payware and GDPR Compliance
Our commitment to you and the protection of your data
As of May 25, 2018, the ‘General Data Protection Regulation’ or GDPR is in force across all Member States of the European Union and the European Economic Area. GDPR aims to harmonize the differing data protection laws of the Member States, leading to more standardized protections for all European citizens. At payware, we welcome this regulatory change because we have always strived to provide our clients with the highest protection of their personal data.
Organizational Readiness at payware
The protection of our customers’ personal data is of utmost importance to us. We have worked to ensure that all GDPR compliance requirements were met well in advance. We also follow established practices in this area and all guidelines issued by the regulatory bodies, so that our protection measures are adapted constantly and adequately.
Privacy Team and GDPR Training
All of our employees have undergone GDPR training, overseen by our on-site Privacy Team, Compliance Department and our outside privacy consultants. Each new employee must participate in a mandatory training session related to privacy regulations and best practices. New training sessions are carried out annually thereafter for all employees.
The company’s internal policies are updated in accordance with the GDPR requirements.
The data we collect
How we use the collected data
payware clients and their related personal data
All of payware’s clients are legal entities (companies/corporations). Data about sole traders is personal data under GDPR; the remaining corporations/companies are not data subjects under the law. However, we are obliged to verify the identity of the business owner/authorized user who is opening the Account (in the case of a company or other entity, referred to as the “user opening the Account”), and we process the personal data of this business owner/authorized user. Information regarding the company itself (with the exception of sole traders), including its risk profile and due diligence checks, is not regulated by GDPR.
Data Protection Impact Assessment
We have carried out a detailed review of all our data processing activities, by product and by department. We have analyzed the grounds for processing, the retention periods, and the technical and legal safeguards for our clients’ rights and freedoms, and we have ensured that every data processing activity we carry out is 100% compliant with the law.
Our retention periods
Please be aware that, because we provide services to financial institutions, we are required to keep clients’ data for a period of 5 years after the termination of the customer’s contract/account.
Correction (rectification) of client’s personal data
Our customers can send us a request to correct inaccurate or incomplete personal information via email to firstname.lastname@example.org.
Our clients have the right to receive a copy of the data we hold for them at any time. The request can be sent via e-mail to email@example.com.
We generally retain clients’ personal information for as long as is necessary for the performance of the contract between them and us and to comply with our regulatory obligations. Our customers can request the closure of their payware Account and the termination of the contract at any time. However, we will keep their data for 5 years after the termination, in compliance with the law.
Once the regulatory retention periods have expired, we diligently delete clients’ personal information from our systems. A request for deletion can be sent via e-mail to firstname.lastname@example.org.
Data transfer as our clients’ right
Our clients have the right to receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use. They can transfer their personal data from one controller to another and/or have the personal data transmitted directly between controllers without hindrance.
Consent withdrawal and restriction of personal data processing
Where our clients have provided their consent to the processing of personal information by us, they may withdraw the consent at any time by sending a communication to us specifying which consent they are withdrawing. Please note that the withdrawal of consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.
Data subjects’ rights and legal entities
Please be informed that corporations are not data subjects under GDPR. Business owners who use payware services and hold business accounts can exercise their rights, but only regarding their own personal data (or the personal data of the authorized person). Information regarding their company, including its risk profile and due diligence checks, is not regulated by GDPR.
With whom we share personal data
Children and our services
Reviews of Vendors and Partners
All our current vendors have been reviewed to ensure they meet the security and privacy requirements defined by GDPR. To maintain this assurance, the same review is conducted for every incoming vendor. Where we transfer, store or process personal information outside of the European Economic Area, we guarantee that appropriate safeguards are in place to ensure an adequate level of data protection.
Where we deal with entities outside the EEA, we always require our vendors either to be registered under the Privacy Shield mechanism (or a similar one) or to provide us with a review of their appropriate privacy safeguards.
Encryption and storage of personal data
We take responsibility for ensuring that your personal information is secure and is kept in encrypted form on servers colocated in special data centers in Class A jurisdictions in Europe. To prevent unauthorized access to or disclosure of information, we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.
Our Incident Response procedures have been designed and tested to ensure that potential security events are identified and reported to the appropriate personnel for resolution, that personnel follow defined protocols for resolving security events, and that the steps taken for resolution are documented and reviewed by our Security Team on a regular basis. Additionally, we are working to update these policies and procedures to include breach notification if and when a security incident involves the loss or unauthorized use of personally identifiable information (PII).
We use “cookies” and other technologies when users visit or use our websites or mobile apps. This usage is based on consent. If our users wish to withdraw their agreement to accept cookies and similar technologies, they can delete the cookies via their browser settings (how to do so is described in our Cookies Policy). Further information on deleting and blocking cookies is available at http://www.allaboutcookies.org/manage-cookies/clear-cookies-installed.html
We provide services in the entire EU and EEA as payware OOD. You can find our registration number with the relevant infrastructure supervisory authority; in the Republic of Bulgaria, for example, you can find us in the Commercial Register and Register of NPLE, at: