# GDPR

## Introduction

The E-Commerce Payment Gateway (EGW) fully complies with the General Data Protection Regulation (GDPR), ensuring that personal data is handled securely and transparently. Compliance covers both Managed Service and On-Premises delivery models, addressing data protection, processing, and retention standards.

### Managed Service GDPR Compliance

Tieto delivers a GDPR-compliant service for EGW when hosted as a Managed Service. The Data Processing Agreement (DPA), supplemented by Processing Specification Appendices, clearly defines data handling practices. The DPA outlines:

* **Data Processing Roles and Responsibilities**: Clearly defining the roles of the data controller (client) and data processor (Tietoevry).
* **Data Retention Policies**: Ensuring that personal data is stored only as long as necessary.
* **Data Subject Rights**: Enabling data access, rectification, and erasure upon request.
* **Incident Management**: Immediate response plans for data breaches.

### On-Premises GDPR Compliance

When EGW is deployed on-premises, the client (bank, PSP, or processing center) assumes full responsibility as the data controller. Tieto provides guidelines and best practices to ensure that local installations remain GDPR-compliant:

* **Data Encryption**: Use of encryption at rest and in transit to secure personal data.
* **Data Minimization**: Store only the data necessary for processing.
* **Access Control**: Role-based permissions to restrict data access.
* **Audit Logging**: Maintain detailed logs of data access and processing activities.

### Data Protection Measures

* **Encryption**: All personal data is encrypted using AES-256 for data at rest and TLS 1.3 for data in transit.
* **Anonymization and Pseudonymization**: Reduce data exposure in case of unauthorized access.
* **Access Controls**: Granular role-based access to sensitive information.
* **Data Integrity**: Regular data validation and integrity checks.
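The measures above name pseudonymization, data minimization and integrity checks without showing what they look like at the record level. The following is an added illustration written for this page; it is not EGW's own code and does not describe how Tietoevry implements these controls. It assumes a keyed HMAC-SHA256 token as the pseudonym for a card number (so records stay linkable without exposing the PAN), keeps only the fields a transaction record needs, and seals the stored record with an HMAC so later tampering is detectable. The keys and the card number are constructed placeholders; in a deployment the keys would live in an HSM or KMS.

```python
import hashlib
import hmac
import json

# Constructed placeholder keys for this example only (never hard-code real keys).
PSEUDONYM_KEY = b"example-pseudonym-key-not-for-production"
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def _digits(pan: str) -> str:
    """Normalise a PAN by keeping digits only ('4111 1111 ...' == '41111111...')."""
    return "".join(ch for ch in pan if ch.isdigit())


def pseudonymize_pan(pan: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace the PAN with a keyed HMAC-SHA256 token.

    The same PAN under the same key always maps to the same token, so
    transactions can still be correlated, but the token cannot be reversed
    or brute-forced without the key (a plain hash of a 16-digit PAN could be).
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Data minimisation for display: keep the first 6 and last 4 digits."""
    d = _digits(pan)
    if len(d) < 10:
        raise ValueError("PAN too short to mask safely")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def minimize_record(raw: dict) -> dict:
    """Keep only what processing needs; the raw PAN and CVV are never stored."""
    return {
        "txn_id": raw["txn_id"],
        "amount": raw["amount"],
        "currency": raw["currency"],
        "pan_token": pseudonymize_pan(raw["pan"]),
        "pan_masked": mask_pan(raw["pan"]),
    }


def _canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so the MAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Integrity check: attach an HMAC-SHA256 tag over the canonical record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means tampered."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


if __name__ == "__main__":
    # Constructed sample input using a well-known test card number.
    raw_txn = {"txn_id": "T-1001", "amount": "12.50", "currency": "EUR",
               "pan": "4111 1111 1111 1111", "cvv": "123"}
    stored = seal_record(minimize_record(raw_txn))
    print(json.dumps(stored, indent=2))
    print("intact:", verify_record(stored))
    stored["record"]["amount"] = "1250.00"
    print("after tampering:", verify_record(stored))
```

Note that a pseudonym of this kind is still personal data under GDPR (the controller holding the key can re-identify the subject), which is why the key itself needs the same access control and retention handling as the data it protects.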


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://doc.ecomm.api.tietoevry.com/security-and-compliance/gdpr.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
