The General Data Protection Regulation (GDPR) standardizes the handling of personal data across the EU and EEA. This new regulation goes into effect on May 25, 2018 and is intended to give individuals more control over their data and protect their right to privacy. All companies that handle the personal data of EU residents – regardless of whether the actual data processing takes place in Europe or not - must comply with the GDPR requirements.
GDPR is a fundamental shift in personal data regulation, so it's important to understand how it will impact your business. Being non-compliant could result in significant fines.
Here are some important concepts as defined by GDPR:
- Personal data: Any information relating to an individual
- Data processing: Any operation or set of operations that is performed with personal data
- Data controller: The party that determines why and how personal data will be processed
- Data processor: The party that is responsible for handling personal data based on the controller's determination
In the GDPR ecosystem, Braintree acts either as a processor or controller, depending on the context.
Braintree functions as a data controller for our merchants’ individual representatives. We may use merchant personal data to share messaging with the employees and contractors of our merchants, or in other situations of which the individual has been informed in advance and the actions taken are compliant with Data Protection Laws.
When processing transactions with merchants as part of our Payment Services Agreement, our merchants are the controller and we function as the data processor on behalf our merchants. In this case, our merchants will be solely responsible for determining the purposes and means for processing personal data. As a data processor, Braintree will only process customer data in accordance with our merchants' Privacy Policies.
We've taken steps to ensure we'll be GDPR ready as both a controller and processor.
We've made some changes to our Payment Services Agreement (PSA) to reflect the requirements of GDPR that will be applicable to all merchants. Our updated agreement will become effective on May 25, 2018 for existing merchants, and immediately for any newly onboarded merchants. Review the Braintree PSAs on our website. For changes specific to GDPR, refer to Exhibit A (Data Protection Addendum) in our Updated Payment Services Agreement.
For more information about GDPR and how you may be affected, see our blog post on getting GDPR ready. There you'll find more background on the regulation and a list of helpful resources for understanding and preparing for GDPR changes.