The General Data Protection Regulation (GDPR) is designed to strengthen controls that individuals have over their personal data and their right to privacy. It requires greater controls by companies that collect and process personal data.
Any organization that holds personal data, including smaller businesses or charities, are subject to the GDPR if the organization is located in Europe or is offering goods or services to individuals in Europe. Personal data means any information relating to an identifiable person who can be directly or indirectly identified by that particular information.
PayPal continuously focuses on how we protect our customer, employee, partner and merchant data. The GDPR, considered a fundamental shift in privacy and data protection, will help drive a stronger baseline of requirements for personal data of individuals in Europe.
PayPal has an established Global Privacy Program and Framework and a dedicated team of privacy professionals committed to ensuring that PayPal is ready for the various privacy regulations across the globe, including the GDPR. Some of the key enhancements of our Global Privacy Program include:
The GDPR provides for two different relationships for businesses handling personal data. The Data Controller, alone or jointly with others, determines the purposes and means of the processing of personal data, while the Data Processor is processing data on behalf of the Data Controller.
PayPal is either a Data Controller or Data Processor, dependent upon the PayPal product or service that is being offered to the PayPal customer.
Both the Data Controller and Data Processor have an obligation to protect personal data according to the GDPR. For Data Processors, those obligations should be clearly determined by the various parties with data protection terms in their agreements to make sure that customers’ personal data is lawfully processed.
We regularly review our terms and conditions and assess our data practices to ensure they are up to date with the latest regulatory changes.