- What is GDPR?
- Is GoCardless compliant with GDPR?
- Is GoCardless registered for data protection?
- GDPR requires effective security controls. How does GoCardless meet that requirement?
- What personal data does GoCardless process?
- What do you do with the data you collect?
- Where is the data you collect processed?
- How long does GoCardless retain personal data?
- Can you respond to requests from data subjects to exercise their rights?
- I’m a business using GoCardless to collect payments; how do I make sure I comply with GDPR?
- Does GoCardless have an appointed GDPR representative I can contact?
Our position as data controller:
- Why is GoCardless a controller of end-customer personal data?
- How does it affect me as a merchant using GoCardless?
- How does this affect me as a partner offering an integration with GoCardless?
- How does this affect me when I pay a merchant through GoCardless?
- How can I obtain a copy of your Data Processing Agreement (DPA)?
The General Data Protection Regulation (GDPR) is the European law regulating data protection. It replaces the 1995 EU Data Protection Directive, applies across Europe, and came into effect on 25 May 2018 in the EU. It is also enacted into UK law, giving it effect in the UK even after Brexit.
GDPR expands the privacy rights granted to data subjects (EU/EEA individuals) and places greater obligations on organisations who handle the personal data of those individuals, wherever those organisations are based.
GDPR comes at a time when more and more personal data is being generated by every individual as they use more services and technologies. It is intended to standardise data protection across EU member countries and post-Brexit UK. It gives EU and UK citizens greater control over their personal data, providing greater transparency into how data is used and ensuring that the organisations entrusted with personal data treat it appropriately.
With the General Data Protection Regulation (GDPR) in effect, we welcome the opportunity to deepen our commitment in the areas of data privacy and security. In 2017 and 2018, we conducted a comprehensive review and update of our policies, agreements, processes, products and systems to ensure that we comply with the Regulation and continue to put data protection first. We’re also committed to helping our customers meet their requirements under the Regulation. You can read more about the steps we took to prepare on our blog post here.
Yes. GoCardless is registered with the UK Information Commissioner’s Office under registration number ZA024862.
Since September 2016, GoCardless has been ISO27001 certified and is routinely audited by an independent third party to ensure compliance with the certification. To meet ISO27001 standards, we continually review and improve our security management programme, which includes:
- a Director of Security and dedicated team specialising in application security, operations security and risk management
- mandatory security training for all employees
- secure password policies
- security procedures in product development and change control
- information classification and document handling protocols
- access controls based on specific needs and audited regularly
- data centre resilience and business continuity protocols
- security protocols for databases and backups
- physical security for our office environments
- encryption and key management
- formal incident response protocols
As a data controller for personal data relating to payers and merchants who use the GoCardless services, we comply with the law's requirement to provide accurate, complete and clear notice of the personal data we use. You can read the GoCardless privacy notice here, and see our blog post on this topic for further information.
We process personal data to provide our merchants with the GoCardless service. We also use the personal data we hold to improve the GoCardless service, to provide support, to prevent fraud and money laundering, and for other related purposes. We do not share personal data with third parties for their own unrelated purposes, like advertising or other purposes unconnected with the GoCardless services.
You can read more about how GoCardless uses personal data in our privacy notice.
GoCardless relies on a number of component services and providers to deliver payment processing services to our merchants.
All of our main processing for European payments is carried out on servers that are located in the European Economic Area (EEA). GoCardless uses carefully chosen suppliers to perform other discrete tasks which may result in data being transferred outside of the EEA.
Whenever personal data is stored in those services, we ensure that it is protected to EU standards using a GDPR-approved mechanism for the transfer. In our supplier due diligence, we look for a European Commission adequacy finding, Privacy Shield Certification or Binding Corporate Rules. Where they are required, we enter into the EU standard contractual clauses to govern the transfer.
We commit to doing this in the section titled "data protection" in our merchant agreements.
GoCardless operates a formal, GDPR-compliant data retention and deletion programme. It includes a documented data retention and deletion standard, with a defined retention period set for each data category we hold based upon:
- the relationship under which we obtained the data and the type of data subject,
- the category of data, and
- the documented purpose of the processing (including legal, regulatory and payment scheme requirements for retention).
We apply our retention protocols across the business and monitor for compliance.
Actual retention periods will vary. For example, we are required to retain personal data relating to individuals we conduct anti-money laundering checks on (such as directors of businesses that sign up to use our service) for a number of years under the relevant anti-money laundering rules in the countries where we operate. We need to keep data related to payment transactions so that we can process chargeback/indemnity claims under the payment systems that govern our services (for example, UK Direct Debit).
