Background & Scope
Regulation 2016/679, known as the General Data Protection Regulation (GDPR), applies to any organization, whether based inside or outside the European Union (EU), that processes personal data of individuals residing in the EU.
With this document, Lyra undertakes to inform its customers of their new obligations arising from the implementation of the GDPR and to show how Lyra, as a service provider, meets its obligations while complying with the regulations specific to its role as a payment service provider.
What are our responsibilities?
Lyra is responsible for the personal data it processes. The regulation requires proof of sound management and protection of data.
In this respect, Lyra has appointed a DPO in charge of data monitoring and management, who is the single point of contact for its clients. The DPO has been declared to the CNIL (French National Commission on Informatics and Liberty, N° DPO-1797).
As a payment service provider, Lyra acts as a subcontractor, as defined in the GDPR. This subcontracting is carried out in the context of a contractual relationship with Lyra’s customers, who are in turn responsible for data processing within the meaning of the GDPR.
Henceforth, the Terms of Service between Lyra and its customers include specific clauses dedicated to the processing and protection of personal data.
What are our security measures?
Lyra Network is certified PCI DSS Level 1 (v3.2) and implements the following security measures:
- Information Systems Security Policy;
- Monitoring and protection of buildings by access control;
- Secure servers and data backup;
- Regular audit of information systems;
- Highly secure hosting centers;
- Highly secure firewalls;
- Backup redundancy;
- Highly available servers;
- File transfer encryption;
- Protection by authentication;
- Restrictive default permissions;
- Database backup procedures.
What personal data do we process?
We collect and use only the personal data that enables us to offer you products and services.
We may collect different categories of your personal data, including:
- information related to your identity and that of the legal representative necessary for getting in touch with you (first and last name, professional e-mail address, professional phone number, signature within the framework of a contract);
- identification and authentication data, in particular during the use of your back office (technical logs, digital evidence, safety information);
- transaction data, necessary for providing the service and technical analysis of these operations (first and last name, e-mail, encrypted card number, card expiry date, shopping cart, payment amount, IP address).
The personal data we use may be collected directly from you or obtained from the following sources for the purpose of verifying or enriching our databases:
- publications/databases provided by official authorities;
- our partners or service providers;
- third parties, such as business intelligence and anti-fraud organizations, in accordance with data protection regulations.