevention, detection, investigation, and remediation of crime and fraud or prohibited activities or to otherwise protect legal rights and to establish, exercise or defend legal claims;
  • Managing suppliers, contractors, advisers, and other professional experts, including contact interaction, processing and fulfilling purchases and invoices, and contract lifecycle management;
  • Making use of work performance and products and for references on documents, such as drawings, purchase orders, sales orders, invoices, reports;
  • Workplace and workforce safety and security, i.e., thumbprints, facial identification/recognition, etc. used for device and security access for computers, phones, building, and room access;
  • Access control system providing electronically controlled ingress and/or egress for authorized individuals to locations that have access restrictions and a registry of personnel on site in case of emergencies;
  • Intrusion detection including 3rd party monitoring of duress, perimeter, internal security points, and ancillary supervisory monitors for site maintenance/automated systems;
  • Maintaining and protecting the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, fraud or other criminal or malicious activities, and confirming business continuity; and
  • Managing IT resources, including infrastructure management including data back-up, information systems’ support and service operations for application management, end user support, testing, maintenance, security (incident response, risk, vulnerability, breach response), master data and workplace including user accounts management, software licenses assignment, security and performance testing, and business continuity.

Certain personal data collected from our workforce relates to next of kin and emergency contacts. In these cases, members of our workforce are requested to inform such persons about the processing of their personal data in accordance with this Notice.

If a member of our workforce is working at a third-party site (for example at a client location or facility), such third party may need to process their personal data for such third party’s own purposes acting as a data controller. In these cases, our workforce members will receive or may request a separate privacy notice from the relevant data controller.

Recipients

Workforce personal data may be disclosed to the following recipients or categories of recipients for a legitimate business need and/or process: FIS People Office, Legal, Corporate Compliance, Risk, M&A Team, Security, Supply Chain Management and Real Estate, Internal Audit, Finance and Accounting, Information Systems, members of the Board of Directors, management personnel, FIS Clients, and FIS-selected service providers.  FIS may also make workforce personal data available to other third parties as authorized, such as law enforcement, tax authorities, other public bodies, potential and actual acquirers of FIS companies or businesses if a change of ownership or business transfer is anticipated or occurs. For more information about the categories of entities to which we have disclosed this information, and the purposes for which we have disclosed the information, please see “With whom we share your personal data”.

Storage limits and other relevant information

Workforce personal data will be retained for as long as there is a business need or as required by law and regulation. More information on FIS’ data retention standards may be found in the Record Management Policy found in the FIS Enterprise Policy Office on the company’s intranet, FIS&me. If you are a job applicant, retiree, or other person without access to FIS internal systems to review such policies, requests for such information should be directed to the FIS Privacy Office.

Exercising your rights

Click here for an overview of your rights as a data subject under applicable privacy and data protection laws and how to exercise these rights.

Legal grounds for processing personal data of our workforce and persons in relationship with members of our workforce are:

We process workforce personal data for thefulfilment of obligations in any employment contractor other contract of engagement with us and relevant collective agreements, or as part of pre-contractual measures to establish employment, or other contractual relationships

Article 6.1.b GDPR

Article 13.(2) PIPL

In some cases, and only in countries where this is allowed (*), we rely on ourlegitimate intereststo process workforce personal data insofar as this is not overridden by an individual’s own privacy interests. Such interests may include:

  • developing and managing our workforce;
  • analyzing performance and providing appropriate compensation
  • equal opportunity monitoring and reporting;
  • preserving records for business purposes, assuring security at our facilities and systems, and making contact information available to relevant colleagues and clients;
  • promoting and delivering our products and services, developing business opportunities;
  • maintaining the security and integrity of our facilities, systems, and IT infrastructure
  • monitoring (for example through IT systems), investigating, and confirming compliance with legal, regulatory, standard, and FIS internal requirements and policies;
  • prevention of fraud and criminal activity including investigations of such activity, prevention of misuse of FIS assets, products and services, and as necessary and proportionate for confirming network and information security;
  • conducting sanctions and anti-money laundering screening and meeting regulatory requirements
  • transmitting personal data within the FIS group for internal administrative purposes as necessary, for example, to provide centralized services;
  • promoting and improving health, safety, security, and performance

(*) For example, in China, legitimate interest is not deemed a legal ground for processing under the PIPL. In China, we process workforce personal data for the above purposes on the basis of the employment contract (or other contract of engagement) with you and our internal employment rules which are established in accordance with Chinese laws.

Article 6.1.f GDPR

Article 13.(2) PIPL

In some cases, we process workforce personal data on the basis ofstatutory requirements, for example, on the basis of labor and social security law, allowances, tax or reporting obligations, regulatory obligations, cybersecurity obligations, cooperation obligations with authorities, or statutory retention periods in order to carry out our contractual responsibilities as an employer or engager.

Article 6.1.c GDPR

Article 13.(3) PIPL

We mayask for an individual’s consentat the time of collecting the personal data. If we ask for consent in order to use personal data for a particular purpose, that individual is free to withdraw consent at any time and we will tell the individual how to do this.

Article 6.1.a GDPR

Article 13.(1) PIPL

Legal grounds for processing sensitive personal data:

With regard to special categories of personal data, we will only process such data in accordance with applicable law and:

With explicit consent for specific activities in accordance with applicable law

Article 9.2.a GDPR

Article 29 PIPL

With consent of the holder of parental responsibility (for students under the age of 16)

Article 8.1 GDPR

Article 31 PIPL

When necessary for exercising rights based on employment or other contractual engagement, social security or social protection law or as authorized by collective agreement, or for preventive and occupational medicine or evaluation of working abilities

Article 9.2.b GDPR

Where necessary, for the establishment, exercise or defense of legal claims or to comply with directions or demands of courts acting in their judicial capacity.

Article 9.2.f GDPR

With regard to personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law.

Article 10 GDPR


 

Job Applicants

We process information from and about candidates in connection with employment or engagement opportunities at FIS. Information will be collected and used for the following purposes:

  • Assess a candidate’s skills, qualifications, and suitability for the role.
  • Carry out background and reference checks, where applicable.
  • Communicate with candidates about the recruitment process.
  • Keep records related to our hiring processes.
  • Comply with legal or regulatory requirements.
  • Stay connected with candidates who join the FIS Talent Network.

The information that is processed and how it is used

The information we collect, the manner in which it is used, and the timing in which it is gathered varies depending on the country in which the FIS entity to which the candidate applies is located.

As general matter, the data we collect regarding all job applicants includes the information provided on resumes, CVs and/or application forms, including name, contact details, employment history and qualifications.

We use a candidate’s personal data to assess their skills, experience and suitability for roles offered by FIS. This information is passed to the relevant hiring managers and persons involved in the recruitment process to decide whether to invite the candidate for an interview.

FIS will process further information if the candidate is invited to the interview (or equivalent) stage and onward. Such information may include interview notes, assessment results, feedback and offer details. This information will be used to decide whether to offer a role and, depending on the country, may also be used for the purpose of drawing up and concluding a contract.

If FIS decides to make an offer, further information will be processed as part of the pre-employment background screening before the appointment is confirmed to confirm that a candidate meets internal and legal requirements relevant to the position and to confirm the information provided by the candidate. Such information may include education history, work history and references.  We will also need to confirm and/or establish a candidate’s right to work in the country in question. 

For successful candidates, we process personal data necessary for onboarding the candidate which may include processing information required to enroll the successful candidate in company benefits and to provide access to FIS systems. Such information may include applicable personal identity number (tax, citizenship, social security or possibly other types of individual numbers applicable due to that candidate’s country and role); data of any relevant related persons (name of spouse/partner, children, etc.); signature; bank account details; emergency contacts; insurance data; driving license number and training records.

Further information on the information processed on members of our workforce can be found here

If a candidate fails to provide information when requested, which is necessary for FIS to consider their application (such as evidence of qualifications or work history), we may not be able to take the application any further. 

In connection with our recruitment activities including applications and onboarding, we may also process special category data or sensitive personal data from candidates where we have a legal obligation to do so, or with the individual's explicit consent, where collecting such information is permitted by law. For example;

  • Where allowed under applicable law, we may collect information about an individual’s disabilities to determine if requested or required adjustments during the recruitment process can reasonably be accommodated.
  • Once onboarded, an individual’s provision of information regarding disabilities will also be used to provide a suitable working environment.
  • We may also conduct criminal background checks for certain candidates to assess their eligibility or suitability to work at FIS or for FIS clients.
  • In certain countries, we will also ask candidates to provide diversity information (for example about their race and/or ethnicity) for diversity monitoring and reporting purposes, although the provision of this information will in most countries be entirely voluntary. However, where a candidate does not voluntarily provide such information, we could be required by law in some countries to make our own assessment of such criteria.

FIS Talent Network

Candidates have the opportunity to join the FIS Talent Network. Joining the Talent Network enhances a candidate’s job search and application process. By joining the Talent Network, candidates will receive job alerts with new job opportunities that match their interest, relevant recruitment marketing communications and have the possibility to share opportunities with family and friends. The data required to join the Talent Network are first name, last name, email address, phone number and areas of interest. Candidates can chose to also provide their current employer and current title.

How personal information is collected

Depending on the country in which the FIS entity to which the candidate applies is located, FIS collects personal data about candidates from the following sources:

  • Directly from the candidate – for example, information that provided by the candidate when applying for a position directly through the FIS careers website(s) or when joining the FIS Talent Network;
  • From recruitment agencies – for example, when a recruitment agency contacts us to suggest an individual as a potential candidate;
  • Through publicly available sources online – for example, where a candidate has a professional profile posted online (e.g., on their current employer's website or on a professional networking site, such as LinkedIn);
  • By reference – for example, through a reference from a former employee or employer, or from a referee identified by the candidate;
  • Results of assessments or background screening checks, either conducted directly or via a reputable background check provider.  Depending on the relevant country, such checks may include criminal record check, drug tests, credit check, employment history, education and/or qualification checks, identity and right to work checks and checks against international sanctions registers.

Recipients

Candidate personal data may be disclosed to the following recipients or categories of recipients for a legitimate business need and/or process: FIS People Office, Legal, Corporate Compliance, Risk, M&A Team, Security, Supply Chain Management and Real Estate, Internal Audit, Finance and Accounting, Information Systems, members of the Board of Directors, management personnel, FIS Clients, and FIS-selected service providers.  FIS may also make candidate personal data available to other third parties as authorized, such as law enforcement, tax authorities, other public bodies, potential and actual acquirers of FIS companies or businesses if a change of ownership or business transfer is anticipated or occurs. For more information about the categories of entities to which we have disclosed this information, and the purposes for which we have disclosed the information, please see “With whom we share your personal data”.