We are able to respond to subject access requests and we try to make the process as simple as possible. We have an online portal through which you can submit your request here.
If you believe the personal data we hold is incorrect or incomplete, please email firstname.lastname@example.org with 'Privacy' in the subject line, setting out the details of your request. We will get back to you as soon as possible.
As a merchant, you're also a data controller for the personal data of your customers. That means you are responsible for ensuring that you have proper grounds for processing your customers' personal data and that you take the other steps needed to comply with the new law.
Because GoCardless is an independent data controller, we take on the direct responsibility for complying with the law for the processing that we undertake. You can help make sure our role in the services is clear by including our name and privacy notice on your payment pages. We share some guidance on how to make sure we’re both meeting our obligations to transparency in our payment pages guide.
GoCardless has formally appointed a data protection officer to ensure we stay accountable under the law. You can direct any queries to the data protection officer regarding our approach to privacy and data protection, by emailing email@example.com with ‘Privacy’ in the subject line.
Data protection law treats companies who handle personal data as either data controllers or data processors. Under data protection law, most companies who act as suppliers to other companies will be considered data processors. But there are exceptions, and they tend to apply where companies who supply services to other companies act in heavily regulated areas such as payments.
As part of our GDPR preparations, we conducted an in-depth review of our processing activities and came to the conclusion that we needed to act as a data controller under the law, and not as a data processor. We based this decision on:
- guidance from our data protection regulator, the UK Information Commissioner
- court decisions interpreting these requirements
- advice from the Article 29 Working Party, an advisory group for EU data protection law
- advice from our outside lawyers for data protection
When we collect and process the personal data of individuals who purchase your goods or services via payments powered by GoCardless, we are subject to requirements, rules, laws and regulations that we must adhere to, as well as processes that make our payment services to you work more effectively and more efficiently, with appropriate protocols to control fraud and other risks. In the terminology of the law, we are determining the "purposes and means" of the processing. For example, we determine how long to retain end-customer data in order to comply with payment scheme rule requirements.
You can read more about this position, and what it means for our merchants and their customers, in our blog post.
GoCardless’ position as a data controller is a benefit for our merchants. GoCardless takes on direct responsibility for legal obligations related to processing personal data for our payment services. Your end customers have a direct legal relationship with GoCardless in respect of our use of their personal data. This means that they can exercise certain rights against us directly.
To enable us to meet our respective obligations under the law, we do ask that you include a link to our privacy notice at the point of collection or other available interfaces.
If you have any questions about this requirement, please let us know at firstname.lastname@example.org.
As a partner, you will also be a GoCardless merchant, and will have entered into a payment services agreement or merchant agreement with GoCardless in addition to the partner agreement, so the points for merchants above will apply to you.
In accordance with terms of the GoCardless Integration Partner Agreement, and as covered in the Connected Merchant Agreement that GoCardless merchants accept before connecting to your system, you must have an agreement in place with each merchant using your service that includes appropriate data protection terms. When a merchant enables your integration, they authorise us to share customer personal data with you, in their capacity as data controller, and you must protect that data and provide sufficient assurances. This has not changed as a result of our controller status - such agreements should already be in place!
Our merchants must ensure that our privacy notice is always available to their end customers. Where you provide them with payment pages, you should include a link to our privacy notice. Our terms updated for GDPR set this requirement out, as well as giving GoCardless the ability to check that you have included our notice.
GoCardless is the payment provider for a business you make payments to on a recurring basis. We are an FCA-regulated organisation, and focus on providing the best available direct debit service.
Following a thorough review in light of the General Data Protection Regulation, we clarified our position as a data controller for individuals that pay businesses via GoCardless. The reasons for this clarification are outlined in our recent blog post, and our privacy notice sets out how, why and when we use your personal data.
GDPR places strict rules on what we can use your data for, how we must protect it, and what we must do if something goes wrong. In addition, we are bound by financial services regulation that also deals with data and security. Please be assured that we will treat your data with respect and in accordance with the law.
Should you have any further questions, please let us or the business you are paying through GoCardless know.
You can review the updated data protection terms that apply to your agreement with us in the section labelled 'Data Protection' in our online Merchant Agreement.
You’ll notice these look different from the list of terms required in GDPR Article 28. That’s because our agreement reflects our relationship as independent data controllers. Article 28 applies only to contracts with data processors, because it imposes by contract the obligations that the law places directly on data controllers.