Privacy Policy

The following declaration about data protection applies to the use of the website https.//kingplus.eu hereinafter referred to as “the website” and “the online offer”.

KingCard attaches great importance to privacy. The collection and processing of your personal data is carried out in compliance with the applicable data protection regulations, in particular with the General Data Protection Regulation (GDPR) and the Bundesdatenschutzgesetz (BDSG) for Germany and the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act of 2018 (DPA) for UK. For better reading the term ‘GDPR’ as follows refers to the GDPR and the UK-GDPR. We collect and process your personal data in order to offer you this Website. This Declaration describes how and for what purpose your personal data is collected and used, and what choices you have in connection with your data. 

By using this Website, you consent to the collection, use and transfer of your data in accordance with this Data Protection Declaration. If you wish to object to our collection, processing or use of your data completely or with regard to individual measures in accordance with this Data Protection Regulation, you can address your objection to the controller.

1. General

1.1 Controller

The controller who is the body responsible for the collection, processing and use of your personal data within the meaning of GDPR is 

Card Compact Ltd. 

483 Green Lanes London N13 4BS United Kingdom 

Email: support@cardcompact.com

1.2 Data Protection Officer and EU Represenatative

Our data protection officer and EU representative can be reached:

Email: privacy@cardcompact.com

1.3 Definition 

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means. The term has a broad meaning and practically comprises all handling of data.

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

‘deletion’ of personal data means both the definitive and therefore irrevocable, complete removal of data (destruction) and of the personal reference to them (anonymisation). In any case, after the deletion process a reference to specific persons can no longer be established.

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

2. Data Processing 

2.1 Types of processed data:

• Name
• Date of birth
• Address data (street, house number, postal code and city)
• Contact data (e.g. email, phone numbers)
• Content data (e.g. text entries, history, foto);
• Usage data (e.g. visited websites, interest in contents, access times);
• Meta/communications data (e.g. device information, IP addresses);

2.2 Categories of Data Subjects

Visitors and Users of the Online Offer. Hereinafter, we will refer to the Data Subjects also as “user”.

2.3 Purpose of the processing

2.3.1 Registration process / Conclusion of contract

In order to issue your KingCard Prepaid Card and set up your eAccount, your personal data is required to be filled out in the online form during registration. During the application process, you will be provided with the required mandatory information (title, first name, surname, street no., postcode, city, date of birth, mobile phone number, email) and processed for the purposes of fulfilling the contract on the basis of Art. 6 sec. 1 lit. b GDPR. As a registered user you have the possibility to change or revise your personal data at any time in the “Personal data” section. 

In order to confirm your identity after registration, you will be asked to upload a scan of your identity card and a photo of yourself. Once the required data has been entered and your identity confirmed, your data will be sent to our card manufacturer Thames Card Technology Limited (based in Essex near London). There the card is produced and printed. During this process, the token is created for your card, which from its existence, as well as your personal data, the scan of the ID card and the photo are passed on to CardCompact and stored there in the system (GPS). The dispatch of the card will be processed within 5-7 days after receipt of full payment (issuing fee). 

In the app the card can then be activated upon receipt with the card number, card verification number and security code, where your personal data is also already stored by entering it into the system. Only for the purpose of upgrading your card, a separate KingCard proof of source of funds will be collected, stored and processed.

KingCard collects, stores and processes your personal information on their computers in order to further develop and improve all services provided to you, to communicate with you and to manage your eAccount. KingCard will only provide access to your personal information to those employees who need it to provide our services. 

We will not disclose any information except in the limited circumstances described below, as permitted by applicable law, or with your express permission: 

• To the issuer of electronic money Transact Payments Malta Limited is duly authorised and regulated by the Malta Financial Services Authority as a Financial Institution under the Financial Institution Act 1994.
• To the transaction processor Global Processing Services, 18-20 Hill Rise, Richmond, TW10 6UA UK, which we use for the processing of your card transactions 
• To third parties including card bureaus which we use for the production of your plastic card. Details of our current suppliers can be provided upon request 
• To other third parties for the processing of customer identifications services including KYC verification. Details of our current supplier can be provided upon request
• To other third parties for the processing of PEP and Sanctions checks. Details of our current supplier can be provided upon request. 
• To Auditors, for the purpose of reviewing our regulatory compliance. Details of our current suppliers can be provided upon request 
• To our scheme provider Mastercard®, in relation to cardholder information they may require in reference to chargebacks or disputes, audits and other exceptional cases. Details of the relevant contact office can be provided upon request 
• Other Banks, in relation cardholder information they may require in reference to chargebacks or disputes, audits and other exceptional cases. Details of the relevant contact office can be provided upon request 
• To anyone to whom we transfer or may transfer our rights and duties under our Terms and Conditions with you

