Updated: August 15, 2018
PayPerse welcomes the General Data Protection Regulation (GDPR) as an opportunity to reaffirm our commitment to data protection and privacy rights. PayPerse is GDPR compliant, and as your trusted provider, we are committed to supporting your GDPR-compliant use of the PayPerse platform. We also understand that data privacy and compliance with the GDPR is a shared responsibility between PayPerse and you, as our customer. To support your GDPR compliance, we have outlined in this FAQ the most common questions asked about the GDPR and your use of the PayPerse platform.
What is the GDPR?
The GDPR is a new comprehensive EU data protection law that regulates the processing of personal data of EU individuals and became effective on May 25, 2018. The objective of the GDPR is to strengthen the personal data rights of EU individuals through tighter limits on processing of personal data, providing increased transparency into the nature, purpose and use of personal data, and increasing the individual’s rights over their data. The GDPR replaced the prior legal framework, the Data Protection Directive, also known as Directive 95/46/EC.
Does the GDPR affect my organization?
The GDPR regulates the processing of personal data of EU individuals. If you are established in the EU and processing personal data, then GDPR applies to you. If you are not established in the EU and you offer goods or services to EU individuals or monitoring behavior of EU individuals, then GDPR applies to you. If your use of the PayPerse platform includes processing personal data of EU individuals, the GDPR applies to such EU personal data.
What is processing of personal data?
Data processing is a broadly defined term under the GDPR and includes collection, storage, transfer, use or deletion of personal data. Personal data is data that relates to identified or identifiable natural person, referred to in the GDPR as data subjects. Natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Are there different categories of personal data?
Pseudonymous data. The GDPR defines certain categories of personal data as less sensitive pseudonymous data and recognizes that pseudonymization can protect the rights of individuals and encourages the use of such measures. The GDPR defines pseudonymization as the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information, where the additional information is kept separately and subject to technical and organizational measures so that the individual is not identified. The PayPerse platform supports use of pseudonymized data as best practice in implementing channel IDs and use of pseudonymized or hashed IDs as the “named contact” value.
Special classes of data. The GDPR also defines certain classes of personal data as extra sensitive and provides that sensitive personal data should not be processed unless a special exception applies, such as the individual providing explicit consent. These special categories of data are personal data revealing race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, genetic data, health data or data concerning an individual’s sex life or sexual orientation. PayPerse contractually prohibits processing these special classes of data using the PayPerse platform as well as any individual financial data, credit or debit card numbers, government issued identification numbers, or data relating to criminal history.
Does the GDPR require EU personal data to remain in the EU?
The GDPR does not require EU personal data to remain in the EU. However, it does require that EU personal data may only be transferred outside the EU if the country to which the data is transferred has been deemed by the EU Commission to have adequate data protection laws. If the country has not been deemed adequate, there must be some other approved mechanism for transfer of EU personal data to that county. The PayPerse platform is operated from and the data is stored in cloud data centers located in the each country.
Who are the data controllers and data processors under the GDPR?
Under the GDPR, a data controller is the organization that determines the purposes, conditions, and means of the processing of personal data. A data processor is an organization that processes personal data on behalf of the data controller. When you use the PayPerse platform to process personal data, your organization is the data controller and PayPerse is the data processor under the GDPR.
As the data controller, you determine the personal data we process on your behalf through your use of the PayPerse platform. Depending on your specific configuration and use of the PayPerse platform, we may process EU personal data for you. As the data controller, you provide privacy notices to individuals who engage with your digital assets detailing how you plan to message them and how you collect and use information, and obtain any required consents.
As the data processor, we process data on your behalf based on instructions you provide, which include your configuration and use of the PayPerse platform and terms set out in your agreement with us.
Is consent needed to send notifications using the PayPerse platform?
