GDPR & Payment Processing: What You Need to Know

The General Data Protection Regulations (GDPR) is a new, European Union privacy and data protection law that came into effect on May 25, 2018. The main focus of the GDPR is the protection of personal data and digital privacy. The GDPR significantly tightens existing rules on data handling, placing greater obligations on organizations that handle data. The GDPR also sets out guidance for organizations on appropriate levels of data security.

What is GDPR

The GDPR establishes new rules for how companies collect, process, or store data of data subjects residing in the EU, regardless of the company’s location.

Who is impacted by GDPR

The GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.

The GDPR applies to any business that does one or both of the following:

  • Offers products or services to residents of the EU
  • Collects personal information from residents of the EU

The GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor (such as Forte) not established in the EU, where the activities relate to: offering goods or services to EU residents (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU.

What Constitutes Personal Data?

Personal data means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifiers.

What Constitutes Processing of Personal Data?

Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.

What is the difference between a Data Processor and a Data Controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

GDPR categorizes the data roles as follows:

  • The data subject: The consumer
  • The data controller: The business (that’s you)
  • The data processer: A third party processor instructed by the data controller (i.e. Forte)

As data controller, you’re responsible for the relationship with the data subject. You may instruct a third party (like Forte) to process the data but it’s your responsibility to determine the purpose (or objectives) and legal basis for the processing.

All third parties have to abide by the terms agreed by the data controller and the data subject. To be sure of this, the data controller must have Data Processing Agreements (DPA) with each one. Our DPA has been designed to protect you; it’s strongly aligned with payment transactions, so it proves you’re compliant with GDPR (at least from a payments perspective).

For certain data processing activities, Forte could be both the data controller and the data processor. For example, when processing credit card transactions, Forte maintains a dual role as both data processor and data controller. Credit card transactions requires the processing of personal data, such as the cardholder’s name, credit card number, the credit card expiry date, and CVC code. The cardholder’s data is sent from the Forte user to Forte via the Forte API. Forte uses the data to complete the transaction within the systems of the credit card networks, which is a function that Forte performs as a data processor. However, Forte also uses the data to comply with its regulatory obligations (such as Know Your Customer (“KYC”) and Anti Money Laundering (“AML”)), and in this role Forte is a data controller.

How We Use the Information We Collect

Personal consumer information is used to process payment transactions and for no other purpose.

Personal information is shared with third party banks to the extent necessary for Forte Payment Systems to complete the e-check transaction. We also may release personal information when we believe release is appropriate to comply with law or verify information with other companies for fraud protection and risk reduction.

How Does GDPR Relate to Data Security?

Organizations like Forte must ensure that they have sufficient technical and organizational measures in place to guarantee the security of data processing. These measures should be appropriate to the nature, scope and purpose of the organization’s data processing, but should be sufficient to safeguard against the risk of data breaches, particularly accidental or unlawful loss, alteration, disclosure or unauthorized access. The GDPR requires organizations like Forte to implement measures to ensure that anyone with access to personal information processes it only in accordance with the rules of the GDPR.

GDPR does lay down some helpful guidelines which includes:

  1. Encryption and pseudonymization of personal information
  2. Measures to ensure that processing systems and processing services are resilient to attack, system failure or human error, and that they adequately maintain confidentiality.
  3. A robust set of procedures for restoring access to personal information as quickly as possible in the event of a technical or physical incident.
  4. A process to ensure that all existing technical and organizational measures are regularly tested and evaluated for their effectiveness in ensuring data security.

Forte and GDPR

Privacy, data protection and data security are very important to Forte. Forte is constantly working to ensure that our services are GDPR Compliant. We are enhancing our documentation and agreements to align with the GDPR requirements and enhancing our internal policies and procedures to adhere to the GDPR standard.

Legal Basis for Processing Data (Lawfulness of Processing)

Processing shall be lawful only if and to the extent that at least one of the following applies:

  • The data subjects has given consent to the processing of his or her personal data for one or more specific purposes. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. It must be as easy to withdraw consent as it is to give it;
  • The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • The processing is necessary for compliance with a legal obligation to which the controller is subject;
  • The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Rights of Data Subjects

The GDPR references individuals as data subjects. The GDPR establishes certain rights for data subjects which include:

Right to Access

You have the right to obtain to obtain from the data controller confirmation as to whether or not personal data concerning you is being processed, where and for what purpose. Forte is under a legal obligation to assist the data controller to provide this information.

Right to be Informed

You have the right to be informed regarding the collection and use of your Personal Data. Forte’s Privacy Policy serves that purpose. You should also review the Privacy Policies of any data controllers to which you may have provided your Personal Data.

Right to Erasure

You have the right to erasure which entitles you to have Forte erase your personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subjects withdraws consent however Forte may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.

Right to Data Portability

In certain circumstances, you may have the right to receive the personal data concerning you, in a structured, machine readable and commonly used format and to request that we transmit that data to another data controller.

Right to Rectification

You have the right to obtain from the data controller and without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.

Right to Restrict Processing

You may have the right to request that we restrict processing of your Personal Data in certain circumstances (for example, where you believe that the Personal Data we hold about you is inaccurate or unlawfully held).

Breach Notification

  • Forte will notify Data Protection Authorities(“DPAs”) of personal data breaches likely to present a risk to data subjects without undue delay, and within 72 hours if feasible, after becoming aware of the breach; and
  • Communicate high-risk breaches to affected data subjects without undue delay.

Penalties of Non-Compliance

Non-compliance could result in potentially huge fines “up to €20 Million, or up to 4 % of the total annual global turnover of the preceding financial year, whichever is higher”. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors.

This GDPR Guide is for informational purposes only. It is not legal advice. Please reach out to your legal counsel to receive tailored guidance on how the GDPR may impact your business.

  • See the entire product suite

Related Posts

facial recognition
What’s Next in Facial Recognition?
cybercrime prevention
3 Ways Cybercriminals Threaten Your Business
e2e encryption
What You Need to Know About E2E Encryption