The General Data Protection Regulation (GDPR) standardizes the handling of personal data across the EU and EEA. This new regulation goes into effect on May 25, 2018 and is intended to give individuals more control over their data and protect their right to privacy. All companies that handle the personal data of EU residents, regardless of whether the actual data processing takes place in Europe or not, must comply with the GDPR requirements.

GDPR is a fundamental shift in personal data regulation, so it's important to understand how it will impact your business. Being non-compliant could result in significant fines.

Key concepts

Here are some important concepts as defined by GDPR:

  • Personal data: Any information relating to an individual
  • Data processing: Any operation or set of operations that is performed with personal data
  • Data controller: The party that determines why and how personal data will be processed
  • Data processor: The party that is responsible for handling personal data based on the controller's determination

In the GDPR ecosystem, Braintree acts either as a processor or controller, depending on the context.

Braintree as a data controller

Braintree functions as a data controller for our merchants’ individual representatives. We may use merchant personal data to share messaging with the employees and contractors of our merchants, or in other situations of which the individual has been informed in advance, provided the actions taken comply with Data Protection Laws.

Braintree as a data processor

When processing transactions with merchants as part of our Payment Services Agreement, our merchants are the controller and we function as the data processor on behalf of our merchants. In this case, our merchants will be solely responsible for determining the purposes and means for processing personal data. As a data processor, Braintree will only process customer data in accordance with our merchants' Privacy Policies.

What we've done to prepare

We've taken steps to ensure we'll be GDPR ready as both a controller and processor.

Payment Services Agreement updates

We've made some changes to our Payment Services Agreement (PSA) to reflect the requirements of GDPR that will be applicable to all merchants. Our updated agreement will become effective on May 25, 2018 for existing merchants, and immediately for any newly onboarded merchants. Review the Braintree PSAs on our website. For changes specific to GDPR, refer to Exhibit A (Data Protection Addendum) in our Updated Payment Services Agreement.

Privacy Policy updates

We've also updated our Privacy Policy to pertain specifically to Braintree – replacing our previous PayPal Privacy Policy. This new policy details the personal data we collect as a data controller, when we collect the personal data of our merchants’ individual representatives, and how we use this data across our services. We encourage you to familiarize yourself with our new Privacy Policy, which can be found under the Legal section of our website.

Additional resources

For more information about GDPR and how you may be affected, see our blog post on getting GDPR ready. There you'll find more background on the regulation and a list of helpful resources for understanding and preparing for GDPR changes.