Automated processing

FIS recruitment processes do not result in decisions based solely on automated processing, although part of the application processes are automated. For example, FIS will ask questions about work authorization, compensation or travel requirements so that our recruiters can easily filter applicants for review (or not) based on their responses. In some countries, where this is legally allowed, FIS may decline applicants based on work authorization requirements. Candidates that apply for a role in one of FIS’ call centers may be subject to an additional text screening capability that may automatically invite candidates to the interview process based on satisfactory responses to the text questionnaire. Candidates not meeting the requirements will be manually declined by an FIS recruiter.

Exercising your rights

Click here for an overview of your rights as a data subject under applicable privacy and data protection laws and how to exercise these rights.

Data retention

If you apply for a role at FIS, we will retain your personal data only for as long as necessary after we have communicated to you our decision about whether to appoint you to. We retain your personal data for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal data.

If you join our Talent Network, we will retain your personal data (even if you had an unsuccessful application) so that we can send you job alerts with new job opportunities and relevant recruitment communications until you request us to delete your personal data.

Legal grounds for processing personal data of our job applicants are:

Explicit consent of the candidate – for example, a candidate’s information may be retained by FIS for the purpose of potential future recruitment opportunities withinFIS, with the candidate’s consent.

Article 6.1.a GDPR

Article 13.(1) PIPL

Our legitimate interest in attracting, identifying and sourcing talent

Article 6.1.f GDPR

Our legitimate interest to process and manage applications for roles at FIS, including the screening and selecting of candidates

Article 6.1.f GDPR

Our legitimate interest to identify the most suitable candidate for the opened job position

Article 6.1.f GDPR

Our legitimate interest to hire and onboard candidates by making an offer to successful candidates and carrying out pre-employment screening checks

Article 6.1.f GDPR

Our legitimate interest to manage our career websites (including conducting statistical analyses)

Article 6.1.f GDPR

Compliance with a legal or regulatory obligation (when carrying out background checks to confirm a candidate is eligible to work in the relevant country)

Article 6.1.c GDPR

Article 10 GDPR

Article 13.(3) PIPL

In order to take steps prior to entering into a contract with the candidate

Article 13.(2) PIPL

Two colleagues having a discussion in an open office space.

Clients

If you sign up to become one of our clients by entering into an agreement with FIS, we will collect information we need to establish and perform a contract with you, including your contact information, address, ID documentation, tax information and payment details.

We use this information to set up our products and services for you, including providing you with access to our Client Portal. In addition, we use your information for our legitimate interest of managing our internal administration and for complying with our legal obligations, such as know-your-client and anti-money laundering obligations and taxation obligations.

We also collect data about your use of our products and services, including your login details, and the questions, queries, comments and complaints you send or share with us in relation to our business relationship. We process this data to be able to perform our contract with you by following up with you and providing you with support and for our legitimate interest of being able to optimize and improve our products and services.

We can also use your (company) e-mail address for: keeping you up-to-date with our products and services; making you offers tailored to your needs (meaning similar products and services you have already purchased from us); or inviting you to events.

We have an obligation to act in compliance with applicable laws and regulations and to prevent fraud, money laundering and financing terrorism. As we are active in the financial sector, we are not allowed to accept just any client without checking them and we have to determine and report when suspicious transactions take place. Therefore, if you are applying to become one of our clients and during the performance of our agreement, we will need to collect up to date information and documents to:

  • Verify your identity;
  • Identify the ultimate beneficial owners of your business;
  • Identify the purpose and intended nature of your future business relationship with us;
  • Monitor your behaviour and transactions across the FIS solutions using automated systems which detect risks and verify the origins of your capital/assets; 
  • Check whether a natural person representing you is competent to do so (and verify the identity of this person); and
  • Check whether you act on behalf of yourself or on behalf of a third party.

To carry out the above checks, we process the information (including personal data) that you have provided to us and other information created by your use of the FIS services. Which may include your name, your contact information, a copy of your identification document, your tax identification number (if legally required), the address of your legal representative and shareholders, your bank account number, information contained in correspondence between us, bank statements, your signature and an extract of your company registration document. We use third party identification and verification services (including credit reporting agencies) in order to assist us to verify your identity and the documents provided to FIS.

Legal grounds for processing personal data of clients are:

Performance of a contract

Article 6.1.b GDPR

Article 13.(2) PIPL

Compliance with a legal or regulatory obligation, including know-your-client, anti-money laundering and taxation obligations

Article 6.1.c GDPR

Article 13.(3) PIPL

Our legitimate interest in providing you with our goods and services and securing prompt payment of any fees, costs and debts in respect of our services

Article 6.1.f GDPR

Our legitimate interest in responding to questions, queries, comments and complaints you send or share with us

Article 6.1.f GDPR

Our legitimate interest in safeguarding FIS against inadvertently dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities (for example, terrorism)

Article 6.1.f GDPR

Our legitimate interest in sending you direct marketing communications to keep you informed about our products and services and to invite you for relevant events

Article 6.1.f GDPR

Customer inserts chip card into a credit card terminal.

Consumers ("buyers")

FIS is a payment service provider and as such Worldpay from FIS (“Worldpay”) provides payment processing, acquiring and gateway services to its clients which operate as merchants. Being an acquirer means that Worldpay accepts payment on behalf of the relevant merchant and then transfers the funds paid by the buyer (“you”) to the merchant. Worldpay’s role is to request the relevant payment scheme, such as Mastercard, Visa or Maestro or an alternative payment method provider, to authorize the transaction and (if necessary) send this to the buyer’s bank for approval. If the necessary authorizations and approvals are given, Worldpay is notified of this by the relevant payment scheme or alternative payment method provider and makes the payment to the merchant’s bank. Worldpay may also enable merchants to pay others, like you, by sending payments to your bank account or payment card (for example, payouts of insurance claims or gambling winnings). We rely on card networks and banking partners to complete the payment to your bank account or payment card.

When we provide merchant acquiring services and other payment services to our client, Worldpay processes your personal data as an independent data controller.

Worldpay also offers its clients fraud detection services. For some of these fraud services we act as a processor on behalf of, and under the instructions of, our merchants. We recommend you read the merchant’s privacy notices for more information regarding the processing of your personal data. This notice applies to the processing of your personal data for fraud detection, prevention and monitoring where Worldpay acts as an independent controller.

Purposes for which we process buyer’s personal data and types of personal data

  • We process the data we need for our legitimate interest of providing so-called gateway, payment processing and/or acquiring services to our merchants which receive payments from you for any reason (including, without limitation, for the sale of their goods and services). This means that we receive your payment transaction data on behalf of the merchant and handle related matters around these financial transactions. In addition, when a merchant wishes to charge your card for a recurring payment and your card has expired, Worldpay may request the relevant payment scheme or lookup up your up-to-date card information on the Worldpay platform, to facilitate your payment.
  • We process the data to pay others, like you, on behalf of our merchant clients and handle related matters around these financial transactions.
  • We may process your personal data when necessary to initiate (or arrange the initiation of) payments from your bank account, if you and your bank authorize us (and/or our partners) to do so.
  • In addition, we process your data to comply with our legal obligations, such as to monitor financial transactions for the purpose of preventing money laundering and terrorist financing. For these purposes we may collect your card number (which we encrypt in accordance with PCI DSS standards), the expiry date (month and year) of your credit card, your bank account details (typically excluding your name), including IBAN and SWIFT/BIC, the amount of the transaction and the currency in which the transaction is done, the date, time and location of the transaction and the category and ID of the merchant with whom you are shopping. 
  • If necessary, we can also process any of your information above for our legitimate interest of protecting our legal rights, for example in connection with legal claims, and when we have a legal obligation to process your information. 
  • In addition, Worldpay processes your personal data for the following purposes:
    • To provide the service pursuant to the agreements with our clients and the specific payment schemes;
    • To comply with applicable laws and regulations;
    • To conduct analysis for statistical, strategic and scientific purposes; and
    • To protect our platform, systems and services from misuse, fraud, financial crimes or other unauthorized or illegal activity.
  • We process personal data for purposes of protecting you and our clients against fraud or unauthorized transactions and preventing and monitoring fraud across Worldpays payment solutions. This includes the identification of fraud with the payment details provided by our merchants or information about fraud from other third parties such as issuing banks, acquirers or scheme owners. Additionally, Worldpay may use and aggregate your personal data to create and run models or other methods to accurately identify, predict, prevent and mitigate fraud across Worldpays payment solutions. These models or other methods may be leveraged to offer fraud-related products and services to our merchants. For fraud detection, prevention and monitoring, Worldpay may process transaction data (such as card number and cardholder name, email address, location data, IP address, information about disputed transactions, information on confirmed fraud, merchant details, mobile devises and unique identifiers).The use of these fraud models and/or other methods may result in merchants making decisions as to whether or not to grant you access to a product or service and/or whether or not to authorize a transaction.

Recipients

In some jurisdictions, we may need the help of third parties to be able to offer you our acquiring or issuing services, for example payment schemes such as Mastercard and VISA. It will depend on your location, payment method and issuing bank which of these payment schemes is used. Additionally, we share your information with the merchant with whom you are shopping. We may also share some of your information with competent authorities and/or regulators in case this is required to comply with legal obligations to which Worldpay is subject, for example for the purpose of preventing money laundering and terrorist financing.

We use third-party service providers to support us in providing acquiring and fraud detecting services. These include risk, fraud, and compliance service providers (e.g. for transaction risk monitoring); debt service providers (e.g. for debt collection analysis or management); and for business analytics (e.g. for data aggregation, visualization and reporting).

Otherwise, we will not share your identifiable information with any third party, unless we have your permission, where this is necessary in connection with the purposes above or with legal claims or when we have a legal obligation to do so.

Exercising your rights

Click here for an overview of your rights under applicable privacy and data protection laws and how to exercise these rights.

