Operation by SIX

SIX BBS Ltd shall operate the debiX+ app (hereinafter “debiX+ app”) on behalf of the financial institutions participating in the debiX+ app. This operation shall include the provision of services to the customers of the commissioning financial institutions (hereinafter “User”). This shall be performed together with its sister company SIX Group Services Ltd.

To simplify readability, SIX shall hereinafter refer – without prejudice to the User of the debiX+ app – to both SIX BBS Ltd and SIX Group Services Ltd.

Terms of Use

The User shall accept the following conditions of use in the context of the use of the debiX+ app:

a.    By installing the debiX+ app, the User confirms that they are the legal owner or holder of the mobile device used. Registration shall be made with one or more debit cards that the User is authorized to use for private or business purposes. The transactions performed in connection with the mobile device used and the debit card used shall be deemed, as a rule, to have been lawfully made and accepted by the User.

b.    The User shall be responsible for the safekeeping of the mobile device used. The User shall take appropriate security measures to prevent any misuse by unauthorized third parties.

c.     The User shall handle their username and password with care. The password must be created specifically for the debiX+ app and must not be easily guessed. The username and password must be kept secret and secure. When entering the username and password, it must always be ensured that they cannot be seen by third parties.

d.    If the User wishes to link the login to the debiX+ app or the approval of transactions with the biometric data stored on the mobile device used, they can activate this via the corresponding consent in the system.

e.    The User agrees that the camera of the mobile device used can be accessed for the use of the card data read-in functionality (scan).

f.      The User authorizes SIX to use the information provided as part of the payment process in accordance with applicable laws and exclusively in connection with the debiX+ app. The User is aware that information is passed on to third parties for the purpose of transaction processing.

g.    If the User wishes to receive notifications in connection with 3D Secure transactions, one-time activation of the push notifications function is recommended. The User can enable this function when registering their debit card, after which they can manage this function independently via the operating system settings.

h.    The User may use only operating systems provided by the manufacturer of the mobile device used and shall be responsible for regularly implementing the relevant security updates. Intrusions into the operating systems of the mobile device or the functionality, architecture or programming code of the debiX+ app shall not be permitted.

i.      If the User has reason to believe that the security of the debiX+ app is no longer ensured, in particular if the mobile device used is no longer in their possession and the security of their data is compromised, they must immediately report this to the respective card-issuing financial institution of the debit card registered in the debiX+ app. 

j.      By registering their e-mail address, the User agrees that SIX may use it for electronic communication with them in connection with the debiX+ app. Possible use cases may include master data changes initiated by the User, notifications of changes to the terms of use from SIX, and inquiries from SIX in connection with transactions for the purpose of avoiding card and debiX+ app misuse.

k.     It shall be the responsibility of the User to ensure technical access to the debiX+ app. SIX assumes no liability in connection with the network operator selected by the User or the functionality of the hardware and software used by the User.

l.      SIX shall not be liable for damages, lost profits or loss of data of the User in connection with the use of the debiX+ app to the extent permitted by law.

m.    No transfer of intellectual property rights takes place in the context of the use of the debiX+ app. All rights to the debiX+ app remain with SIX at all times.

Privacy Statement for the debiX+ App

This Privacy Statement explains how SIX BBS Ltd. (“SIX”) collects, uses and discloses (hereinafter referred to together as “processes”) personal data (hereinafter referred to as “Personal Data”) of the users of the debiX+ app (hereinafter referred to as “User(s)”), and the means by which this is done. The Privacy Statement also describes how SIX safeguards the confidentiality of the Personal Data processed.

The User agrees to SIX processing Personal Data in accordance with the Privacy Statement. Legal or contractual duties to maintain confidentiality to which SIX is subject in relation to the User’s Personal Data are not affected by this Privacy Statement.

Where the User uses the debiX+ app for processing purposes in which SIX is not the data controller of the Personal Data, the privacy statement of the respective data controller, for example the privacy statement of the financial institution which issued the debit card registered in the debiX+ app (“financial institution”), shall apply.

SIX may amend the Privacy Statement unilaterally at any time. The most recent version is published in the app store by SIX.


