GDPR

[Changaco]

This issue is about Liberapay's compliance with the General Data Protection Regulation.

[Changaco]

GDPR, Sentry, and You

[Changaco]

[fr] Désignez en ligne votre délégué à la protection des données auprès de la CNIL

[Changaco]

Mangopay has just sent us a GDPR amendment to the contract we have with them. They request that we sign it before May 21st (6 days from now).

[Changaco]

Here's a text dump of the PDF:

                                      AMENDMENT GDPR
                                TO THE PARTNERSHIP AGREEMENT
                                          MANGOPAY

AGREED BETWEEN:

______________________________, a __________________________ company
with a capital of ____________, whose registered offices are located at _____________________,
listed under Number _____________ on the ___________________________________________ Trade and
Company Register, and represented by Mr/Mrs. ________________ acting as __________________ and
duly authorised for the purpose hereof.

                                      (Hereinafter referred to as the "Partner”)

AND

MANGOPAY SA, a limited liability company incorporated in Luxembourg, with a capital of 2.000.000
euros and registered offices at 10 Boulevard Royal, L-2449 Luxembourg, listed under Number
B173459 on the Luxembourg Trade and Company Register, approved as an electronic money institution
by the Financial Sector Regulator (CSSF) and authorised to carry out its business in Europe,
and represented by Romain Mazeries, Managing Director, duly authorised for the purpose hereof,

                                         (Hereinafter referred to as “MANGOPAY”)



Hereinafter jointly referred to as the "Parties", or individually as a “Party”.


PREAMBLE

The Parties have previously concluded a CONTRACT FOR ELECTRONIC MONEY SERVICES or a
CONTRACT FOR MANGOPAY-PAYMENT ACCOUNT (hereinafter the “Agreement”). Folllowing this
agreement the Partner is appointed by MANGOPAY as a distributor of e-money in accordance with
article 3, (4) of the Directive (EU) 2009/110/CE of 16 september 2009 on the taking up, pursuit and
prudential supervision of the business of electronic money institutions, or as an agent for payment
services in accordance with article 4, 38° of the Directive (EU) 2015/2366 of 25 November 2015 on
payment services in the internal market.


1. Purpose of the Amendment

The purpose of this Amendment is to adapt the provisions of the Agreement to the recent
developments on the regulations applicable to MANGOPAY’s activities, in particular the Regulation
(EU) 2016/679 of 27 April 2016 on personal data protection (“GDPR”), applicable from 25 May 2018.

2. Amendments to the Agreement

2.1. Amendments to article 1 “Definitions”

In article 1 of the Agreement, the definition of “personal data” is hereby amended as follows:

  “Personal Data”: means any information relating to a Data subject and processed under the
  Programme implemented with the Partner.

The following definitions are also added:

  “Data subject”: refers to any identified or identifiable natural person, whose Personal data is
  processed. An identifiable natural person is one who can be identified, directly or indirectly, in
  particular by reference to an identifier such as a name, an identification number, location data, an
  online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
  economic, cultural or social identity of that natural person.


2.2. Amendments to article 22 “Protection of Personal Data”

The purpose of this clause is to define and set the role of each Party, in order to comply with the
provisions of the GDPR. As such, it is hereby agreed that a joint responsibility shall be established
between MANGOPAY and the Partner.

The provisions of article 22 are replaced as follows:

  Article 22. Protection of the Data subjects’ Personal Data

  22.1. Scope and role of the Parties

  MANGOPAY, within the context of the regulated services provided to the Data subjects as an electronic
  money institution, shall in particular process Personal Data for the following purposes: opening and
  managing the wallet; receiving and executing payment transactions; managing customer relation and
  claims; combatting money laundering and the financing of terrorism.

  The Partner acknowledges that it partly determines the means used to make such processing. Indeed,
  the Partner’s Website may be considered as a communication channel with MANGOPAY’s API and
  constitutes the only contact point of the Data subject for the collection of its Personal Data and the
  customer service.

