Effective Date: March 2023
At Mastercard, we develop market-leading applications, products, and services to underpin, enable and safeguard the Open Banking ecosystem. We provide account information services (“AIS” or “Data”) and payment initiation services (“PIS” or “Pay”) (collectively “Open Banking Solutions”). This Open Banking Notice (“Notice”) describes how Mastercard OB Services Europe A/S (“MCOBS Europe”) and other entities within the Mastercard group of companies (collectively, “Mastercard”, “us” or “we”) process Personal Information in connection with our Open Banking Solutions in Europe.
This Notice describes our processing of Personal Information as a data controller in connection with our Open Banking Solutions, such as:
- Data allows you to retrieve, view and store information from your bank account(s) and share that information with third party service providers, and
- Pay allows you to initiate payments from and receive payments to your bank account(s).
This Notice does not cover the processing of Personal Information in connection with our Spiir product. Please consult the Spiir Privacy Notice for more information. This Notice also does not cover the processing of Personal Information that we perform as a data processor, on behalf of our customers (such as financial institutions and merchants) who use our Open Banking Solutions. Please refer to our customers’ respective privacy notices for more information regarding the processing of your Personal Information.
1. Personal Information We May Collect
“Personal Information” means any information relating to an identified or identifiable individual. We may collect the following types of Personal Information:
- Personal and/or Business Contact Information and Credentials
- AIS User Account Information and/or PIS Account Information
- Financial Information
- Authorizations
- Payment Initiation Service Request Information
- Transaction Information
- Device-related Information
- KYC/AML Information
- General Communication Information
- Logs of your use of the Open Banking Solutions
In connection with the provision of the Open Banking Solutions, we obtain Personal Information relating to you from the various sources described below.
a. Personal Information provided by you
- Personal and/or Business Contact Information and Credentials: such as name, user ID, email address and phone number.
- AIS User Account Information, such as e-mail address and password and any other information that you may be able to add to your account, such as name or third-party services with whom you wish to share your Personal Information; and/or PIS Account Information: information relating to the bank account(s) from which you would like to initiate a payment or to which you would like to receive a payment, such as bank account numbers or unique identifiers and bank card details.
- Authorizations that you grant us to manage your Personal Information (e.g., to access, retrieve and display your financial information or transaction information through our AIS, to update your AIS account based on recent transactions or to transfer financial information through our PIS to third party service providers of your choice).
- General Communication Information which we may receive when you contact us (e.g., via email, phone, or online web forms), such as your first and last name, telephone number, email address, physical address, as well as any other content that you provide. If you do not provide such information, we may not be able to answer your requests or queries.
- KYC/AML Information such as name, address, date of birth, account number, BIC and IBAN of account holders and beneficiaries, senior management, or authorized signatories, including copies of documents, if necessary.
b. Personal Information provided by third parties
- Financial Information: such as information relating to a bank account (e.g., account name or reference, unique account reference ID), refund account details (account number, sort code and financial institution servicing the refund account), payment receipts, payment card details and billing address, and balance and transactions (only for our AIS solution).
- PIS Request Information: such as payment initiation service requests, request reference number, and response status.
- Transaction Information: such as account provider and account number, date / time of payment, payment recipient and data needed for communication with your account provider, information about disputed transactions, fraud-related information (e.g., failed logins).
c. Personal Information automatically obtained from your interaction with the Open Banking Solutions
- Device-related Information such as information which we obtain by automated means such as cookies, web beacons, and embedded scripts. This may include information from a web browser (such as browser type and browser language), an IP address, device identifier numbers, and the actions taken on a website (such as how a visitor interacts with the web pages and the links clicked, mouse location and keystroke timing). For detailed information about the use of cookies and similar technologies, please see the cookie notices and consent tools that are provided in our Open Banking Solutions.
