- What is GDPR?
- What is the purpose of GDPR?
- When does the Regulation come into effect?
- Is GoCardless compliant with GDPR?
- Are you independently audited or ISO27001 certified?
- What personal data do you process?
- What do you do with the data GoCardless collects?
- Where is the data you collect processed?
- How long does GoCardless retain personal data for?
- If the data subject asked to be supplied with the information about them that you hold, could you do this?
- Could you change the personal data you hold if it was incorrect or incomplete?
- I’m a business using GoCardless to collect payments; do I need to put new measures in place with my customers in advance of GDPR coming into effect?
- Does GoCardless have an appointed GDPR representative I can contact regarding any additional queries I have?
Our position as data controller:
- Why is GoCardless a controller of end-customer personal data?
- What is the impact on my business? How does it affect me as the merchant?
- How does becoming a data controller affect my end customers?
- Does becoming a data controller change anything to where my data is processed as per question 8 above?
- Does GoCardless acting as a data controller affect how you handle my data, as a GC merchant?
- I'm a partner - what's the impact on me?
- How does this affect me, as an end customer/someone paying a merchant through GoCardless?
- How can I obtain a copy of your Data Processing Agreement (DPA)?
- I received an email that stated that the Connected Merchant Agreement would become effective on 1 June 2018. Shouldn't this be 25 July (i.e. 2 months' notice, as set out in the Merchant Agreement, from which the Connected Merchant Agreement inherits its notice provisions)?
What is GDPR?
The General Data Protection Regulation (GDPR) is the new European law regulating data protection. It replaces the 1995 EU Data Protection Directive, applies across Europe, and comes into effect on 25 May 2018. On the same day, the UK’s Data Protection Bill will also pass into law, as the Data Protection Act 2018, effectively implementing the GDPR into UK law.
These laws expand the privacy rights granted to data subjects (EU/EEA individuals) and place greater obligations on organisations who handle the personal data of those individuals (data controllers and processors), wherever those organisations are based.
What is the purpose of GDPR?
The purpose of the GDPR and the UK’s Data Protection Bill is to provide a set of standardised data protection laws across EU member countries (and post-Brexit UK) which give EU and UK citizens greater control over their personal data. For example, they give you greater transparency into how your data is being used and ensure that the organisations you entrust with your data are taking care of it. The regulation comes at a time when more and more personal data is being generated by every individual as they use more services and technologies.
When does the Regulation come into effect?
25 May 2018.
Is GoCardless compliant with GDPR?
With the General Data Protection Regulation (GDPR) coming into effect in May 2018, we welcome the opportunity to deepen our commitment in the areas of data privacy and security. We are making changes to our policies, processes, products and systems to ensure that we comply with the Regulation and continue to put data protection first. We’re also committed to helping our customers meet their requirements under the Regulation. You can read more about the steps we're taking to prepare for the GDPR effective date on our blog post here.
As of 14 May 2018, we have also updated our online contracts, including our Privacy Notice and Merchant Agreement. These can be viewed here.
If you have an offline contract with GoCardless, you will shortly receive a GDPR amendment (if you haven't already) to sign and return. This will be with you before 25 May 2018.
Are you independently audited or ISO27001 certified?
Since September 2016, GoCardless has been ISO27001 certified and is routinely audited by an independent third party to ensure compliance with the certification. To meet ISO27001 standards, we continually review and improve our security processes, which include:
- a dedicated security team specialising in application security, operations security and risk management
- mandatory security training for all employees
- secure password policies
- security procedures in product development and change control
- information classification and document handling protocols
- access controls based on specific needs and audited regularly
- data centre resilience and business continuity protocols
- security protocols for databases and backups
- physical security for our office environments
- encryption and key management
- formal incident response protocols
What personal data do you process?
As a data controller for personal data relating to payers and merchants who use the GoCardless services, we comply with the law's requirement to provide accurate, complete and clear notice of the personal data we use in our privacy notice. You can read the GoCardless privacy notice here, and see our blog post on this topic for further information.
What do you do with the data GoCardless collects?
We process personal data in order to provide our merchants with the GoCardless service. We also use the personal data we hold to improve the GoCardless service, to provide support, to prevent fraud and money laundering by our merchants and their customers, and for similar related purposes. We do not provide personal data we hold to advertising agencies, or to other parties for other similar, unconnected purposes.
For more information, please see our Privacy Notice.
