GDPR

Introduction

The E-Commerce Payment Gateway (EGW) fully complies with the General Data Protection Regulation (GDPR), ensuring that personal data is handled securely and transparently. Compliance covers both Managed Service and On-Premises delivery models, addressing data protection, processing, and retention standards.

Managed Service GDPR Compliance

Tietoevry delivers a GDPR-compliant service for EGW when hosted as a Managed Service. The Data Processing Agreement (DPA), supplemented by Processing Specification Appendices, clearly defines data handling practices. The DPA outlines:

  • Data Processing Roles and Responsibilities: Clearly defining the roles of the data controller (client) and data processor (Tietoevry).

  • Data Retention Policies: Ensuring that personal data is stored only as long as necessary.

  • Data Subject Rights: Enabling data access, rectification, and erasure upon request.

  • Incident Management: Immediate response plans for data breaches.

On-Premises GDPR Compliance

When EGW is deployed on-premises, the client (bank, PSP, or processing center) assumes full responsibility as the data controller. Tietoevry provides guidelines and best practices to ensure that local installations remain GDPR-compliant:

  • Data Encryption: Use of encryption at rest and in transit to secure personal data.

  • Data Minimization: Store only the data necessary for processing.

  • Access Control: Role-based permissions to restrict data access.

  • Audit Logging: Maintain detailed logs of data access and processing activities.

Data Protection Measures

  • Encryption: All personal data is encrypted using AES-256 for data at rest and TLS 1.3 for data in transit.

  • Anonymization and Pseudonymization: Reduce data exposure in case of unauthorized access.

  • Access Controls: Granular role-based access to sensitive information.

  • Data Integrity: Regular data validation and integrity checks.
