Gateway Merchant Services Ltd
Trading as PaymentPlus
Data Protection Notice
This Data Protection Notice is effective as and from 25 May 2018
At PaymentPlus your privacy is very important to us.
It is one of our fundamental responsibilities to ensure that we protect the information entrusted to us by you.
This Data Protection Notice looks to answer your important questions about the processing of personal information by PaymentPlus. Please take some time to read this Data Protection Notice carefully.
In this Data Protection Notice, we use the terms “Gateway Merchant Services”, “GMS”, “PaymentPlus”, “our”, “us” or “we” to refer collectively to Gateway Merchant Services Ltd and its subsidiaries.
1. Introduction. 4
1.1. PaymentPlus and the PaymentPlus Group. 4
1.2. How you can contact PaymentPlus. 4
2. How can you control the personal information you have given to PaymentPlus?. 4
2.1. Access your personal information. 5
2.2. Correct/ restrict /delete your personal information. 5
2.3. Withdraw your consent 5
2.4. Object to your personal information being used for certain purposes. 5
2.5. Request your personal information to be transferred in electronic form.. 5
2.6. How to exercise your rights. 6
3. Why does PaymentPlus collect and use your personal information?. 6
3.1. To comply with legal obligations. 6
3.2. To enter into and perform a contract for a product or service. 6
3.3. To enable PaymentPlus to function as a business. 6
3.4. Where you have provided consent 7
4. What kind of personal information does PaymentPlus collect and how it is used?. 8
5. How do we use personal information for direct marketing?. 10
6. How does PaymentPlus make use of Automated Decision Making?. 10
7. What about Security and Confidentiality?. 11
7.1. Who can access your personal information within PaymentPlus. 11
7.2. Security measures to safeguard your personal information. 11
7.3. Other restrictions on use of your personal information. 11
8.Who do we share your personal information with?. 12
9. How long will we retain your personal information?. 13
10. Updates to our Data Protection Notice. 13
1.1. PaymentPlus and Gateway Merchant Services Group
PaymentPlus has been proudly serving our customers in Ireland since 2011. Our head office is situated at Nutgrove Office Park, Dublin 14.
As a leading merchant service provider Gateway Merchant Services Ltd. trading as PaymentPlus provides a range of industry leading payment acceptance solutions to retail merchants and large corporate clients.
• Merchant Services through multiple acquirers, delivering full access to both the Irish and UK markets
• Full range of Card Terminals and PIN Pad devices
• 7-day support and warranty services
• Multichannel gateway services – Online, Mobile, Standalone and Multi-lane
• Consultancy and sourcing services for Domestic and International markets
• Merchant Cash Advance – providing cash advances for small business customers
Our products and services are distributed through the nationwide PaymentPlus Hub and support networks, by telephone via the dedicated Retail Sales Team as well as through our website and online platforms. Gateway Merchant Services is a limited company registered in the Companies Registration Office under Company Number 501551. Our registered office is at Unit F2 Nutgrove Office Park, Rathfarnham, Dublin 14.
More information on the activities of the PaymentPlus Group is available at www.PaymentPlus.ie.
1.2. How you can contact PaymentPlus
If you have any questions about your privacy rights or if you would like to change your privacy preferences, you can contact us in the following ways:
• By contacting one of our Customer Service Representatives:
By phone: +353 (0)1 901 7700
By email: [email protected]
• If you have specific queries about this Data Protection Notice or PaymentPlus’s approach to privacy, you can also contact our Data Protection Officer who will ensure that your query is treated in a confidential manner: – by sending an email to [email protected];
• or by writing to the Data Protection Officer, PaymentPlus, Unit F2 Nutgrove Office Park, Rathfarnham, Dublin 14.
• If you do not agree with the response you receive from PaymentPlus, you are entitled to lodge a complaint with the relevant Data Protection Authorities: –
For the Republic of Ireland:
You can visit the website of the Office of the Data Protection Commissioner at www.dataprotection.ie for more details.
