Passed in 2016 and enforceable beginning on May 25, 2018, the General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It replaces the EU Data Protection Directive introduced in 1995 and all related local laws. The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition, and includes data that is obviously personal (such as an individual’s name or contact details) as well
CellPoint Mobile is in compliance with the new regulation, enforcing data governance and placing the security of consumers' personal data as a top business priority.
Who does the GDPR apply to?
as data that can be used to identify an individual indirectly (such as an individual’s IP address).
What is CellPoint Mobile’s role under GDPR?We act as both a data processor and a data controller under the GDPR.
CellPoint Mobile as a data processor: When people use our products and services to process EU personal data, we act as a data processor. For example, we will be a processor of EU personal data and information that gets used to conduct a payment transaction.
CellPoint Mobile as a data controller: We act as a data controller for the EU customer information we collect on our website. This could include name, email and other contact information.
What have we done to comply with GDPR?We have conducted an extensive analysis of our operations to ensure we comply with the new requirements of the GDPR. With the help of external advisors, we have reviewed our products and services, customer terms, privacy notices and arrangements with third parties for
compliance with the GDPR. We can confirm we are fully compliant with the GDPR by May 25, 2018.
Some of the measures undertaken by CellPoint Mobile to ensure full GDPR compliance included:
- Undergoing a data protection impact assessment to audit services and identify potential risks to the rights and freedoms of individuals users.
- Reviewing solutions to ensure effective data minimization, meaning systems do not store or process any data that is unnecessary for “business as usual” (BAU) working needs.
- Performing a technical evaluation of systems, and of interactions with external systems, to identify risks and prevent threats to the rights of individual users.
- Establishing a process for when customers want their data erased and merchants need to cleanse the storage of any reference (direct or indirect) to the customer data.
- Ensuring the enforcement of end-user rights by implementing internal procedures to assist merchants when facing an end-user request.
- Updating opt-in and consent forms on our website.
How do we protect travel merchant and end user data that is part of a travel transaction?All transactions on our Velocity payment platform are protected at both the system and the transaction level to ensure data
security. Transaction-specific fraud prevention tools include transaction checksum, two/multi-factor and out-of-band authentication, device fingerprinting, HTTP basic authentication, and industry-standard SSL encryption, while system-level data security features include tokenization, real-time monitoring and PCI DSS Level 1 compliance. In addition, role-based access and single sign-on ensure simple but secure access to payment services.
Our booking engine, Voyage, is platform-hosted from an Amazon Web Services (AWS) environment that protects our clients’ and our clients’ end users’ data through security features such as a built-in firewall, encryption (TLS across all services, DDoS mitigation technologies, Man-in-the-Middle Prevention, and traffic flow policies (ACLs). Other security safeguards include:
- Access to production administration interfaces is only granted to employees who have passed a comprehensive pre-employment background check.
- Standard protocols for data security are followed at all times, including TLS 1.2.
- 24/7 monitoring with alarms and alerts set for immediate notification of any potential security breach or server operational issue.
- We have strict policies/procedures and train all staff on security and privacy best practices.
What personal data do we collect and store from our customers?
We act as a data processor when customers use our products and services to process EU personal data, such as saving account details. We may store data that users of our customers’ payment, booking and promotion services have given us voluntarily.
In our separate role as data controller, we may collect and store contact information, including (but not limited to) name, email address or phone number, when customers sign up for marketing communications or request information about a product or service from our website.
What personal data do we collect from visitors to our website?
Do we transfer data internationally?
The GDPR replicates the Data Protection Directive restrictions on transferring data outside the EU and prohibits the export of personal data outside of the EU to non-EU recipients unless the export meets certain criteria.
Although we are headquartered in the United States, CellPoint Mobile has offices, data centers and customers in the EU and in other areas of the world. In certain circumstances, we will process personal data that originates from the EU in the United States and/or India. We provide a level of protection of privacy that complies with the EU rules.
For questions or concerns regarding CellPoint Mobile's GDPR compliance, please contact firstname.lastname@example.org.