Bambora’s general position on data security
This text serves to provide any existing customer of Bambora, or any company considering becoming a customer of Bambora (irrespectively if Bambora acts as payment service provider, payment acquirer or in any other role or combination of roles) with general information on Bambora’s position on the General Data Protection Regulation (the “GDPR”) and what Bambora does to comply with the requirements in the GDPR.
At Bambora, security has always been a core principle and as an actor in the payment industry, we comply with the strict industry requirements as well as our own internal regulations on information security. Based on this, Bambora was already prior to the adoption of the GDPR, to a large extent compliant with the requirements. This regards not only security measures of our systems used to process each payment transaction, but also the services we provide to our merchants such as the merchant portal MyBambora. Notwithstanding the above and based on the requirements of the GDPR, we have even further improved our data security, including internal policies and regulations covering data security, to ensure that personal data always is protected.
Bambora is always working on improving our security and compliance with data protection laws. Therefore, new measures and/or functions may be implemented over time as technology evolves, in order to further strengthen the security of personal data and payment data.
Data controller or data processor
The GDPR includes the concepts of “data controller” respectively “data processor”. The data controller is a party (organization) determining the purposes and means of a particular processing of personal data whereas a data processor is a party (organization) processing the personal data on behalf of the data controller. Bambora provides several different types of services and may take different roles in the payment transaction industry. For example, Bambora may act as a payment service provider and/or a payment acquirer. Depending on Bambora’s role and the services provided, Bambora may either be acting as a data controller or a data processor. Where Bambora acts as payment acquirer, Bambora will be the data controller of the payment transaction information such as the card data. This is for example due to the facts that Bambora determines what kind of data that needs to be collected and that Bambora is subject to legal requirements and/or requirements of the payment transaction industry to which Bambora needs to adhere.
Irrespective of for what purposes you contract Bambora, you as a merchant will not process personal data on behalf of Bambora and Bambora will not process personal data on behalf of you. Therefore, it is normally not necessary for merchants to sign so-called “data processing agreements” with Bambora*.
Other requirements under the GDPR
Naturally, Bambora is aware of that the GDPR contains far more requirements than those relating to technical and organizational security measures, respectively the concept of data controller and data processors. Bambora, therefore, has a continuous GDPR compliance project in place in order to align the business as a whole to all requirements emanating from the GDPR and to improve all aspects of the business from a GDPR perspective. Bambora has implemented a number of measures as a part of this project, and will continue to do so as privacy legislation evolves. Bambora has also appointed a Data Protection Officer to ensure that the protection of card-holders’ personal data is always a prioritized issue going forward. You may contact the Data Protection Officer by sending an e-mail to email@example.com.* There are a few exceptions to this rule. It does not apply to DevCode Payment AB, who acts as a data processor when providing its services. Neither does it apply to PayByWay Oy who has integrated functionality in its service which means that PayByWay Oy will process personal data on behalf of its customers. Finally, the rule does not apply when a company contracts Bambora as a payment service provider and uses invoice functionality. In such case, Bambora will need to process personal data on behalf of its customer to forward it to Bambora’s invoicing partner. Therefore, data processing agreements are necessary in these cases.