The General Data Protection Regulation (GDPR) is designed to give individuals in Europe greater protection for their personal data, covering how companies use that data and individuals' right to privacy. It requires greater controls from companies that control and process personal data.
Any organization that holds personal data, including smaller businesses or charities, is subject to the GDPR if the organization is located in Europe or is offering goods or services to individuals in Europe. Personal data means any information relating to an identifiable person who can be directly or indirectly identified by that particular information. The GDPR will be in effect as of May 25, 2018.
PayPal continuously focuses on how we protect our customer, employee, partner and merchant data. GDPR, considered a fundamental shift in privacy and data protection, will help drive a stronger baseline of requirements for personal data of individuals in Europe.
PayPal has an established Global Privacy Program and Framework and a dedicated team of privacy professionals committed to ensuring that PayPal is ready for the various privacy regulations across the globe, including GDPR. Some of the key enhancements being driven by our Global Privacy Program to prepare for GDPR include:
The GDPR provides for two different relationships for businesses handling personal data. The Data Controller, alone or jointly with others, determines the purposes and means of the processing of personal data, while the Data Processor processes data on behalf of the Data Controller.
Both Data Controllers and Data Processors have an obligation to protect personal data according to GDPR. For Data Processors, those obligations should be clearly determined by the various parties, with data protection terms in their agreements, to make sure that customers’ personal data is lawfully processed.