The EU General Data Protection Regulation ("GDPR") came into force across the European Union on 25th May 2018, and brought with it the most significant changes to data protection law in two decades. Founded on the fundamentals of privacy by design and a risk-based approach, the GDPR was designed to meet the requirements of the digital age.
The 21st century brings with it the broad use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. GDPR is intended to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information.
eCOMM Merchant Solutions Ireland Ltd ("EMSI") and eCOMM Merchant Solutions Ltd ("EMS") ("we" or "us" or "our") are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have a robust and effective data protection framework in place, which is fully compliant with existing laws and data protection principles under the GDPR and domestic Irish Data Protection legislation.
EMSI and EMS have a Data Protection Process that is effective, fit for purpose, and fully compliant with the requirements of the GDPR. This statement therefore addresses the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum compliance at all times.
Our Data Protection Process
EMSI and EMS have been fully compliant with the GDPR since its introduction on 25th May 2018.
Our Policy includes: -
Information Review – a company-wide information review mechanism regularly identifies and assesses what personal information we hold, where it comes from, how and why it is processed, and, if disclosed, to whom it is disclosed.
Policies & Procedures – regular monitoring and revision of data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including: -
Data Protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities, with focus on the rights of individuals.
Data Retention & Erasure – we have updated our retention policy and schedule to ensure that we meet the 'data minimisation' and 'storage limitation' principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new 'Right to Erasure' obligation and are aware of when this and other data subjects' rights apply, of any exemptions to them (such as our anti-money laundering obligation to retain data relating to financial transactions for six (6) years), and of the associated response timeframes and notification responsibilities.
Data Breaches – our breach procedures ensure that we have adequate safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest opportunity. Our procedures are robust and have been distributed to all employees, who are aware of the reporting lines and steps to follow. Our updated policies comply with the requirement to report security breaches to our supervisory authority, the ICO, within seventy-two (72) hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
International Data Transfers & Third-Party Disclosures – in the limited situations where EMSI and EMS store or transfer personal information outside the EEA or the EU, robust procedures and safeguarding measures apply to secure, encrypt and maintain the integrity of the data. EMSI and EMS will continually review the countries covered by adequacy decisions, such as the Privacy Shield in the US, and the provisions for binding corporate rules, standard data protection clauses or approved codes of conduct. EMSI and EMS will further perform due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information. EMSI and EMS undertake that any transfer of Personal Data outside the EEA or the EU shall be made in full compliance with Article 46 of the GDPR, and that no data shall be transferred outside the EEA or EU unless the following conditions are fulfilled:
– The data subject has enforceable rights and effective legal remedies;
– EMSI and EMS shall comply with their obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if not so bound, shall use their best endeavours to assist the Customer in meeting its obligations);
– EMSI and EMS shall comply with any reasonable instructions notified to them in advance with respect to the processing of the Personal Data; and
– Upon written direction, EMSI and EMS shall delete or return the Personal Data (and any copies of it) unless required by Law to retain it.
Where EMSI and EMS are required to transfer Personal Data to the United States of America, EMSI and EMS shall only send such Personal Data to third-party sub-contractors that meet the minimum requirements contained under the Privacy Shield, or in the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
In the event that the Privacy Shield is repealed at any future date, for whatever reason, EMSI and EMS shall only contract with third-party sub-contractors that satisfy the requirements contained in the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
Subject Access Request – EMSI and EMS have updated their Subject Access Request procedures to accommodate the revised one (1) month timeframe for providing the requested information and for making this provision free of charge. Our new procedures detail how to verify the data subject, what steps to take when processing an access request and what exemptions apply.
Legal Basis for Processing – we regularly review all processing activities to identify the legal basis for processing and ensure that each basis is appropriate for the activity it relates to. Where applicable, EMSI and EMS also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR (Records of processing activities) are met.
Privacy Notice – we have revised our Privacy Notice to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
Obtaining Consent – we have revised our consent mechanisms on the CCP for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways for data subjects to consent to us processing their information. Our Terms and Conditions currently address the consent to use personal data, but this is changing to ensure we comply with Article 7 of the GDPR (Conditions for consent). We have developed processes for recording consent, ensuring that we can evidence an agreeing opt-in, and a way to withdraw consent at any time for marketing purposes only. Consent cannot be withdrawn for data relating to financial transactions once activity begins. A revised version of the Terms and Conditions is available for distribution to your clients, and for your website. If you use your own platform instead of our ACP/CCP then you will need to make arrangements to gather consent from data subjects before you collect their data. This consent needs to be recordable and auditable to comply with the requirements.
Consent for Children Under 16 – if you are giving consent on behalf of a child under 16, please be aware that children need specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned, and of their rights in relation to the processing of personal data for the purposes of using these services. By consenting to this privacy notice on behalf of a minor you are giving permission for their data to be used for the purposes described above.
Direct Marketing – EMSI and EMS have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions and a clear notice and method for opting out.
Data Protection Impact Assessments (DPIA) – where EMSI and EMS process personal information that is considered high risk, involves large-scale processing or includes special category/criminal conviction data, EMSI and EMS have developed a procedure and assessment template for carrying out impact assessments that is fully compliant with Article 35 of the GDPR (Data Protection Impact Assessments).
Data Subject Rights
In addition to the policies and procedures mentioned above, which ensure individuals can enforce their data protection rights, our Privacy Notice provides easily accessible information on an individual's right to access any personal information that EMSI and EMS process about them and to request information about: -
- What personal data we hold about them;
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients to whom the personal data has been or will be disclosed;
- How long we intend to store their personal data for;
- If we did not collect the data directly from them, information about the source;
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this;
- The right to request erasure of personal data (only where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us; and
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances.
Information Security & Technical and Organisational Measures
EMSI and EMS take the privacy and security of individuals and their personal information very seriously, and take every reasonable measure and precaution to protect and secure the personal data that they process. EMSI and EMS have dedicated information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction, including the following security measures: -
- PCI DSS certification;
- Access Controls;
- Encryption; and
- Pseudonymisation with MIDs, VIDs, TIDs.
GDPR Roles and Employees
EMSI and EMS have appointed a designated Data Protection Officer (DPO) and have further appointed a GDPR Project team which has developed and implemented EMSI and EMS's roadmap for complying with the GDPR. The team has promoted awareness of the GDPR across the organisation and its programmes, identifying any gap areas and drafting and implementing the new policies, procedures and measures.
EMSI and EMS utilise a GDPR checklist designed to assess each business activity, function and process and to ensure that we have implemented a company-wide approach to meeting GDPR requirements. EMSI and EMS understand that continuous employee and client awareness and understanding is vital to continued compliance under the GDPR.
In the event that you wish to make a complaint about how your personal data is being processed by EMS or EMSI (or by third parties as above), or about how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and with EMSI's and EMS's Data Protection Officer by email to DPO@ecomm365.com.