RE: Payment cards
Received: 26 June 2019
1. Who is the data controller for personal data relating to payment cards?
· If it is the card provider, is there a contract in place covering this data processing?
2. Who has access to the data?
· What data protection training have these staff had?
· What organisational measures - policies and procedures etc. - are in place to ensure that data is kept safe and not accessed by anyone
· Please provide a copy of any written policies and procedures.
3. Have payment card users been asked to sign a privacy notice?
· What formats is the privacy notice available in?
· Please provide a copy of the privacy notice.
4. What steps have been taken to keep payment card data secure?
· What protections are in place to guard against fraud?
· How is the cardholder's information (including information as to the account holder as well as any purchases) stored?
· What technical and organisational measures are in place in respect of the payment card platforms and any associated network and information systems, e.g. to prevent cyber-attacks?
· What action is taken in the event of a data breach?
· What arrangements are in place to enable access to funds in the event of a system failure?
5. Have you carried out a Data Protection Impact Assessment?
· What risks have you identified? And what mitigating action are you
· If you have identified any high-level risks that you are unable to mitigate, what action are you taking as a result?
6. What processing operations do you actually carry out on the personal data collected?
· Who reviews the data and how often?
· Are reviews ad hoc or routine?
· If ad hoc, what triggers a review?
· Are card holders notified of a review?
7. Which organisations, if any, is this data shared with?
· Have you drawn up an Information Sharing Agreement (ISA) to govern this sharing activity?
Outcome / Documents
- Response (all information to be supplied)