Legal grounds for processing personal data of “buyers” are:

Our legitimate interest in providing payment processing, acquiring and gateway services to merchants pursuant to the agreements with our clients and the relevant payment schemes

Article 6.1.f GDPR

Our legitimate interest in conducting analysis for statistical, strategic and scientific purposes

Article 6.1.f GDPR

Our legitimate interest to protect FIS from misuse, fraud, financial crimes or other unauthorized or illegal activity

Article 6.1.f GDPR

Compliance with a legal obligation

Article 6.1.c GDPR

Article 13.(3) PIPL

Suppliers

We process personal data about our suppliers (including subcontractors, and individuals associated with our suppliers and contractors) in order to manage our relationship and contract and to receive services from our suppliers.

The personal data we process is generally limited to contact information (name, name of supplier, phone, email, and other contact details) and financial information (payment-related information).

Before we take on a new supplier, we perform compliance searches that could include – depending on the risk level - for example anti-money laundering, anti-bribery and anti-corruption checks, modern slavery audits, adverse media checks, Politically Exposed Persons (PEPs) searches, and/or Sanction Lists checks.

Legal grounds for processing personal data of our suppliers are:

Performance of a contract

Article 6.1.b GDPR

Article 13.(2) PIPL

Compliance with a legal or regulatory obligation

Article 6.1.c GDPR

Article 13.(3) PIPL

Our legitimate interest in managing payments, fees, and charges, and to collect and recover money owed to FIS

Article 6.1.f GDPR

Our legitimate interest in safeguarding against FIS inadvertently dealing with the proceeds of criminal activities or assist in any other unlawful or fraudulent activities (for example, terrorism)

Article 6.1.f GDPR

Processing personal information which has been publicly disclosed or legally disclosed, within a reasonable scope.

Article 13.(6) PIPL

Visitors to our offices

When you visit an FIS office, we process your personal data to provide you with certain facilities (such as access to our buildings, our conference rooms, and Wi-Fi), to control access to our buildings, and to protect our offices, personnel, goods, and confidential information.

The personal data we collect is generally limited to your name, contact information, location, vehicle registration (if you use our car park), and the time you enter and leave our building. In some jurisdictions, we may also request you to show proof of identification in the form of a valid government issued photo ID.

Visitor records and access badges

We require visitors to our offices to sign in at reception, and we keep that record of visitors for a short period of time. Visitors to our buildings are provided with a temporary access badge to access our building. Our visitor records will be used to verify that access badges are returned, to look into a security incident, and for emergency purposes (for example, if an office needs to be evacuated).

Wi-Fi

We monitor and log traffic on our Wi-Fi networks. This allows us to see limited information about a user’s network behavior but will also include being able to see at least the source and destination addresses the user is connecting from and to.

CCTV

FIS uses CCTV monitoring where permitted by law. CCTV images are securely stored and only accessible on a need-to-know basis (for example, to investigate a potential incident). We are allowed to disclose CCTV images to law enforcement bodies. We will also share CCTV images with our insurers for purposes of processing an insurance claim as a result of an incident. CCTV recordings are typically deleted or automatically overwritten after a short period of time unless an issue is identified that requires further investigation.

Exercising your rights

Click here for an overview of your rights under applicable privacy and data protection laws and how to exercise these rights.

Legal grounds for processing personal data of visitors to our building are:

Our legitimate interest in protecting our offices, personnel, goods, and confidential information

Article 6.1.f GDPR

Our legitimate interest in preventing and detecting crime, and establishing, exercising, and defending legal claims

Article 6.1.f GDPR

Consent of the visitor

Article 6.1.a GDPR

Article 13.(1) PIPL

Visitors to our websites and other digital channels

Personal data that we collect about you when you visit our website (“site”) and other digital channels (hereinafter referred to as ‘our site’) falls into several categories.

Information that you provide voluntarily

We collect personal data you provide voluntarily through our site, for example, when completing online forms to contact us, subscribing to a newsletter, subscribing to receive marketing communications from us, participating in surveys, or registering for events we are organizing. The information we collect about you includes the following:

  • Name
  • Job title, job level or job function, role
  • Education
  • Company or organization
  • Company data
  • Contact information, including primary email, email address, and telephone numbers
  • Demographic information, such as industry, country, postcode, preferences, and interests
  • Other information relevant to client surveys or similar research
  • Information relating to events captured through event-related forms, such as dietary restrictions, hotel and flight information, registration/participation status, media interview attendance, previous event experience, and gender 
  • Information pertinent to providing goods and services to you
  • Any other personal data you voluntarily choose to provide to us

We do not intentionally collect sensitive personal data, unless you provide us with such data. While there may be free text boxes on the site where you are able to enter any information, we do not intend to process sensitive personal data. You are not required to provide, and should not disclose, sensitive personal data. If you choose to provide any sensitive personal data in this manner, you acknowledge you consent to the collection and processing of this sensitive information.

If you register on our website, your personal data will be stored in our Client Relationship Management (CRM) system. If you have opted out of receiving marketing communications, your basic contact details will remain on our opt-out list.

Information we collect automatically

When you visit our site, we collect certain personal data automatically from your device. Specifically, the data we collect automatically includes information, such as your IP address, pixel ID, device type, unique device identification number, browser type, operating system, broad geographic location (e.g., country or city-level location), and other technical information. We also collect information about how your device has interacted with our site, including the pages accessed, current URL, time you visited the site, and links clicked. Collecting this information enables us to better understand the visitors who come to our site, where they come from and what content on our site is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our site to our visitors.

Information will be collected using cookies and similar tracking technology, as explained further in our Cookie Notification.

Purposes for which we process your personal data as a visitor to our site are:

  • To administer and manage our site, including to confirm and authenticate your identity, and prevent unauthorized access to restricted areas of our site (for example, we may confirm your IP address matches the location entered into our online forms or may confirm you are not listed as a restricted party with whom we are legally prohibited from doing business);
  • To personalize and enrich your browsing experience by displaying content (including targeted advertising) that is more likely to be relevant and of interest to you
  • To analyze the data of visitors to our site and site traffic information
  • To capture web metrics about the journey of users within our site
  • To determine the company, organization, institution, or agency you work for or with which you are otherwise associated
  • To develop our business and services
  • To deliver products and services to our clients to provide them with information about such products or other legitimate business purposes
  • To provide you with marketing communications
  • To conduct benchmarking and data analysis (for example, regarding usage of our site and demographic analyses of visitors of our site)
  • To understand how visitors use the features and functions of our site
  • To monitor and enforce compliance with applicable terms of use
  • To conduct quality and risk management reviews
  • To enable the better management of our events
  • To enable teams managing events to coordinate their email campaigns and event notifications more effectively
  • To allow for event and webinar sign-up
  • To allow for content download and lead capturing
  • To allow services and information to be delivered effectively to you
  • Any other purpose for which you provided information to FIS

 

When you contact us or request us to contact you

Via our website, or other digital channels, you can contact us or ask us to contact you regarding questions, queries, (support) requests, comments or complaints, fill out an application to become a client, merchant or a partner or sign up for an account. When you do this, we collect the information you supply, including your name, company, contact details, the reason you are contacting us, verification you are not a robot and other information you provide us with. You can also contact us by calling us or e-mailing us using, for example, the contact details listed on our website. If you do so, we will collect your name, company, and any other information we need to be of further assistance to you and/or communicate with you.

We use the aforementioned data to answer your questions, comments, complaints, respond to your queries and (support) requests, and to assess your application to become a client or partner. As such, this data is used by us to establish or perform our (future) contract with you and for our legitimate interests in following up with you. We also use the data above for our legitimate interest of conducting business with you and managing our internal administration, for training purposes, for establishing and performing our contract with you, for our legitimate interest of conducting marketing research, so we can improve our products and services and to offer our (future) clients tailored products and services.

Geolocation data

When you use our mobile apps, we collect and use geolocation information linked to your device, with your permission, and where permitted by local law.  FIS uses this data as part of its processes to prevent and detect fraudulent card use and send alerts. FIS retains geolocation information processed as part of a transaction for 180 days. Where permitted by local law, FIS may monitor your geolocation information in the background while the mobile app is being used. You may change location permissions at any time either directly in the mobile app or in your device settings.

Children’s privacy

FIS does not knowingly solicit or collect personal data from children under the age of thirteen (13) without verifiable parental consent. If FIS learns that a child under the age of thirteen (13) has submitted personal data without parental consent, FIS will take all reasonable measures to delete such information from our databases and not use such information for any purpose (except where necessary to protect the safety of the child or others as required or allowed by law). If you become aware that we have collected any personal data from children under the age of thirteen (13), please contact us at datarights@fisglobal.com.

FIS website(s) are not directed at persons under the age of 18. FIS does not knowingly collect, maintain, or use personal data from persons under the age of 18 on any FIS website. If you are under the age of 18 years, please do not register or otherwise provide information to FIS on an FIS website. Minors under 18 years of age may request to have the personal data they have provided to us deleted by sending an email requesting deletion to datarights@fisglobal.com

Please note, while we make reasonable efforts to comply with such requests, deletion of your personal data does not confirm complete and comprehensive removal of that data from all FIS systems.

Cookies and tracking on FIS websites and apps

When visiting FIS’ corporate website, https://www.fisglobal.com/, users are not immediately tracked and have the option to accept cookies by selecting “Accept”. By not selecting the “Accept” option or by blocking specific types of cookies, FIS will not install non-essential cookies.

FIS websites may be linked to other websites

FIS websites may contain links to other websites. As you navigate our websites, you may click on links that take you to websites that belong to other business units or business partners affiliated with FIS. In addition, we may include links to third-party websites, which are not FIS business units or FIS affiliates. FIS is not responsible for the content or privacy practices of other non-FIS websites to which our websites link. If you are asked to provide information on one of these websites, we encourage you to carefully review their privacy policies before doing so.

Managing your preferences

FIS strives to provide you with choices and preferences regarding certain personal data uses, particularly around marketing and advertising. You may change your preferences or opt-out of receiving communications about FIS products and services by visiting our subscription preference center at any time.

Exercising your rights

Click here for an overview of your rights under applicable privacy and data protection laws and how to exercise these rights.

Legal grounds for processing personal data of visitors of our site are:

Our legitimate interest in the effective delivery of information and services to you, and the effective and lawful operation of our businesses

Article 6.1.f GDPR

Our legitimate interest in responding to questions, comments, complaints, respond to queries

Article 6.1.f GDPR

Our legitimate interest in developing and improving our sites and digital channels and your user experience

Article 6.1.f GDPR

Explicit consent of the visitor

Article 6.1.a GDPR

Article 13.(1) PIPL

Compliance with a legal obligation

Article 13.(3) PIPL

Processing personal information which has been publicly disclosed or legally disclosed within a reasonable scope

Article 13.(6) PIPL

Cookies and other similar tracking technologies

You can accept or reject cookies for our websites and other digital channels through the cookie preference center made available on these sites. You can also do so by adjusting your web browser controls. Please read our Cookie Notification for more information about our use of cookies on www.fisglobal.com.

