Quebec Privacy Notice Addendum
This Quebec Privacy Notice Addendum supplements and should be read in conjunction with the Comprehensive Privacy Notice that includes a hyperlink to this page. If you are unsure, you may always refer to the Paysafe Comprehensive Privacy Notice on paysafe.com.
Quebec’s Act respecting the protection of personal information in the private sector (as amended)
Key changes to Quebec’s Act respecting the protection of personal information in the private sector (Private Sector Act) have been implemented following Quebec’s adoption of Act 25 (an Act to modernize legislative provisions as regards the protection of personal information). These changes are effective from 22 September 2023 and apply to Paysafe’s entities that collect, hold, use or communicate personal information while conducting business in Quebec.
Quebec’s amended Privacy Sector Act requires that, when we render a decision based exclusively on an automated processing of personal information we must, at the time of or before the decision, inform the individual concerned. Automated decisions mean that a decision concerning you is made based on a computer determination (using software algorithms), without any human review or involvement. We will render decisions based exclusively on an automated processing of personal information in the following circumstances:
- When you successfully complete our biometric checks for identification and verification (ID&V) and fraud prevention, these decisions are generally made exclusively using automated processing. If you do not pass these checks, the decisions are reviewed manually by our team to determine the appropriate course of action.
- To complete credit assessments when you apply for certain Services.
- To carry out anti-fraud checks and/or to perform a risk analysis when we process your transactions, as explained in the section “What We Use Your Personal Information For” in the Paysafe Comprehensive Privacy Notice.
We have implemented measures to safeguard the rights and interests of individuals whose personal information is subject to automated decision-making. Upon request, Quebec’s amended Private Sector Act states that we must inform individuals about whom such a decision has been made of the:
- Personal information used to render the decision
- Reasons and principal factors and parameters that led to the decision
- Right to submit observations in respect of the automated decision
- Right to have the personal information used to render the decision corrected
To exercise this right, please complete our dedicated rights form or contact us via the details provided in the ‘Contact Us’ section in the Paysafe Comprehensive Privacy Notice.
In addition to the rights on automated decision making, Quebec’s amended Private Sector Act introduces a right to control the dissemination of personal information (referred to as the ‘right to be forgotten’), and a right to data portability. To exercise these rights, please complete our dedicated rights form or contact us via the details provided in the ‘Contact Us’ section in the Paysafe Comprehensive Privacy Notice.
Paysafe has implemented a range of governance policies and practices relating to the protection of personal information. These enable our organization to maintain an effective system of internal controls to facilitate compliance with the data protection laws in the province of Quebec. There are several aspects to our privacy framework, including:
- A dedicated Data Protection Officer and a centralized privacy team made up of qualified privacy Subject Matter Experts who provide advice and guidance to the organization on a range of privacy matters. Ongoing training and awareness to promote compliance with our global privacy requirements is in place, and all staff (including contractors and employees) must complete mandatory data protection training.
- Policies, procedures and guidelines are in place that define both general principles relating to the collection, use and disclosure of personal of information, and mandatory requirements with key business actions that must be incorporated into information handling practices.
- Privacy by Design has been implemented into our operating model, which requires the completion of Privacy Impact Assessments for projects and changes processes to ensure that privacy issues are identified and addressed in the project life cycle. Additional safeguards are in place to protect personal information that qualifies as sensitive.
- Personal information is protected using appropriate physical, technical and organizational security measures. Our Information Security Policy and its supporting standards, controls roles and responsibilities for protecting personal information and information systems are well defined. Our mandatory standards cover a range widely recognized information security areas, including, but not limited to: access control, asset management, management, information classification and protection, information systems acquisition, development and maintenance, and third party interactions.
- A reporting process is in place for staff to notify all suspected or confirmed security incidents to a dedicated operations team.
- An information retention policy and retention schedule define the minimum and maximum periods that different personal data can be retained for.
- Procedures are in place that outline the requirements for receiving and processing complaints and requests from individuals wishing to exercise their rights. Staff have been trained to identify ‘rights’ requests and there is a network of individuals across the business who manage Rights requests. If you want to know more about your rights, or you want to exercise them, please visit our dedicated rights page on our Paysafe website. Here you can submit a rights request directly to the relevant team. Alternatively, you can reach us at the details provided in the “Contact Us” section in the Paysafe Comprehensive Privacy Notice.
Technology enabling the identification, location or profiling of individuals
Paysafe, and/or its third-party service providers, collect information using technological means which enable the identification, location and/or profiling of individuals. We are required to inform you of the means available to activate these functions. Our Cookies Notice details how, when using our websites, mobiles sites and mobile apps, we obtain your consent before we place cookies or similar technologies on your device. You can withdraw or change this consent unless those cookies are strictly necessary to operate the site or provide the services. We use a Cookie Banner to make sure we have your permission to collect data, and a Cookie Preference Centre to allow you to grant and change your permissions. Further details on the technological means for collecting personal information using technologies with identification, localization or profiling functions is outlined below:
Identification and/or profiling of individuals
We also collect the IP address denoting the location that a device is connecting from to ensure that the targeted ads we display adhere to specific geographic restrictions. There are various methods to prevent the collection of your IP address, such as the use of a Virtual Private Network, but your ability to use our Services will be restricted if you do this. Further details can be located in the ‘Information We Collect About You Automatically’ section in the Paysafe Comprehensive Privacy Notice, and in our Cookies Notice.
Geolocation data relates to any data taken from a user's device that indicates its precise geographical location by using for instance, longitude and latitude co-ordinates obtained through their GPS or device settings. Location data relates to data taken from a user’s device that indicates, with reasonable specificity, its approximate location by using, for instance, longitude and latitude co-ordinates obtained through GPS or Wi-FI or cell site triangulation. For mobile app users, geolocation data is collected from hardware sensors that allow us to detect a wide variety of signals from different sources such as satellites (GPS) to determine the geographical position of a device during our address check for onboarding and transactional purposes. The collection of location data can be stopped by disabling the location settings in your device, but this may have an impact on your ability to use our services.
Transferring personal information to our service providers
Paysafe is required to explain that your personal information will be transferred to our service providers for the purposes described in this Quebec Privacy Notice Addendum and outline the categories of service providers with whom we share your information. The categories of our service providers can be located in the ‘Disclosure of Your Personal Information’ section in the Paysafe Comprehensive Privacy Notice.
Transfers out of Quebec
Data protection law in Quebec prohibits the transfer of personal information to locations outside of Quebec unless the organization transferring the information has implemented contractual safeguards and assessed the laws in the receiving country. Your personal information will be transferred out of Quebec to service providers and other entities within the Paysafe Group.
Where your personal information is transferred to entities within the Paysafe Group, for example for internal risk analysis and compliance checks, we have implemented an Intra Group Agreement as the mechanism to permit the lawful and secure transfer of personal information between Paysafe Group entities.
As an example of where your personal information is processed by service providers located outside of Quebec, if you have opened a Digital Wallet account or use our payment processing services, data obtained from your device will be processed by service providers located in Europe who provide risk analysis and anti-fraud services.
Where your personal information is processed by a service provider, we enter into written contracts that contain appropriate measures to protect the confidentiality of your information, to ensure that the information is used only for performing the contract and that the service provider does not retain the information unless there is a legal regulatory or professional obligation requiring that they do so. We perform due diligence on our service providers to confirm that they will implement appropriate administrative, technical and physical safeguards to protect personal information in accordance with our instructions.