- What is GDPR?
- Is GoCardless compliant with GDPR?
- Does GoCardless comply with other privacy and data protection laws?
- Is GoCardless registered for data protection?
- GDPR requires effective security controls. How does GoCardless meet that requirement?
- What personal data does GoCardless process?
- What do you do with the data you collect?
- Do you get explicit consent for the data you collect?
- Where is the data you collect processed?
- What is GoCardless doing to address the Schrems II Privacy Shield decision and keep international transfers lawful?
- How long does GoCardless retain personal data?
- Can you respond to requests from data subjects to exercise their rights?
- I’m a business using GoCardless to collect payments; how do I make sure I comply with GDPR?
- Does GoCardless have an appointed GDPR representative I can contact?
Our position as data controller:
- Why is GoCardless a controller of end-customer personal data?
- How does it affect me as a merchant using GoCardless?
- How does this affect me as a partner offering an integration with GoCardless?
- How does this affect me when I pay a merchant through GoCardless?
- How can I obtain a copy of your Data Processing Agreement (DPA)?
The General Data Protection Regulation (GDPR) is the European law regulating data protection. It applies across the EU and EEA, and it was retained in UK law as the UK GDPR, so it continues to have effect in the UK after Brexit. It is intended to standardise data protection across EU member countries and post-Brexit UK.
Personal data is being generated by every individual as they use more services and technologies. GDPR grants privacy rights to EU/EEA individuals - the data subjects - and places obligations on organisations who handle the personal data of those individuals, wherever those organisations are based.
It gives individuals in the EU and UK control over their personal data, providing transparency into how data is used and ensuring that the organisations entrusted with personal data treat it appropriately.
With the General Data Protection Regulation (GDPR) in effect, we welcome the opportunity to deepen our commitment in the areas of data privacy and security. In 2017 and 2018, we conducted a comprehensive review and update of our policies, agreements, processes, products and systems to ensure that we comply with GDPR and continue to put data protection first. We continue to review our operations as privacy law evolves. We operate a global privacy programme that ensures we meet the high standards of privacy law wherever we operate. This includes documented processes, assessing the risk of privacy-impacting business processes and applying industry best practice privacy-by-design protocols for minimising privacy impact. We’re also committed to helping our customers meet their requirements under the law. You can read more about the steps we took to prepare on our blog post here.
We operate in countries around the world with their own privacy and data protection laws, which we monitor for compliance - for example, the Australian Privacy Act, the New Zealand Privacy Act, PIPEDA in Canada, or the US state and federal laws that apply to our operations. Our global privacy programme is built on a GDPR model, the gold standard for compliance, adjusted where necessary for variations in local laws.
GoCardless is headquartered in the United Kingdom, and registered with the UK Information Commissioner’s Office under registration number ZA024862.
Since September 2016, GoCardless has been ISO 27001-certified and is routinely audited by an independent third party to ensure compliance with the certification. To meet ISO 27001 standards, we continually review and improve our security management programme, which includes:
- a formal approach to security risk management overseen as part of our enterprise risk management programme
- a dedicated team specialising in security engineering, including product security and security operations
- mandatory security training for all employees
- secure password policies
- security procedures in product development and change control
- information classification and document handling protocols
- access controls based on specific needs and audited regularly
- data centre resilience and business continuity protocols
- security protocols for databases and backups
- physical security for our office environments
- encryption and key management
- formal incident response protocols
As a data controller for personal data relating to payers and merchants who use the GoCardless services, we comply with the law's requirement to provide accurate, complete and clear notice of the personal data we use. You can read the GoCardless privacy notice here, and see our blog post on this topic for further information.
We process personal data to provide our merchants with the GoCardless service. We also use the personal data we hold to improve the GoCardless service, to provide support, to prevent fraud and money laundering, and for other related purposes. We do not share personal data with third parties for their own unrelated purposes, like advertising or other purposes unconnected with the GoCardless services.
You can read more about how GoCardless uses personal data in our privacy notice.
