In many of the countries where we operate, data protection law requires us to process personal data only where we have an approved basis under the law. You have the right to understand what our legal bases are, so we explain them here. We use the following bases, depending on the activity we undertake:
Most of the data we collect and the purposes we use it for are necessary for us to provide our services.
Some of the activities we undertake are necessary to comply with our legal and other obligations as a payment provider, for example:
To comply with our anti-money laundering and customer due diligence obligations, we must collect information on merchant criminal history. Where we do so, we comply with the requirements of law for collecting this category of data. In the UK, we collect this data under the "substantial public interest conditions" of Schedule 1 of the UK Data Protection Act 2018.
We use personal data as necessary to meet our legitimate business interests. When we do, we make sure we understand and work to minimise its privacy impact. For example, we limit the data to what is necessary, control access to the data, and where we can, aggregate or de-identify the data.
Some examples of the data processing activities we undertake in our legitimate interests are:
What is legitimate interest? Under GDPR Article 6(1)(f), companies have the ability to engage in activities without consent under a balancing test. Do we have a legitimate interest in engaging in the activity that is not outweighed by the interests or fundamental rights and freedoms of the data subject
We tell you in the service where you can make a choice or grant consent. When you grant consent, you may withdraw it at any time to stop any further processing.
Technology helps us make automatic decisions based on the information we collect about you or a transaction. We routinely test our software to improve the accuracy of these decisions and to prevent unintended bias. These decisions can have effects for you, such as:
If you believe a decision has been made in error, please contact us.
You may have rights under privacy and data protection law. Depending on where you live, these include the right to ask GoCardless for a copy of your personal data, to correct, delete or restrict processing of it, and to obtain personal data in a format you can share with a new provider. You may have the right to object to processing. These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data.
You can contact our privacy team to ask a question about our privacy practices or exercise your rights. If you have unresolved concerns, you have the right to complain to a data protection authority or other regulator where you live or work, or where you believe a breach may have occurred.
GoCardless’ services are offered from our United Kingdom headquarters and from GoCardless offices in France, Germany, Australia and the United States. Our services are available to merchants in a number of countries around the world. If you use our services to pay a merchant in another country, personal data will be transferred as necessary to complete this transaction.
Personal data may also be stored and accessed by service providers located in other countries. For EU individuals, it’s important to note that some of our service providers are located in the United States or other countries that do not provide the same standard of data protection as the EU. Wherever we transfer data, we enter into contracts or seek other ways to ensure service providers treat data as required by law in the country where it was collected.
GoCardless keeps personal data for as long as necessary to provide our services and process payments for our merchants. We also keep personal data for other legitimate business purposes, such as complying with our legal obligations, resolving disputes, preventing fraud, and enforcing our agreements. Because these needs can vary for different data types used for different purposes, retention times will also vary. Here are some of the factors we have considered to set retention times: