Junior Member from GB
joined:May 24, 2006
I sell (memberships to my website) using Paypal and Stripe to take payments.
As I understand it, PSPs are entitled to process personal data "to ensure the performance of a contract", as long as data is
* processed legally and appropriately and with a clear view of how the information will be used;
* collected for specified, explicit and legitimate purposes;
* relevant and limited to the respective purposes;
* accurate and kept up to date;
* retained for no longer than is necessary for the relevant purposes;
* only processed if kept appropriately secure.
As Paypal and Stripe will be regarded as Processors I need to
i) ensure that they are complying with GDPR
ii) have a written contract with each of them setting out obligations etc
Stripe has a comprehensive page on GDPR and states that they are working to comply and update contracts:
I've searched Paypal and find no statement of GDPR compliance as yet, but after much searching I found this, which also takes effect on 25th May and seems to embody GDPR without actually mentioning GDPR!
I guess I will just have to hope that both Stripe and Paypal will come up with some means of getting a "written contract" before 25th May.