GDPR Compliance Statement
2Checkout will be GDPR compliant by May 25th
What is GDPR Compliance?
The General Data Protection Regulation (GDPR) is an EU-wide regulation for the protection of European citizens' data that comes into force on 25th of May 2018 and all companies that collect such data will need to comply with it. It establishes a set of compliance and security processes around managing personally identifiable information so that it is not misused. Currently there is no certification or license required or available for GDPR.
Our Commitment Towards GDPR
Our customers' right to privacy is a main priority for 2Checkout and because of this, compliance with and to international law and regulations are core values. Our focus is to process payments securely and efficiently whilst adhering to the latest changes and updates within the payments industry and EU regulations.
How are We Preparing for GDPR?
2Checkout is currently in the process of becoming compliant with GDPR. Since it is a complex process it takes time and involves mapping, assessing, planning and implementing changes throughout the company. We are working with subject matter experts from the field and consultancy firms to support us in the process. Here's an overview of our analysis and the steps that we are taking to ensure compliance:
Establishing the Governance Structure
Completed
- Build the GDPR compliance initiative with a dedicated focus group
- Appoint a Data Protection Officer (DPO) in an independent role
- Conduct an assessment on product and business impact
- Initiate the internal Privacy and Security Awareness program
- Conduct Data Protection Impact Assessment (DPIA) [Internal]
- Conduct Data Protection Impact Assessment [External]
Updating Policies and Procedures
Completed
- Data protection policy
- Data retention policy
- Information security policy
- Cookie policy
- Data breach and incident response plan
- Risk management framework to assess and manage threats across the organization that also takes into account personal data
- Embedding of personal data protection requirements within contracts and agreements with third-party service providers and merchants
Embedding and Implementing Data Privacy into Operations
Completed
- Conduct a data mapping inventory and analysis of data in our systems
- Establish procedures and policies to restrict processing of personal data
- Set up automatic mechanisms to automatically track the flow of personal data within and outside our systems
- Set up privacy dashboard for shoppers
Going Forward
We are committed to transparency, control and accountability. For any questions regarding GDPR please forward your inquiries to dpo@2checkout.com.
On May 25th 2Checkout will be GDPR compliant. Please note that for the data you collect outside of our systems - 2Checkout or Avangate Platforms - you must be GDPR compliant as well.
We will keep you informed on the GDPR compliance process.
GDPR Compliance FAQs
We have compiled a list of questions that we have noted that our clients and partners are frequently asking when evaluating their own GDPR compliance program.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU-wide regulation for the protection of European citizens' data that comes into force on 25th of May 2018 and all companies that collect such data will need to comply with it. It establishes a set of compliance and security processes around managing personally identifiable information so that it is not misused. Currently there is no certification or license required or available for GDPR.
Is 2Checkout compliant?
2Checkout will be GDPR compliant both in terms and technology once GDPR kicks in on May 25th, 2018.
Where is personal data stored?
Our primary datacenter is in the Netherlands and our secondary one is in the United States of America.
Is personal data processed outside EU countries? If so on what legal basis and where outside of the EU?
We process personal data in USA and 2Checkout is registered for Privacy Shield there.
Are there any technical and security measures for the protection of PII data?
2Checkout has been for many years PCI level 1 certified for the payment data and we will apply the same level of care and similar security measures for PII data.
Lead management/ abandoned cart
According to GDPR regulations we have a legitimate business interest in enabling it, however a mouse over message will be implemented to inform potential shoppers.
Do we need to sign additional agreements or any additional addendum to contracts?
No, this is not mandatory. We will send out 2 updated documents: Privacy Policy and Data Privacy Provision for your acknowledgement.
Are you going to send any notifications to shoppers, our clients?
No, this is not mandatory under GDPR as we have a legitimate interest to collect and use the data for transactions.
What shopping cart updates will 2Checkout make GDPR compliant?
We will update the Privacy Policy and add the age verification. All other controls are already present in the shopping cart.
Do we need to add the age consent to all carts?
Yes, 2Checkout will implement this change to all shopping carts.
How will GDPR impact auto renewal?
Autorenewal is not regulated by GDPR and since we were already compliant with shopper protection rules we will not make changes to it due to GDPR.
Can a shopper / end-user correct any of their data via myAccount?
Yes, this is possible based on a written request. Currently, a shopper can send an email contact request at support@2checkout.com and request the changes. After GDPR will be in force we will have a dedicated channel and dedicated email address: dpo@2checkout.com for all GDPR inquiries.
If a shopper asks to be forgotten what will 2Checkout do? Can their data be erased?
No. It is collected for a legitimate interest and we need to retain it for up to 10 years for legal and financial reasons.
How long will 2Checkout retain the shopper/end-user data?
We keep the data for 10 years.