GDPR and Payment Providers for e-commerce websites
Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information.
The GDPR and Payment Providers/Gateways for e-commerce websites
For the purposes of the GDPR, payment providers/gateways like PayPal, Stripe, Braintree or Sagepay are the same as any other third party that you share your customer data with.
In the language of the GDPR third parties are "processors" of your data, whereas you are the "controller" and the GDPR stipulates:
"Whenever a controller uses a processor it needs to have a written contract in place."
Consequently, you are highly encouraged to approach each of the Payment Providers/Gateways you use and ask for a copy of the contract or agreement between you. These contracts need to cover some specific topics regarding data sharing, and these are covered in detail here.
If you are comfortable that these agreements/contracts cover:
- the duration of the processing;
- the nature of the processing;
- that a duty of confidence is in place;
- and that your "processors" understand that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR
- then print each contract and file it away in case of an audit. If you cannot be sure that the contract covers everything specified by the GDPR then you can speak to the ICO helpline or seek legal advice.
Payment Providers / Gateways and Privacy Policies
Within your Privacy Policy list each payment provider you use, by name, explain what they are used for, and link to their Privacy Policy.
Example
Payments
We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g. payment processors).
We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
The payment processors we work with are:
- Stripe: Their Privacy Policy can be viewed at https://stripe.com/us/privacy
- PayPal or Braintree: Their Privacy Policy can be viewed at https://www.paypal.com/webapps/mpp/ua/privacy-full
- Sage Pay: Their policies can be viewed at https://www.sagepay.co.uk/policies
Disclaimer: the above example is provided for informational purposes. No warranty, either expressed or implied, is provided as to its legality or fit for purpose.
Lastly, make sure your Privacy Policy has attention drawn to it alongside any payment collection. As this collection is typically done via web forms see this section. For full advice on your Privacy Policy content please see this section.