Paysley is a US-based B2B payment technology service provider. Paysley offers its services to businesses registered in the United States and Canada; however, we acknowledge that any of those businesses, including your business, may receive payments from clients in the EU. We are therefore committed to complying with the GDPR through our robust privacy and security protections. We provide our policy in the public domain so that any of our business customers and any of their customers can be informed and knowledgeable of our GDPR compliance.
What is GDPR and who does it affect?
On May 25, 2018, the European privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR brings in new data protection rules and expands the privacy rights of EU individuals. It applies to all companies who collect, store, or use the personal data of EU individuals, wherever that company is based in the world.
Paysley is committed to complying with the GDPR through our robust privacy and security protections.
Paysley’s GDPR Readiness Activities
What changes did GDPR make to existing data protection rules and practices?
The GDPR is designed to build on existing data protection laws and modernize practices to cater to changes in technology and consumer preferences. There are a few important changes that we believe are particularly relevant to you as a Paysley customer. In addition to broadening the scope of existing laws beyond EU borders and the expanded definition of ‘personal data’, the GDPR introduces:
Expansion of individual rights: Individuals in the EU now have new rights under the GDPR such as:
Stricter processing requirements: The GDPR now requires you to be completely transparent about the data you process, including:
There are many other principles and requirements brought about by the GDPR, so it is important to review the GDPR thoroughly with legal experts to ensure you have a full understanding of how these requirements apply to you.
Does the GDPR address cross-border data transfers?
Yes, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, and it identifies a number of different legal grounds that organizations can rely on to perform cross-border data transfers.
One legal ground for transferring personal data set out in the GDPR is an “adequacy decision.” The Privacy Shield framework constitutes one such example of an adequacy decision. Paysley participates in and has certified its compliance with the Privacy Shield framework, and we are committed to treating all personal data received from EU member countries in accordance with the Privacy Shield framework’s applicable principles. Generally speaking, this means we expect that Paysley’s customers using our payment technology will be able to continue to rely on Paysley’s Privacy Shield certification in order to transfer their lawfully obtained EU customer data to Paysley in compliance with the GDPR.
Does it matter whether you are a controller or a processor?
Yes, there are different requirements and obligations depending on which category you are in.
Data Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor as well.
In the context of Paysley’s solutions and related services, in the majority of circumstances, our customers are acting as the “data controllers”. Our customers, for example, decide what information from their contacts is uploaded or transferred to Paysley. As a SaaS provider, Paysley typically has the role of a “data processor” who processes personal data on behalf of the data controller.
As our customers’ processor, one important feature of compliance with EU data protection law is our Data Processing Addendum (DPA). This contract addendum governs the relationship between our customer (as data controller of the Customer Data) and Paysley (acting as a data processor).
Does Paysley comply with the GDPR?
Yes, all the gateways we connect to are in compliance with the GDPR. As part of the compliance process, we reviewed (and updated where necessary) our internal processes, procedures, data systems, and documentation, as well as our third-party vendor contracts and Data Processing Agreements, to ensure that we were in compliance with the GDPR. This ensures that you can continue to lawfully transfer EU personal data to Paysley to process on your behalf.
How can Paysley assist in your GDPR compliance efforts?
There are several ways in which Paysley can help. Most importantly, Paysley can help you promptly respond to Individual Rights requests from your customers or contacts to:
If we are contacted by any of your customers regarding their data, we will always advise that individual to contact you directly to ensure that you always have full control and retain any correspondence with your customer.
Do you still have questions?
You can submit questions or requests to Paysley via email or our website contact form. To help us route your request quickly, please add GDPR to the subject line. To understand and learn more about the GDPR, visit the EU GDPR webpage.