The General Data Protection Regulation (GDPR) is a new EU privacy and data protection law that came into effect on 25 May 2018. It strengthens and unifies existing EU data privacy laws and provides sweeping new protections for individuals within the European Union and the European Economic Area (which also takes in some countries, such as Switzerland, that are not EU members).

The GDPR aims primarily to give citizens and residents control over their personal data, and to simplify the regulatory environment for international business by unifying the data protection legislation across the EU.

The text of the GDPR defines Personal Data as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

For practical reasons, we define two levels of personal data within CWIE. Tier-1 data is personal in and of itself. Tier-2 data is personal when it is stored in conjunction with (combined with, or alongside) tier-1 data.

Tier-1 personal data (i.e. data that can/should be considered to be personal all by itself) includes:

  • First and Last Name

  • National ID / Passport Number / Driver’s License

  • National Insurance Number / Social Security Number / Tax Number

  • Personal E-Mail Address

  • Landline Number / Mobile Number

  • Bank Account Number / Credit Card Number / BIC / SWIFT

Tier-2 personal data items are too numerous to list (the list will keep growing as technology extends its reach), but here are a few to give an idea of what we mean:

  • IP Addresses

  • MAC Address

  • Web Cookies

  • Session Data (including Session ID’s)

  • RFID Data (i.e. Tags)

  • Audit Trail / Logs (that may contain one or more of the above mentioned Tier-2 data within them)

  • Location / GPS data

  • Personal Address (Includes home address and/or billing address - Address Line 1, Address Line 2, Apartment Number, City/Town Name, Post Code, Country)

Absolutely. Privacy, data protection, and data security are three of the core principles CCBill follows when dealing with any data, especially the personal kind.

As a payment services provider, CCBill has been securely processing transactions for over 20 years. GDPR hasn’t changed that. What GDPR has done is ensure that, at every point throughout your relationship with us, CCBill is as transparent as possible with how it stores and processes your personal data.

As an organization, one of our foundational principles was to only process personal data for the purposes for which it was collected.

If your data was collected as part of a marketing campaign/initiative, then we will only use that data for the purposes of that campaign/initiative and for nothing else. If, on the other hand, your data was collected for the purposes of processing a payment transaction then that is the sole purpose for which it will be used.

Our marketing teams share data with our marketing partners (HubSpot, Google AdSense & SalesForce.com), but only for specific campaigns. Data is not shared between campaigns and you will never receive marketing messages for which you did not provide us with explicit consent to send you. Our transaction processing systems only share data with websites to which you have subscribed as part of your transaction and nowhere else.

The simple answer is: we’ll do it for you.

A core concept of the GDPR is the ‘basis for consent’ to process personal data. There are several forms of consent, and the one CCBill uses for its transaction processing is called ‘contractual obligation’. The basic idea is that you, the end consumer, give us permission to process your data as part of processing a transaction on your behalf; that transaction is an explicit contract between us and you.

CCBill is legally bound to store your data securely until certain obligations have been fulfilled:

  • While a data owner (customer) has a valid transactional contract with CCBill, their data must remain within our system

  • While a data owner (customer) has the potential to charge back, request a refund, or otherwise challenge a financial transaction, their data must remain within our system

  • While a data owner’s (customer’s) financial transaction can or could form part of any financial business reporting that CCBill must make to a government agency in a jurisdiction in which it operates, their data must remain within our system

Once the transaction has been processed your data is stored securely within our systems until all of these obligations under the law have been satisfied. Once our obligations have been met our system automatically performs a process called ‘data anonymization’. This is a technical term that means our system replaces your sensitive data with scrambled and unrecognizable, non-personal information – effectively purging your data from our system.
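As an added illustration (not CCBill's own code) of the retention-then-anonymize process described above: each record is kept while any of the three obligations is still open, and only then are its tier-1 fields irreversibly scrambled. The 180-day chargeback window, the field names and the sample record are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Tier-1 fields as classified on this page: personal on their own.
TIER1_FIELDS = {"first_name", "last_name", "email", "phone", "card_number"}
CHARGEBACK_WINDOW = timedelta(days=180)  # assumed dispute window, not from the page

@dataclass
class TransactionRecord:
    fields: dict                 # stored values keyed by field name
    contract_active: bool        # obligation 1: a live contract with the customer
    transaction_date: date       # obligation 2: chargeback/refund window still open
    reporting_hold_until: date   # obligation 3: regulatory financial reporting period
    anonymized: bool = False

def retention_reasons(rec: TransactionRecord, today: date) -> list:
    """Return the still-open obligations that force the record to be kept."""
    reasons = []
    if rec.contract_active:
        reasons.append("active contract")
    if today <= rec.transaction_date + CHARGEBACK_WINDOW:
        reasons.append("chargeback/refund window open")
    if today <= rec.reporting_hold_until:
        reasons.append("financial reporting hold")
    return reasons

def anonymize(rec: TransactionRecord) -> TransactionRecord:
    """Irreversibly replace every tier-1 value; non-personal fields stay."""
    for name in rec.fields:
        if name in TIER1_FIELDS:
            # fresh random token per field, no key or salt retained, so the
            # original value can be neither recovered nor re-linked later
            rec.fields[name] = "anon-" + secrets.token_hex(8)
    rec.anonymized = True
    return rec

def run_retention(rec: TransactionRecord, today: date):
    """The page's automatic step: anonymize only once every obligation is met."""
    open_reasons = retention_reasons(rec, today)
    return (rec, open_reasons) if open_reasons else (anonymize(rec), [])

def sample_record() -> TransactionRecord:
    # constructed sample data; amount/currency are kept for financial reporting
    return TransactionRecord(
        fields={"first_name": "Ada", "last_name": "Example", "email": "ada@example.invalid",
                "card_number": "4111111111111111", "amount": "19.99", "currency": "USD"},
        contract_active=False, transaction_date=date(2018, 6, 1),
        reporting_hold_until=date(2019, 12, 31))
```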

Yes, it does. Our DPO will work within the organization and with its various department heads to ensure that CCBill complies with data privacy laws, uses data protection as a business enabler, addresses data privacy requirements early on in new technologies, and manages reputational risk that can arise from data protection mistakes.

All GDPR queries can be directed to our DPO email address (dpo@ccbill.com).

Yes, it does.

GDPR requires these protections to be extended to all transactions that occur within the EU, regardless of the nationality of the person making the transaction. At CCBill, we feel these protections should be extended to all customers, no matter where in the world they reside. Safety, security, and discretion are automatically extended to anyone making a purchase from a website powered by CCBill.