Acupay’s Data Privacy Practices

As shared in the Technology Team’s article, October was Cybersecurity Awareness Month in the U.S. A crucial tenet of cybersecurity for businesses is ensuring that collected personal data is kept safe and private. Regulators have taken a particular interest in data privacy, with laws like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) having been in effect for several years. In the U.S. alone, several similar data privacy regulations or updates will be coming into effect in 2023, like the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CDPA), and the California Privacy Rights Act (update to the CCPA), and it is safe to say that many more are on the horizon worldwide.

Compliance with these regulations can be a tricky affair because, despite their similarities, they have their own quirks. For instance, the GDPR applies to entities established in the EU that process personal data and non-EU entities that process personal data of EU individuals to monitor or offer goods and services to them. Meanwhile, in the U.S., the CCPA, VCDPA, and the CPA all apply to entities that “do business” or “conduct business” in their states and meet defined thresholds. These can include:

  • annual gross revenues greater than a certain amount

  • processing a certain number of consumer data records

  • generating a certain percentage of revenue from sharing/selling consumer personal data.

Recent rulings and updates have added complexity. In July 2020, the Court of Justice of the EU issued a judgment that invalidated the EU-U.S. Privacy Shield Framework as a valid mechanism to comply with the GDPR when transferring personal data from the EU to the U.S. Since then, to remain compliant with the GDPR, entities that had relied on the framework for their transfers of EU personal data to the U.S. have instead used model contract clauses, often called the Standard Contractual Clauses (SCC), as the basis upon which data transfers that fall under the GDPR are conducted.

Some hope remains, though. In March 2022, the U.S. and EU Commission announced the Trans-Atlantic Data Privacy Framework, which would replace the EU-U.S. Privacy Shield Framework and restore a critical legal mechanism for the transfer of EU personal data to the U.S. More recently, on October 7th, 2022, President Biden signed an Executive Order to implement the Trans-Atlantic Data Privacy Framework. Now, it will have to go through the approval process, which is expected to take about 6 months, but the EU Commissioner for Justice, Didier Reynders, has expressed his confidence that the new framework will meet the demands of the court.

While this has been happening, Acupay has continued to monitor for data privacy law updates and comply with the EU-U.S. Privacy Shield Framework during the collection, processing, and retention of EU personal data. You can find our certification here. We keep a Register of Processing Activities for all our services that is reviewed at least annually. We also maintain a Data Protection and Privacy Policy and conduct training with all our staff on data privacy and information security annually.

For more information about the technical security measures that Acupay takes, you can read more here.

You can find more details about Acupay’s processing activities in our Terms of Access and Privacy Policy.

If you have further questions about Acupay’s data privacy practices, please feel free to contact compliance@acupay.com.