Legal grounds for processing cookies are:

Non-essential cookies: consent

Article 6.1.a GDPR

Essential cookies: our legitimate interest in making sure our websites and digital channels function properly

Article 6.1.f GDPR

Essential cookies in China: compliance with legal obligation (cybersecurity obligation), and/or processing is necessary to provide our products or services.

Article 13.(3) PIPL

Article 16 PIPL

Marketing

If you are one of our (potential) clients and, as required by applicable law or regulation, have opted in or have not elected to opt-out of receiving marketing communications, we may contact you in relation to relevant products or services via physical mail, telephone, text message and/or e-mail. We may also send you marketing communications if you have signed up and provided your consent at a trade show or conference.

If you are not one of our clients, you can sign up and select the types of content you would like to receive including events, product information and thought leadership/industry insights by providing your name and e-mail address via the subscription preferences form on our website or other digital channels. By completing and submitting this form, you indicate your consent to receive your preferred choice of content via the communication method selected including email, telephone, physical mail and/or text message. At any time, you  can unsubscribe from receiving marketing communications by following the instructions provided in the communication, contacting us via DataRights@fisglobal.com or by clicking here to unsubscribe or adjust your preference settings . Our action will be subject to applicable limitations of the laws of your home jurisdiction.

We may indirectly market to you via our website or social media. You can download content, for example white papers and research reports, from our website or social media using the forms designed for this purpose. We collect and process the data you fill out on the form, including your name, company, country and e-mail address to provide you with the content or for our legitimate interest of keeping track of who downloads our content and for the performance of a contract with you. We will not add you to our marketing distribution lists unless you have provided your consent.

We are committed to ensuring you only receive the marketing communications you want from us and will never send you unsolicited marketing communications.

Legal grounds for processing personal data for marketing purposes are:

Consent

Article 6.1.a GDPR

Article 13.(1) PIPL

Performance of a contract, if you request a copy or download of our white papers / reports

Article 6.1.b GDPR

Article 13.(2) PIPL

Our legitimate interest in developing our business

Article 6.1.f GDPR

Our legitimate interest in sending you direct marketing communications to keep you informed about products and services and to invite you for relevant events

Article 6.1.f GDPR

Events

We process personal data about participants in FIS meetings, conferences, events and learning sessions (events). We use various applications to manage event registration processes, which applications will contain their own privacy notices explaining why and how personal data is collected and processed by these applications. We encourage participants to refer to the privacy notices available on those applications.

As part of our event management processes, we process the following personal data (but only to the extent required for a specific event):

  • Name, age or date of birth
  • Registrant’s contact details (address, email address and phone number)
  • Company name
  • Gender
  • Home or other physical address
  • Names of employers (FIS or company)
  • Occupation (job title)
  • Credit or debit card number
  • Passport number
  • Personal web URL (if you have a personal website that you would like to share)
  • Event-related data such as: Dietary restrictions or special requirements, registration status, participant status/type, media interview attendance, previous event experience, arrival time/departure time, hotel check-in/check-out time, flight information (airline, arrival and departure dates)

We do not intentionally collect sensitive personal data, unless you provide us with such data (for example, special dietary requirements which reveal your religious affiliation or any food allergies or other data relating to your health necessary to provide support to participants, if needed, for example, if a wheelchair will be required).

Attendees of FIS events hosted at external venues may be required to bring a photo ID for identification purposes to safeguard our people, assets and information, and to prevent unauthorized people gaining access to off-site FIS events.

FIS is allowed to take photographs and make audio or video recordings in public areas of the FIS events. We use such media in our marketing materials. Images and voices of attendees will be recorded. Recordings will be edited, copied, exhibited, published or distributed.

Legal grounds for processing personal data of Event participants are:

Explicit consent of the participant

Article 6.1.a GDPR

Article 13.(1) PIPL

Our legitimate interest in organizing events and managing the registration process for such events

Article 6.1.f GDPR

Our legitimate interest in protecting our people, assets and information, and to prevent unauthorized people gaining access to off-site FIS events

Article 6.1.f GDPR

Our legitimate interest in providing information about FIS, our services and events we organize

Article 6.1.f GDPR

Individuals who correspond with FIS via email

FIS uses a variety of tools to maintain the security of our IT infrastructure, including our email facilities. Examples of such tools are:

  • Systems that scan incoming emails to FIS recipients for suspicious attachments and URLs in order to prevent malware attacks
  • Tools that provide end-point threat detection to detect malicious attacks
  • Tools that block certain content or websites

If you correspond via email with an FIS recipient, your emails will be scanned by the tools FIS operates to maintain the security of its IT infrastructure, which could result in content being read by authorized FIS persons other than the intended recipient.

Legal grounds for processing personal data of individuals who correspond with FIS via email:

Our legitimate interest in protecting our IT infrastructure against unauthorized access or data leakage

Article 6.1.f GDPR

Our legitimate interest in analyzing email traffic

Article 6.1.f GDPR

Processing personal data which has been publicly disclosed or legally disclosed within a reasonable scope.

Article 13.(6) PIPL

Consent

Article 13.(1) PIPL

Individuals who correspond with FIS via phone and voice mail services

When you call FIS personnel, only your phone number will be stored on our servers and will be delivered to the voice mail box holder via recording and/or via an email. No other personal data is collected but technical logs and reports may be stored for trouble shooting purposes.

Recording of client phone calls

Client phone calls to call centers or help desks operated by FIS may be recorded. FIS will always inform the caller that the call is being recorded and the reasons for recording. Where required under applicable law, FIS will obtain the caller’s consent.

Recording will be initiated for reasons of improving quality of client service, dispute resolution, regulatory and compliance, and training of staff.

Legal grounds for processing personal data of individuals who correspond with FIS via phone and voicemail services:

Our legitimate interest in maintaining communication networks

Article 6.1.f GDPR

Our legitimate interest in improving client service, dispute resolution, and training of staff

Article 6.1.f GDPR

Compliance with a legal obligation

Article 6.1.c GDPR

Article 13.(3) PIPL

Consent (for the processing of sensitive personal data, such as biometric data)

Article 9.2.a GDPR

Article 13.(1) PIPL

Processing personal data which has been publicly disclosed or legally disclosed within a reasonable scope.

Article 13.(6) PIPL

Voice authentication

As an additional account authentication option, FIS offers biometric voice recognition technology that can capture your voiceprint and use it to identify you when you call us.

Before collecting your voiceprint, we will notify you that voice authentication is available, and we will ask for your consent before enrolling you in our voiceprint program. Participation in the voiceprint program is not compulsory and you may terminate your participation at any time.

After you sign up for the voiceprint program, we’ll record a short sample of your voice using an Interactive Voice Response (IVR) system. This will pinpoint unique characteristics in the way you speak, such as pitch, language, and speech patterns, to create a mathematical formula to produce a unique identifier for your voice. This identifier is a unique code made up of a series of numbers and letters which can be used only to identify your voice.

Once you've enrolled in the voiceprint  program, whenever you call us, our phone system will confirm who you are by comparing your voice to your unique voiceprint and check details about the device and phone number that you're contacting us from. This confirms it's really you calling and you’ll then be able to speak to one of our representatives or use our self-serve features.

Our goal is to make it simpler for you to do business with us, and by using voiceprints, it protects both you and FIS against fraud, misrepresentations and other errors. Your voiceprint will only be used to confirm your identity and replaces other methods of verification such as questions asked by one of our representatives to validate your identity.

Your unique voiceprint cannot be used to reverse engineer, reuse or recreate your voice.  Your voiceprint is encrypted and kept in a secured database.

Exercising your rights

If you no longer want to use our voice authentication services, just let us know and we will  deregister you from the service and remove your voiceprint data from our systems.

Click here for an overview of your rights under applicable privacy and data protection laws and how to exercise these rights.

Legal grounds for processing voiceprints:

Explicit consent

Article 6.1.a GDPR

Article 9.2.a GDPR

Article 13.(1) PIPL

 

Two colleagues working in a shop.

Worldpay

Worldpay, LLC, and its subsidiaries and related entities, collectively known as “Worldpay” (“Worldpay” or “we” or “our”), recognizes and respects the privacy of individuals whose personal data it collects, uses, and stores in the course of conducting business.

This Privacy Notice explains to individuals who access or use Worldpay’s services, including those who interact with our websites, mobile sites, and applications (“Sites and Services”) (“you”), how Worldpay uses your personal data. This includes buyers, Worldpay merchants, and other Worldpay clients who trade as individuals, as well as website or app users. When Worldpay uses the word “buyer” in this Privacy Notice, this means any shopper or individual whose payment transactions may be processed using Worldpay’s Sites and Services.

This Privacy Notice is global in scope but is not intended to override any legal rights in any territory where such rights prevail.

The Worldpay entity responsible for collecting, storing, or using your personal data (that is, the “Controller” where the GDPR or the United Kingdom Data Protection Act 2018 apply) depends on why or how you interact with Worldpay and your location.

Personal data used by Worldpay

Worldpay collects personal data relating to buyers, merchants, or other clients in order to carry out its business activities. Worldpay may collect personal data from various sources, including:

  • information provided to us, either directly or via our merchants, or other clients;
  • information automatically collected when you use our Sites and Services, including but not limited to our role as a payment processor;
  • information collected from third parties, including but not limited to: fraud monitoring service providers, commercial databases, or know your client (KYC) service providers.