1. Data Protection by SIX

The activity of SIX as an infrastructure provider for payments and financial services makes it necessary to collect and process a large amount of data. Thus, data protection is of the highest priority for us. The basic principle is that wherever data are processed, a high level of data protection and security must be guaranteed. This applies to data from financial institutions, Users and business partners as well as to employee data, because privacy is above all protection of the individual. As a consequence, we attribute a high priority to compliance with the applicable laws and to protecting the privacy and private sphere of affected individuals in order to comply with national and international legal requirements.

Contact details:
 
SIX BBS Ltd.
Hardturmstrasse 201
8005 Zurich
Switzerland


2. Type of Collected Personal Data

SIX processes Personal Data about Users who download, install and use the debiX+ app from the relevant app stores.

In select cases, Personal Data are also processed if SIX records telephone calls with Users, whether to meet its own legal obligations or for training or quality assurance purposes.

SIX processes the Personal Data that the User expressly and actively provides to SIX when creating a user account:

  • Title
  • First name and surname
  • Date of birth
  • E-mail address
  • Mobile phone number
  • Account number
  • IBAN
  • Card number and expiry date
  • Address
  • Account authorizations

The SIX debiX+ app also processes technical data as well as data relating to the behavior of the device used by the User:

  • Mobile phone information (device name, device language, device number and model, EMCert ID)
  • IP address
  • Browser type and version (in connection with a 3-D Secure payment)
  • Operating system (in connection with a 3-D Secure payment)

Where SIX processes the User’s Personal Data on behalf of financial institutions, the respective privacy statement of the financial institution shall apply.


3. Usage of Personal Data and Legal Basis

By processing Personal Data in accordance with this Privacy Statement, SIX is able to improve the quality of its debiX+ app as well as the features and services that can be used with it.

Personal Data is processed for the following purposes in particular:

  • Technical management as well as research and further development of the debiX+ app
  • User administration
  • Communications related to updates, changes to Privacy Statements and Terms and Conditions

The following procedural steps must be distinguished from one another when using the debiX+ app:

  1. The User receives a debit card and the OTRC registration code for the debiX+ app from their financial institution.
  2. The User downloads the debiX+ app to their device from the Apple Store or Google Play and registers as a user with SIX.
  3. The User then registers their debit card for 3-D Secure in the debiX+ app.
  4. The User makes payments using the debit card in online shops and confirms them via the debiX+ app using the 3-D Secure procedure or, alternatively, via SMS confirmation code.

These procedural steps involve processing of the data listed under point 2, but a distinction must be drawn between data for which SIX is responsible and data for which financial institutions are responsible, which is also reflected in the different responsibility for data processing and erasure.

The individual procedural steps, the data attributes included and the responsibilities are explained below:

| Procedural step | Data processed | Responsible for data and contact point for questions* |
|---|---|---|
| The User receives a debit card and the OTRC registration code for the debiX+ app from their financial institution. | Title; First name and surname; Date of birth (optional); Account number; IBAN; Card number and expiry date; Address; Account authorizations | Data controller: the User’s financial institution |
| The User downloads the debiX+ app to their device from the Apple Store or Google Play and registers as a user with SIX. | First name and surname; Date of birth; E-mail address; Mobile phone number; Mobile phone information (device name, device language, device number and model, EMCert ID); IP address; Browser type and version (in connection with a 3-D Secure payment); Operating system (in connection with a 3-D Secure payment) | Data controller: SIX |
| The User then registers their debit card for 3-D Secure in the debiX+ app. | Card number and expiry date | Data controller: the User’s financial institution |
| | Surname; OTRC registration code | Data controller: SIX |
| The User makes payments using the debit card in online shops and confirms them via the debiX+ app using the 3-D Secure procedure or, alternatively, via SMS confirmation code. | Card number and expiry date; CVV/CVC | Data controller: the User’s financial institution |

* see also Chapter 6


Users must contact the relevant financial institution directly regarding all procedural steps for which data responsibility lies with the financial institution as well as for all other data processing, in particular data processing associated with a debit card.