- Logs of your use of the Open Banking Solutions, which comprise information on which user account is logged into or whether it concerns a one-time user, the IP-address used, the time and date, which action has been performed and device information, i.e., information on operating system, browser information and settings. Further, whenever a third-party service accesses the Open Banking Solutions, a similar log is created. We also monitor use of the Open Banking Solutions for fraud prevention and anomalies such as unusually high frequency of failed initiations, unusually high frequency of successful initiations, unusually high value of initiated payments or if payments are initiated from an unusual geographical location.
2. How We May Use Your Personal Information
We may use your Personal Information to:
- Provide and develop our Open Banking Solutions and related services.
- Diagnose, troubleshoot, and fix issues with the Open Banking Solutions, including customer support, ensuring the accuracy of our features and quality control.
- Monitor and understand IT performance.
- Market, promote and advertise our Open Banking Solutions.
- Enforce compliance with our terms (e.g., helping to resolve disputes about Open Banking transactions), comply with legal obligations, and to establish, exercise, or defend against legal claims.
- Develop new features and improvements to our Open Banking Solutions where possible based on de-identified data.
- Monitor, detect and investigate possible financial crime.
- Manage our customer, vendor, and partner relationships.
Where required under applicable law, we will only use your Personal Information as necessary to provide you with our Open Banking Solutions; with your consent; to comply with a legal obligation; or when there is a legitimate and overriding interest that necessitates the use. We have carried out balancing tests for the data processing that relies on this basis to ensure that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms.
We may use Personal Information we obtain about you for the purposes set out below. Depending on the country in which you are located, we will only process your Personal Information when we have a legal basis for the processing as identified in the table below.
Processing purposes | Legal basis | Categories of Personal Information |
Provide and operate our Open Banking Solutions and related services. This includes creating and managing your user account, enabling the sharing of your Financial Information with third parties at your instruction and remembering your Credentials and preferred settings within the Open Banking Solutions. For our AIS, it also includes providing you with a consolidated view of your various bank accounts (including spending and income) and enabling spending categorization. For our PIS, it also includes facilitating direct and account-to-account payments from your linked payment account. | We rely on the “performance of a contract” legal ground to provide our Open Banking Solutions to you. | Personal and/or Business Contact Information and Credentials; AIS User Account Information; Financial Information; Authorizations; PIS Request Information |
Troubleshoot our Open Banking Solutions and provide customer support, ensuring the accuracy of our features and quality control. This includes our ticketing system where you contact us for assistance when you are experiencing a technical issue as well as analysis to ensure quality control. | This processing is necessary for performance of a contract to which you are party. In some cases, we have a legitimate interest in ensuring the safety, security, and performance of our Open Banking Solutions. Where required under applicable laws, we obtain your prior consent to access Financial Information and Transaction Information for these purposes. | AIS User Account Information; Financial Information; Authorizations; PIS Request Information; Transaction Information; Logs of your use of the Open Banking Solutions; Device-related Information |
Monitor and understand IT performance. | This processing is necessary for performance of a contract to which you are party. In some cases, we have a legitimate interest in monitoring and understanding IT performance to ensure the stability and the integrity of our Solutions. | Logs of your use of the Open Banking Solutions; Device-related Information |
Market, promote and advertise our Open Banking Solutions | We have a legitimate interest in promoting our business. Where required under applicable laws, we will obtain your prior consent to send you electronic direct marketing communications. | AIS User Account Information; Personal and/or Business Contact Information and Credentials |
Comply with legal obligations, and to establish, exercise, or defend against legal claims. | Compliance with a legal obligation (e.g., to respond to law enforcement requests). We, or a third party, have a legitimate interest in protecting against legal claims. | Personal and/or Business Contact Information and Credentials; AIS User Account Information; Financial Information; Authorisations; PIS Request Information; Transaction Information; Device-related Information; KYC/AML Information; General Communication Information; Logs of your use of the Open Banking Solutions |
Develop new features and improvements to the Open Banking Solutions where possible based on de-identified information. | This processing is necessary for performance of a contract to which you are party (e.g., improve the categorization model). Where required under applicable law, we obtain your prior consent to process your Financial Information and Transaction Information for this purpose. | AIS User Account Information; Personal and/or Business Contact Information and Credentials; Financial Information; PIS Request Information; Transaction Information; Device-related Information |
Detect, investigate, and prevent possible fraud. This includes tracking and hindering any possible illegal activities and abuse of our Open Banking Solutions. | We have a legitimate interest in detecting, investigating, and preventing fraud, such as illegal activities or abuse of our Open Banking Solutions, or we must do so to comply with legal obligations (e.g., under anti-money laundering laws). | Device-related Information; KYC/AML Information; General Communication Information; Logs of your use of the Open Banking Solutions |
To manage our customer and vendor relationships. | This processing is necessary for performance of a contract to which you are party. | Personal and/or Business Contact Information and Credentials |
3. How We Share Your Personal Information
We may share Personal Information with the following third parties:
- Other permitted AIS users.
