gipay and GDPR compliance
From 25 May 2018, the General Data Protection Regulation (GDPR) is in force in all member states of the European Union and the European Economic Area. The GDPR aims to harmonize the differing data protection laws of the Member States, leading to more uniform data protection for all European citizens.
The protection of our customers’ personal data is of the utmost importance to us. Over the past year, we have worked tirelessly to ensure that all GDPR compliance requirements are met well in advance. We also follow all industry procedures and guidelines issued by regulatory authorities in order to adjust our protection measures appropriately and continuously.
All of our employees have received GDPR training under the supervision of our local privacy team, our compliance function and our external privacy consultants. Each new employee must attend a mandatory training session on privacy policies and best practices. Thereafter, refresher training sessions are held annually for all employees. In accordance with the requirements of the GDPR, we have appointed a data protection officer (DPO), who also acts as the head of the privacy team.
The company’s internal policies are updated in accordance with the new requirements of the GDPR.
All gipay customers are natural or legal persons (businesses / companies). Under the GDPR, data relating to sole proprietorships are personal data. Other companies and enterprises are not data subjects under the law. However, we are required to verify the identity of the persons and of the entrepreneur / authorized user who opens the account (called the “user who opens the account” in the case of a company or other entity). We process personal data relating to this authorized entrepreneur / user. Information relating to the company itself (with the exception of sole proprietorships), including its risk profile and due diligence checks, is not regulated by the GDPR.
Why do we take photos of authorized persons and their identity documents? Is this a GDPR compliant procedure?
The gipay service has been designed for commercial purposes and can be used by individuals or legal entities. A user who registers for or uses the gipay services on behalf of a legal person is treated as an authorized person and may be obliged to disclose the personal data of legal representatives, employees, agents, beneficial owners or any other third party connected to the legal person.
In compliance with our legal obligations under the relevant anti-money laundering and anti-terrorism regulations, we are required to verify the identity of our customer or the identity of the authorized user who opens the account.
We are legally obliged to identify and verify the account holder (a person authorized by the company), and because people are not always able to upload the necessary information themselves, we do it for them. Following best practices, we have implemented identification by video chat in an online environment. We follow this procedure for the convenience of our customers.
Anti-money laundering and anti-terrorism regulations, in general, oblige financial institutions and other legal entities at risk of being used as a vehicle to launder money or finance terrorism, to:
identify their customers, i.e. the obliged party must ask the customer to provide their personal data;
verify their identity, i.e. the obliged party must “check” that the user’s personal data are not falsified, counterfeited, stolen or similar.
When the aforementioned procedure is carried out remotely, for example via the web portal or an app, we must ensure that the verification of the customer’s identity is carried out using at least two technical measures.
The video chat functionality and the obligation to take pictures of our customers and their identity documents are, at this time, the fastest and easiest lawful way for us to provide our services.
We have carried out a detailed review of all our data processing procedures, by product and by department. We have analyzed the reasons for the processing, the retention periods, and the technical and legal security measures that guarantee the rights and freedoms of our customers, and we have made sure that all data processing activities we carry out are 100% compliant with the law.
Please note that, as a fintech and partner of financial institutions, we are obliged under the Payment Services Directive and anti-money laundering legislation to retain customer data for a period of 5 years after termination of the customer’s contract / account.
Our customers can send us a request for correction of inaccurate or incomplete personal data by e-mail, to the address email@example.com
Our customers have the right to receive a copy of the data we hold for them at any time. The request can be sent by e-mail to firstname.lastname@example.org
As a rule, we keep the personal data of customers for the time required for the execution of the contract stipulated between them and us and to fulfill our regulatory obligations. Our customers can request the closure of their gipay account and the termination of the contract at any time. However, in accordance with the regulations, we will keep their data for 5 years after the termination of the contract.
When the regulatory retention periods have expired, we diligently delete customer personal data from our systems. The cancellation request can be sent by e-mail to email@example.com
Our customers have the right to receive a copy of their personal data in a structured, commonly used and machine-readable format that allows its reuse. They can transfer their personal data from one data controller to another and / or have the personal data transmitted directly between data controllers without hindrance.
If our customers have given their consent to the processing of personal data on our part, they can withdraw their consent at any time by changing their account settings or by sending us a communication indicating which consent they intend to withdraw. Please note that the withdrawal of consent does not affect the lawfulness of any processing activity based on consent prior to the withdrawal.
It should be noted that, pursuant to the GDPR, companies are not data subjects. Business owners who use gipay services and hold business accounts can exercise their rights, but only with regard to their own personal data (or the personal data of the authorized person). Information relating to their company, including its risk profile and due diligence checks, is not regulated by the GDPR.
All our current suppliers have undergone an assessment aimed at ensuring their compliance with the security and privacy requirements established by the GDPR. To maintain compliance, the same assessment is conducted for all new suppliers. When we transfer, store or process personal data outside the European Economic Area, we ensure that appropriate safeguards are in place to guarantee an adequate level of data protection.
For entities established outside the EEA, we always require our suppliers to be registered under the Privacy Shield (or a similar) mechanism, or to provide us with an assessment of the adequacy of the privacy protection measures they apply.
We are responsible for ensuring that personal data is kept secure, in encrypted form, on servers located in dedicated data centers in class A jurisdictions in Europe. To prevent unauthorized access to or disclosure of data, we maintain physical, electronic and procedural security measures that comply with current regulations for the protection of non-public personal data.
Our incident response procedures have been designed and tested to ensure that unexpected security events are detected and reported to the appropriate personnel for resolution, that personnel follow defined protocols for resolving security events, and that the steps taken for resolution are documented and periodically reviewed by our security team. We are also updating these policies and procedures to include breach notification if and when an unforeseen security event results in the loss or unauthorized use of personally identifiable information (PII).