Where is the data you collect processed?
GoCardless relies on a number of component services and providers in order to deliver payment processing services to our merchants.
All of our main processing (the processing of European payments) is carried out on servers that are located in the European Economic Area (EEA). GoCardless uses carefully chosen suppliers and providers to perform other discrete tasks which may result in data being transferred outside of the EEA.
Whenever data is stored in those services, we ensure that the relevant data is protected to EU standards, by using a mechanism for the transfer that has been approved by the EU. For example, we enter into EU standard contractual clauses (or “model clauses”) with providers of those services in respect of the transfer of any personal data, unless there is another approved transfer mechanism present, such as the merchant being certified under the EU-US Privacy Shield framework, in which case, model clauses are not necessary.
We commit to doing this in the section called "data protection" in the agreement that we enter into with each of our merchants.
How long does GoCardless retain personal data for?
We retain data for differing periods, based upon the relationship under which we obtained the data, the type of data subject (i.e. whose data it is), the type of data (e.g. email address) and the type of use (for example, whether it is being used to process payments). Where appropriate, we agree these periods with our customers.
For example, we are required to retain personal data relating to individuals we conduct anti-money laundering checks on (such as directors of businesses that sign up to use our service) for a number of years under the relevant anti-money laundering rules.
On the payment processing side, we need to keep hold of data in order to be able to process chargeback/indemnity claims under the various payment systems (e.g. UK Direct Debit) that we process payments for.
If the data subject asked to be supplied with the information about them that you hold, could you do this?
We are able to respond to subject access requests directly where we are controller of the data. In some circumstances, where we initially processed data on behalf of a merchant, we may need to obtain permission of that merchant to share data with you, or redirect you to that merchant. In either case, we will make the process as easy as possible for you: we have an online portal through which you can submit your request here.
Could you change the personal data you hold if it was incorrect or incomplete?
If you believe the data we hold on an individual is incorrect or incomplete, please email firstname.lastname@example.org with 'Privacy' in the subject line, setting out the details of your concern/request. We will get back to you individually as soon as possible.
I’m a business using GoCardless to collect payments; do I need to put new measures in place with my customers in advance of GDPR coming into effect?
As a merchant, you're also a data controller for the personal data of your customers. That means you are responsible for ensuring that you have proper grounds for processing your customers' personal data in compliance with the GDPR generally and that you take other steps needed to comply with the new law. Because GoCardless is an independent data controller, we take on the direct responsibility for complying with the law for the processing that we undertake.
Our position as data controller
Why is GoCardless a controller of end-customer personal data?
Central to the determination of whether an organisation is a data controller or a data processor is whether the organisation must process personal data only under the strict instructions and control of another organisation. If so, the organisation is a processor. If instead the organisation determines the "how" and the "why" in relation to processing a set of personal data, the organisation is likely to be a controller. An important indicator that an organisation is a controller is therefore whether it must decide the how and why of use of the personal data to meet its own independent business needs or legal obligations.
Based on the above, after conducting a detailed review of our systems, policies, procedures and obligations, we have determined that GoCardless is acting as a data controller when it processes personal data relating to both merchants and payers.
In relation to merchant personal data (i.e. data relating to employees and directors (or any other similar individual you provide us with data on) of you as the GoCardless merchant), GoCardless makes use of this merchant personal data for our own business purposes, such as to communicate with you, assess and improve the service, conduct AML checks, invoice you, and monitor for fraudulent activities.
In relation to customer personal data (i.e. data relating to individuals that are purchasing your services or goods via payments collected by GoCardless), GoCardless is subject to a number of requirements, rules, laws and regulations which it must adhere to (the "why"). In order to comply with these various rules etc., GoCardless determines how to use the customer personal data to comply. For example, we determine how long to retain end customer data in order to comply with the various payment scheme rule requirements. A good example of this is retention of customer data in relation to Bacs UK Direct Debit collections.
What is the impact on my business? How does it affect me as the merchant?
We would not anticipate a negative impact on your business. The key changes are that:
- GoCardless is taking on greater responsibility for processing of data relating to your end customers
- We need to update the data protection terms in our contract with you
If you have any concerns or queries, please let us know.
How does becoming a data controller affect my end customers?
Your end customers have a direct relationship with GoCardless, in respect of our use of their personal data. This means that we are directly obligated to them in respect of such usage, and that they can exercise certain rights against us directly.
