- What is GDPR?
- What is the purpose of GDPR?
- When does the Regulation come into effect?
- Will GoCardless be compliant with GDPR when it comes into effect? How will this affect me and my use of GoCardless?
- Are you independently audited or ISO27001 certified?
- What personal data do you process?
- What do you do with the data GoCardless collects?
- Where is the data you collect processed?
- How long does GoCardless retain personal data for?
- If the data subject asked to be supplied with the information about them that you hold, could you do this?
- Could you change the personal data you hold if it was incorrect or incomplete?
- I’m a business using GoCardless to collect payments; do I need to put new measures in place with my customers in advance of GDPR coming into effect?
- Does GoCardless have an appointed GDPR representative I can contact regarding any additional queries I have?
The General Data Protection Regulation (GDPR) is a new pan-European regulation, which comes into effect on 25 May 2018, replacing the 1995 EU Data Protection Directive. As an EU regulation it applies directly in each member state. On the same day, the UK’s Data Protection Act 2018 (currently the Data Protection Bill) comes into force, supplementing the GDPR in UK law.
GDPR, and the Data Protection Act 2018, expand the privacy rights granted to data subjects (individuals in the EU/EEA) and place greater obligations on organisations that handle the personal data of those individuals (data controllers and processors), wherever those organisations are based.
The purpose of the GDPR and the UK’s Data Protection Act 2018 is to provide a set of standardised data protection laws across EU member countries (and post-Brexit UK) which give individuals in the EU and UK greater control over their personal data: for example, greater transparency into how your data is being used, and assurance that the organisations you entrust with your data are taking care of it. The regulation comes at a time when more and more personal data is being generated by every individual as they use more services and technologies.
25 May 2018.
GoCardless is continuing to work to ensure we are compliant with GDPR by May 2018. This work includes updating all our customer-facing materials and agreements. As we finalise these, we will proactively contact our customers to provide relevant updates. We will also be providing further updates via our blog, and would invite you to keep an eye out for that information once it is available.
Since September 2016, GoCardless has been ISO27001 certified and is routinely audited by an independent third party to ensure compliance with the certification. GoCardless also provides mandatory information security training to all employees.
To meet ISO27001 standards, we continually review and improve our security processes. Our security programme is managed by a dedicated committee of managers and specialists from across the business, and headed by our Chief Technology Officer. This committee assesses and audits our security policies and practices on a quarterly basis and produces a detailed annual report, for review by the Chief Executive Officer and the senior management team.
The personal data we use to provide the GoCardless service includes: name, home address, email address and financial details (such as account holder name, account number, sort code) of the GoCardless end-customer (i.e. the purchaser of services/goods from a merchant using GoCardless to collect payments).
GoCardless also collects personal data relating to merchants and partners of GoCardless. Such information is collected for the purposes of carrying out anti-money laundering and know-your-customer checks and to store the contact details of the merchant against the merchant's GoCardless account. Examples of this personal data include: name, home address, date of birth, photographic identification documents (such as a copy of a company director's passport), payout bank account information (such as account holder name, account number and sort code).
We process personal data in order to provide our merchants with the GoCardless service. We also use the personal data we hold to improve the GoCardless service, to provide support, to prevent fraud and money laundering by our merchants and their customers, and for similar related purposes. We do not provide personal data we hold to advertising agencies, or to other parties for other similar, unconnected purposes.
GoCardless relies on a number of component services and providers in order to deliver payment processing services to our merchants.
All of our main processing (the processing of European payments) is carried out on servers that are located in the European Economic Area (EEA). GoCardless uses carefully chosen suppliers and providers to perform other discrete tasks which may result in data being transferred outside of the EEA.
Whenever data is stored in those services, we ensure that the relevant data is protected to EU standards by using a transfer mechanism that has been approved by the EU. For example, we enter into EU standard contractual clauses (or “model clauses”) with the providers of those services in respect of the transfer of any personal data, unless another approved transfer mechanism is already in place, such as the provider being certified under the EU-US Privacy Shield framework, in which case model clauses are not necessary.
We commit to doing this in the section called "data protection" in the agreement that we enter into with each of our merchants.
We retain data for differing periods, based upon the relationship under which we obtained the data, the type of data subject (i.e. whose data it is), the type of data (e.g. email address) and the type of use (for example, is it being used to process payments). Where appropriate, we agree these periods with our customers.
For example, we are required to retain personal data relating to individuals we conduct anti-money laundering checks on (such as directors of businesses that sign up to use our service) for a number of years under the relevant anti-money laundering rules.
On the payment processing side, we need to keep hold of data in order to be able to process chargeback/indemnity claims under the various payment systems (e.g. UK Direct Debit) that we process payments for.
Any such query should be shared with the ‘data controller’ of your personal data. This may be the merchant providing you with services or goods (if they collected payment from you via GoCardless) or GoCardless. If you send through your query, we can direct you to the appropriate party.
Where GoCardless is the data controller, we will be able to act on such requests, both to supply the personal data we hold about an individual and to correct data that is inaccurate or incomplete, by the time GDPR comes into effect.
As a data controller, you are responsible for ensuring that you have proper grounds for processing your customer's personal data in compliance with the GDPR generally. GoCardless will contact you with updates relating to our relationship with you and any changes we need to make to our relationship with you as part of GDPR. Meanwhile, we recommend that you speak to an expert if you have more wide-ranging queries.