The PayPerse platform supports opt-in consents and withdrawal of consents for mobile application push notifications, web notifications, email and SMS. As the data controller, you must implement your integration with the PayPerse platform with the legally appropriate level of notice and consent enabled. Since consent under the GDPR must be freely given by an affirmative act that is specific, informed and unambiguous, if consent is the basis for lawful processing, a separate opt-in notice and consent for each specific channel, such as for push notifications, web notifications, email etc,. is required. Also, the individual has to be able to easily withdraw their consent at any time.
Legitimate interest is another basis for lawful processing under the GDPR. If you process personal data based on a legitimate business interest, then you need to balance those business interests against the right of the EU individual to not have you process their personal data.
How does PayPerse help meet data minimization requirements?
The data minimization principle under the GDPR requires that you only process personal data that’s adequate, relevant and limited to what is necessary to achieve the purpose. At default settings, the PayPerse platform processes anonymous data, such as time-zone, location, mobile OS & app, mobile phone type; and pseudonymous data, such as tokenized ID specific to each separate installation of your mobile application on a device, MID/TID. In addition, PayPerse supports processing of anonymous data triggered by activity or tags, and pseudonymous data such as hashed or tokenized identifiers that may tie back to additional personal data in your systems that is not accessible to PayPerse. A current list of data collected in the default settings of the PayPerse platform is available to customers upon request. Processing of any data by PayPerse in addition to such list is determined by you and is automated based on your configuration and use of the PayPerse platform. Use of the PayPerse platform for email or SMS will require processing of email addresses and mobile phone numbers.
How does PayPerse help meet storage limitation requirements?
The GDPR requires that EU personal data must be stored no longer than necessary to achieve the purpose for which it was collected. The storage limitation principle with the data minimization principle taken together means that you should not collect personal data you don’t need in the first place, and securely delete personal data you no longer need. PayPerse supports you in this requirement by implementing a data retention schedule on personal data. For data elements not listed on that schedule, PayPerse holds the data during the term of your contract, including any renewals. PayPerse continues to evaluate the Data Retention Schedule in light of the GDPR storage limitation principle. Additionally, after 90 days from a termination of your contract without a renewal, PayPerse will delete your data stored in the production systems of the PayPerse platform.
What security measures are in place for the PayPerse platform?
The GDPR requires appropriate technical and organizational measures to be in place for processing of personal data to ensure a level of security appropriate to the risks associated with the specific processing activity. The security measures for the PayPerse platform include physical access controls, logical and data access controls, network security, applicational security, personnel security, security incident management.
How does PayPerse support data subject rights in relation to EU personal data?
The GDPR provides EU individuals with certain rights regarding their personal data, including:
PayPerse will provides you with a number of ways that you may use to retrieve, correct, delete or restrict EU personal data, as well as opt-out features you can implement to respond to data subject requests.
Is a Privacy Impact Assessment required for use of the PayPerse platform?
Under the GDPR, Privacy Impact Assessments are needed where personal data processing, particularly processing using new technologies, would likely result in high risk to the rights and freedoms of data subjects. As PayPerse prohibits processing via the PayPerse platform any sensitive personal data or “special classes of data” as defined in the GDPR as well as any individual financial data, credit or debit card numbers, government issued identification numbers, or data relating to criminal history, use of the PayPerse platform would not likely result in high risk to the rights and freedoms of data subjects.
As a data processor, PayPerse relies on our customers’ decision on whether to conduct a Privacy Impact Assessment for their current and intended use of the PayPerse platform, and PayPerse commits to supporting our customers in that process.
This FAQ is meant as a general set of questions and answers based on PayPerse’ interpretation of GDPR requirements as of the date of publication. This FAQ should not be relied upon as legal advice or to determine how GDPR applies to your business or organization. We urge you to consult with your professional advisors with regard to requirements that govern your specific situation to ensure compliance. The information contained in this FAQ is provided “as is” and may be updated or changed without notice. This FAQ is not an amendment or supplement to any agreement between PayPerse.