Office of the Data Protection Commissioner Canal House, Station Road, Portarlington, Co. Laois, R32 AP23
Phone: + 353 57 868 4800 / + 353 761 104 800
LoCall: 1890 25 22 31
Fax: + 353 57 868 4757
Email: [email protected]
2. How can you control the personal information you have given to PaymentPlus?
When your personal information is handled in connection with a PaymentPlus product or service, you are entitled to rely on a number of rights. These rights allow you to exercise meaningful control over the way in which your personal information is processed. You may execute any of these rights free of charge (in certain exceptional circumstances a reasonable fee may be charged or PaymentPlus may refuse to act on the request) and we may ask you to verify your identity prior to proceeding with your instruction by way of requesting additional information/documentation from you. Once we are satisfied that we have effectively verified your identity, we will respond to the majority of requests without undue delay and within a one month period i.e. 30 calendar days of receipt of the request. PaymentPlus will action your request to have your personal information corrected within 10 working days. These periods may be extended in exceptional circumstances and we will inform you where the extended period applies to you along with an explanation of the reasons for the extension. Further information in relation to how you may execute these rights is outlined in the Data Protection section of www.PaymentPlus.ie or alternatively by contacting us using the channels outlined in [Section 2.6] below..
For example, you are entitled to:-
2.1. Access your personal information
You can look to access the personal information we hold about you by contacting us with a data access request using the channels outlined in [Section 2.6] below. We will endeavour to provide you with as complete a list of personal information as possible. However, it can happen that some personal information from back-up files, logs and stored records may not be included in that list as this information is not processed by PaymentPlus on an ongoing basis and it is not therefore immediately available. For that reason, this personal information may not be communicated to you. However, this personal information remains subject to standard data maintenance procedures and will only be processed and retained in accordance with those procedures.
2.2. Correct/ restrict /delete your personal information
If you believe that certain personal information we hold about you is inaccurate or out of date, you can look for the information to be corrected at any time using the channels outlined in [Section 2.6] below after we have verified the information. If you dispute the accuracy of information held, you can request that we restrict processing this information while your complaint is being examined. If you suspect that we are processing certain information without a legitimate reason or that we are no longer entitled to use your personal information, you can also ask for that personal information to be deleted.
We are not under an obligation to rectify or delete your personal information where to do so would prevent us from meeting our contractual obligations to you, or you from meeting your contractual obligations to us, or where PaymentPlus is required or permitted to process your personal information for legal purposes or otherwise in accordance with our legal or contractual obligations.
We ask that you keep us informed of any relevant change in your personal circumstances to enable us to keep the information on our systems up to date and accurate.
2.3. Withdraw your consent
Whenever you have provided us with your consent to process your personal information, for example, so that we can contact you about one of our products or services, you have the right to withdraw that consent at any time through one of the channels identified at [Section 2.6] below. If you withdraw consent to processing (and if there is no other justification for continuing to process your information), you are also entitled to request that your personal information is deleted. Withdrawing consent does not affect the lawfulness of any processing undertaken by us based on your consent before its withdrawal.
2.4. Object to your personal information being used for certain purposes
If you disagree with the way in which PaymentPlus processes certain information based on its legitimate interest (see [Section 3.3] for further details and examples), you can object to this through one of the channels identified at [Section 2.6] below. In such cases we will provide you with details regarding the rationale for processing your personal information and we will stop processing the personal information under dispute if we cannot legitimately justify the reasons for processing within the agreed timeframe.
Some operations are fully automated, with no human intervention and may include taking decisions based solely on automated processing. For more details on how PaymentPlus uses automated decision making see [Section 6] below. If you disagree with the outcome of a fully automated decision making process, you can speak to a PaymentPlus staff member to express your point of view and contest the decision using one of the contact channels identified at [Section 2.6] below.
2.5. Request your personal information to be transferred in electronic form
You can (in certain cases) request that your personal information is transferred to you or to another service provider so that you can store and reuse your personal information for your own purposes across different services. We will not in any way be accountable or liable for any damage, loss or distress sustained, incurred or suffered by you and/or the designated service provider as a result of improper use of the personal information upon transmission or after receipt by you and/or the designated service provider.
2.6. How to exercise your rights.
You can exercise the rights outlined above by contacting our Customer Service Representatives using any of the channels below:-
By phone: +353 (0)1 901 7700
By email: [email protected]
We recommend that you provide as much detail as possible in your correspondence with us so that we can deal with your query promptly and efficiently. You may be asked to provide proof of identification and/ or additional information in order to validate your identity when making such a request.
3. Why does PaymentPlus collect and use your personal information?
We gather and process your personal information for a variety of reasons and rely on a number of different legal bases to use that information, for example, we use your personal information to process your applications, to help administer your products and services, to ensure we provide you with the best service possible, to prevent unauthorised access to your accounts and to meet our legal and regulatory obligations.
3.1. To comply with legal obligations
We are required to process your personal information to comply with certain legal obligations, for example:-
3.1.1. to report and respond to queries raised by regulatory authorities, law enforcement and other government agencies such as the Central Bank of Ireland, the European Central Bank and An Garda Siochana.
3.1.2. to respond to requests from Irish Revenue in accordance with relevant tax legislation and under Notices of Attachment issued by Irish Revenue;
3.1.3. to verify the personal information provided to us and meet our legal and compliance obligations, including to prevent money laundering, tax avoidance, financing of terrorism and fraud. For example, we are required to identify you, verify your identity, check your activity and transactions and ascertain your money laundering risk profile;
3.1.4. to pass details of the originator or the payee to the receiving or transferring financial institution;
3.1.5. to supply information to credit check organisations such as Experian and Vision-net when considering applications to determine your repayment capacity;
3.1.6. to cooperate and provide information requested in the context of legal and/or regulatory investigations or proceedings; and
3.1.7. to investigate allegations of fraud and prevent fraud by third parties or customers.
3.2. To enter into and perform a contract for a product or service
3.2.1. Before PaymentPlus provides you with products or services, we have to gather some personal information to process your application and to assess the terms upon which we can enter into the contract with you. This includes, for instance, gathering and processing personal information for a merchant application.
3.2.2. In order to manage your accounts, policies and any other products or services, we have to process your personal information. Examples of processing include the administration of accounts, payments, deposits, lending, credit decisions. As part of this process, we may be required to pass some personal information to an intermediary or counterparty.
3.2.3. We also share your information in accordance with the requirements as laid by the acquiring organisations, which are regulated by the Central Bank of Ireland for Ireland in order to be able to provide you with the relevant merchant service agreements. Finally, we also use third party service providers to establish credit checks which means that we may share your personal information with the service provider to facilitate these transactions or to comply with a legal obligation.
3.3. To enable PaymentPlus to function as a business
3.3.1. In certain circumstances, we process your personal information on the basis of the legitimate interests of PaymentPlus. In doing so, we ensure that the impact of the processing on your privacy is minimised and that there is a fair balance between the legitimate interests of PaymentPlus and your privacy rights. If you disagree with your information being processed in this manner, you are entitled to exercise your right to object. Examples of situations in which your personal information is processed based on our legitimate interests, include:-
• to enable us to manage, on a holistic basis, our relationship with you by maintaining a single view of your accounts and any products or services that we provide to you and any interaction with us. This enables us to create a profile for you and to assess your needs better;
• to carry out statistical analysis, market research and to develop predictive and analytical models for different purposes including risk analysis, process improvements, marketing and fraud analysis. By combining information available to us from different sources such as transaction information and publicly available data (for example the Central Statistics Office) to develop analytical models PaymentPlus can obtain data-driven insights which help to make strategic choices about the functioning of our relationship with you as our customer and the products and services which we believe will be of interest to you;
• to establish, exercise and safeguard our rights, including where necessary to take enforcement action (e.g. debt collection) and to respond to claims made against PaymentPlus;
• to undertake system testing to guarantee software code quality, in particular:
• to test software code changes;
• to validate the stability of software changes and accept the software code changes;
• to run technical tests, like performance, resilience, operational proving testing;
• to create efficiencies in our processes for PaymentPlus and for our customers, to measure our performance and to deliver other organisational benefits;
• to ensure appropriate information security and fraud prevention protections are in place and to safeguard customer accounts; and
• to provide aggregated reports to departments inside PaymentPlus, to the Gateway Merchant Services Group or to other associated third parties. These reports contain grouped information, such as the average number of transactions. No individual information is shared as part of these reports. Aside from these aggregated reports, we also use more detailed reports internally within PaymentPlus which may contain personal information when dealing with customer applications for products and services in order to help us effectively manage our workflow of applications and customer requests.
