General Data Protection Regulation (GDPR) Compliance
The GDPR provides a legal framework for the various arrangements under which personal data is handled by external parties, for example when data is transferred to a service provider. The most common arrangement is a Data Processor processing data on behalf of a Data Controller.
E1Pay is considered a Data Processor.
Data Controller and Data Processor both have an obligation to protect personal data in accordance with the GDPR. The legal obligations between the parties regarding data protection must be defined in agreements to ensure that customers’ personal data is processed lawfully. These agreements are called “Data Processing Agreements” or “Data Processing Addenda” (DPAs).
E1Pay is fully committed to complying with the European data protection law called the General Data Protection Regulation (GDPR). The purpose of this regulation is to harmonize data privacy laws across the European Union and to establish high standards of protection for the personal data of individuals in the EU.
OUR GDPR COMMITMENT
We are committed to GDPR compliance across our operations, including our service and technology. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and agreements.
WHAT IS GDPR?
As of the 25th of May 2018, the EU General Data Protection Regulation (GDPR) strengthens the rights of individuals regarding their personal data and seeks to unify local data protection laws across Europe. The GDPR imposes new or additional obligations on organizations in the EU that process personal data and on organizations outside the EU that process the personal data of EU residents.
WHAT DOES GDPR MEAN TO OUR CUSTOMERS?
Whenever the GDPR applies to our customers, they must implement appropriate measures to ensure, and be able to demonstrate, that any data processing is performed in compliance with the GDPR requirements. These requirements relate to principles such as lawfulness, fairness and transparency, accuracy, purpose limitation, data minimization, storage limitation, integrity and confidentiality. They also relate to fulfilling individuals’ rights with respect to their personal data.
Our customers must furthermore ensure that the service providers they select to process personal data on their behalf provide sufficient guarantees that they implement appropriate measures so that the processing meets the GDPR requirements.
WHAT DOES GDPR MEAN TO US IN RELATION TO OUR CUSTOMERS?
The measures we have put in place assist our customers in meeting the GDPR requirements when personal data, as part of business data, is processed through our services. Our GDPR assurances are summarized on this webpage.
This assists our customers in demonstrating their compliance with GDPR.
OUR GDPR ASSURANCES
1. WE ARE ON TOP OF IT
We are conducting an extensive GDPR compliance program. The program was initiated in 2016 and will be completed by the 25th of May 2018. It is run by the E1Pay Data Protection Team, which consists of privacy and security experts. The Team identifies our data processing activities, maintains our processing register, performs data protection impact assessments, builds compliance documentation and follows up on compliance improvement actions. We appoint a data protection officer where legally required. External experts audit and verify our GDPR compliance program. The Team also ensures that staff members processing personal data are trained to comply with our data processing policies and are bound to confidentiality.
2. WE FOLLOW CUSTOMERS’ INSTRUCTIONS
We process personal data contained in business data transmitted to us only on behalf of our customers, to the extent necessary for our services and in accordance with our customers’ instructions. In legal terms, we are the data processor and our customers are the data controllers.
3. OUR WORLDWIDE SUBPROCESSORS ARE QUALIFIED
We select qualified subprocessors to support our cloud technology. We currently use Alibaba Cloud for our cloud technology solution, which is GDPR qualified. We remain responsible for putting appropriate data processing arrangements in place with our subprocessors. We make information about our current subprocessors available where required by law.
4. SECURITY OF DATA IS CORE
Through our information security program, we maintain appropriate technical and organizational security measures designed to protect the security and integrity of data. Our security measures are based on globally accepted standards and are described in a separate notice, available upon request. We audit our security measures. We notify affected customers in the unlikely event of a security breach on our systems of which we become aware.
5. WE ASSIST
Our services allow our customers to respond to legitimate requests from individuals, mainly to rectify, restrict or erase their personal data. Where this is not possible through the service itself, we will assist. When our customers perform security and data protection assessments, issue security incident notifications or reply to consultations of supervisory authorities that relate to our services, and believe we can be of help, we will assist where we can. We also assist customers who wish to audit our compliance.