This personal data may include:

  • Contact information, including but not limited to: name (first, last, and business), telephone numbers, address (home, billing, and business), fax, email address, and other communications;
  • Demographic information, including but not limited to: nationality, country of residence, date of birth, marital status, birth place, gender, preferred language, citizenship;
  • National Identification information, including but not limited to: national insurance number, passport, social security number, taxpayer identification number, driver license or other form of identification to verify a buyer, merchant, or other client;
  • Monitoring or Recording, including but not limited to: monitoring or recording of telephone calls, emails, web chats, CCTV, access control, or other communications;
  • Merchant or other Client identification, including but not limited to: merchant or client ID;
  • Merchant or other Client management, including but not limited to: billing, invoicing, refunds, financial position (including debt position), reconciliations, and reporting;
  • Information related to items purchased, including but not limited to: location of the purchase, value, time, method, any feedback that is given in relation to such purchase;
  • Payment transaction information, including but not limited to: which Alternative Payment Method (“APMs”) is used (e.g. bank transfer, pre-pay service, post-pay service, eWallets, and local card schemes), transaction monitoring and fraud monitoring information (e.g. transaction values and volumes,  risk scores attributed to transactions, merchant category code, IP address from where a transaction is made (optional), buyer email address (optional)), and analytics or trend analyses related to a client’s sales or refunds (including chargebacks);
  • Financial and credit/debit card information, including but not limited to: payment account number (PAN) or account number, card expiration date, CVC details, bank, and/or issuer details;
  • Credit, fraud, sanctions, and transaction risk information, including but not limited to: information obtained about our clients from credit reference or fraud prevention agencies, including credit history, credit score, and business name, business address and any business ID (such as the registered number or VAT number), financial statements for the applicant or companies within the same group of companies as the applicant and payment transaction information from our fraud and transaction monitoring activities which relates to our clients, such as transaction types, values, and risk scores;
  • Technical information, including: the IP address used to connect your computer or device to the Internet, your device ID, login information (username/password), browser type and version, time zone setting, browser plug-in types and versions, device operating system platform, mobile carrier, location, or GPS/geo-location;
  • Information about your visit or whether you opened an email, including: the full Uniform Resource Locators (URL) clickstream to, through and from Worldpay’s site (including date and time), products or services you viewed or searched for page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), methods used to browse away from the site page, any phone number used to call Worldpay’s client service number;
  • Photographs and videos of you, from Worldpay events, e.g., through identity verification;
  • Publicly accessible comments and opinions reviewed and used by Worldpay, through Internet searches or posted on social networking sites, such as Facebook and LinkedIn;
  • Insights gained through Worldpay gatherings from sessions that you participate in and contribute at Worldpay events;
  • Social media posts on Worldpay social media sites or made publicly about Worldpay on social media;
  • Event participant details from a Worldpay event, including but not limited to: name, title, and company from a Worldpay app for the event which is available to registered delegates; and
  • Applications, if you download or use mobile or desktop applications, including information about your location, your device or the service you are using, including where a payment transaction takes place.

Worldpay sharing of personal data

Worldpay may make personal data available to:

  • other parts of Worldpay, or FIS group companies;
  • third-party service providers, including information technology service providers (e.g., for cloud computing), credit reporting agencies, risk, fraud, and compliance service providers (e.g. for transaction risk monitoring); debt service providers (e.g. for debt collection analysis or management); and for business analytics (e.g. for data aggregation, visualization and reporting);
  • our business partners, including payment processors, payment infrastructure providers, digital wallet providers, banks, and other financial institutions;
  • advertisers (where a Worldpay client opts-in to this service);
  • our professional legal advisors (accountants, consultants, lawyers, and tax advisors);
  • law enforcement, regulatory, prosecuting, tax or governmental authorities, courts, other tribunals, or dispute resolution bodies;
  • prospective sellers or buyers as part of a sale or merger of our company, business, or assets; and
  • any other third party to the extent the disclosure is required by a law which applies to us.

As Worldpay is a global business, the above recipients may be based internationally (that is in a different country or territory to you), and some will be based outside of the European Economic Area or United Kingdom.

For U.K., products and customers, you can learn more about the credit reporting agencies (CRA), their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs on their websites in the Credit Reference Agency Information Notice (CRAIN) document. Download a copy from any of the websites below:

Transfer of personal data

Please click here if you would like to understand what safeguards Worldpay has put in place for the international transfer of personal data.

Exercising your rights

Click here for an overview of your rights under applicable privacy and data protection laws and how to exercise these rights.

Why Worldpay processes personal data

We collect, use, and store your personal data for the reasons stated in the table below. 

We may also use your personal data so long as the use is not incompatible with the original purpose for which we obtained your personal data, and for any other purpose that we specifically tell you about.

In some cases, we may require you to provide your personal data because of a legal or contractual duty, and your failure to provide the information in these circumstances could result in us being unable to fulfil our relationship with you.

Purpose of processing

Legal ground(s) for use

Designing, evaluating, benchmarking, and administering:

Worldpay product and service offerings and their relevance for particular merchants or clients.

Worldpay relies on:

  • Consent to send promotional material (if required);

    Article 6.1.a GDPR

  • Worldpay’s legitimate interests in protecting and enforcing its rights or to send promotional material;

    Article 6.1.f GDPR

  • Worldpay’s legitimate interests in developing and improving products and services;

    Article 6.1.f GDPR

    and

  • The need to process personal data to provide a requested product or service or to fulfill a contract.

Article 6.1.b GDPR

Diversity programs, including compliance with diversity objectives

Worldpay controlled recognition and rewards programs for our merchants or other clients

Education, training, and awareness programs for our merchants or other clients

Sales and marketing campaigns

Offers of products, services, and contracts

Accounts receivable, accounts payable, bad debt and reserves; bank accounts for payments and receipts

Assembling, maintaining, and disseminating:

Client-specific job assignments for sales, marketing, and collections

Worldpay relies on:

  • Worldpay’s legitimate interests in the administration of its business or in meeting internal record-keeping requirements;

    Article 6.1.f GDPR

  • Worldpay’s legal obligations under tax, audit, or regulatory law to maintain internal records

    Article 6.1.c GDPR;

    and

  • Worldpay’s legitimate interest in assisting its merchants or other clients to understand their transactions or its contractual obligation to provide this information.

Article 6.1.f GDPR

Client directories

Emergency contact information for merchants or other clients

Identification credentials

Internal record-keeping and reporting, including reporting on credit and financial risk

Providing reports and analytics to our merchants or other clients

Supporting, monitoring, auditing, executing, and facilitating:

Business conferences and travel

Worldpay relies on:

  • Consent;

    Article 6.1.a GDPR

  • Worldpay’s legitimate interests in the administration of its business

    Article 6.1.f GDPR;

  • Worldpay’s legitimate interests in protecting the integrity of Worldpay services, facilities, and systems.

    Article 6.1.f GDPR

  • Worldpay’s legitimate interests in preserving records for business purposes, assuring security at its facilities and systems, and making merchant or other client contact information available to relevant employees;

    Article 6.1.f GDPR

  • Worldpay’s legitimate interests in promoting, developing, and improving products and services

    Article 6.1.f GDPR;

    and

  • The need to process personal data in order to provide a requested product or service or to fulfill a contract.

Article 6.1.b GDPR

Business negotiations and transactions (including due diligence)

Business operations, including client billing

Business transition activities, including mergers, acquisitions, and divestitures

Company marketing efforts, including websites, conferences, brochures, and other promotional media events and materials

Compliance with contractual obligations, client service, support, or account management

Identification for security and systems/ facility authentication

Internal and external business communications and management reporting

Complying with:

Applicable laws and regulations and industry requirements, including reporting and disclosure obligations.

Worldpay relies on:

  • Legal obligations to process personal data under applicable UK, EU, or EU Member State law;

    Article 6.1.c GDPR

  • Worldpay’s legitimate interests to comply with non-UK, EU, or EU Member State laws and regulations, or industry (e.g., card scheme or Payment Card Industry) requirements

    Article 6.1.f GDPR;

    and

  • Worldpay’s legitimate interests in protecting and enforcing its rights.

Article 6.1.f GDPR

Conducting:

Audits and accounting, financial and economic analyses (including to assess financial and insurance risks)

Worldpay relies on:

  • Legal obligations under UK, EU, or EU Member State audit, tax, or regulatory laws.

    Article 6.1.c GDPR

  • Worldpay’s legitimate interests in meeting non-UK, EU, or EU Member State audit, tax, or regulatory requirements.

    Article 6.1.f GDPR

  • Worldpay’s legitimate interests in analyzing performance, understanding Worldpay merchant or other client preferences;

    Article 6.1.f GDPR

  • Worldpay’s legitimate interests in protecting the integrity of Worldpay Sites and Services, operations, facilities, and systems

    Article 6.1.f GDPR;

    and

  • Worldpay’s legitimate interests in protecting its rights.

Article 6.1.f GDPR

In accordance with local law, investigations into alleged policy or contractual violations by merchants or other clients

Opinion and engagement surveys

Protecting:

Security of Worldpay assets, by implementation of identity authentication and other security measures, control of access to Worldpay and client workplaces and systems, monitoring of activity in Worldpay work locations, and execution of backup and storage procedures

Worldpay relies on:

  • Worldpay’s legitimate interests in protecting its rights, the integrity of Worldpay services, operations, facilities, and systems, and preventing fraud or the misuse of Worldpay services.

Article 6.1.f GDPR

Preventing, detecting, and assisting in the prevention, detection or prosecution of:

Crime, including fraud, sanctions offences and money laundering

Worldpay relies on:

  • Worldpay’s legal obligations under UK, EU, or EU Member State law;

    Article 6.1.c GDPR

  • Worldpay’s legitimate interests in conducting sanctions and anti-money laundering screening, and meeting non-UK, EU, or EU Member State legal or regulatory requirements;

    Article 6.1.f GDPR

    and

  • Worldpay’s legitimate interest in protecting and enforcing its rights and property.

Article 6.1.f GDPR

Monitoring, auditing, and reviewing:

Communications and information on company systems, including email and website usage

Worldpay relies on:

  • Worldpay’s legitimate interests in protecting the integrity of Worldpay services;

    Article 6.1.f GDPR

    and

  • Worldpay’s legitimate interests in protecting and enforcing its rights, protecting the integrity of Worldpay services, operations, facilities and systems, and staff, and preventing fraud or the misuse of Worldpay services.

Article 6.1.f GDPR

Compliance with company policies, procedures, and processes

Activity in company work locations

Preparing for, defending, participating in or responding to:

E-discovery requests for information

Worldpay relies on:

  • Legal obligations to participate in legal or complaints processes under UK, EU, or EU Member State law;

    Article 6.1.c GDPR

  • Worldpay’s legitimate interests in participating in legal or complaints processes under non-UK, EU, or EU Member State law, regulatory or industry requirements;

    Article 6.1.f GDPR

    and

  • Worldpay’s legitimate interests in protecting and enforcing its rights.

