What merchants outside the EU need to know about GDPR

by Nadja van der Veer, Co-Founder of PaymentCounsel and Managing Partner at Pytch Ventures

The European General Data Protection Regulation (GDPR) came into effect on May 25, 2018,  ushering in a new era of digital privacy across Europe. Although the legislation has been in place for almost a year, there are still many uncertainties and misconceptions around it, particularly among merchants based outside of the EU.

GDPR sets the ground rules for lawful and fair processing of personal data, transparency to data subjects, data minimisation, storage limitation, integrity and confidentiality, with data controllers responsible for demonstrating compliance.

For non-EU companies, however, it is difficult to know whether GDPR applies to them, and what to do if it does – which may be the case for those actively targeting European customers.

Guidelines for non-EU merchants

The European Data Protection Board (EDPB) recently issued draft guidelines on the subject, which provide a non-exhaustive list of factors that may indicate an intention of offering goods or services to individuals in the EU.

These include running marketing campaigns aimed at EU audiences; using EU-related URLs; providing local contact telephone numbers for individuals in the EU; providing a website in a local language and offering payments in a local EU currency, among others.

The guidelines go some way towards addressing the confusion surrounding GDPR for non-European companies, but they have also raised more questions. For example, the EDPB has stated that meeting one of the factors alone is not necessarily a clear indication that a merchant is selling into the EU.

Without a clear threshold in place, you may be wondering whether this will lead to various local interpretations of how many EDPB criteria factors need to be met to conclude if a merchant is selling into the EU. We will need to wait and see how this will play out.

Data controller versus data processor

Another challenging factor for non-EU merchants is the fact that so many parties are involved in a single payment, meaning it is not always clear who is the data controller and who is the data processor.

Current European guidelines lean towards classifying almost all financial institutions as data controllers rather than processors, which may have significant implications for merchants, who hold the relationship with the relevant data subject. At the same time, the concept of a ‘co-controller’ – where two parties are both controllers, but not liable for each other’s actions – is emerging within the industry. However, it is yet to be seen if this will stand up in court.

To provide some clarity on these issues, together with Ingenico I asked their key customers outside the EU what they want to know about GDPR and how it applies to them.

The resulting whitepaper – A Merchant’s View: The Complexity of GDPR Unraveled in the World of Payments – answers the 10 most common GDPR questions, providing insight into compliance, server locations, hosting, documentation, as well as the involvement and compliance of the many different parties within a payment transaction chain.

Merchants should read the report now to understand their own position and whether their compliance measures are up to standard.

Nadja van der Veer is a payments lawyer with over 10 years of experience in the international Payments industry and a legal expert in rules and regulations involving PSD, AML and CDD and Card Schemes. As Co-Founder of PaymentCounsel (www.paymentcounsel.com) and one of the Managing Partners of Pytch Ventures (www.pytchventures.com) she consults Merchant Acquirers, Payment Services Providers (PSPs/MSPs), other Fintech companies and Merchants in their startup phases that want to expand their business internationally, while mitigating risk.