The KingCard Prepaid Mastercard® card is issued by Transact Payments Malta Limited pursuant to licence by Mastercard International. Transact Payments Malta Limited is duly authorised and regulated by the Malta Financial Services Authority as a Financial Institution under the Financial Institution Act 1994. Registration number C 91879. Mastercard and the circles design are registered trademarks of Mastercard International Incorporated.

2.3.2 Website Hosting

The hosting service (GoDaddy Corporate Headquarters 14455 N. Hayden Rd., Ste. 226 Scottsdale, AZ 85260 USA, Server locations in Europe, Netherlands) are used for the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, security and technical maintenance services which we use to operate this Online Offer.

Here, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this Website based on our legitimate interests in an efficient and secure provision of this Online Offer according to Art. 6 sec. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of the contract about the processing of commissioned data).

2.3.3 Replying to contact requests and communication with users

When you contact us (e.g. via contact form, chat bot or email), we store your details (e.g. name, address, telephone number, email address, conversation history) to process your enquiry and in the event that follow-up questions arise in relation to a subsequent contractual or business relationship in accordance with Art. 6 sec. 1 lit. b GDPR. We only store and use further personal data if you give your consent or if this is legally permissible without special consent. 

2.3.4 Cookies

The Website partly uses so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and safer. Cookies are small text files that are stored on your computer and saved by your browser. 

Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser on your next visit. You can set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited. Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested (e.g. shopping basket function) are stored on the basis of Art. 6 sec. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimised provision of his services. Insofar as other cookies (e.g. cookies for analysing your surfing behaviour or such of third parties) are stored, these are treated separately in this data protection declaration. 

2.3.5 Further integration of third-party services and content (plugins)

Within our online offer we use on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation and in the interest of an appealing presentation of our online offer) in accordance with Art. 6 sec. 1 lit. f. DSGVO content or service offers from third parties to integrate their content and services, such as videos or contributions. Such integration always requires that the third-party providers of these contents are aware of your IP address, as they cannot send the contents to your browser without the IP address. The IP address is therefore required to display this content.

We endeavour to use only such content whose respective providers use your IP address only to deliver the content. Third party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on your device and may contain technical information about your browser and operating system, referring web pages, visiting time and other details about your use of our online services, as well as being linked to such information from other sources.

2.3.5.1 Facebook

We use Facebook Pages, Facebook Groups and Facebook Social Plugins (“Plugins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

The pages, groups and plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are recognizable to you by one of the Facebook logos (white “f” on blue tile, the terms “Like”, “Like” or a “thumbs up” sign) or are marked with the addition “Facebook Social Plugin”. If you call up a function of our online offer that contains such a plugin, your device establishes a direct connection with the Facebook servers. In doing so, user profiles can be created from the processed data. We therefore have no influence on the extent of the data that Facebook collects with the help of this plugin and therefore inform users according to our state of knowledge. By integrating the plugins, Facebook receives the information that you have called up the corresponding page through our online offer. If you are logged in to Facebook, Facebook can assign the visit to your Facebook account. If you are not a member of Facebook, there is still the possibility that Facebook will find out your IP address and save it. According to Facebook, only an anonymous IP address is stored in Europe. 

Furthermore, we use the so-called “Facebook pixel” on our website. This enables the users of our website to be presented with interest-related advertisements (“Facebook ads”) when they visit the social network Facebook or other websites that also use the procedure. With the use of the Facebook pixel, we pursue the purpose of displaying Facebook ads placed by us only to those Facebook users who have also shown an interest in our Internet offering. With the help of the Facebook pixel, we want to ensure that our Facebook ads correspond to the potential interest of the users and do not appear annoying. In addition, the Facebook pixel allows us to track the effectiveness of Facebook ads for statistical purposes by showing us whether users were redirected to our website after clicking on a Facebook ad. The legal basis for the use of the Facebook pixel is Art. 6 sec. 1 lit. a GDPR and depends on your consent, which you can change at any time in your cookie consent settings.