It also means that going forward, we hope to be able to provide an even better service to customers of businesses using GoCardless to collect payments.
Does becoming a data controller change anything to where my data is processed as per question 8 above?
No - we have clarified GoCardless' position as being one of a data controller in relation to personal data of merchants and individuals who make payments to merchants via our service. This clarification does not impact our decision to carry out our core service offering, the processing of payments, on servers located in the European Economic Area (EEA). This will continue to be the case. For other discrete tasks, GoCardless will continue to use carefully chosen suppliers and providers to perform those tasks, which may result in data being transferred outside of the EEA.
Whenever data is stored in those services, we will continue to ensure that the relevant data is protected to EU standards, by using a mechanism for the transfer that has been approved by the EU. For example, we enter into EU standard contractual clauses (or “model clauses”) with providers of those services in respect of the transfer of any personal data (and will continue to do so), unless there is another approved transfer mechanism present, such as the supplier being certified under the EU-US Privacy Shield framework, in which case, model clauses are not necessary.
Our commitment to processing and transferring personal data in accordance with the GDPR is in the section called "data protection" in the agreement that we enter into with each of our merchants.
Does GoCardless acting as a data controller affect how you handle my data, as a GC merchant?
No - we have clarified GoCardless' position as being one of a data controller in relation to personal data of merchants and individuals who make payments to merchants via our service. This clarification does not impact our position in respect of data of our Merchants themselves - for example information you provided on the owners and directors of your business when you signed up for GoCardless. We have always been clear that we are a data controller of such data, as we decide what to collect, how to use the data, and why. For example, we use signup data to carry out anti-money laundering checks that we are required to carry out before we can provide any business with payment services.
However, GDPR has meant that we have been busy working behind the scenes to make changes and improvements to the way we handle all personal data, to ensure that we meet the high standards expected under GDPR.
I'm a partner - what's the impact on me?
GoCardless being a controller of end customer data means the following for GoCardless partners (i.e. those offering an integration with GoCardless):
1. As a partner, you will also be a GoCardless merchant, and have entered into a payment services agreement, or merchant agreement, with GoCardless. We will be updating the terms of this agreement to reflect our controller status. We will be sending all details over email.
2. In accordance with the terms of the GoCardless Integration Partner Agreement, and as envisaged by the Connected Merchant Agreement (which GoCardless merchants must accept before connecting to a partner's system, such as yours), you must have an agreement in place with each merchant using your service that includes appropriate data protection terms. When a merchant enables your integration, they are approving us to share all personal data on their customers with you, in their capacity as data controller, and you must protect that data and provide sufficient assurances. This has not changed as a result of our controller status - such agreements should already be in place!
How does this affect me, as an end customer/someone paying a merchant through GoCardless?
GoCardless is the payment provider for a business you make payments to on a recurring basis. We are an FCA-regulated organisation, and focus on providing the best available direct debit service.
Following a thorough review in light of the General Data Protection Regulation, we have clarified our position as a controller of data relating to individuals that pay businesses via GoCardless, such as you. The reasons for this clarification are outlined in our recent blog post, and our privacy notice sets out how, why and when we use your personal data.
The GDPR places stringent restrictions on what we can use your data for, how we must protect it, and what we must do if something goes wrong. In addition, we are bound by financial services regulation that also deals with data and security. So, please be assured that we will treat your data with respect and in accordance with the law.
Should you have any further questions, please let us or the business you are paying through GoCardless know.
How can I obtain a copy of your Data Processing Agreement (DPA)?
For merchants on our Standard or Plus packages, our updated, GDPR-ready data processing terms can be found within the 'Data Protection' section of our online Merchant Agreement here.
If you have an offline contract with GoCardless, you will shortly receive a GDPR amendment (if you haven't already) to sign and return, which includes our updated data processing terms. This will be with you before 25 May 2018.
I received an email that stated that the Connected Merchant Agreement would become effective on 1 June 2018. Shouldn't this be 25 July (i.e. 2 months' notice, as set out in the Merchant Agreement, from which the Connected Merchant Agreement inherits its notice provisions)?
The Connected Merchant Agreement becomes effective for existing merchants on 25 July 2018. You may have been in a small batch of emails that incorrectly stated that the agreement would become effective on 1 June 2018. We apologise for this administrative error - you will only be held to the terms of the updated agreement from 25 July 2018, as set out in the Connected Merchant Agreement on the website.