Article 6.1.f GDPR

Litigation or potential litigation and other types of dispute resolution (including complaints)

Communicating and sharing of information with FIS companies or potential or actual acquirers of FIS companies or businesses for:

 

Internal administration and business management and planning purposes

Worldpay relies on:

  • Legal obligations relating to audit, tax, or compliance requirements under UK, EU, or EU Member State law;

    Article 6.1.f GDPR

    and

  • Worldpay’s legitimate interests to structure its business appropriately and to meet non-UK, EU or EU Member State requirements relating to audit, tax, or compliance.

Article 6.1.f GDPR

Processing and administering:

Tax and other required withholdings

Worldpay relies on:

  • Legal recordkeeping and reporting obligations under UK, EU or EU Member State law;

    Article 6.1.c GDPR

  • Worldpay’s legitimate interests in protecting its rights and meeting non-UK, EU or EU Member State recordkeeping and reporting requirements;

    Article 6.1.f GDPR

    and

  • The need to process personal data to fulfil contractual obligations.

Article 6.1.b GDPR

Reimbursements for business travel and other reimbursable business expenses

Invoices, payments, cash balances, and accounting

Categories of data

With respect to data subjects whose personal data is processed by Worldpay for the purposes of the collection of accounts receivable, the processing of accounts payable, sales, marketing, vendor and client relationship management purposes, the processing may concern the following categories of data.

Data Category

Example

Advice, opinions, and other comments

Engagement surveys, exit interviews.

Bank and financial details

Payment and/or expense reimbursement; direct deposit banking information, payment card information, wire clearing information, bank account number and sort codes, invoicing details, and payment details.

Business travel and movement data

Travel data, including travel schedules, lodging, conveyance, meals, and other expenses.

Grievance data

Complaints, tribunal data.

Information recorded on or in company systems, equipment, or documents

Emails, text messages, web site usage, voicemail recordings, calendar or diary entries, correspondence, including personal data included in or on company systems, equipment, or documents by the Data Subject.

Access records

Dates, times, and locations of entry and exit from controlled facilities and systems, computer and system logon/off audit trails.

Organizational data

Name, company structure, organizational charts, reporting relationships, titles, work contact details, email, accounting code details.

Personal details and contact information

Name, gender, birth date, home and business address, phone numbers, email, government-issued identification numbers, identification numbers issued by or on behalf of the company, signatures, handwriting.

Photo, video, or audio recordings

Information collected by security systems, closed-circuit television, profile photographs, voice mail, recorded trainings, conferences, or marketing materials.

Countries

For some countries in which Worldpay has a presence, additional country specific information is available:

Argentina

The owner of the personal data has the right to access such data free of charge at intervals of not less than six months. Such six-month term may be shorter in case a legitimate interest is evidenced to that effect, as provided in paragraph 3 of article 14 of Law Nbr. 25,536.

The Agency for Public Information Access (“Agencia de Acceso a la Información Pública”), which is the competent authority under Law 25,326, has the power to deal with complaints and claims that are filed in relation to non-compliance with the personal data protection requirements.

The contact information of the “Agencia de Acceso a la Información Pública” is the following:

Address: Av. Pte. Gral. Julio A. Roca 710, 3rd floor – Autonomous City of Buenos Aires

Postal code: C1067ABP

Email: info@aaip.gob.ar

Canada

Worldpay Canada Corporation is accountable for the personal data processed in connection with the provision of merchant services in Canada. This personal data is maintained on secure servers and is accessible by authorized employees, representatives, and agents who require access for the purposes described in this Worldpay Privacy Notice. Personal data may be transferred and stored outside of Canada and therefore subject to disclosure pursuant to the privacy and data protection laws of the jurisdiction where such personal data is stored. We take care so that those we share your personal data with outside Canada protect it in a way that provides comparative safeguards to those under PIPEDA and other Canadian privacy and data protection laws.

Notwithstanding the lawful basis identified in the Appendix to this Notice, personal data is processed with consent, except as otherwise permitted or required by law. Consent can be express or implied. When we collect and process your sensitive data, we will obtain your express consent in writing or by electronic means and use it only for the purpose necessary to conduct our business in an appropriate manner or as permitted by applicable law and guidelines.

In some cases, we rely on third parties, such as merchants, to obtain consent on our behalf.

Worldpay Canada Corporation may make your personal data available to other parts of Worldpay, or FIS group companies, to facilitate the provision of the products and services and for Worldpay to comply with its legal and regulatory obligations.

China

Worldpay Marketing Consulting (Shanghai) Co. Limited is the entity responsible for processing your personal data for the purposes of any merchant services offered in China and will process personal data only on the appropriate legal ground(s) under the applicable local data protection laws.

International transfer

For Chinese data subjects, your personal data may be transferred outside of Mainland of China, except for the cases exempted by the Personal Information Protection Law of People’s Republic of China (PIPL). We take care so that those we share your personal data outside China protect it in a way that provides comparable safeguards to those under the PIPL, we will also take necessary measures such as obtaining consent to transfer personal data to third parties if required by the PIPL.

Japan

International transfer

For Japanese data subjects, your personal data may be transferred outside of Japan, except for the cases exempted by the Act on the Protection of Personal Information (APPI). We take care so that those we share your personal data outside Japan protect it in a way that provides comparable safeguards to those under the APPI, such as, via contractual data protection obligations or because the recipient is in foreign countries establishing a personal information system recognized to have equivalent standards to that in Japan in regard to the protection of an individual’s rights and interests. We will also take necessary measures such as obtaining consent to transfer personal data to third parties if required by the APPI.

Joint use with group companies

Worldpay’s services in Japan are provided by Worldpay Kabushiki Kaisha (“Worldpay K.K.”). Worldpay K.K., Worldpay, LLC, and its subsidiaries and related entities may jointly use and share personal data to the extent needed to carry out its business operations.

  • Items of personal data to be jointly used are set out under “categories of data” in the Appendix to this Privacy Notice;
  • Purposes of joint use and sharing of personal data are set out under “purpose of processing” in the Appendix to this Privacy Notice.
  1. Joint use of Merchant Information

    Worldpay K.K., Worldpay (UK) Limited, and Worldpay Limited will jointly use the personal data specified below for the following purposes. 

  • Items of personal data to be jointly used;
    1. Name, location, postcode and telephone number, e-mail address, bank account number and corporate registration number of the Merchant and the like, and name, address, date of birth, telephone number, e-mail address, bank account number of its representative, and other information disclosed on the application for admission or notice of change for registered items by the Merchant and the like;
    2. Date of application and admission (including a date when a settlement service is added), identification number of a Terminal, products to be sold, sales method, business category and other information related to transactions between Worldpay and the Merchant and the like;
    3. Information regarding circumstances on acceptance of the Card by the Merchant (including information relating to the Authorization Application);
    4. Card usage history of the Merchant and the like collected by Worldpay (this refers to the history of purchasing products and other transactions using the Card as a holder of the Card.);
    5. Matters mentioned in confirmation documents such as operating license, etc. of the Merchant and the like;
    6. Matters mentioned or registered in documents or information issued by public organization, such as a corporate registration (toki-bo) and a residence certificate (jumin-hyo), collected lawfully and properly by Worldpay;
    7. Publicly disclosed information by telephone directories, housing maps, official gazettes, etc.;
    8. In case of refusal of application for membership, the fact of the refusal and its reason;
    9. The fact that an investigation into the solicitation connected with a contract for a sale involving the intermediation of an individual credit purchase under Article 35-3-5 and 35-3-20 of Instalment Sales Act was made, contents of the investigation, and matters for the investigation;
    10. The fact that an investigation under item (i)(a) or (iii) of Article 60 of Ordinance for Enforcement of the Instalment Sales Act in accordance with the Instalment Sales Act was made and matters for the investigation;
    11. The fact that an individual credit purchase intermediary or a comprehensive credit purchase intermediary terminated or cancelled a contract regarding intermediation of credit purchases and related matters;
    12. Complaint raised by Cardholders to Worldpay or a Card Issuing Company or the Card Schemes and information gathered by Worldpay or the Card Issuing Company or the Card Schemes in connection with investigation made on the complaint;
    13. Information published by a governmental authority, consumer organization, or the press (including information publishing a fact of violation of the Act on the Specified Commercial Transaction), and information gathered by a merchant credit information agency (an organization whose business is to collect merchant information and provide them to participating members) or its participating members; and
    14. Contents of information provided from a detective agency to Worldpay or a merchant credit information agency, such as bankruptcy information or other credit information.
  • Purposes of joint use and sharing of personal data
  1. examining membership applications (including examination of additional applications for payment services; the same applies hereinafter) under the relevant merchant agreement with the merchant, making decision on transactions such as management following admission to membership, fulfilling the merchant investigation obligation following the execution of the merchant agreement, perform the obligations under the relevant merchant agreement or any other agreement ancillary to the merchant agreement, conducting examination pertaining to continuing business and promoting the use of the cards, gift cards and the like
  2. Business advertisement for Worldpay, a card issuing company and other merchants, and the like, including sending advertisements; and
  3. Development of new products, functions and services, etc. for Worldpay’s credit card business and other business (stipulated in Worldpay’s Articles of Incorporation).
  4. to deposit the merchant Information of(i) through 1(xiv) above to an entrustee to the extent necessary for the performance of services in the event services performed under merchant agreement are entrusted to such entrustee.

The person and entity in charge of managing joint use of personal data is:

Worldpay K.K.
Representative Director: Hideya Komori
12FL JA Building
1-3-1 Otemachi,
Chiyoda-ku,
Tokyo 100-6812, Japan

  1. Joint use with Japan Consumer Credit Association (JCCA)

     

    Japan Consumer Credit Association
    Merchant Information Exchange Center (JDM Center)

    Address

    Sumisho Nihombashi Koamicho Bldg. 6F

    14-1 Nihombashi Koami-cho, Chuo-ku, Tokyo

    103-0016

    TEL

    03-5643-0011

    Organization responsible for managing joint use

    Merchant Information Exchange Center

    Japan Consumer Credit Association

    URL

    https://www.j-credit.or.jp/

    Purpose of joint use

    The purpose is, in the merchant information exchange system operated in the course of business of the Certified Instalment Sales Association as stipulated in the Instalment Sales Act, to contribute to the sound development of credit transactions and the protection of consumers by Worldpay’s registering with the JDM Center, and providing and sharing with the member companies of the member information exchange system (“JDM Member,”) information on the acts of the JDM Members that lack, possibly lack or cannot be clearly judged to lack the protection of users or the like, and information on acts that hinder or possibly hinder the appropriate management of the Credit Card Numbers, etc., thereby improving the accuracy of the screening of the JDM Members prior to the execution of the Merchant Agreements or in the process of monitoring such members, eliminating malicious Merchants and strengthening the security measures of the Merchants.