  Furthermore, the Partner uses the services of MANGOPAY in order to generate on its payment page the
  input fields to collect payment data (card data). The purpose of this processing is determined by the
  Partner, as the publisher of the website and payment page. However, MANGOPAY acknowledges that
  it determines on its own some of this processing’s means. Indeed, MANGOPAY’s API allows to generate
  the data input fields and to communicate with the “Payment service provider” selected by MANGOPAY.

  Thus, the Parties each intervene for the determination of either the purposes or the means, of the
  above mentioned processing. The Parties agree that they jointly take the responsibility for the
  processing, in accordance with article 26 of the GDPR.
  Each Party acknowledges that it has to respect all the provisions of the GDPR applicable to data
  controllers.

  Each Party acknowledges that any personal data processing carried out for other purposes than those
  subject to the joint responsibility is carried out under its own responsibility, outside of its relation with
  the other Party.

  22.2. Provision of compulsory information to the Data subjects

  In accordance with articles 13 and 14 of the GDPR, some information shall be provided to the Data
  subjects by the data controllers. The collection of Personal Data being carried out exclusively through
  the Partner, the Parties agree that all the compulsory information under articles 13 and 14 of the GDPR
  shall be provided by the Partner. The latter shall communicate this information in a manner that
  complies with the GDPR and with the WP260 guidelines of the article 29 working party on
  transparency.

  The Partner shall inform the Data subjects of the main features of this Agreement, in accordance with
  article 26, 2° of the GDPR. The Partner shall also indicate to the Data subjects, in a clear and easily
  accessible manner, that they may consult the privacy policy of MANGOPAY, accessible at the following
  address: www.mangopay.com.

  22.3 Exercising of their rights by the Data subjects

  The Parties agree that the Partner shall be the main contact point of the Data subjects concerning the
  requests to exercise their rights (the right to request from the controller access to and rectification or
  erasure of personal data or restriction of processing concerning the data subject or to object to
  processing as well as the right to data portability). For this purpose, the Partner shall provide to the
  Data subjects the modalities permitting the exercising of these rights in a clear and accessible manner.

  If the Partner is unable to process on its own the request of a Data subject, MANGOPAY shall cooperate
  with the Partner. For this purpose, the Partner shall contact MANGOPAY as soon as possible in order
  for the Parties to comply with the response times listed under article 12 of the GDPR.

  22.5. Breach of Personal Data

  In case of a breach of Personal Data, each Party shall inform the other without undue delay, and at the
  latest forty-eight (48) hours after having become aware of it. The notification shall include the
  information listed under article 33 of the GDPR.

  Each Party notifies on its own the breach to its competent authority.

  The Parties shall cooperate in order to determine if the breach needs to be communicated to the Data
  subjects, that is, if the breach may result in a high risk to the rights and freedom of a natural person.
  If so, the Parties shall meet in order to determine the modalities and the content of the communication
  to be conducted with the Data subjects.

  22.6. Relation with the supervisory authorities

  Each Party is responsible with its own competent authority. The Partner is informed that MANGOPAY
  falls under the competence of the Luxembourg authority, the National Commission for Data Protection
  (1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette ; Grand-Duché du Luxembourg).

  22.4. Personal Data security

  The Parties acknowledge that they shall protect the Personal Data against any unauthorised or
  unlawful processing and against the accidental loss, destruction or damage. Each party is responsible
  on its own for the implementation of appropriate technical and organisational measures in order to
  guarantee the integrity and confidentiality of Personal Data, in accordance with article 32 of the GDPR.

  22.5. Accuracy and storage of Personal Data

  The Personal Data collected and processed shall be accurate and, where necessary, kept up to date.
  The Partner shall inform MANGOPAY of any modification on the Personal Data that it is aware of and
  that had not been communicated to MANGOPAY through the API, in order for the latter to correct or
  delete them without delay.

  The Partner shall not be authorised to store the Personal Data transmitted by the Data subjects. The
  Partner is informed that MANGOPAY implements a storage policy compliant with the applicable
  regulations.



3. Unchanged provisions

With the exception of the modifications made by this Amendment, all the other provisions of the
Agreement remain unchanged.


4. Applicable law

This Amendment is subject to French law. Any dispute concerning the validity, the interpretation, the
execution or the termination of this Amendment shall, preferably, be resolved through good faith
negotiations between the Parties. If the Parties cannot reach an amiable settlement on the claim, the
dispute shall be referred to the courts located in France.