3.4. Where you have provided consent
3.4.1. Marketing Consent:- We use your personal information to make you aware of products and services which may be of interest to you. If you take a look at [Section 5] below, you can find out more about how we would like to provide you with customised offers and personalised customer service. To be able to do this, we will ask you for your consent. You can at any time withdraw that consent through the contact channels set out in [Section 2.6] above.
3.4.2. Biometric Consent:- We can use image recognition software to verify your ID when you are looking to open an account through the PaymentPlus Mobile App. This involves us using optical character technology to extract relevant information from your ID documents. In such cases, we will ask you for consent to process this biometric data. An alternative channel will be made available to you should you choose not to give your consent. We will only use your biometric data to fulfil this request. Depending on your device, you may choose to enable Touch ID within the PaymentPlus Mobile App. PaymentPlus does not store or otherwise use this fingerprint ID for any purpose.
3.4.3. Sensitive Information Consent:- We do not collect and process other Sensitive information.
3.4.4. Geolocation Consent:- If you choose to use the PaymentPlus Office Locator service, you will be asked to consent to the use of your geolocation information to find the PaymentPlus Office nearest to you. In order to offer you this service, we use in device location services. Your geolocation information will only be used on a once off basis to indicate the PaymentPlus Office nearest to you. This information will not be used for any other purpose.
4. What kind of personal information does PaymentPlus collect and how it is used?
The information we hold about you can vary depending on the products and services you use. This includes personal information which you give to us when you are looking for a quote for a product or service, personal information we collect automatically, for instance, your IP address and the date and time you accessed our services when you visit our websites or apps; and personal information we receive from other sources like credit reference agencies.
Here is a more detailed look at the information we hold about you and how it is used by us:-
|Types of information||Examples of how the information is used by PaymentPlus|
|Name, sex, date of birth, nationality, proof of address e.g. Electric bill, forms of photographic identification e.g. driving licence and/or passport, a self-portrait picture (or ‘selfie’) when uploaded to the PaymentPlus Mobile App.||We use this type of information to identify you and to help us combat fraud and other illegal activity.|
|Telephone number, e-mail address.
Technical information such as an IP address, unique identifier for your device.
|Your contact information is needed to manage and administer your accounts, products or services; to send you service, support and administrative messages, reminders, technical notices, updates, security alerts and information requested by you; and to notify you about either important changes or developments to the features and operation of those products and services. We also use this information to respond to your enquiries and complaints.|
Information to help us service your needs
Your client profile includes :
• Your account numbers
• Details of the PaymentPlus products you hold
• Webchats and the results of surveys you have completed.
Based on a review of the information contained in your client profile, we can, for example, effectively analyse which product or service might work best for you or which products you may need and offer these products to you.
If you provide information about other people (e.g. joint account holders, business partners, other directors or office holders within your business), please ensure that those persons have agreed to us using this information or that you are otherwise allowed to give us this information.
Account activity, including your transactions and your card turn over.
These details can be used for a variety of purposes including to prevent or detect money laundering, billing, to identify particular needs or usage patterns based on your transaction details, which when used in conjunction with your marketing preferences, can assist us to provide you with a better, personalised service.
Information gathered from simulations, applications, competition entries etc.
When you look for a quote, enter a competition or fill out an application with us, the personal information which you provide is processed and assessed by us to fulfil that purpose. That information will also be stored and used to pre-populate the form if you are interrupted during the process and/ or wish to start again at a later point. We may also contact you where your application is incomplete or interrupted to support you to complete that application or to answer any queries you may have.
Interactions with PaymentPlus staff in a PaymentPlus Office or elsewhere, by phone, email or through our digital channels etc.
Whenever a PaymentPlus staff member meets with you or contacts you this interaction is logged to retain a note of the interaction so that staff can deal with your queries and satisfy your requests. PaymentPlus may record phone conversations with you to train staff, improve security, resolve complaints and to improve our services generally. You will be informed when calls with our staff members are being recorded.
Events like contract renewals etc.
We may use these events to determine which services or products are most relevant to you.
Types of information
Examples of how the information is used by PaymentPlus
Your comments and suggestions, past complaints
We collect this information to analyse, assess and improve our services to customers, and also for training and quality control purposes. For example, we may monitor or record any communications between you and us including telephone calls.
Information made available by another party or in a public domain
Publicly available information including information on your social media profile where it is publicly accessible.
Information about you which is obtained from other parties, for example, joint account holders or people appointed to act on your behalf.