     

    Information to be shared

    Facts and reasons of investigations necessary for the complaint procedure pertaining to the Merchants, etc. in the transactions of intermediation of comprehensive credit purchases or intermediation of individual credit purchases.

    Facts and reasons of the measures taken to prevent the occurrence of, and handle, complaints pertaining to the Merchants, etc. in the transactions of intermediation of comprehensive credit purchases

    Facts and reasons of terminating agreements on intermediation of comprehensive credit purchases or intermediation of individual credit purchases for having committed acts that lack the protection of users, etc. in the business of intermediation of comprehensive credit purchases or intermediation of individual credit purchases

    Information, which are objective facts concerning acts causing undue damage to the JDM Members, users, etc., pertaining to those that lack or possibly lack the protection of users, etc. or those which cannot be clearly judged to lack such protection

    Matters requested by users, etc. (not limited to those who have already entered into an agreement) to the JDM Members as well as said matters on acts that are judged to lack or possibly lack the protection of users or the like, or such acts as cannot be clearly judged to have been actually committed.

    Information collected by the JDM Center on the facts disclosed by administrative agencies and the contents thereof (such as information disclosed in violation of the Act on Specified Commercial Transactions)

    Facts and reasons of investigations necessary to find out the cause of incidents such as a leak of credit card information by the Merchant, or to take recurrence prevention measures, in the case of the occurrence or possible occurrence of incidents, in the transactions of intermediation of comprehensive credit purchases

    Facts and reasons of investigations necessary to find out the information on unauthorized uses or to take recurrence prevention measures when it is found that the unauthorized use of credit cards experienced by the Merchant hinders or possibly hinders the prevention of the unauthorized use of credit cards by the Merchant in the transactions of intermediation of comprehensive credit purchases

    Information on the failure of the Merchant to comply with the standards required by laws and regulations for the proper management of the Credit Card Numbers, etc. in the transactions of intermediation of comprehensive credit purchases

    Facts and reasons of why the Merchant is required to comply with the standards required by laws and regulations or to take recurrence prevention measures in relation to items (vii) through (viii) above

    Facts and reasons of terminating the credit card number management agreement because the Merchant failed to comply with the guidance on the measures in (ii) through (x) above, or has no prospects of complying with the standards required by laws and regulations

    Information on acts that lack the protection of users, etc. or hinder the proper management of the Credit Card Numbers, etc.

    Name, address, telephone number and date of birth of the Merchant concerning each of the foregoing (corporate number, name, address, telephone number, and the name and date of birth of the representative in the case of a corporation). However, the name, address, telephone number and date of birth (the name and date of birth of the representative in the case of a corporation) are excluded with respect to the information in (v) above concerning such acts as cannot be clearly judged to have been actually committed.

    Information pertaining to the preceding item that is registered with a Merchant Credit Information Institution, if any, with respect to other stores in the management of which the representative of the Merchant participates

    Term of registration

    The above information remains registered for a period not exceeding five (5) years from the date of registration, the date of completion of the necessary measures (or the date of completion of all measures if there are several measures to be taken) or the date of termination of the agreement.

    Scope of joint users

    Comprehensive credit purchase intermediaries, individual credit purchase intermediaries, brokers for third-party payments and merchant agreement administrators, which are the members of Japan Consumer Credit Association and the JDM Members, as well as the JDM Center,

    (See the above website for the names of the JDM Members.)

  2. Sensitive Data

    When we collect and process your sensitive data, we will obtain your consent in writing or by electronic means and use it only for the purpose necessary to conduct our business in an appropriate manner or as permitted by applicable law and guidelines.

  3. Data subject rights

    In accordance with the Act on Protection of Personal Information of Japan (APPI) and other applicable laws and regulations, Worldpay K.K. will disclose at your request the personal data that we hold about you according to the applicable procedures. If you inform us that your personal data is inaccurate, we will review and correct, add or delete the data as required in accordance with applicable laws, regulations and procedures.

    You have the right to request deletion of or cessation of processing of your personal data if your personal data has been used beyond the scope necessary to achieve the purpose for which it has been collected, processed or obtained by deceit or in violation of the APPI., if our use of your personal data triggers illegal acts, are no longer necessary in relation to the purposes for which they were collected, compromised or otherwise processed in a manner which could harm the rights or legitimate interest of you.

    You have the right to request cessation of transferring your personal data if your personal data is transferred to a third party in violation of the APPI or the transfer could harm your rights or legitimate interest.

    You may request us to disclose the following information (we may refuse your request to the extent we are permitted to do so in accordance with APPI or any other applicable laws and regulations):

    • data security measures we have been implemented; and.
    • in case where your data has been shared with foreign companies including Worldpay, LLC and its subsidiaries and related entities by way of joint use and foreign service providers, (i) measures so that data recipients take sufficient data security measures (the “Measures”) and the details of the Measures, (ii) measures and frequency that we audit the data recipients’ implementation of the Measures, (iii) name of the recipient country and rules of the country that could hinder the implementation of the Measures and (iv) other obstacles that could hinder the implementation of the Measures and measures that we have conducted to solve such obstacles.
  4. Worldpay Contact information

    For any inquires and complaints regarding the processing of personal data by Worldpay K.K. please contact:
    Worldpay K.K. Client Support Office
    Email: WorldpayKK_ClientSupport@fisglobal.com

  5. Contact information of Authorized Personal Information Organization

Worldpay K.K. is a member of the JCCA. For any inquires and complaints regarding the processing of personal data by Worldpay K.K., you may also contact to the JCCA.

The contact information of the JCCA is available at https://www.j-credit.or.jp/association/protection_center.html

Malaysia

In accordance with the Personal Data Protection Act 2010 (“PDPA”), Worldpay may:

a. Charge an administration fee for processing a data subject’s request for access to personal data; and

b. Refuse to comply with a data subject’s request for access or correction of the personal data.  

Worldpay shall take necessary measures as described in this Privacy Notice to safeguard any personal data transferred outside Malaysia to verify compliance with the PDPA.

In the event of any inconsistency between the English version and any other translation of this Privacy Notice, the English version shall prevail. 

South Africa

In accordance with the South African Protection of Personal Information Act, 2013 (“POPIA”), FIS Worldpay South Africa (Pty) Ltd is the entity responsible for collecting, storing, or using your personal data for the purposes of any merchant services offered out of South Africa. For any enquiries, please contact Worldpay’s South African Information Officer.

The Information Regulator is the competent authority under section 39 of POPIA to deal with complaints and claims that in relation to non-compliance with the personal data protection requirements under POPIA. The Information Regulator’s contact details are available at https://www.justice.gov.za/contact/contact_list.html.

With whom do we share your personal data

We disclose your personal data to the following categories of recipients:

Companies belonging to FIS

We share personal data with other companies within the FIS group.

 

Support providers

We transfer or disclose the personal data we collect to external support providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage support providers to provide

(a) general office support including printing, document production and management, archiving, office cleaning and translation services;

(b) office security, including the installation, hosting and monitoring of CCTV;

(c) accounting, finance and billing support;

(d) IT functions including system management and security, data storage, cloud computing, analytics, business applications, voicemail and replication of systems for business continuity/disaster recovery purposes;

(e) HR functions including payroll, benefit and payment providers, global mobility providers, pension providers, training providers, recruitment agencies, search consultancy firms, background checking or other screening providers; 

(f) risk, fraud, and compliance service providers (e.g. for transaction risk monitoring and credit reporting agencies);

(g) Electronic identity verification providers;

(h) Voice recognition / voice verification service providers;

(i) debt service providers (e.g. for debt collection analysis or management); and

(j) business analytics (e.g. for data aggregation, visualization and reporting);

It is our policy to only use third-party support providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected

Business partners

Business partners, including payment processors, payment infrastructure providers, digital wallet providers, banks and other financial institutions.

Other participants in the payment ecosystem

Participants in the payment ecosystem, including financial institutions, credit card companies and merchants.

Other third party recipients

Depending on the purpose for which we collect and process your personal data, we share your personal data with the following recipients:

  • Professional advisors, such as law firms, tax advisors or auditors
  • Insurers
  • Pension funds
  • Banks
  • Regulators
  • Tax and customs
  • Regulatory and other professional bodies
  • Stock exchange and listing authorities
  • Public registries of company directors and shareholdings
  • Providers of identity verification services
  • Credit reference agencies
  • Insolvency administrators or creditors
  • Travel agents
  • Government departments and agencies

Acquirer or successor of FIS

If we go through a corporate sale, merger, reorganization, dissolution or similar event, personal data we gather from you will be transferred in connection with such an event. Any acquirer or successor of FIS may continue to use the data as described in this Privacy Center provided that the acquirer or successor is bound by appropriate agreements or obligations and may only use or disclose your personal data in a manner consistent with the use and disclosure provisions of this notice, or unless you consent otherwise.

Legally compelled disclosure

There are circumstances under which FIS is legally compelled to disclose your personal data. These circumstances include, among others, situations where disclosure is required by law applicable to FIS, or necessary to comply with an order of a court or governmental agency, export control, or necessary for matters of safety and security. In such cases, FIS will only provide the minimum amount of personal data permissible when responding to a request for disclosure.

CCPA / CPRA Sale of Information

FIS only uses personal information in accordance with applicable law, including the CCPA and the CPRA, and in accordance with contractual obligations owing to clients and other third parties. FIS only uses personal information provided by clients to FIS to provide its services and does not sell personal information to third parties if prohibited by law or contractual limitations.

FIS have not sold or shared personal information of any employee over the past 12 months for the purpose of cross-context behavioral advertising. 

We have disclosed personal information to our support providers for business purposes in the prior twelve months. The information we have disclosed for business purposes may include some or all of the categories listed in our Preference Center. For more information about the categories of entities to which we have disclosed this information and the purposes for which we have disclosed the information, please see “With whom we share your personal data”.