- Financial institutions, business customers, partners, and service providers acting on our behalf.
- Public authorities.
- Potential transactional partners.
- Mastercard’s headquarters and other entities within Mastercard’s group of companies.
We may disclose Personal Information we collect about you to the following third parties, for the purposes described below:
a. Other permitted AIS users
When you use our AIS, you may allow other AIS users to access and view your Personal Information. If you choose to do this, you agree that we, to comply with our agreement with you, may disclose your Personal Information to the person that you have instructed us to allow access to your information concerned. You can revoke this access at any time in the Open Banking Solutions’ settings.
b. Financial institutions, business customers, partners and service providers acting on our behalf
To provide our Open Banking Solutions, we share the Personal Information we collect with financial institutions, business customers (where you instruct us to do so) and partners. For our PIS, this includes disclosing Transaction Information to a third-party provider to enable the payment transaction. For our AIS, this includes disclosing your Personal Information to your financial institution. In addition, we use service providers acting on our behalf, such as hosting and infrastructure providers, and providers of monitoring, security, and IT support services.
c. Public authorities
In some circumstances, we may share the Personal Information we collect with public authorities: (i) if we are required to do so by law or legal process, (ii) in response to a request from a court, law enforcement authorities, or government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.
d. Potential transactional partners
We may share the Personal Information we collect with potential transactional partners or other third parties in the event of a sale or transfer of our business or assets.
e. Mastercard Group
We share the Personal Information we collect with other entities within the Mastercard group of companies, for the purposes described in this Notice. Please see the “Data Transfers” section in the Global Privacy Notice to understand how we comply with applicable cross-border data transfer rules.
4. Your Rights, How To Contact Us, And Additional Information About Our Practices
The entity responsible for the processing of your Personal Information (or data controller) varies depending on the type of Open Banking Solutions that you use:
- For any Open Banking Solutions other than MCOBS Europe branded ones, the entity responsible for the processing of your Personal Information (or data controller) is Mastercard Europe SA. You may contact our global privacy office at privacyanddataprotection@mastercard.com, or write to us at:
Europe Data Protection Office
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium
- For MCOBS Europe branded Open Banking Solutions, the entity responsible for the processing of your Personal Information (or data controller) is MCOBS Europe. You may contact our European privacy office at privacyanddataprotection@mastercard.com, or write to us at:
Mastercard OB Services Europe
Att.: Privacy
Arne Jacobsens Allé 13
2300 Copenhagen
Denmark
You have certain rights and choices regarding the Personal Information we maintain about you. For more information about your rights, or to learn more about how we share, transfer, retain and protect your Personal Information, please read our Global Privacy Notice.
Our Spiir Open Banking Solution has its own specific privacy notices. Please consult that notice for more information about our processing in that context. For enquiries about your Mastercard card and your purchase, please contact your financial institution or merchant. More information about how to contact them can be found on their websites.