5. Effective date

This Amendment shall take effect from the date of its signature by the Parties. Article 2.2 of the
Amendment is applicable from 25 May 2018.




Made in two original copies,


In _______________________, on ____________



        For MANGOPAY                                          For the Customer

[Changaco]

Article 26 of the GDPR (copied from EUR-Lex):

Joint controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

[Changaco]

The guidelines mentioned by Mangopay are in http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360. The WP260 document is 35 pages long.

[Changaco]

The last paragraph of the new article 22 is too vague/broad, it seems to forbid us from storing any information that we transmit to Mangopay. That's not acceptable so I've emailed Mangopay, asking them to clarify.

[Changaco]

I've received an answer from Mangopay and signed the amendment.

[Changaco]

Next: review and sign Sentry's Data Processing Amendment.

[Changaco]

Done. I've also reviewed and accepted Sentry's Privacy Policy.

[Changaco]

The next task is to keep a record of personal data processing, to comply with Article 30 of the GDPR:

Records of processing activities

1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

  (a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

  (b) the purposes of the processing;

  (c) a description of the categories of data subjects and of the categories of personal data;

  (d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

  (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

  (f) where possible, the envisaged time limits for erasure of the different categories of data;

  (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  (a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

  (b) the categories of processing carried out on behalf of each controller;

  (c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

  (d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

[Changaco]

I've accepted Cloudflare's DPA.

[m-rtijn]

I am not sure if this is the right place for this remark, so please tell me if there is a better place for this. I also want to say beforehand that I only have experience with the GDPR as an amateur with an interest in digital privacy: I have no professional experience with the GDPR nor do I have any related qualifications.

That said, the current privacy statement on the website (at the bottom of the page) is to the best of my knowledge not completely compliant with the GDPR. The privacy statement should have a summery of all personal information that Liberapay processes and for which purpose it processes said data.

[hanswundersam]

Hi @Changaco, I'm a first-time user of Liberapay and love it. I do struggle with the very likely non-compliant privacy notice too though and would strongly recommend to update it to be in compliance with the information requirements of GDPR. Echoing @m-rtijn's comment from 4 years ago, most importantly the notice must list all the kinds of personal data that is being collected and processed by Liberapay, for which purpose it is done and on which legal basis (GDPR provides 6 to choose from).

Not sure how you guys work on things like this or if you have access to legal advice on this?

[Changaco]

You're mistaken. The GDPR requires keeping a record of all data processing, but it does not require providing that document to anyone other than the supervisory authority. (Article 30, already quoted above.)

[hanswundersam]

You are right as regards the data processing register according to Article 30 but this has nothing to do with the data controller's transparency obligations under Article 13 GDPR. This is the place that prescribes what kind of information a public privacy notice needs to include and I'm afraid Liberapay's current policy is not sufficiently detailed. Let me know if there is anything I can do to help or if you already have advice from elsewhere.

[Changaco]

Article 13 does not require publishing a giant privacy notice/policy detailing all data processing. It requires providing information “at the time when personal data are obtained”, and only “insofar as the data subject [doesn't already have] the information”. We probably have things to improve in that area, but those improvements can't be to add details to the existing Privacy page.

[hanswundersam]

Look, I'm not trying to be annoying here or anything, so no need to be defensive. I like Liberapay and simply would prefer you guys don't run into legal troubles down the road.

Article 13 spells out a list of information that is required to be included in a privacy notice. As a bare minimum that includes "the purposes of the processing for which the personal data are intended as well as the legal basis for the processing". So when I was looking for what kind of data (like payment data) Liberapay processes, and which of that is passed on to Stripe for instance, I could not find that information in the current policy.

Anyways, it's not my problem, it is yours, so I'm not going to insist more than this. In case you'd like to look into it, which I highly recommend, the EDPB has issued useful guidance on privacy notices right when GDPR came into effect, and there are other reliable resources too that include a template for such a notice.

Take care.

[rriemann]

I agree with @hanswundersam and wish the privacy policy could be updated. I think this would give more transparency to the users, which would be in line with the values of the project. 🙂