In short - we don’t! Privacy and data protection laws don’t always require consent, and in fact, it wouldn't be appropriate for us to ask for it. To understand why, it helps to take a look at the law.
GDPR requires companies to have a "lawful basis" for processing personal data. We wouldn't be able to handle personal data in the ways we do if we couldn't rely on one of the listed bases. There are six bases listed in the law, under Article 6:
(a) the individual has given consent
(b) the processing is necessary to execute a contract or transaction for the individual
(c) the processing is necessary to comply with a legal obligation
(d) the processing is necessary to protect an individual's vital interests (for example, to save a life)
(e) the processing is necessary for public interest or official authority (generally for public sector controllers)
(f) the processing is necessary to meet legitimate interests that are not overridden by the interests or rights of the individual
To provide our services, we rely on three of these bases: (b) necessary to execute the transaction - for example, when we provide our payment services, (c) necessary to comply with a legal obligation - for example, when we conduct AML screening, and (f) necessary to meet our legitimate interests - for example, when we apply our fraud models. Consent wouldn't be appropriate for any of these activities; we wouldn't be able to allow an individual to grant or revoke consent to process data after submitting a transaction, or to opt out of fraud prevention, without serious consequences for the safety and compliance of our services.
Where no other basis applies, or where we are required by law, we capture consent. For example, we’re required by payment regulations like PSD2 to capture a consent for payers to authenticate their bank account using Open Banking, and we have built that into our payment pages.
You can read more about our lawful bases for processing in our privacy notice at gocardless.com/privacy/details
GoCardless relies on a number of component services and providers to deliver payment processing services to our merchants.
All of our main processing for European payments is carried out on servers that are located in the European Economic Area (EEA). GoCardless uses carefully chosen suppliers to perform other discrete tasks which may result in data being transferred outside of the EEA. Read more about our material suppliers and their locations in the GoCardless global privacy notice.
Whenever personal data is stored in those services, we ensure that it is protected to EU standards using a GDPR-approved mechanism for the transfer. We conduct supplier due diligence, where we look for a mechanism like a European Commission adequacy finding or Binding Corporate Rules. Where they are required, we enter into standard contractual clauses to govern the transfer.
We commit to doing this in the section titled "data protection" in our merchant agreements.
In July 2020, the European Court of Justice invalidated Privacy Shield, one of the legal instruments that made data transfers to the United States lawful.
As a European company, GoCardless has never held a Privacy Shield certification. However, we know that many of our suppliers rely on it to provide services to us from the United States. We keep an inventory of these suppliers, and we enact appropriate transfer mechanisms and additional safeguards as part of our supplier due diligence.
We know that the rules on international transfers are changing rapidly in the EU and UK. We are keeping a close eye on the advice of our data protection authorities and other European regulatory bodies. We have put safeguards in place to help ensure that our suppliers can continue to support our services.
GoCardless operates a formal, GDPR-compliant data retention and deletion programme. It includes a documented data retention and deletion standard, with a defined retention period set for each data category we hold based upon:
- the relationship under which we obtained the data and the type of data subject,
- the category of data, and
- the documented purpose of the processing (including legal, regulatory and payment scheme requirements for retention).
We apply our retention protocols across the business and monitor for compliance.
Actual retention periods will vary. For example, we are required to retain personal data relating to individuals we conduct anti-money laundering checks on (such as directors of businesses that sign up to use our service) for a number of years under the relevant anti-money laundering rules in the countries where we operate. We need to keep data related to payment transactions so that we can process chargeback/indemnity claims under the payment systems that govern our services (for example, UK Direct Debit).
We are able to respond to subject rights requests and we try to make the process as simple as possible. We have an online portal through which you can submit your request here.
If you believe the personal data we hold is incorrect or incomplete, please email email@example.com with 'Privacy' in the subject line, setting out the details of your request. We will get back to you as soon as possible.
To find out more information about how we process personal data and your rights you can read the privacy notice.
As a merchant, you're also a data controller for the personal data of your customers. That means you are responsible for ensuring that you have proper grounds for processing your customers' personal data and that you take the other steps needed to comply with the law.