The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the relevant rights and setting options to protect the privacy of users, can be found in the https://www.facebook.com/about/privacy/. The joint processing of personal data takes place on the basis of a joint processing agreement.

2.3.5.2 Vimeo

Within our online offer, functions and contents of the Vimeo service can be used. Vimeo is operated by Vimeo, LLC with headquarters at 555 West 18th Street, New York, New York 10011.

On some of our website pages we use plugins from the provider Vimeo. When you access the Internet pages of our website that are equipped with such a plugin, a connection is established to the Vimeo servers and the plugin is displayed. This tells the Vimeo server which of our Internet pages you have visited. If you are logged in as a member of Vimeo, Vimeo assigns this information to your personal user account. When you use the plugin, such as when you click on the start button of a video, this information is also assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the corresponding cookies from Vimeo.

For more information on data processing and Vimeo’s privacy policy, please visit https://vimeo.com/privacy.

2.3.5.3 Twitter

Within our online offer, functions and contents of the service Twitter, offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, can be used.

This includes a button with which you can subscribe to our posts. If you are a member of the Twitter platform, Twitter can assign the access to the above-mentioned content and functions to your profile.

You can find more information on how Twitter handles user data in the https://twitter.com/de/privacy. You can object to the data collection here, https://twitter.com/personalization Twitter data collection opt-out.

2.3.5.4 Linkedin

Within our online offer, functions and content of the LinkedIn service, offered by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, may be used.

This includes a button with which you can subscribe to our contributions. If you are a member of the LinkedIn platform, LinkedIn may associate the access to the above content and features with your profile.

For more information about how LinkedIn handles user information, please see the LinkedIn privacy policy. You can opt-out of data collection here, LinkedIn data collection opt-out.

2.3.6 Zoho

Within our online offer, functions and contents of the Zoho service of Zoho Corporation service, 4141 Hacienda Drive Pleasanton, California 94588, USA can be used. 

If you contact us through the chat bot, we store your details (e.g. name, address, telephone number, email address, conversation history) according to Art. 6 sec. 1 lit. b GDPR to process your request and in the event that follow-up questions arise in relation to a subsequent contractual or business relationship. 

You can find more information about how Zoho handles user data in the Zoho privacy policy.

2.3.7 Access data 

KingCard collects information about you when you use this Website. We automatically collect information about your user behaviour and the interaction with us and register information about your computer or mobile device. We collect, store and use data about every access to our Online Offer (so-called server log files). The access data includes the name and URL of the retrieved file, date and time of the retrieval, the amount of data transferred, the message about a successful retrieval (HTTP response code), browser type and browser version, operating system, referrer URL (i.e. the previously visited page), IP address and the requesting provider. 

We use this protocol data – without assigning it to you personally or creating another profile – for statistical evaluations in order to operate, make secure and optimize our Online Offer, but also to anonymously collect the number of visitors (traffic) on our Website and the extent and type of use of our Website and services, as well as for billing purposes to measure the number of clicks received from cooperation partners. Based on this information, we can provide personalized and location-based contents and analyze the data traffic, search and remedy errors and improve our services. We reserve the right to check the log data retrospectively if, on the basis of concrete indications, the legitimate suspicion of unlawful use exists. We store IP addresses in the log files for a limited period, if necessary for security purposes or for the provision of services or the billing of a service, e.g. if you use one of our offers. We also store IP addresses, if we have a specific suspicion of a crime in connection with the use of our Website. In addition, we store the date of your last visit (e.g. when registering, logging in, clicking links, etc.) as part of your account. 

The processing of personal data takes place here on the basis of our legitimate interests in an efficient and secure provision of this online offer as well as on the basis of legal obligations according to Art. 6 sec. 1 lit. c and f GDPR.

2.3.8 Access measurement

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”). Google Analytics uses so-called “cookies”, i.e. text files which are stored on your computer and which will enable an analysis of your use of the website. On behalf of the operator of this website, Google will use the above-mentioned information to evaluate your use of the website, to compile reports on website activities and to provide further services to the website operator in connection with website and internet use. The IP address transmitted by your browser within the scope of Google Analytics is not combined with other data from Google.