Information obtained through agreements with third parties, for example, credit reference agencies such as Experian or Vision-Net or fraud prevention agencies. These companies are responsible for gathering and maintaining that information lawfully.
We sometimes use this type of information to verify that the information we hold on our databases is correct.
We also use this information to help us understand our relationship with you and to help us to offer you products and services we believe will be of interest to you.
Information about your location
Location details from your mobile or other devices, including specific geographic locations through the use of GPS, Bluetooth, or WiFi signals, when you install or access our products or services and when location-based products or features are enabled.
If you choose to use the PaymentPlus Office finder service, you will be asked to consent to the use of your geolocation data to find the PaymentPlus Office nearest to you. We may also use your location information to develop anonymised analytical models to improve our products and services. The analysis is never personal and you will never be identifiable.
Images from security cameras in and around the PaymentPlus office premises.
We may use CCTV to monitor and collect images. We have a strict retention period for security cameras images but in certain limited circumstances, the recordings may be kept for longer, for instance, to provide evidence to the Gardai or the Police for investigations for fraud purposes or criminal proceedings.
PaymentPlus uses “cookie” technology on our website and mobile app.
Cookies are small pieces of information, held in simple text files, stored on your computer or mobile device when you visit a website or use a mobile app.
The PaymentPlus Privacy Statement for Online Media gives you more information on this technology, how and where we use them and how you can control them.
5. How do we use personal information for direct marketing?
We would like to make you aware of products and services which may be of interest to you. We can do this by using some of the personal information we hold about you to better understand your needs.
5.1. For example:-
ads in apps can be tailored to your interests or based on information you have shared with us;
based on your behaviour and/or the type of transactions in your account, we might offer you an alternative product or service that better suits your needs; or
based on your industry or other personal information we may offer you products or services which are widely used by others in the same industry group.
5.2. You can review and make changes to your marketing preferences at any time through the following:-
• via the customer contact channels outlined in [Section 1.2] above;
6. How does PaymentPlus make use of Automated Decision Making?
We use automated decision making to enable us to deliver decisions within a shorter time frame and to improve the efficiency of our processes. Some PaymentPlus operations are fully automated, with no human intervention and may include taking decisions based solely on automated processing. If you disagree with the outcome of a fully automated decision making process, you can speak to a PaymentPlus staff member to express your point of view and contest the decision using the customer contact channels outlined in [Section 1.2] of this Data Protection Notice.
6.1. An example of where we use automated decision making is as part of our credit decision process, which involves assessing your application for credit, taking account of your current circumstances and evaluating your ability to meet the required repayments.
The decision process takes into account different types of information, for example:-
information you have provided in your application such as the amount requested, the repayment period, the type of facility, your industry, etc.;
your credit history with credit reference agencies such as Experian or Vision-Net; and
details of other credit facilities you may have (with PaymentPlus or other financial institutions) such as loans, overdrafts, credit cards, etc.
PaymentPlus uses this information to apply internal credit assessment rules in a consistent manner. This ensures that your application for funding is treated fairly, efficiently and that we believe you can afford the required repayments. PaymentPlus reviews the automated credit decision making process on an ongoing basis to ensure that it remains fair, efficient and unbiased in order to better serve our customers. To ensure that our systems remain secure, we need to keep the finer details of how we apply the PaymentPlus funding assessment rules confidential.
7. What about Security and Confidentiality?
PaymentPlus uses a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure. We also take steps to ensure that only persons with appropriate authorisation can access your personal information.
7.1. Who can access your personal information within PaymentPlus and the Gateway Merchant Services Group
7.1.1. Only staff members who are suitably authorised can access your personal information if that information is relevant to the performance of their duties, whether it be in connection with the delivery of products or services or in accordance with legal or regulatory obligations. This may include, for example, staff members working in our Credit Department, Marketing Department, in any of the PaymentPlus Offices or customer services representatives you have dealings with.
7.1.2. As a member of the Gateway Merchant Services Group, PaymentPlus sometimes shares personal information relating to its customers with other members of the Gateway Merchant Services Group in order to carry out a number of key functions, for instance we use the services of the PaymentPlus Shared Services Centre, an Irish branch of the Gateway Merchant Services Group, for information technology support services.
