Answers To Your Top 5 Gdpr Questions

« Back to Insights

Today, May 25, 2018, the General Data Protection Regulation (GDPR) takes effect. Aimed at strengthening the security and protection of personal data, GDPR will have a far-reaching impact on companies around the world.

With the compliance date here, below are answers to your most frequently asked GDPR questions.

1. What is the General Data Protection Regulation (GDPR)?

The GDPR (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the EU. Taking effect on May 25, 2018, it establishes a framework of rules to protect the personal data for European Union (EU) data subjects. It also addresses export of personal data outside the EU. 

The GDPR applies to any organization, located inside or outside the EU, if they offer goods or services to, or monitor the behavior of, EU data subjects. It also applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.

2. Does daVinci Payments Solutions have a GDPR compliance program?

Yes. daVinci has undertaken an enterprise-wide initiative to review and update our processes and procedures to be fully compliant with GDPR.

Together with our issuing partners and the security, privacy and risk auditing services of a third-party firm, daVinci is implementing policies and procedures in the following areas:

  • GDPR inquiry handling, including cardholder requests for data anonymization
  • GDPR complaint handling
  • Breach reporting procedures
  • Privacy Impact Assessments for new services, products and hosting environments 

daVinci’s GDPR compliance program also includes employee training on all new policies and procedures.

Additionally, daVinci holds PCI-Level 1 certification and is audited for the highest level of data security and handling practices as outlined by the Payment Card Industry. While PCI and GDPR are different, many of the data practices daVinci follows for PCI are required under GDPR as well.  

3. Can daVinci determine if a client needs a GDPR-compliant Data Processing Agreement/Addendum (DPA)? 

Each client is responsible for their compliance program and must determine whether the GDPR applies to their business. If you qualify as a “data controller” under the GDPR, the GDPR requires you to include specific provisions in your contract(s) with applicable data processors like daVinci.

daVinci suggests that if a client believes that GDPR may apply to them, a Data Processing Agreement/Addendum (DPA) be executed. A DPA between you and daVinci would contractually require daVinci to comply with relevant portions of the GDPR. The DPA also reaffirms your general consent for daVinci to subcontract. The DPA is not intended to improve or modify either party’s position regarding subcontracting under the agreement. The DPA is designed to cover all the products and services daVinci provides to you.

4. My company needs a GDPR-compliant DPA with daVinci. How do I request an executable copy of the DPA?

If you haven’t entered a DPA with daVinci, and you’ve determined that the GDPR is applicable to your business, request an executable copy of the DPA by sending an email to In your request, include the following information:

  • Legal name of your organization
  • Email address of the person to whom the DPA should be sent; this can be the anticipated signer of the DPA or another person within your organization.

5. Will a new privacy policy be available?

Yes. An updated privacy policy has been posted at

Have more GDPR Questions? Reach out to your daVinci Contact.

Disclaimer: Neither daVinci Payments Solutions nor any affiliate is a provider of legal advice or services, and this FAQ should not be construed as legal advice or counsel.  Should you require legal services regarding GDPR compliance or on any other matter, daVinci encourages you to engage your own legal counsel.