The purposes of data processing are to evaluate the use of the website and to compile reports on activities on the website. On the basis of the Use of the website and the Internet should then provide other related services can be provided.

Within the scope of the coverage analysis of Google Analytics, on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer) in accordance with Art. 6 sec. 1 lit. f GDPR the following data are processed:

Name and URL of the accessed file, date and time as well as country of origin of the access, transferred data volume, notification of successful access (HTTP response code), browser type and browser version, operating system, referrer URL (i.e. the previously visited page), IP address and the requesting provider as well as the number of visits and your time spent on the website.

Your IP address will be anonymized immediately after it has been saved by Google.

Pseudonymous user profiles of the users can be created from the processed data. The cookies have a storage period of one week. The data stored by the cookie about your use of this website will only be published on our website and server and not passed on to third parties. You can disable the storage of cookies by setting your browser software. You can also prevent the collection of the data generated by the cookie and stored information about your use of the website (including your IP address) and the processing of this data by Google, by downloading and installing the following browser plugin: Browser Add On to Deactivation of Google Analytics.

Additionally or as an alternative to the browser add-on you can disable tracking by Google Analytics on our pages by changing our cookie consent settings. Thereby an Opt-out cookie is installed on your device. This will prevent Google Analytics from collecting data for this website and for this browser in the future as long as the cookie remains installed in your browser.

The logs with your data will be deleted at the latest 1 year after the last visit of the website. Until then, the evaluation of the collected data is necessary for an effective control of the optimization and simplification of the online offer.

The website uses the function “demographic characteristics” of Google Analytics. This allows reports to be generated that contain statements about the age, gender and interests of the site visitors. This data comes from interest-based advertising by Google as well as from visitor data from third parties. This data cannot be attributed to any specific person. You can disable this feature at any time in your Google Account Ads settings or opt-out of having your information collected by Google Analytics as described in the “Opt-out of data collection” section.

2.3.9 Google Analytics Remarketing

Our websites use the functions of Google Analytics Remarketing in conjunction with the cross-device functions of Google Ads and Google DoubleClick. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This feature allows advertising audiences created with Google Analytics Remarketing to be linked to the cross-device capabilities of Google Ads and Google DoubleClick.

In this way, interest-based, personalized advertising messages that have been customized for you on one device (e.g. mobile phone) can be displayed on another of your devices (e.g. tablet or PC) depending on your previous usage and surfing behavior on that device. If you have given permission, Google will link your web and app browsing history to your Google Account for this purpose. In this way, the same personalized advertising messages can be displayed on any device you sign in with your Google Account. 

To support this feature, Google Analytics collects Google-authenticated user IDs that are temporarily linked to our Google Analytics data to help define and create audiences for cross-device advertising. You can opt-out of cross-device remarketing/targeting permanently by deactivating personalized ads in your Google Account at https://www.google.com/settings/ads/onweb.

The aggregation of the collected data in your Google Account is based solely on your consent, which you can give or withdraw to Google (Art. 6 sec. 1 lit. a GDPR). For data collection operations that are not merged into your Google Account (e.g. because you don’t have a Google Account or because you have objected to the merging), the collection of data is based on Art. 6 sec. 1 lit. f GDPR. The legitimate interest arises from the fact that the website operator has an interest in the anonymised analysis of website visitors for advertising purposes. Further information and the data protection regulations can be found in the Google data protection declaration at https://www.google.com/policies/technologies/ads.

2.3.10 Google Ads and Google Conversion-Tracking

This website uses Google Ads. Ads is an online advertising program of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). As part of Google Ads, we use what is known as conversion tracking. 

When you click on an ad placed by Google, a conversion tracking cookie is set. These cookies expire after 30 days and are not used to personally identify users. If the user visits certain pages of this website and the cookie has not expired, Google and we may recognize that the user clicked on the ad and was redirected to that page. Each Google Ads customer receives a different cookie. The cookies cannot be tracked through the websites of Ads customers. The information collected through the conversion cookie is used to compile conversion statistics for those Ads customers who have opted in to conversion tracking. Customers are told the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. 

However, you will not receive information that personally identifies users. If you don’t want to participate in tracking, you can opt-out of this use by turning off the Google Conversion Tracking cookie slightly in your web browser under User Preferences. You will then not be included in the conversion tracking statistics. 

