
Payyo GDPR Compliance

Ensuring Cardholder Data Protection and Privacy

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that came into effect on May 25, 2018. It protects the personal data and privacy of individuals in the EU, and it applies to all organizations, regardless of where they are located, that process the personal data of individuals within the EU.

The GDPR aims to give individuals greater control over their personal data, ensuring that it is handled transparently, securely, and on a valid legal basis (such as the individual’s consent). It imposes stringent requirements on organizations to safeguard data and provides significant penalties for non-compliance, including fines of up to €20 million or 4% of the organization’s global annual turnover, whichever is higher.

How Does the GDPR Work?

The GDPR outlines several key principles and requirements for data protection:

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently. Organizations must provide clear information about how data will be used.
  • Purpose Limitation: Data should be collected for specific, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
  • Data Minimization: Only the data necessary for the intended purposes should be collected and processed.
  • Accuracy: Personal data must be accurate and kept up to date. Inaccurate data should be corrected or deleted promptly.
  • Storage Limitation: Data should be stored only as long as necessary for the purposes for which it was collected.
  • Integrity and Confidentiality: Data must be processed securely to protect against unauthorized access, loss, or damage.
  • Accountability: Organizations must be able to demonstrate compliance with GDPR principles and obligations.

Additionally, the GDPR grants individuals several rights, including the right to access their data, the right to rectification, the right to erasure (the “right to be forgotten”), and the right to data portability.

Data Collection at Payyo

As a payment provider, Payyo plays a crucial role in the online payments industry and must comply with PCI DSS and AML requirements. We are committed to safeguarding the data of our end-users and treat GDPR compliance as a top priority. In the course of our operations we collect KYC information from merchants. One of the key data protection measures we implement is the anonymization of personal data belonging to merchants on our platform. This step is vital in maintaining the privacy and security of all parties involved.

Processing at Payyo

In addition to merchant KYC information, Payyo processes card data on behalf of merchants and their customers. The same PCI DSS, AML and GDPR obligations apply to this processing. Here too, one of the key data protection measures we implement is the anonymization of personal data belonging to end-users (guests) on our platform, as described in the next section.

Anonymizing Personal Data Within Payyo

In line with our obligations as a Data Processor under Art. 25 GDPR (Data protection by design and by default), Payyo applies an automatic data anonymization process to all personal guest data on our platform. This automation runs 1 year after the service date, or 1 year after the cancellation date, whichever comes first.

Note: The service date is the date the customer is booked to participate, attend or start the service. All data will remain intact from the booking date until 1 year after the service date, allowing ample time for suppliers to complete payments, refunds and disputes. 

In accordance with Art. 17 GDPR (Right to erasure, the ‘right to be forgotten’), individual anonymisation requests can be submitted and fulfilled at any time before the end of the 1-year retention period, provided the data is not still required in order to complete the contracted booking.

In the Payyo database, the anonymisation process overwrites the following personal data fields with fixed, non-identifying placeholder values (the record itself is kept, so that transactional data stays consistent):

  • Firstname and lastname: Anonymized
  • IP Address: 0.0.0.0
  • Email address: anonymized@payyo.ch
  • Date of Birth: 1970-01-01
  • Phone Number: 1234567890

This ensures that the Data Subject’s protected information is not stored on our database beyond the minimum required period in order to complete the contracted service. 

All other non-personal transactional data, including booking reference number, dates, etc. remains visible on our platform beyond the 1 year retention period.
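The rule above (anonymise 1 year after the service date or 1 year after the cancellation date, whichever comes first; honour an Art. 17 request earlier unless the booking is still open; keep transactional fields such as the booking reference) is easy to get wrong at the edges, so here is a small worked model of it. This is an added example, not Payyo’s code: the `Booking` record, the `settled` flag used to decide whether a booking is still required, and the 365-day reading of “1 year” are assumptions, and the sample bookings are constructed for illustration.

```python
"""Hypothetical model of a time-triggered, field-level anonymisation job.

Added example, not Payyo's implementation. Assumptions: a booking record with the
fields named on the page, a `settled` flag meaning payments/refunds/disputes are
complete, and "1 year" taken as 365 days.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

RETENTION = timedelta(days=365)  # "1 year" on the page; exact day count is an assumption

# Fixed placeholder values exactly as listed on the page.
PLACEHOLDERS = {
    "firstname": "Anonymized",
    "lastname": "Anonymized",
    "ip_address": "0.0.0.0",
    "email": "anonymized@payyo.ch",
    "date_of_birth": date(1970, 1, 1),
    "phone": "1234567890",
}


@dataclass(frozen=True)
class Booking:
    reference: str                    # non-personal transactional data, retained
    service_date: date
    cancellation_date: Optional[date]
    settled: bool                     # assumed flag: no open payment/refund/dispute
    firstname: str
    lastname: str
    ip_address: str
    email: str
    date_of_birth: date
    phone: str


def anonymisation_due_date(b: Booking) -> date:
    """Earlier of service_date + 1 year and cancellation_date + 1 year."""
    candidates = [b.service_date + RETENTION]
    if b.cancellation_date is not None:
        candidates.append(b.cancellation_date + RETENTION)
    return min(candidates)


def anonymise(b: Booking) -> Booking:
    """Overwrite personal fields with the placeholders; keep everything else."""
    return replace(b, **PLACEHOLDERS)


def is_anonymised(b: Booking) -> bool:
    return all(getattr(b, field) == value for field, value in PLACEHOLDERS.items())


def run_scheduled_job(records: list[Booking], today: date) -> list[Booking]:
    """Automatic pass: anonymise every record whose due date has arrived."""
    return [anonymise(b) if today >= anonymisation_due_date(b) else b for b in records]


def handle_erasure_request(b: Booking, today: date) -> tuple[Booking, bool]:
    """Art. 17 request: honoured at any time unless the record is still needed to
    complete the contracted booking (service not yet delivered and not cancelled,
    or money movements still open). Returns (record, honoured)."""
    service_pending = b.cancellation_date is None and today < b.service_date
    if service_pending or not b.settled:
        return b, False
    return anonymise(b), True


# Constructed sample records (not real data).
SETTLED_PAST = Booking("BK-1001", date(2024, 3, 10), None, True,
                       "Ada", "Lovelace", "203.0.113.7", "ada@example.org",
                       date(1990, 5, 2), "+41790000000")
CANCELLED_EARLY = Booking("BK-1002", date(2025, 9, 1), date(2025, 2, 1), True,
                          "Bob", "Example", "198.51.100.4", "bob@example.org",
                          date(1985, 1, 20), "+41790000001")
PENDING_FUTURE = Booking("BK-1003", date(2026, 8, 15), None, False,
                         "Cy", "Example", "192.0.2.9", "cy@example.org",
                         date(2000, 12, 31), "+41790000002")

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for b in run_scheduled_job([SETTLED_PAST, CANCELLED_EARLY, PENDING_FUTURE], today):
        print(b.reference, anonymisation_due_date(b), "anonymised" if is_anonymised(b) else "intact")
```

Note that the cancellation date can precede the service date, so the job must take the earlier of the two deadlines rather than always keying off the service date; and because the placeholders are fixed values, `is_anonymised` doubles as a cheap audit check over the table.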

Note: The anonymization process only affects data held within Payyo; it does not change what is visible in the service provider’s booking information. The Data Subject’s personal data remains available on the service provider’s platform according to the service provider’s own Data Privacy Policy, and on the booking software (integrator) platform according to the integrator’s Data Privacy Policy as a Data Processor and that of the service provider as a Joint Data Controller.

Summary

  • All personal guest data is anonymised 1 year after the service date (or 1 year after the cancellation date, if earlier).
  • Historical data older than 1 year will be anonymised starting from 31 December 2024.
  • Data on the service provider’s side is not affected.
  • Data on the integrator’s platform is not affected.

Conclusion

At Payyo, protecting the personal data of our users and clients is of utmost importance. We are committed to complying with GDPR and ensuring that data is handled with the highest standards of security and transparency. If you have any questions or concerns about our data protection practices, please do not hesitate to contact us at support@payyo.ch.

Updated on July 10, 2024
