General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Transcription

1 General Data Protection Regulation Frequently Asked Questions (FAQ) This document addresses some of the frequently asked questions regarding the General Data Protection Regulation (GDPR), which goes into effect on May 25, General Questions What is personal data? Personal data is any information relating to an identified or identifiable natural person ('data subject'). Identifiers include name, identification number, location data, online identifier, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. See Appendix for a list of personal data identifiers. Who are the key parties with respect to the GDPR? The key parties in the GDPR landscape are the data subject (natural person), the controller (determines what data is collected, and the purpose and means of processing), the processor (performs activities as instructed by the controller), and the data protection agency (enforces the GDPR). Who are the data subjects covered by the GDPR? Under the GDPR, a data subject is a natural person (not a legal entity) in the European Union (EU), including citizens, residents and visitors. Which organizations are in scope for the GDPR? Generally, the GDPR applies to any organization that falls into one or more of the following categories: Has an establishment in the EU Offers goods or services to data subjects in the EU Monitors the behaviors of data subjects in the EU This includes, for example, tracking an individual online to create a profile, or even to determine or predict the individual's preferences. Always check with legal counsel if unsure of the applicability of the law. Does the GDPR apply to merchants who process credit cards transactions for EU citizens visiting the USA? For organizations that operate solely within the USA (all processing is done in the USA), the GDPR does not apply. What does the processing of personal data mean? Any operation or set of operations which is performed on personal data such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by

2 transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Is Vantiv, now Worldpay the data controller in terms of the personal data it processes? For card transaction processing, Worldpay is typically a Data Processor. However, customers should review their contracts to ensure they understand the full scope of activities Worldpay is authorized to undertake with their personal data. What are customers obligations with respect to GDPR compliance? Worldpay merchants are expected to assess their own compliance requirements under GDPR, and to comply with any contractually agreed upon privacy requirements. This includes providing appropriate privacy notices to end-customers/cardholders, and obtaining any consent that enables Worldpay to use personal data for any agreed upon purposes. What is a personal data breach? Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. How does Worldpay handle personal data breaches? Worldpay has a dedicated security incident response process, managed by the cyber security team in conjunction with other stakeholders. What are the consequences of a personal data breach involving EU data subjects? A data controller must report personal data breach to the regulatory authority within 72 hours of detection. When the breach has a potential impact on the subjects, the organization should notify the data subjects as well. A subsequent investigation, or even the lack of notification, may reveal noncompliance, which can lead to regulatory action. ne Data Life Cycle Collection What personal data does Worldpay collect? Worldpay typically collect data including the following: Customers: contact details, billing, and credit risk data Card transactions: merchant ID, transaction amount, transaction date and time, PANs, name, contact details, and delivery and billing address; and Information gathered as a result of risk management activities Storage Where is personal data physically stored? Currently, all customer data collected in the U.S. is stored in the U.S.

3 Use How does Worldpay use the personal data it collects? Worldpay only uses personal data for the purposes that were agreed up with customers. Data Transfer and Disclosure How does Worldpay protect personal data when it is transferred outside of Europe? Worldpay has implemented appropriate cross-border transfer mechanisms, including standard model contracts and Privacy Shield certifications, to ensure the protection of the data and to comply with EU data privacy laws. Does Worldpay share any personal data with third parties? Worldpay only uses and shares data in order to provide its services and to comply with its legal, regulatory and contractual obligations. Worldpay has established a vendor management program, which includes due diligence prior to onboarding, to minimize risks to our customers. How does Worldpay handle requests for disclosure of personal data from law enforcement agencies? Law enforcement requests are handled by the legal team, in collaboration with compliance and other teams as appropriate. Retention/Deletion How long does Worldpay retain personal data? Worldpay will dispose of or return personal data when either the contract ends, or when the personal data is no longer fit for purposes for which it was collected. Security Does encrypting everything exempt an organization from having to comply with the GDPR? No. Encrypted data usually leads to pseudonymization rather than truly anonymous data. A data breach involving encrypted information should still be monitored, because re-identification and decryption are still a risk. What is the difference between Anonymization and Pseudonymization? Anonymization is the deletion or changing of personal data in such a way that this personal data can no longer be assigned to a certain or ascertainable individual or can only be assigned with a disproportionately high effort in terms of time, cost and work. Anonymized data is not subject to the GDPR. Pseudonymization is the replacement of an individual's name and other identifiable characteristics with a label to prevent identification of the individual using techniques such as masking, redaction, tokenization and/or encryption. Pseudonymized data is in scope for the GDPR.

4 Compliance Who manages compliance with GDPR requirements within Worldpay? While there is a dedicated team to manage compliance with the GDPR, we are embedding the fact that compliance is everyone s responsibility into our culture. What training is provided to employees on compliance with personal data handling requirements? All Worldpay employees and contingent workers must complete mandatory training about the protection of personal data each year. Compliance with training requirements is monitored and tracked our HR compliance team. How will Worldpay address requests related to data subjects rights, such as access, rectification or deletion? Worldpay will support its customers in responding to any requests they received from cardholders, including requests for access, rectification, erasure, and objection to processing of their personal data per contractual obligations.

5 Appendix GDPR Personal Data Identifiers Personal Characteristics Government Issued Identification Numbers Health Information Business Contact Information EU Special Categories Other Sensitive Personal Information Personal Directory Information Financial Related Information Credit Card Information Education Information Children Information Collected from Parent(s)/Guardian(s) or a Child Mobile Device Information Analytics and Digital Content Display Information Name, Age, Date of Birth, Gender, Height, Weight, Marital Status, Nationality Federal Issued Identifier, Driver s License Number, Passport Number Medical Record Number, Medical History, Health Plan Beneficiary Number Position/Job Title, Business Address, Business Phone, Business Race, Religion, Political Beliefs, Genetic Information, Sexual Orientation Criminal Convictions, Account Information/Credentials, Mother s Maiden Name, Big Data Results on Consumer Behaviors and Preferences Home Postal Address, Home Telephone Number, Cell Phone Number, Personal Address, Social Media Handle Financial Transactions History, Credit History or Credit Check, Background Checks Credit/Debit Card Number, Cardholder Name, Expiration Date, PIN Data Degrees or schooling, Licenses and Professional Membership, Academic Record Names, Gender, Address, Location Information, Browsing History or Tracking Data Mobile Device Location (current/past), I.P. Address, Mobile Device Content, Mobile Device Attributes Device Types and Attributes, Computing System Attributes, IP Address, Cookie and Similar IDs, Geolocation Information, Consumer Profiles This document is not intended as legal advice, and is provided for information purposes only. Worldpay makes no warranties of any kind including in relation to the content or relevance/applicability to customers organizations.