The storage of “conversion cookies” takes place on the basis of Art. 6 sec. 1 lit. a GDPR and therefore relies on your consent you can also easily change in your cookies consent settings. More information about Google Ads and Google Conversion Tracking can be found in the privacy policy of Google https://www.google.de/policies/privacy.

2.3.11 eTracker

This website uses the services of etracker GmbH, Erste Brunnenstraße 1, 2459 Hamburg, Germany www.etracker.com to analyze usage data.

The data processing is based on the legal provisions of Art. 6 sec. 1 lit. f GDPR (legitimate interest). Our concern in terms of the GDPR is the optimization of the online offer and our website. Since the privacy of our users is important to us, the data that may allow a reference to an individual person, such as the IP address, registration or device IDs, are anonymized or pseudonymized as soon as possible. No other use, combination with other data or transfer to third parties will take place.

We do not use cookies for web analysis by default. If we use analysis and optimization cookies, we will obtain your explicit consent in accordance with Art. 6 sec. 1 lit. a GDPR separately in advance. If this is the case and you agree, cookies are used to enable a statistical range analysis of this website, a measurement of the success of our online marketing measures and test procedures, e.g. to test and optimize different versions of our online offer or its components. etracker cookies do not contain any information that would allow a user to be identified.

The data generated with etracker is processed and stored exclusively in Germany by etracker on behalf of the provider of this website and is therefore subject to the strict German and European data protection laws and standards. etracker has been independently tested, certified and awarded the ePrivacyseal

You can object to the aforementioned data processing at any time. The objection will not have any negative consequences.

You can find more information about data protection at etracker here.

2.3.12 Signalize – Push Notifications

If you enable push notifications for this website through the “Signalize” service of etracker GmbH, a feature of your Internet browser or mobile operating system will be used to deliver the notifications to you.

The data processing for statistical analysis of the notifications and to better tailor future notifications to the interests of the recipients is based on our legitimate interest in personalized direct advertising according to Art. 6 sec. 1 lit. f GDPR. Since the privacy of our users is very important to us, data that may allow a reference to an individual person, such as the IP address, login or device IDs, are anonymized or pseudonymized as soon as possible. A direct personal reference is thereby excluded. There will be no other use, combination with other data or transfer to third parties. 

Only anonymous or pseudonymous data will be transmitted for sending messages. This can be depending on the configuration of the website:

Pseudonymous user ID: a randomly generated value (example: 108bf9a85547edb1108bf9a85547edb1), which is stored in a tracking cookie ID.

Pseudonymous digital fingerprints, pseudonymous mobile device identifiers and possibly pseudonymous cross-device identifiers.

This data is only processed to deliver the notifications you have subscribed to and to create notification-related settings. For the storage of this data in cookies we ask for your consent. In this case, the legal basis for data processing is Art. 6 sec. 1 lit. a GDPR. You can object to receiving notifications at any time via the settings of your browser or mobile device. You can also find information on how to unsubscribe for push notifications here.

In order to make the content of the push notifications meaningful to you, we use the preferences collected on the basis of a pseudonymous user profile by means of tracking pixels and, with your consent, also by means of cookies, and we merge your notification ID with the user profile of the website solely for the purpose of personalized message dispatch. The tracking technology is also used for statistical evaluation of the notifications on our behalf. This allows us to determine whether a notification was delivered and whether it was successfully clicked. The data generated by this technology is processed and stored exclusively in Germany.

You can object to the aforementioned data processing at any time.

3. Legal bases and storage period 

Unless specifically stated, we only store your personal data for as long as necessary to fulfil the purposes pursued in accordance with Art. 6 GDPR. Furthermore, your data will be deleted if the data is no longer required to fulfil contractual or legal storage obligations in accordance with Art. 17 sec. 3 lit. b GDPR (e.g. tax and commercial law storage obligations) as well as dealing with possible warranty and comparable obligations. In addition, we store your personal data for the purpose of asserting, exercising or defending legal claims according to Art. 17 sec. 3 lit. e GDPR. 

If personal data may no longer be processed for the original purpose, but storage obligations still exist, the data will be archived from the productive processing or storage locations, completely deleted from the productive level and access restricted. Once all storage obligations have been fulfilled, storage rights have lapsed and all deletion periods have expired, the corresponding data is routinely deleted. 

4. Your rights as a Data Subject 

Under applicable law, you have various rights regarding your personal data. If you wish to assert these rights, please send your request to the data protection officer by email or by mail with a clear identification of your person (see Clause 1.2). As a Data Subject, you have the following rights:

4.1 Right of access 

According to Art. 12 and 13 you have the right to obtain from us a confirmation as to whether or not personal data concerning you is being processed. Where that is the case, you have the right to obtain free information from us about the personal data stored about you and a copy of this data. In addition, you have the following rights: 

• the processing purposes; 
• the categories of personal data being processed; 
• the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular in case of recipients in third countries or to international organizations; 
• if possible, the planned duration for which the personal data is stored or, if this is not possible, the criteria for the determining of that duration; 
• the existence of the right to request rectification or erasure of the personal data concerning you; 
• the right to restriction of processing by the controller 
• the right to object to this processing; 
• the right to lodge a complaint with the supervisory authority; 
• where the personal data is not collected from you, any available information as to the source of the data; 
• the existence of automated decision-making, including profiling, in accordance with Art. 22 sec. 1 and 4 GDPR and – at least in those cases – meaningful information about the logic involved, and the significance and envisaged consequences of such processing for you. 

Where personal data is transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards relating to the transfer according to Article 46 GDPR. 

This access is normally free but we reserve the right to charge a €10 handling fee for this service if we receive multiple requests for the same data or if the request is overly complex. 

4.2 Right to rectification 

According to Art. 16 GDPR you have the right to obtain from us the immediate rectification of inaccurate personal data concerning you. In consideration of the purposes, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement. 

4.3 Right to erasure (“Right to be forgotten”) 

According to Art. 17 GDPR you have the right to obtain from us the immediate erasure of the personal data concerning you and we are obliged to erase your personal data immediately, if one of the following reasons applies: 

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed. 
• You withdraw your consent, on which the processing was based, in accordance with Art. 6 sec. 1 lit. a or Art. 9 sec. 2 lit. a GDPR, and there is no other legal ground for the processing.
• You object to the processing according to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing (e.g. statutory retention periods), or you object to the processing according to Art. 21(2) GDPR. 
• The personal data was processed unlawfully. 
• The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject. 
• The personal data was collected with regard to services offered by the information society according to Art. 8 sec. 1 GDPR. 

Where we have made personal data public and we are required to erase it, we will take appropriate measures, taking into account available technology and implementation costs, also of technical nature, to inform the controllers who process the personal data that you have requested the deletion of any links to such personal data or of copies or replications of such personal data according to Art. 19 GDPR. 

4.4 Right to restriction of processing 

According to Art. 18 GDPR you have the right to obtain from us restriction of processing, where one of the following applies: 

• the accuracy of the personal data is contested by you, as long as necessary enabling us to verify the accuracy of the personal data;
• the processing is unlawful and you opposed the erasure of the personal data and requested the restriction of its use instead;
• the personal data is no longer needed for the purposes of the processing, but you need it for the establishment, exercise or defense of legal claims; 
• you have objected to the processing according to Art. 21 sec. 1 GDPR pending the verification whether the legitimate grounds of our company override yours. 

4.5 Right to data portability 

According to Art. 20 GDPR You have the right to receive the personal data concerning you provided to us in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us, provided that: 

• the processing is based on consent according to Art. 6 sec. 1 lit. a or Art. 9 sec. 2 lit. a or on a contract according to Art. 6 sec. 1 lit. b GDPR; and 
• the processing is carried out by automated means. 

In exercising your right to data transferability in accordance with paragraph 1, you have the right to have the personal data transmitted directly from us to another controller, if this is technically feasible. 

4.6 Right to object 

According to Art. 21 GDPR you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 sec. 1 lit. e or f GDPR, including profiling based on those provisions. We do no longer process the personal data unless we can demonstrate compelling grounds, worthy of protection, for the processing which override your interests, rights and freedoms or the processing serves for the establishment, exercise or defense of legal claims. 

4.7 Right of withdrawal of a declaration of consent given under data protection law 

According to Art. 6 sec. 1 lit. a GDPR, you have the right to revoke the previously granted consent to data processing without giving reasons. If no other lawfulness of the processing within the meaning of Art. 6 sec. 1 GDPR justifies further data processing, your personal data must then be deleted immediately. Otherwise, the processing of the personal data of the data subject must be temporarily restricted (blocked).

