PAYSAFE Group Data Protection and Privacy Standards
The Paysafe Group Data Protection and Privacy Standards set out the minimum rules that apply whenever and wherever the Paysafe Group collects and process personally identifiable information.
All group entities are signatories to an Intra-Group Data Transfer Agreement which ensures that the personally identifiable information that we collect and disclose across the group is treated in a consistent manner and in compliance with the Standards.
Why is compliance with the Standards important?
At Paysafe the lawful and correct handling of personally identifiable information is critical. At its simplest, people need to be able to trust us to respect their privacy and how we handle their personally identifiable information when working with us or doing business with us. Across all of our products and services we are focused on meeting our consumers and merchants’ requirements.
The Data Protection and Privacy Standards reflect the common principles and requirements under Data Protection Legislation in the countries where Paysafe operates.
Our commitment to the Standards
Paysafe will allocate adequate resources to maintain compliance with the Standards. This shall include ensuring appropriate senior management responsibility. All employees at Paysafe receive Data Protection and Information Security training.
Fair and Lawful Processing
In accordance with all relevant Group Policies, Local Policies, we will collect, obtain and process personally identifiably information fairly and lawfully and in compliance with applicable Data Protection Legislation.
We will only collect and obtain personally identifiably information for specified and lawful purposes. We will not further process such personally identifiably information in a way that is incompatible with such purposes.
We limit our collection of personally identifiably information
We will collect and process personally identifiably information which is adequate, relevant and not excessive in relation to the purpose or purposes for which it is collected without consent.
We will take appropriate steps to ensure that personally identifiably information is accurate and, where necessary in accordance with Group and Local Policies and Data Protection Legislation, kept up-to-date.
Where we obtain personally identifiably information from third parties and/or publicly available sources, we will endeavour to use only reliable and reputable sources and/or vendors.
We will retain personally identifiably information for no longer than is necessary and appropriate for the purposes for which it was collected, unless the personally identifiably information is otherwise required to be kept under a contractual requirements and at all times in compliance with Applicable Law and Data Protection Legislation.
We will take appropriate technical and organisational measures to protect against unauthorised or unlawful processing or accidental loss, destruction or damage of personally identifiably information.
Having regard to the state of technological development and the cost of implementing any measures, the measures will ensure a level of security appropriate to the nature of the personally identifiably information to be protected and the harm that might result from any unauthorised or unlawful processing, or accidental loss, destruction, or damage.
We will respect the right of all individuals over their personally identifiably information in accordance with all Applicable Law and Data Protection Legislation.
We will ensure that Data Subject Access Requests are responded to in full in a manner that is compliant with the all Group Policies, Local Policies and Data Protection Legislation. All requests for access to personally identifiably information should be submitted in writing to email@example.com. A fee will be charged for providing copies only when permitted by Data Protection Legislation.
We will respect an individual’s statutory right to object to the way their personally identifiably information is processed. All legitimate objections will be investigated and necessary action taken. Where appropriate, we will amend, update or delete personally identifiably information which is found to be incomplete or inaccurate.
We will take account of an individual’s legitimate interests and require explicit consent and inform them of the logic involved in decisions that are made using their personally identifiably information purely by automatic means and which are intended to evaluate certain personal aspects relating to the individual and /or produce legal effects significantly affecting the individual.
We will not use personally identifiably information to send marketing information to any individual who has not provided consent to receive such material. If an individual requests us to stop processing their personally identifiably information for direct marketing purposes, we will stop processing their personally identifiably information for those purposes within a reasonable period of time and, in any event, in accordance with deadlines specified by Data Protection Legislation.
Transfers of personally identifiably information to third parties
We will only transfer personally identifiably information to third parties if the following conditions are satisfied:
- there is a written contract in place that specifically outlines the obligations and the responsibilities of both parties with regard to the protection of personally identifiably information to ensure compliance with the Standards, Group and Local Policies as appropriate, and at all times in compliance with Applicable Law and Data Protection Legislation; and
- we will choose Data Processors and Data Controllers that provide sufficient guarantees in respect of the technical and organisational security measures and take reasonable steps to ensure compliance with such measures.
- We will ensure that all transfers of personally identifiably information to third parties located outside the European Economic Area to a country that is not deemed to have an adequate level of protection by the European Commission will comply with EU rules on such transfers. For example, where appropriate, we will use Standard Contract Clauses approved by the European Commission.
Data protection & privacy by design
We will give due consideration to data protection and privacy needs prior to the development of any new system or process, and maintain that control throughout the systems lifecycle, from the earliest stages of developing a business case through to the decommissioning of the system.
Having regard to the state of technological development and the cost of implementing any controls, the controls will ensure a level of information security appropriate to the nature of the data to be protected and the harm that might result from any unauthorised or unlawful processing, accidental loss or destruction, or damage.
Notification (or registration)
Group Entities will notify and/or register with all relevant Data Protection Authorities before processing personally identifiably information.
Monitoring & auditing compliance
The group privacy officer is responsible for developing, maintaining and monitoring compliance with the Standards. This process shall be supported by Paysafe’s Internal Auditors who will evaluate, test and report on compliance with the Standards on a regular basis. Information from audit reports will be submitted to the Board.
Where any non-compliance with the Standards is identified in any such Audis, the group privacy officer will work with the relevant Group Entity or department manager to design, implement and monitor remediation measures.
All Group Entities will permit any relevant Data Protection Authority to audit that entity in order that the Authority may obtain the information necessary to demonstrate that Group Entity’s compliance with the Standards and Applicable Law and Data Protection Legislation.
If any Applicable Law and/or Data Protection Legislation requires a higher level of protection of personally identifiably information than the Standards then Applicable Law and Data Protection Legislation shall take precedence in respect of the relevant provision.
We will not be responsible for a breach of the Standards to the extent compliance with the Standards is prevented by Applicable Law and Data Protection Legislation in the relevant jurisdiction.
Updating the Standards
We reserve the right to amend the Standards including, without limitation, the addition of new Group Entities.
Date of publication: 09 November 2015