Because GoCardless is a data controller, we take on the direct responsibility for complying with the law for the processing that we undertake. You can help make sure our role in the services is clear by including our name and privacy notice on your payment pages. We share some guidance on how to make sure we’re both meeting our obligations to transparency in our payment pages guide.
GoCardless has formally appointed a data protection officer to ensure we stay accountable under the law. You can direct any queries to the data protection officer regarding our approach to privacy and data protection, by emailing firstname.lastname@example.org with ‘Privacy’ in the subject line.
Data protection law treats companies that handle personal data as either data controllers or data processors. Under data protection law, most companies that act as suppliers to other companies will be considered data processors. But there are exceptions, and they tend to apply where companies that supply services to other companies act in heavily regulated areas such as payments.
As part of our GDPR preparations, we conducted an in-depth review of our processing activities and came to the conclusion that we needed to act as a data controller under the law, and not as a data processor. We based this decision on:
- guidance from our data protection regulator, the UK Information Commissioner
- court decisions interpreting these requirements
- advice from the Article 29 Working Party, an advisory group for EU data protection law
- advice from our outside lawyers for data protection.
When we collect and process the personal data of individuals who purchase your goods or services via payments powered by GoCardless, we are subject to requirements, rules, laws and regulations that we must adhere to. We also apply processes that make our payment services to you work more effectively and more efficiently, and that control fraud and other risks. In the terminology of the law, we are determining the "purposes and means" of the processing. For example, we determine how long to retain end-customer data to comply with payment scheme rule requirements.
You can read more about this position, and what it means for our merchants and their customers, in our blog post.
GoCardless’ position as a data controller is a benefit for our merchants. GoCardless takes on direct responsibility for legal obligations related to processing personal data for our payment services. Your end customers have a direct legal relationship with GoCardless in respect of our use of their personal data. This means that they can exercise certain rights against us directly.
To enable us to meet our respective obligations under the law, we do ask that you include a link to our privacy notice at the point of collection or other available interfaces.
If you have any questions about this requirement, please let us know at email@example.com.
As a partner, you will also be a GoCardless merchant, and have entered into a payment services agreement or merchant agreement with GoCardless in addition to the partner agreement, so the points in the merchant question above will apply to you.
In accordance with terms of the GoCardless Integration Partner Agreement, and as covered in the Connected Merchant Agreement that GoCardless merchants accept before connecting to your system, you must have an agreement in place with each merchant using your service that includes appropriate data protection terms. When a merchant enables your integration, they authorise us to share customer personal data with you, in their capacity as data controller, and you must protect that data and provide sufficient assurances. This has not changed as a result of our controller status - such agreements should already be in place!
Our merchants must ensure that our privacy notice is always available to their end customers. Where you provide them with payment pages, you should include a link to our privacy notice. Our terms updated for GDPR set this requirement out, as well as giving GoCardless the ability to check that you have included our notice.
GoCardless is the payment provider for a business you make payments to on a recurring basis. We are an FCA-regulated organisation, and focus on providing the best available direct debit service.
Following a thorough review in light of the General Data Protection Regulation, we clarified our position as a data controller for individuals that pay businesses via GoCardless. The reasons for this clarification are outlined in our recent blog post, and our privacy notice sets out how, why and when we use your personal data.
GDPR places strict rules on what we can use your data for, how we must protect it, and what we must do if something goes wrong. In addition, we are bound by financial services regulation that also deals with data and security. Please be assured that we will treat your data with respect and in accordance with the law.
Should you have any further questions, please let us or the business you are paying through GoCardless know.
You can review the updated data protection terms that apply to your agreement with us in the section labeled 'Data Protection' in our online Merchant Agreement.
You’ll notice these look different from the list of terms required in GDPR Article 28. That’s because our agreement reflects our relationship as data controllers. Article 28 applies only to contracts with data processors, because it uses the contract to impose on the processor obligations that the law places directly on data controllers.