PayPal & General Data Protection Regulation (GDPR)

What is the GDPR?

The General Data Protection Regulation (GDPR) is designed to strengthen controls that individuals have over their personal data and their right to privacy. It requires greater controls by companies that collect and process personal data.

Any organization that holds personal data, including smaller businesses or charities, are subject to the GDPR if the organization is located in Europe or is offering goods or services to individuals in Europe. Personal data means any information relating to an identifiable person who can be directly or indirectly identified by that particular information.

PayPal’s Readiness for GDPR

PayPal continuously focuses on how we protect our customer, employee, partner and merchant data. The GDPR, considered a fundamental shift in privacy and data protection, will help drive a stronger baseline of requirements for personal data of individuals in Europe.

PayPal has an established Global Privacy Program and Framework and a dedicated team of privacy professionals committed to ensuring that PayPal is ready for the various privacy regulations across the globe, including the GDPR. Some of the key enhancements of our Global Privacy Program include:

  • Updates to our User Agreement and Privacy Statement as well as our internal policies and procedures.
  • For the transfer of personal data of European citizens to the U.S., we actively sought approval by the Data Protection Authorities of our Binding Corporate Rules (“BCRs”) for internal transfers of certain types of personal data and Standard Contractual Clauses (“SCCs”) for transfers to and from third parties.
  • Continuing our efforts to support and commit to privacy and data protection, after the effective date, by re-assessing and improving our GDPR capabilities through strategic initiatives and consideration of any regulatory changes along the way.
  • Providing additional ways for our EU customers to manage their preferences in relation to the processing of their personal data, e.g. marketing opt-outs.

PayPal as a Data Controller or Data Processor

The GDPR provides for two different relationships for businesses handling personal data. The Data Controller, alone or jointly with others, determines the purposes and means of the processing of personal data, while the Data Processor is processing data on behalf of the Data Controller.

PayPal is either a Data Controller or Data Processor, dependent upon the PayPal product or service that is being offered to the PayPal customer.

Both the Data Controller and Data Processor have an obligation to protect personal data according to the GDPR. For Data Processors, those obligations should be clearly determined by the various parties with data protection terms in their agreements to make sure that customers’ personal data is lawfully processed.

We regularly review our terms and conditions and assess our data practices to ensure they are up to date with the latest regulatory changes.

Resources