PROTECTING PERSONAL DATA IS A MAJOR COMPLIANCE ISSUE, KEY TO THE RELATIONSHIP OF TRUST BETWEEN A COMPANY AND ITS CUSTOMERS.

Since the entry into force of the General Data Protection Regulation on May 25, 2018, a precise and original framework has been imposed in parallel with and in addition to PSD2.
Combined with the Payment Services Directive, the GDPR cumulates two major effects:

  • payment data is personal data: it must be processed in compliance with the RGPD.

  • sensitive payment data requires enhanced protection, according to special rules that impose specific procedures, strict monitoring and mandatory reporting requirements.


  UNDERSTANDING AND OPTIMIZING THE RELATIONSHIP BETWEEN RGDP AND PAYMENT IS ESSENTIAL FOR ANY PAYMENT
 SERVICE PROVIDER.

As soon as the application for approval is submitted, the subject of RGPD compliance becomes imperative.  Like any organization processing personal data, it must first of all demonstrate at all times its compliance with the main principles of lawfulness, fairness, quality, security, transparency, and purpose limitation, Privacy by Default, Privacy by Design…
 
  As a manager of sensitive payment data, it is also subject to a set of rules laid down by regulators, notably the new “technical regulation standards” issued by the EBA.
 
  For merchants, there are also contractual requirements arising from the acceptance of numerous payment methods: the PCI-DSS rules for payment cards are the best-known example.
 
  One of the tools required for successful compliance is a privacy impact assessment, which is mandatory in a large number of cases. The role of the Data Protection Officer, formerly known as the Correspondant Informatique et Libertés, has been strengthened, and his or her appointment is now mandatory in a large number of cases.

GDPR

MEETING THE MULTIPLE PERSONAL DATA PROTECTION REQUIREMENTS OF A PSP

ACPR and CNIL continue to play a central role at national level. The Banque de France also plays a key role in the security and smooth operation of payment systems. The arrival of the AMLA, the new European authority now responsible for preventing money laundering, an area in which the most sensitive data are at stake, completes this rapidly changing landscape.
 
  These national and European authorities are cooperating ever more closely, within the framework of the coordination mechanisms of the ESCB and the European Data Protection Board. And while before, the maximum financial penalty that the CNIL could impose was just 150,000 euros, fines for non-compliance can now be as high as 4% of a company’s worldwide sales or 20 million euros, whichever is higher. In addition to this RGPD issue, there are possible penalties under financial regulations specific to PSPs.
  Non-compliance on personal data linked to payment can therefore be very costly.

CANTON HAS LONG-STANDING EXPERTISE IN THE PROTECTION OF PAYMENT-RELATED PERSONAL DATA IN SEVERAL EUROPEAN COUNTRIES

CANTON has acquired unique knowledge and know-how in this field, having worked in some ten European countries on subjects as diverse as obtaining approval, managing sanctions procedures, optimizing anti-money laundering vigilance, controlling reporting procedures and internal auditing.
 Combining a mastery of legal frameworks, an understanding of the issues and technological constraints involved, and business practices, our experts can provide you with a high level of theoretical and practical knowledge to offer you solutions tailored to your data protection needs in the highly specific world of payments.