4.8 Right to appeal to a supervisory authority 

You have the right to appeal to a supervisory authority, in particular in the Member State of your home, work or at the place where the infringement has allegedly been committed, if you have the opinion that the processing of the data concerning you is unlawful. 

For KingCard, the competent supervisory authority is the 

Information Commissioner’s Office, Wycliffe House

Water Lane, Wilmslow Cheshire, SK9 5AF

5. Security of data 

D-91522 Ansbach

Email: poststelle@lda.bayern.de

We endeavor to ensure the security of your personal data under the scope of applicable data protection laws and technical options. 

We transmit your personal data in encrypted form. This applies to your orders and also to a customer login. We use the SSL (Secure Socket Layer) coding system, but point out that data transmission over the Internet (e.g. when communicating by email) can have security gaps. It is not possible to protect such data completely against access by third parties. 

When personal data is accessed by authorized personnel, access is only possible via an encrypted connection. When accessing data in a database, the IP number of the person accessing the data must also be pre-authorized to gain access. All access to personal data is blocked by default. Access to personal data is restricted to individually authorized personnel. Our security and data protection officer issues authorizations and keeps a log of the authorizations granted. Authorized employees are granted only the minimum access they absolutely need for their tasks through our role and authorization concept. Administrative processes, including system access, are logged to provide an audit trail when unauthorized or accidental changes are made. System performance and availability is monitored by both internal and external monitoring services. Databases are backed up continuously to enable recovery at any time within a 35-day retention period. Backups are stored in file storage in the same geographic location as the database. To safeguard your data, we maintain technical and organizational security measures that we always adapt to state-of-the-art technology. 

Furthermore, we do not warrant that our offer will be available at specific times; disturbances, interruptions or failures cannot be excluded. The servers we use are regularly and diligently backed up. 

In the event that your data is compromised, we will notify you and the relevant regulatory authorities by email within 72 hours of the extent of the breach, the data involved, any impact on the service and the plan of action to secure the data and limit any adverse effects on the data subject.

6. Automated decision-making 

No automated decision-making will be done on the basis of the collected personal data. 

7. Transfer of data to third parties, data transfer to non-EU/EEA countries

As a rule, we only use your personal data in our company. 

In addition, your personal data will only be passed on if you have given your consent in accordance with Art. 6 sec. 1 lit. a GDPR, the transfer is necessary for the fulfilment of a contract in accordance with Art. 6 sec. 1 lit. b GDPR, we are subject to a legal obligation in accordance with Art. 6 sec. 1 lit. c GDPR (e.g. e.g. tax regulations, participation in the clarification of a criminal offence), or if this is necessary to protect our legitimate interests in accordance with Art. 6 sec. 1 lit. f GDPR, unless your interests or fundamental rights and freedoms that require the protection of personal data outweigh this. 

If and insofar as we involve third parties in the fulfilment of contracts, these third parties will only receive personal data to the extent that the transmission is absolutely necessary for the corresponding service. In the event that we outsource certain parts of data processing (“contract processing”), we contractually oblige our processors to use personal data only in accordance with the requirements of the data protection laws and this privacy policy and to ensure the protection of the rights of the data subject.

Furthermore, it is only permitted to transfer personal data to institutions or persons outside the EU/EEA under the conditions set out in Art. 44 following GDPR. In particular, adequate protection is then guaranteed by appropriate measures, such as standard contractual clauses of the EU Commission within the meaning of Art. 46 sec. 2 lit. d GDPR.

8. Data protection officer

Should you still have any questions relating to our data protection or to this Data Protection Declaration, or should you intend to exercise your rights named herein, kindly contact our data protection officer (contact details see point 1.2).

9. Changes to the Data Protection Declaration

KingCard reserves the right to change the Privacy Policy in order to adapt it to changed legal situations, or in the event of changes in the service and data processing. However, this only applies to declarations about the processing of data. If the consent of the user is required or elements of the Data Protection Declaration contain provisions of the contractual relationship with the User, the changes are only made with the approval of the User.

Users are asked to inform themselves regularly about the content of the Data Protection Declaration. You can save and print this Data Protection Declaration at any time.

(Last update: May 2022)