The General Data Protection Regulation of the European Union (GDPR), which takes effect on May 25, 2018, is the European Union’s (EU) comprehensive new privacy law that aims to protect the personal data—and rights related to that data—of persons residing within the EU.
The GDPR defines personal data as “any information relating to an identified or identifiable natural person.” Your name and email address are both examples of personal data. Any organization that processes personal data of EU residents will be required to comply with the GDPR, whether or not such companies have any physical or legal presence in the EU. Thus, the GDPR applies globally to any organization which collects personal data or monitors the behavioral activity of persons located within the EU.
How Does the GDPR Affect Billtrust and Its Customers?
For the purposes of the GDPR, Billtrust is a “data processor” (i.e., an organization that processes personal data on behalf of a data controller, typically in the context of providing services to the data controller) and our customers are typically “data controllers” (i.e., individuals or organizations that determine the purposes and means of the processing of personal data). Under the GDPR, individuals whose personal data are being processed are referred to as “data subjects.”
Processors and controllers each have their respective obligations under the law. Therefore, even though Billtrust may be in compliance with the GDPR, it does not mean that our customers are automatically in compliance with the GDPR.
Responsibilities of Data Controllers
Data controllers are individuals or organizations that determine the purposes and means of processing personal data. Data controllers bear the primary responsibility for complying with the rights of data subjects and responding to data subjects’ requests under the GDPR. For example, when a data subject makes a lawful request to access, correct, update, delete, or restrict the processing of his or her personal data, the GDPR obliges the data controller to respond and, presuming the request is reasonable and does not infringe the rights of others, to fulfill that request.
Data controllers are also required to implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data, and to provide information about the personal data being processed, the purposes of that processing, and the third parties to which that information will be transferred, among other things. Finally, the GDPR imposes duties of transparency and “data protection by design and by default,” which require the open, intelligible sharing of relevant privacy information and considering the privacy of personal data when undertaking new initiatives or developing new products or services. These are just a few of the various controller-related provisions of the GDPR.
Responsibilities of Data Processors
A data processor only processes data according to the documented instructions of a data controller. While a processor does have certain obligations to support and assist the data controller in upholding its own obligations, such as informing the controller of requests it receives from data subjects, its relationship to the personal data and the data subjects themselves is comparatively quite restricted.
Billtrust’s Compliance with the GDPR
Billtrust has engaged VeraSafe, a privacy consulting firm, to assist us with our GDPR compliance efforts, and with their assistance, we are actively engaged in ensuring our own compliance with the GDPR and having solutions to enable our customers to comply with their own obligations as data controllers under the law.
Billtrust has always aimed to maintain the privacy and protection of data subjects in accordance with any applicable data protection laws. This is demonstrated by Billtrust’s participation in the EU-U.S. Privacy Shield Framework (“Privacy Shield”).
In anticipation of the GDPR taking effect on May 25, 2018, Billtrust has undertaken extensive reviews of its data protection policies, security measures and operational processes to ensure our compliance with the GDPR. Unlike the Privacy Shield, there is no certification process currently available for proving compliance with the GDPR. However, Billtrust is taking the GDPR seriously.
Billtrust’s GDPR Compliance Activities
Creation of a Data Processing Addendum
In compliance with Article 28 of the GDPR, Billtrust has added a new Data Processing Addendum (DPA) to our Terms of Service that governs the terms by which Billtrust processes personal data on behalf of our customers. According to Article 28 of the GDPR, data processors must only act upon the documented instructions of the data controller unless otherwise required by law. However, such a requirement does not relieve Billtrust of any of our obligations or liabilities under the GDPR. By executing our DPA, you will be able to use Billtrust’s services confident in the knowledge that personal data is being processed according to GDPR requirements.
Billtrust customers are responsible for signing our DPA if transferring personal data from the EU to a country outside the European Economic Area. The Billtrust DPA is available on a self-service basis. To preview the Billtrust DPA please download the PDF version. After previewing the DPA, click the “Ready to Sign” link at the bottom of the page to complete the electronic signature process.
Appointment of an Article 27 EU Representative
In accordance with Article 27 of the GDPR, Billtrust has appointed VeraSafe as our official representative in the European Union. To ensure compliance with the GDPR, supervisory authorities and data subjects whose data are being processed by Billtrust may contact Billtrust through VeraSafe on all issues related to our GDPR compliance. The contact details for our Article 27 EU representatives are as follows:
VeraSafe Czech Republic s.r.o.
Prague 1, 11002

VeraSafe Ireland LTD
Unit 3D North Point House
North Point Business Park
New Mallow Road

Email: [email protected]
Billtrust relies on third-party service providers to help provide the Billtrust services to you, such as payment processing services and cloud storage providers. These service providers are also considered data processors under the GDPR, but since they are only processing data on our instructions, we refer to them as subprocessors. Billtrust is actively engaged in repapering our contracts with our service providers to ensure that each agreement contains privacy terms that meet the standards of the GDPR.
But we don’t stop there: before we entrust your data to one of our service providers, we are required by the GDPR to confirm that each subprocessor is capable of providing state-of-the-art data privacy and data security. Billtrust remains responsible for our customers’ personal data, even when it’s in someone else’s hands.
Protecting Privacy by Design
Billtrust has always been a security-conscious company, and going forward new product development will be designed from inception to implementation with the privacy and security of personal data in mind, a requirement that is central to the GDPR.
Billtrust’s Activities to Make Our Customers’ GDPR Compliance Easier
Easier Response to Data Subjects
As data controllers, our customers have additional obligations under the GDPR, including the responsibility to recognize the rights of the data subject enumerated in Chapter III of the GDPR and to respond to objections of data subjects and requests for information, rectification, access and erasure.
Billtrust’s goal is to improve our service to make it easier and more efficient for our customers to respond to these requests from the individuals whose data they process. We are in the process of developing internal policies to allow a more streamlined approach to our customers’ interaction with data subjects.
The Billtrust service already requires minimal data collection in order to function. The only personal data Billtrust requires in order for our service to function is the email address and/or billing address of each intended recipient, making it easy for our customers to minimize their own personal data processing.
For our customers who are regulated by the GDPR, data subjects have the “right to be forgotten.” In compliance with that right, Billtrust will remove all personal data for a data subject upon request of our customer. Outside of specific requests, data will be deleted per the terms and conditions of the contractual agreement with our customer.
We are committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across Billtrust’s suite of services, including data submitted by customers to the Billtrust services. This program is executed via a strategic, multi-layered combination of industry best practices, deep industry experience, annual independent audits and partnership with best-in-class providers such as Amazon Web Services. Our systems are tightly controlled on the physical, network, and application levels, and we perform regular security testing and monitoring to ensure consistency and effectiveness.
We hope this information is helpful in understanding the GDPR requirements and Billtrust’s GDPR program efforts.
Billtrust’s Data Processing Addendum
Billtrust provides a data processing addendum to help customers meet their data protection obligations. Billtrust customers are responsible for signing our data processing addendum if the customer transfers personal data from the European Union (EU) to a country outside the European Economic Area. On May 10, 2018, the Billtrust data processing addendum was approved by VeraSafe, our Article 27 representative, and privacy attorneys.
The Billtrust data processing addendum is available on a self-service basis for our customers that are processing personal data via Billtrust services. To preview the Billtrust data processing addendum please download the PDF version. After previewing the data processing addendum, click the “Ready to Sign” link at the bottom of the page to complete the electronic signature process.
If you are a current Billtrust customer with an executed DPA and need to update your Article 27 EU representative or Data Protection Officer information on record, please contact Customer Support by phone or email [email protected] to submit a case.