GDPR and PI: what’s the verdict one year after the entry into force of this regulation?

12 June 2019

Business Insight

A year after the General Data Protection Regulation (GDPR) went into effect, Rachelle Abi Lahoud, Data Protection Officer (DPO) at Lemonway, looks back on the changes this new regulation brought for the payment institution’s business.

On 25 May 2018, a new European regulation on the protection of personal data went into effect. Until then, the matter was governed in France by Act No. 78-17 of 6 January 1978, known as the ‘loi informatique et libertés’ (the Act on information technology, data files and civil liberties).

Few people have never heard of the GDPR. Extensively publicised, the regulation raised many questions and required a number of adjustments. Lemonway, which collects and processes personal data pertaining to its own employees and to its partners, is directly concerned by the provisions of the GDPR and must apply them on a daily basis alongside the regulations governing payment institutions.


Standardising, structuring and strengthening the legal framework for data protection

On the legal side, the GDPR has harmonised the rules governing personal data at the European level; it has also structured and strengthened the legal framework covering everything from data collection to processing. Its primary objective is to give users greater control over, and visibility into, their data.

As a result, several levels of formalities and procedures have been imposed:

  1. to identify the purpose for which data are collected
  2. to put in place the procedures needed to honour the right to erasure (‘the right to be forgotten’, Article 17), the right to restriction of processing (Article 18) and the right to rectification (Article 16)
  3. to ensure the right to data portability (Article 20)

The GDPR required Lemonway to adopt new procedures to operationalise these obligations: data protection impact assessments, contractual adaptation, data mapping, formalising the records of processing activities, etc.


GDPR compliance: a double challenge for payment institutions

Lemonway faced a major challenge during this first year of implementation: reconciling the GDPR with the other regulations applicable to payment institutions, such as the 4th AML/CFT Directive, PSD2 and the provisions of the French Monetary and Financial Code (CMF). These texts emphasise customer identification and strong authentication and therefore require extensive data collection, whereas the GDPR requires data to be minimised. Retention periods illustrate the tension: under the GDPR’s storage limitation principle, data must not be kept longer than is necessary for the purposes for which they are processed, but the CMF requires personal data to be kept for five years from the closure of the account or the end of the relationship with the client in order to meet AML/CFT obligations (Article L.561-12 CMF).

Furthermore, Lemonway carries out payment activity in several European Union countries. Because the GDPR applies alongside existing national legislation on personal data and is interpreted by each country’s supervisory authority (the ‘local CNIL’), requirements may differ from one country to another, which calls for detailed knowledge of local regulatory constraints and clear communication with our customers.

To ensure that requests are handled efficiently, Lemonway has set up a dedicated email address as a direct channel for all requests relating to personal data: [email protected].

To learn more, visit: