GDPR Frequently Asked Questions
The GDPR will have an impact on all companies that process EU personal data, including Grapevine Connect Ltd and our customers. Compliance with the GDPR will require an ongoing partnership and continued cooperation with our customers and suppliers. We remain committed to the protection of personal data and take our responsibility to comply with the GDPR seriously.
We believe the GDPR will strengthen overall data protection across the European Economic Area (“EEA”) and we are working to ensure we are GDPR ready prior to the 25 May 2018 effective date. We have prepared this FAQ for informational purposes to help address questions our customers may have about how we are approaching GDPR compliance and the steps we are taking to prepare.
What security measures has Grapevine Connect implemented to protect personal data?
Grapevine Connect monitors and assesses the level of security applied to our facilities and enterprise network. To ensure an adequate level of security, we consider industry standards and practices, the nature, scope, context and purposes of processing activities and the risks to individual privacy.
We maintain appropriate administrative, technical and physical safeguards designed to protect the personal information provided to us against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. Our technical and organisational measures include: secure user authentication protocols; user access control measures; secure transmission protocols; automated monitoring of systems to detect unauthorised use of or access to personal data; secure storage of data; and education and awareness training of employees on the proper use of computer security systems and the importance of personal data protection.
In addition, Grapevine Connect’s payment related services are subject to PCI-DSS requirements.
Does Grapevine Connect have a process to provide notification of a data breach?
Grapevine Connect has implemented procedures, monitoring and system controls to identify, neutralise and mitigate potential data breaches. The GDPR introduces notification requirements for security incidents or breaches that lead to the loss, destruction, or unauthorised access of personal data. Our formal internal incident response plan was developed to align with these notification requirements.
What personal information does Grapevine Connect collect and store?
A customer may send personal data to Grapevine Connect in order to make purchases, receive services and manage the business relationship. Such personal data may include, but is not limited to, the following categories:
- First and last name
- Job title or position
- Contact information (company, email, phone, physical business address)
- Professional data
- Bank or payment details (e.g., sole proprietor).
In certain circumstances, Grapevine Connect may need to collect additional information, such as government issued ID or national ID number, to complete anti-fraud or anti-money laundering reviews or as required by applicable laws.
Where Grapevine Connect offers payment gateway services, we process payment transactions on behalf of our customers. In providing these services and to facilitate the payment transaction, we need to process certain personal data. The specific categories of personal data processed will depend on the solution or service agreement and instructions from our customer. For example, a payment transaction at the point of sale requires processing of a consumer’s credit card number and the card expiration date.
How does Grapevine Connect use the personal information?
Grapevine Connect uses the personal information provided by our customers to supply products or services and to carry out the terms of our agreements. We use the information to manage the overall business relationship, including setting up accounts, communicating, processing orders, invoicing, providing products, solutions and services and providing technical support. We may also use personal information to help us create, improve, operate, and deliver our products, services, and solutions, and for anti-fraud or anti-money laundering purposes.
Where Grapevine Connect offers payment gateway services, we use the personal data to process payment transactions in accordance with the solution or service agreement, instructions from our customers and applicable laws or regulations (e.g., PCI).
What personal information is shared with external parties?
In order to provide our products, services and solutions to customers, we share certain personal information with service providers and vendors on an as needed basis. For example, Grapevine Connect may need to provide contact information (e.g., name and email address) to an installation or repair vendor in order to schedule and complete a requested service.
Where Grapevine Connect offers payment gateway services, personal data is transferred to third parties in accordance with the solution or service agreement or instructions from our customers. For example, in payment transactions, credit card details are routed as instructed to the customer’s designated acquiring bank.
Where does Grapevine Connect carry out personal data processing?
Grapevine Connect is a legal entity registered in the United Kingdom, from which we manage our business and provide products, services and solutions to our customers worldwide. This includes order entry, invoicing, product development, accounting, customer service and support, order fulfilment and shipping.
In order to manage our business relationships and obligations, personal information provided by our customers may be transferred to, or accessed by, our affiliates, subsidiaries, vendors and service providers worldwide.
Where we offer payment gateway services, processing by Grapevine Connect of payment transactions is carried out within the EU/EEA.
Does Grapevine Connect include newly required GDPR clauses in agreements and standard terms & conditions?
The GDPR introduces a number of new rules and obligations to strengthen the protection of personal data and enhance the privacy rights of individuals. These new rules require the inclusion of additional obligations where Grapevine Connect is processing personal data on behalf of a customer.
Grapevine Connect will issue a GDPR Data Processing Addendum (“DPA”) to existing customers and will update our standard terms and conditions to include GDPR terms for payment solutions. Where required, Grapevine Connect DPAs will be circulated to our customers that have existing payment service agreements.
Grapevine Connect is committed to the protection of personal data and will work closely with our customers to prepare for the GDPR.
How long does Grapevine Connect retain personal data?
Personal data provided by customers to purchase products, services and solutions will be retained where there is a legitimate business or legal need to do so. This includes compliance with our legal requirements, dispute resolution, enforcement of our agreements, and for other lawful business purposes.
Where Grapevine Connect offers payment gateway services, we will retain personal data for the duration of the solution agreement, unless otherwise instructed by our customers or as required by applicable law or regulation.
Once the business and legal needs have expired, we securely dispose of, delete or anonymise personal information.
Who do I contact with questions?
Grapevine Connect has appointed an internal Data Protection Officer (DPO) and assigned a data protection team to oversee implementation of requirements under the GDPR. Contact details are provided below.
Data Protection Officer
Grapevine Connect Ltd
First Floor, Unit 4 Clyst Works
Tel: 01392 345678