Background & Scope
Regulation 206/679, known as the General Data Protection Regulation (GDPR), applies to any organization, regardless of whether it is based in or outside the European Union (EU), that processes personal data of individuals residing in the EU.
With this document, Lyra undertakes to inform its customers of their new obligations in the framework of the implementation of the GDPR and to show how Lyra as a service provider meets its obligations while complying with the regulations specific to its role of a payment service provider.
What are our responsibilities?
Lyra is responsible for the personal data it processes. The regulation requires proof of sound management and protection of data.
In this respect, Lyra has appointed a DPO in charge of data monitoring and management who is the single point of contact for his clients. The DPO has been declared to the CNIL (French National Commission on Informatics and Liberty, N° DPO-1797).
As a payment service provider, Lyra acts as a subcontractor, as defined in the GDPR. This subcontracting is carried out in the context of a contractual relationship with Lyra’s customers, who are in turn responsible for data processing within the meaning of the GDPR.
Henceforth, the Terms of Service between Lyra and its customers include specific clauses dedicated to the processing and protection of personal data.
What are our security measures?
Lyra Network is certified PCI DSS Level-1 V3.2 and implements the following security actions:
- Information Systems Security Policy;
- Monitoring and protection of buildings by access control;
- Secure servers and data backup;
- Regular audit of information systems;
- Highly secure hosting centers;
- Highly secure firewalls;
- Backup redundancy;
- Highly available servers;
- File transfer encryption;
- Protection by authentication;
- Restrictive default permissions;
- Database backup procedures.
What personal data do we process?
We collect and use only the personal data that enables us to offer you products and services.
We may collect different categories of your personal data, including:
- information related to your identity and that of the legal representative necessary for getting in touch with you (first and last name, professional e-mail address, professional phone number, signature within the framework of a contract);
- identification and authentication data, in particular during the use of your back office (technical logs, digital evidence, safety information);
- transaction data, necessary for providing the service and technical analysis of these operations (first and last name, e-mail, encrypted card number, card expiry date, shopping cart, payment amount, IP address).
The personal data we use may be collected directly from you or obtained from the following sources for the purpose of verifying or enriching our databases:
- publications/databases provided by official authorities;
- our partners or service providers;
- third parties, such as business intelligence and anti-fraud organizations, in accordance with data protection regulations.
What are the purposes of processing the personal data we collect?
We use your personal data in order to:
- execute the contract and provide the full range of services to which you have subscribed
- assist you in the follow-up of your contract
- fulfill our legal and regulatory obligations (responses to official requests from duly authorized public or legal authorities)
- enable the performance of our legitimate interests, including:
- optimization of our risk management process;
- legal defense of our interests (proof of transactions or operations);
- IT management and business continuity including personal safety;
- fraud prevention;
- debt recovery / litigation;
- customization of Lyra Group’s commercial offers;
- business development.
Who are the recipients of the collected data?
Your personal data may be shared within the Lyra Group, which we are a part of, for the same purposes as those mentioned above.
They may be communicated to the partners of the Group only for purposes related to the execution and fulfillment of the contract. We make sure that these partners comply with the regulations.
When we call on a supplier, a service provider or a third-party agent, your data remains under our control and means of verification are implemented to ensure the proper protection of your personal information.
It may also be shared with legally authorized administrative and judicial authorities as well as regulated professions, such as statutory auditors.
What data do we archive, and for how long?
We take all necessary measures to ensure the security and confidentiality of your personal data in order to prevent their loss, alteration, destruction or use by unauthorized third parties.
We only archive essential data that is necessary for us to fulfill our responsibilities or to meet our legal or regulatory obligations.
For example, we store personal data related to credit card payments for 15 months.
As regards the customers, most of the information is kept for the duration of the contractual relationship and for 10 years after it ends.
Data breach notification
Lyra Network will notify its customers of any violation of Personal Data within the regulatory period after becoming aware of it. This notification shall be accompanied by all relevant documentation to enable the Merchant (data controller) to inform competent authorities of such violation.
What are your rights?
Within the limits of the regulations and of our legal obligations and when this right is applicable, the GDPR allows you to have a right of access, rectification, opposition, limitation, erasure and portability of your personal data.
These rights only concern the personal data of our customers and not those of the end users (buyers).
Contact LYRA GDPR
If you have any questions regarding this regulation, please contact our DPO at [email protected] or send us a letter to the following address: Lyra Network, Délégué à la Protection des données 109 rue de l’Innovation 31670 Labège
How to file a claim?
In accordance with the applicable regulations, you can file a complaint to the CNIL (National Commission on Informatics and Liberty) in France.