7.2. Security measures to safeguard your personal information
Further information regarding Security and Fraud Awareness please visit https://www.fraudsmart.ie/personal/fraud-scams.
7.3. Other restrictions on use of your personal information
PaymentPlus does not collect personal information on individuals aged under 18. PaymentPlus will not sell or hire your personal information to third parties for their own use.
8.Who do we share your personal information with?
PaymentPlus sometimes shares your personal information with trusted third parties who perform important functions for us based on our instructions and applying appropriate confidentiality and security measures. For example, we use third party service providers to send out marketing material on a product or service you may be interested in. We also use third parties to help us detect, prevent, or otherwise address fraud, security or technical issues. We go into more detail below about the reasons we share personal information with third parties.
8.1. We have set out below some examples of where PaymentPlus shares your personal information:-
• We use specialist third party acquiring partners to help us process your payments;
- We use third party service providers to collect monthly payments from you;
- We use third party service providers to provide despatch, delivery, helpdesk and swap-out services;
• We undertake credit checks and report to credit reference agencies such as Vision-Net and Experian. Through these agencies we can check your credit history and debts. We also provide them with details regarding the products and services you have with us and we update them about your repayment record.
• We use printing and distribution agencies such as MailChimp to communicate with you about our products and services;
• We undertake market research in conjunction with agencies such as Core Research;
• We engage the services of solicitors, accountants, auditors, valuers, debt collection agencies and other consultants to act on our behalf and work with advisors you have instructed to represent you, or any other person you have informed us is authorised to give instructions or to use the account or products or services on your behalf (such as under a power of attorney);
• We work with certain relationship partners and agents, such as our approved panel of agents, under a strict code of confidentiality.
• We are required to cooperate by law or otherwise through a legal process with Irish and EU regulatory and enforcement bodies such as an Garda Siochana, the relevant courts, fraud prevention agencies or other bodies.
• We use the services of innovative and artificial intelligence led document, recognition and interrogation services providers, to identify you for anti-money laundering purposes. We also use third parties for document extraction services for the PaymentPlus Mobile App to present customers with a quick and efficient method of completing part of an application form by extracting that information directly from identification documents.
• We work with companies that support PaymentPlus to identify and analyse your user behaviour in our app and on our website, for example, Google Analytics.
• We may use specialist third parties to provide real-time customer engagement and appointment scheduling solutions on the PaymentPlus website.
• We engage the services of ICT and information security service providers, such as Microsoft.
8.1.1. We sometimes need to share information with organisations which are located or who otherwise undertake processing outside the EEA. This may mean, for example, that some of your personal information may be processed in countries such as the United States. We will however only transfer personal information to a country or territory outside of the EEA if that country provides an adequate level of protection for personal information as set down by the European Commission or where the transfer is made under a legally binding agreement which covers the EU requirements for the transfer of personal information to data processors outside of the EEA such as the model contractual clauses approved by the European Commission, or other approved mechanism or model approved by the European Commission. For more information about the European Commission’s decisions on the adequacy of the protection of personal information in countries outside the EEA, please visit: https://ec.europa.eu/info/law/law-topic/data-protection_en
8.1.2. We may disclose personal information relating to our customers to any third party in the event of a sale, transfer, assignment, disposal (or potential sale, transfer, assignment or disposal), merger, liquidation, receivership, of all, or substantially all or any part of the assets of PaymentPlus.
9. How long will we retain your personal information?
How long certain personal information is stored depends on the nature of the information we hold and the purposes for which they are processed. PaymentPlus determines appropriate retention periods having regard to any statutory obligations imposed on us by law. For example, we retain some customer information for 6 months after the end of the customer relationship. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the personal information will be deleted or anonymised which means that your personal information is stripped of all possible identifying characteristics. PaymentPlus has put in place procedures to ensure that files are regularly purged and that personal information is not retained any longer than is necessary.
10. Updates to our Data Protection Notice
We keep this notice under regular review and from time to time will look to amend it to reflect changes to the way in which we are processing personal information. The most recent version will always be available at for www.PaymentPlus.ie/data-protection-notice . We will inform you of material changes to the content of the Data Protection Notice through a notification posted on our website, PaymentPlus Mobile App or other communication channels. You will also find more information about European data protection legislation at https://ec.europa.eu/info/law/law-topic/data-protection_en