GDPR and Payment Providers for e-commerce websites
The GDPR and Payment Providers/Gateways for e-commerce websites
For the purposes of the GDPR, payment providers/gateways like PayPal, Stripe, Braintree or Sagepay are the same as any other third party that you share your customer data with.
In the language of the GDPR, third parties are "processors" of your data, whereas you are the "controller", and the GDPR stipulates:
"Whenever a controller uses a processor it needs to have a written contract in place."
Consequently, you are highly encouraged to approach each of the Payment Providers/Gateways you use and ask for a copy of the contract or agreement between you. These contracts need to cover some specific topics regarding data sharing, and these are covered in detail below.
If you are comfortable that these agreements/contracts cover:
- the duration of the processing;
- the nature of the processing;
- that a duty of confidence is in place;
- and that your "processors" understand that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR,

then print each contract and file it away in case of an audit. If you cannot be sure that the contract covers everything specified by the GDPR, then you can speak to the ICO helpline or seek legal advice.
Payment Providers / Gateways and Privacy Policies
We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g. payment processors).
The payment processors we work with are:
- Sage Pay: Their policies can be viewed at https://www.sagepay.co.uk/policies
Disclaimer: the above example is provided for informational purposes. No warranty, either expressed or implied, is provided as to its legality or fitness for purpose.