While FIS does not sell personal information in exchange for any monetary consideration (except where allowed under client contracts), we do share personal information for other benefits that could be deemed a “sale,” as defined by the California Consumer Privacy Act (Cal. Civ. Code 1798.140(t)(1)). We support the CCPA and wish to provide you with control over how your personal information is collected and shared. You have the right to direct FIS to not sell your personal information. If you wish to opt-out of sale of your information, please submit your request here or contact us via DataRights@fisglobal.com. You can also submit requests by calling +1 877-776-3706, and indicating you wish to submit a California Consumer Privacy Act rights request to FIS.

With respect to cookies, you can customize your settings at any time. Please note that we may still use aggregated and de-identified personal information that does not identify you or any individual; we may also retain information as needed in order to comply with legal obligations, enforce agreements, and resolve disputes.

Law Enforcement

FIS respects the rules and laws of the jurisdiction in which it operates, as well as the privacy and rights of its clients. Accordingly, FIS provides client information in response to law enforcement or other public authority requests only when we reasonably believe we are legally required to do so. To protect our clients’ rights, we carefully review requests to confirm they comply with the law and are within the powers of the requesting authority or law enforcement official.

To obtain client information from FIS, public authority and law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant. For example, FIS will not provide non-public client data unless served with a valid search warrant, issued on a showing of probable cause by a federal or state court authorized to issue search warrants, which requires FIS to disclose the content.

FIS reviews all governmental requests for data.  FIS strictly construes requests for data, and seeks to limit or object to requests that are overbroad or seek a large amount of information or affect a large number of users.  FIS also objects where production is prohibited or where the process served is insufficient to compel production of the requested data under the Electronic Communications Privacy Act, 18 U.S.C. § 2701, et seq. or other applicable law. FIS reserves the right to appeal any request for information, where available, and shall not disclose the requested information until required to do so under applicable procedural rules.

FIS occasionally does receive  requests  from  law  enforcement  agencies  in  the  United  States  and elsewhere, seeking data processed by FIS. More information about the requests that FIS has received can be found in our Transparency Reports that are available for our clients on the FIS Client Portal. Access to the FIS Client Portal can be arranged for clients via their FIS account manager.

How to contact us

Your rights may be limited, for example, if fulfilling a request would reveal personal data about another person, or if the processing is required by law or another compelling legitimate interest. FIS reserves the right, where permitted by law, to verify your identity.

Alternatively, you can write to our Chief Privacy Officer or our global Data Protection Officer:

Chief Privacy Officer
347 Riverside Avenue
Jacksonville, FL 32202
United States of America

Data protection officer: Adriana Neagu
30 Frumoasa street, 2nd floor, module no. 1.10, 1st District
Bucharest
Romania

data.protection@fisglobal.com

The names and contact details of FIS’ data protection officers are available here.

The contact details of our representatives are available here.

If you want to exercise any of your privacy rights, please complete the form accessible here or by sending us an email at DataRights@fisglobal.com.

Privacy notice related to Data Privacy Framework certification.

Fidelity National Information Services, Inc. (“FIS”) is a leading provider of technology solutions for merchants, banks and capital markets firms globally, headquartered in Jacksonville, Florida, United States.

FIS and its subsidiaries operate in multiple jurisdictions located around the globe. Its U.S.-based subsidiaries can be seen here.

FIS and its U.S. subsidiaries are called “FIS Group” for the purpose of this privacy notice.

As a fintech group with a broad portfolio of solutions, FIS and its subsidiaries fulfill many roles, including processing personal data. For example, when we act as a service provider to banks and capital markets firms, we usually act as a “processor,” processing personal data based on our clients’ instructions. However, if, for example, we provide merchant acquiring services, we act as an independent controller. For the processing of personal data of our own staff, we act as an independent controller.

Federal Trade Commission jurisdiction and Data Privacy Framework adherence:

The Federal Trade Commission has jurisdiction over FIS Group’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

FIS Group

  • Is complying with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce;
  • Has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF;
  • Has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

FIS Group is committed to the DPF Principles in connection with all personal data received from the European Union and, as applicable, the United Kingdom (and Gibraltar) and/or Switzerland in reliance on the relevant part(s) of the DPF program. If there is any conflict between the terms in this privacy notice and the DPF Principles, the DPF Principles shall prevail.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

FIS Group shall remain liable under the DPF Principles if its sub processors process such personal data in a manner inconsistent with the DPF Principles.

How to contact FIS with any inquiries or complaints

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, FIS Group commits to resolve DPF Principles-related complaints about our collection and use of personal data.

EU, U.K. and Swiss individuals with inquiries or complaints regarding how we process or handle the personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF or the Swiss-U.S. DPF are encouraged to first contact FIS Group using the below details:

Anna Shea - Chief Privacy Officer
347 Riverside Avenue
Jacksonville, FL 32202
United States of America
privacyoffice@fisglobal.com

Adriana Neagu- Global Data Protection Officer
Orhideelor Road 15Ar
Orhideea Towers building – HotSpot Skyhub, 13th floor, rooms 13.25 & 13.26 District 6,
Bucharestr
Romaniar
Data.Protection@fisglobal.com

Please click on this link to see the details of the relevant establishments in European Union, United Kingdom and Switzerland to who you may address any inquiry.

For additional details on how to contact us, please visit the FIS Privacy Center here: Privacy | FIS (fisglobal.com).

EU, U.K. and Swiss individuals are also entitled to contact their local data protection authorities and/or the DPF Program here: European Individuals (dataprivacyframework.gov).

Personal data processed. FIS as controller and processor

FIS Group processes personal data for a variety of purposes. Individuals may find comprehensive information about data processing activities, the purpose of processing and uses of personal data by accessing the dedicated privacy notices available on the FIS Privacy Center. FIS as a controller can share individuals’ personal data with certain types of third parties such as companies belonging to FIS, support providers, business partners, other participants in the payment ecosystem, other third-party recipients, acquirers or successors of FIS for the purposes detailed in the dedicated section on the FIS Privacy Center

FIS Privacy Center is available here: Privacy | FIS (fisglobal.com).

When any company in FIS Group is acting as a processor, it is operating under contractual requirements governing data retention, accuracy and purposes of processing determined by the controller. Such company will work with the EU, U.K. or Swiss controller to ensure that all these requirements are met. Whenever FIS is acting as a processor, FIS will share the personal data only to agreed subprocessors. Such sharing will be made based on a data protection agreement signed with subprocessors, which will ensure applicable data security and protection measures.

There are circumstances under which FIS is legally compelled to disclose individuals’ personal data. These circumstances include, among others, situations where disclosure is required by law applicable to FIS or necessary to comply with an order of a court or governmental agency, export control or necessary for matters of safety and security. In such cases, FIS will only provide the minimum amount of personal data permissible when responding to a request for disclosure.

Data subject rights

Individuals can request access, correction, updates or deletion of their personal data to object to our processing of the personal data, as well as all the other rights described in the dedicated section on the FIS Privacy Center: Privacy | FIS (fisglobal.com).

Whenever any company in FIS Group is acting as a processor, we will provide individuals with contact information of the controller to facilitate the exercise of their rights, or to allow them to work together with the controller to exercise such rights.

Individuals may exercise any of their rights through the form accessible here or by sending us an email at DataRights@fisglobal.com.

Recourse mechanism and arbitration

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, FIS commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data, including the personal data processed in employment context or for recruiting purposes received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

Moreover, under certain conditions, individuals may invoke binding arbitration for complaints regarding DPF compliance not resolved by us or DPAs Panel. Additional details about the binding arbitration can be found here: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

Workforce notice

FIS privacy notices dedicated to staff or workforce and job applicants are available on the FIS Privacy Center here: Privacy | FIS (fisglobal.com).

Company Name

  • 11601 Roosevelt Boulevard Realty, LLC
  • AFSF II AIV Investors - D L.P.
  • AKC Insurance Company LLC
  • Armed Forces Financial Network LLC
  • Automated Securities Clearance LLC
  • Chex Systems, Inc.
  • Complete Payment Recovery Services, Inc.
  • CPRS Holdings, Inc.
  • eFunds Corporation
  • Fidelity Information Services International Holdings, Inc.
  • Fidelity Information Services, LLC
  • Fidelity International Resource Management, Inc.
  • Fidelity National Information Services, Inc.
  • FINANCIAL INSTITUTION BENEFIT ASSOCIATION, INC.
  • Financial Insurance Marketing Group, Inc.
  • FIS Asia Pacific Inc.
  • FIS Brokerage & Securities Services LLC
  • FIS Capital Markets US LLC
  • FIS Cares, Inc.
  • FIS Derivatives Utility Services LLC
  • FIS Foundation, Inc.
  • FIS GCS LLC
  • FIS International Subsidiaries Holdings LLC
  • FIS Investment Ventures LLC
  • FIS Investor Services LLC
  • FIS Management Services, LLC
  • FIS Payments LLC
  • FIS SG International Holdings LLC
  • FIS Solutions, LLC
  • FIS Systems International LLC
  • FIS-SG Holding Corp.
  • FV General Partner, LLC
  • Integrity Treasury Solutions Inc.
  • NYCE Payments Network, LLC
  • Panther HoldCo 2, Inc.
  • Panther HoldCo, Inc.
  • People's United Merchant Services, LLC
  • RealNet Payments LLC f/k/a Metavante Payment Services, LLC
  • Reliance Financial Corporation
  • Reliance Integrated Solutions LLC
  • Reliance Trust Company
  • Rocket Partners Holdings, LLC
  • Virtus Group, LP
  • Virtus LP Holdings, LLC
  • Virtus Trade Settlement, LLC
  • VP Fund Services, LLC
  • Zenmonics, Inc.

DPF- contact details of entities in EU, UK, Switzerland

EU:

Fidelity National Information Services (Netherlands) B.V.
Address: De Entrée 248, 1101 EE, Amsterdam, Netherlands
Email: Data.Protection@fisglobal.com

UK:

FIS Banking Solutions UK Limited
Address: 1st Floor Tricorn House 51-53 Hagley Road, Edgbaston, Birmingham, West Midlands, B16 8TU
Email: Data.Protection@fisglobal.com

FIS Capital Markets UK Limited
Address: C/O F I S Corporate Governance, The Walbrook Building, 25 Walbrook, London, England, EC4N 8AF
Email: Data.Protection@fisglobal.com

Switzerland:

FIS (Switzerland) S.A.
Address: Route de l'Aeroport 29-31, 3rd Floor, 01215 Geneva
Email: Data.Protection@fisglobal.com

Privacy Notice related to Data Privacy Framework certification.

Click here for more information on FIS data privacy framework.