SIX processes Personal Data according to the applicable law. Depending on the processing purpose, the legal basis for the processing of the User’s Personal Data will be one of the following:

(a) necessary for the legitimate interests of SIX, without unduly affecting interests or fundamental rights and freedoms of the User,

(b) necessary for taking steps to enter into or execute a contract with financial institutions for the services or products requested or for carrying out our obligations to the User under such a contract,

(c) compliance with legal and/or regulatory duties, including compliance with acts and instructions of authorities.

Examples of the “legitimate interests of SIX” referred to above are:

  • pursuing the above-mentioned purposes
  • exercising SIX’s rights, including the freedom to conduct a business and right to property,
  • providing products and services and assuring a consistently high service standard and keeping our Users and other stakeholders satisfied, and
  • meeting accountability and regulatory requirements,

In each case provided such interests are not overridden by the User’s privacy interests.


4. Data Transfers

The User authorizes SIX to transmit Personal Data to employees, agents or other third parties within or outside the country where the User lives in order to provide services and for the purposes indicated above. This occurs especially when switching from the debiX+ app to another application. Employees, agents and other third parties which have access to Personal Data are required by SIX to ensure compliance with all applicable data protection provisions. Any person who authorizes SIX to access Personal Data as defined in this Privacy Statement will be made aware of the data security and data protection implications. When Personal Data of the User are transferred to other countries, SIX will ensure data protection by granting the protection level required by the applicable law, e.g. by adopting EU Standard Contractual Clauses (SCC) or similar safeguards.

SIX reserves the right to disclose Personal Data to regulatory and supervisory authorities, pursuant to this Privacy Statement. In so doing, SIX will comply at all times with applicable regulations, laws, court orders or official requests.


5. Data Protection Measures

SIX protects Personal Data with appropriate physical, electronic and process-related security measures, such as firewalls, personal passwords, encoding and authentication technologies. SIX adheres to regulatory requirements of PCI-DSS.


6. Data Subject’s Rights

Users whose Personal Data are processed within the scope of this Privacy Statement have the following rights:

  • to receive information on whether SIX may save Personal Data and what form these Personal Data may take (which categories of data, recipients or categories of recipients, retention periods for Personal Data or criteria governing retention periods)
  • to receive a copy of the Personal Data
  • to request the rectification of Personal Data if they are incorrect
  • to request the deletion of Personal Data
  • to request restrictions on processing Personal Data
  • to receive Personal Data in a structured, accessible and machine-readable format (if available)
  • to submit an objection to processing, especially for the purpose of direct advertising

The rights specified above may be denied or restricted if the interests, rights and freedoms of third parties take precedence or if processing is necessary to establish, exercise or defend legal claims of SIX.

The data controllers of the financial institution must be contacted in order to exercise data protection rights.

The data controllers of the financial institution must be contacted with any requests under data protection law.

Data protection rights relating to data collected and processed by SIX (according to the table in Chapter 3) can be exercised via this link (https://privacyportal-ch.onetrust.com/webform/a8a308f1-1ad4-4b5d-8b15-487e80eb979b/c1c6d998-274e-4ce5-8714-a9b5c2872e34).

Requests can also be sent to the following address:

SIX Group Services Ltd.
Data Protection Officer
Hardturmstrasse 201
8005 Zurich
Switzerland

E-mail: dataprotection@six-group.com

Users also have the right to lodge a complaint with the data protection authority responsible for them or in the place where they think an issue in relation to the Personal Data has arisen.


7. Storage

SIX will only retain Personal Data for as long as necessary to fulfill the purpose for which they were collected or to comply with legal or regulatory requirements.


8. Links and Cookies

The debiX+ app will redirect the User for the purpose of identity and access management configurations to a website of SIX. The only cookies saved on the User’s mobile device that are used by this webpage are functional cookies, for the purpose of loading the page and storing the information within the form.


9. Data Controller and Representative in the EU/UK

SIX BBS Ltd.
Hardturmstrasse 201
8021 Zurich
Switzerland

EU representative: SIX Financial Information Deutschland GmbH in Frankfurt (Theodor-Heuss-Allee 108, D-60486 Frankfurt am Main).

UK representative: SIX Financial Information UK Ltd. in London (33 St Mary Axe, 4th Floor, Exchequer Court, London EC3A 8AA, United Kingdom).