PrimeiroPay & GDPR
PrimeiroPay, as well as its service and technology, is compliant with all applicable regulatory and compliance requirements, e.g. PCI DSS and GDPR. Furthermore, the underlying platform that PrimeiroPay uses to provide payment services is fully PCI compliant and provides state-of-the-art encryption protocols.


What is GDPR?
The General Data Protection Regulation (GDPR) is designed to improve individuals’ rights over their personal data and give them further controls to enforce those rights. It requires international companies, such as PrimeiroPay and its international customers, to implement additional privacy frameworks that ensure the protection of personal data. 

Companies are subject to the GDPR if they are located in Europe (e.g. PrimeiroPay S.a.r.l. Luxembourg) or are offering goods or services to customers in Europe (e.g. Google LLC in the USA).


What is “Personal Data” and “Sensitive Data”?
Personal data in this sense are all individual details about personal or factual circumstances of a specific or identifiable natural person, such as name, address or e-mail, as well as IP addresses. Sensitive Data includes personal data that refers to health, religion, financial transactions and certain payment data.

What does PrimeiroPay do as part of GDPR efforts?
PrimeiroPay was already protecting the data of customers, employees and partners before the GDPR. The GDPR, however, led PrimeiroPay to further improve its privacy and data protection controls. PrimeiroPay contracted an experienced European Data Protection Officer (DPO) for all applicable entities to ensure a constant contact point for customers, partners and authorities.

In addition, PrimeiroPay established an extensive GDPR framework with a dedicated team (DPO & Legal) committed to fulfilling all corresponding GDPR requirements together with Management. Some cornerstones include:

  • Drafting improved Privacy Policies
  • Integrating Privacy by Design practices to decrease risks of data breaches
  • Implementing a direct contact for all privacy-related questions from customers and partners
  • Improving the overall Data Protection Organization, e.g. providing regular training and routines
  • Providing Data Processing Agreements to customers and partners

How are connections secured by default? (Privacy by Design)
The platform uses Transport Layer Security (TLS), an encryption protocol used to communicate between systems, which superseded the Secure Sockets Layer (SSL) protocol in 2000. TLS v1.1 and TLS v1.2 have in turn superseded TLS v1.0.

Per PCI DSS v3.1 and v3.2, SSL and early TLS (TLS v1.0) are no longer considered strong encryption protocols, due to vulnerabilities in these protocols to which there are no fixes. While TLS v1.1 and above are currently PCI compliant, the recommendation is to move to TLS v1.2 as soon as possible.

Companies were required to support TLS v1.2 for their connection to the Open Payment Platform prior to May 14, 2018. After May 14, 2018, we disabled the TLS v1.0 and v1.1 protocols for the Open Payment Platform. Companies that do not support TLS v1.2 will no longer be able to connect to the service.
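The following is an added example, not PrimeiroPay code, showing how an integrating company can check on the client side that its connection can only negotiate TLS v1.2 or newer, so it stays connectable after the TLS v1.0/v1.1 shutdown described above. The host name is a placeholder, and the helper names (pci_client_context, context_is_pci_ready, negotiated_version_is_acceptable, probe) are assumptions of this example.

```python
import socket
import ssl

# Placeholder endpoint, not PrimeiroPay's real platform address.
PLATFORM_HOST = "payments.example.invalid"
# Floor taken from the page: PCI DSS v3.1/v3.2 no longer accept SSL or TLS v1.0,
# and the platform itself requires TLS v1.2.
MIN_PCI_VERSION = ssl.TLSVersion.TLSv1_2

# Names SSLSocket.version() uses for negotiated protocols, mapped to ssl.TLSVersion.
_VERSION_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def pci_client_context() -> ssl.SSLContext:
    """Client context that cannot fall back to SSL, TLS v1.0 or TLS v1.1.
    create_default_context() keeps certificate and hostname verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_PCI_VERSION
    return ctx


def context_is_pci_ready(ctx: ssl.SSLContext) -> bool:
    """True if ctx enforces the TLS v1.2 floor and still verifies the peer.
    An unbounded minimum (MINIMUM_SUPPORTED) compares below the floor and fails."""
    return (ctx.minimum_version >= MIN_PCI_VERSION
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def negotiated_version_is_acceptable(name: str) -> bool:
    """Classify the string returned by SSLSocket.version() against the floor.
    Unknown names are rejected rather than silently accepted."""
    version = _VERSION_NAMES.get(name)
    return version is not None and version >= MIN_PCI_VERSION


def probe(host: str = PLATFORM_HOST, port: int = 443) -> str:
    """Connect with the hardened context and return the negotiated protocol.
    Needs network access; raises ssl.SSLError if the server offers only
    protocols below the floor, which is the failure an integrator should expect
    if its own stack or the peer still stops at TLS v1.1."""
    ctx = pci_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```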


Is PrimeiroPay a Processor or Controller?
The GDPR provides a legal framework for the different arrangements under which personal data is handled externally, e.g. when transferring data to a service provider. The most common arrangement is a Data Processor processing data on behalf of a Data Controller. PrimeiroPay is considered a Data Processor.

Data Controller and Data Processor both have an obligation to protect personal data in accordance with GDPR. The legal obligations between the parties regarding data protection must be defined in agreements to ensure that customers’ personal data is processed lawfully. These agreements are called “Data Processing Agreements” or “Data Processing Addendum” (DPA).

PrimeiroPay can provide a DPA template, or customers and partners are welcome to send over their own agreements.