Data protection
Data protection for General Terms and Conditions
APPENDIX 3 – DATA PROTECTION APPENDIX (DPA)
DEFINITIONS
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the applicable Data Protection Legislation.
Data Protection Legislation: the General Data Protection Regulation ((EU) 2016/679) (the ‘GDPR’); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a Party.
Domestic Regulation: means any and all applicable laws and regulations relating to the performance of services, including but not limited to laws and regulations applying to or regulating the processing of personal data and of electronic payments, criminal laws, e.g. money laundering, tax laws, and other mandatory laws and regulations affecting the performance of obligations under the Agreement.
DATA PROTECTION
The Parties will comply with all applicable requirements of the Data Protection and Domestic Legislation. This Appendix shall implement measures required in accordance with the Data Protection Legislation, but does not relieve, remove or replace, a Party’s obligations or rights under the Data Protection Legislation.
The Parties acknowledge that for the purposes of the Data Protection Legislation, the roles of Controller, Processor and/or Sub-Processor may be dependent on the services actually being provided by the Parties under the Agreement and/or the source of the personal data, amongst other factors, and, as such, these roles shall be assigned on a case-by-case basis as reflected in the Annex[es] to this Appendix. The provisions below shall apply to each Party as appropriate and in accordance with those Annexes. For processing arrangements, sections 1.5 to 1.9 of this Appendix 3 shall apply for the processing of Personal Data by the Processor.
Where both Parties are acting as independent Controllers, each Party agrees to comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the Personal Data transferred pursuant to this Agreement.
The Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Processor and/or lawful collection of the Personal Data by the Processor on behalf of the Controller for the duration and purposes of this Agreement.
The Processor shall, in relation to any Personal Data processed in connection with the performance by the Processor of its obligations under this agreement:
- process that Personal Data only on the documented written instructions of the Controller which are set out in the Agreement unless the Processor is required by Applicable Law to otherwise process that Personal Data. Where the Processor is required by Applicable Law to process Personal Data, the Processor shall promptly notify the Controller of this before performing the processing required by the Applicable Law unless such Applicable Law prohibits the Processor from so notifying the Controller. Notwithstanding the foregoing, the Processor is entitled to process the Personal Data for the sole purpose of anonymising the data, to enable the Processor to aggregate the data for analysis, service enhancements and reporting;
- ensure that it has in place appropriate technical and organisational measures, reviewed by the Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
- ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
- not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
  - the Controller or the Processor has provided appropriate safeguards in the meaning of Art. 46 GDPR in relation to the transfer;
  - the data subject has enforceable rights and effective legal remedies;
  - the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
  - the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data;

  For the avoidance of doubt, the Controller hereby grants its consent to those transfers necessary for the provision of the Products and Services under the Agreement. If the parties wish, at a later stage, to add further Products and Services which may require transfer of Personal Data to a country outside of the European Economic Area without an adequate level of protection, the agreement to add said Products and Services shall serve as the necessary authorization required by this clause.
- assist the Controller, at the Controller’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the Controller without undue delay on becoming aware of a Personal Data Breach;
- at the written direction of the Controller, delete or return Personal Data and copies thereof to the Controller on termination of the Agreement unless required by Applicable Law to store the Personal Data; and
- maintain complete and accurate records and information to demonstrate its compliance with this clause.
The Controller hereby consents to the Processor appointing Sub-processors as third-party processors of Personal Data under this Agreement. The Processor confirms that it has entered or (as the case may be) will enter into written Agreements with its Sub-processors which reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Controller and the Processor, the Processor shall remain fully liable for all acts or omissions of any Sub-processor appointed by it pursuant to this clause.
If the Processor is located outside the EEA, in a country which has not been considered by the European Commission as providing an adequate level of protection for Personal Data, it shall not be entitled to receive the Personal Data otherwise than on terms that comply with applicable Data Protection Laws, in particular the applicable provisions set out in the European Commission decision of February 5th, 2010, 2010/87/EU (the ‘Standard Contractual Clauses’). At all times the Controller shall retain the right at its sole discretion to refuse access or transmission of the Personal Data to the Processor.
The Parties acknowledge that Personal Data may be processed or transferred to the United Kingdom (UK) for the duration of the Agreement. On 1st February 2020, the Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community 2019/C 384 I/01 (the “Withdrawal Agreement”) entered into force. As such, the UK is no longer part of the European Union (EU). However, on June 28, 2021, the European Commission adopted a UK GDPR adequacy decision recognizing an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom. The Parties accordingly further acknowledge that transfers of personal data subject to this Agreement between the EU and the UK do not require any additional safeguards with respect to intra-EU transfer.
Clauses 1.4, 1.5, 1.6, 1.7 and 1.8 shall apply, mutatis mutandis, where one Party is acting as a Processor and the other as a Sub-processor.
ANNEX 1 – TRANSFER OF PERSONAL DATA – PRODUCTS AND SERVICES / PAYMENT PROCESSING SERVICES
1. Data Controller
The Data Controller is Contractual Partner.
2. Data Processor
The Data Processor is, as applicable, PPRO Financial Ltd and/or PPRO Payment Services S.A.
3. Data subjects
The personal data transferred concerns the following categories of data subjects:
- Customer
4. Categories of data
The personal data Processed by the Data Processor concerns the following categories of data:
- Name
- Last name
- Address
- Telephone Number
- Email address
- Internet Protocol (IP) Address
- Identification Number (e.g. Passport number, Tax ID, Personal ID)
- Account Numbers
5. Purposes of the processing
- Provision of Products and Services, and Payment Processing Services when applicable, in accordance with the Agreement.
6. Duration of the processing
- In accordance with the Agreement.
ANNEX 2 TRANSFER OF PERSONAL DATA – REGULATORY REQUIREMENTS
1. Independent Controllers
PPRO Financial Ltd., PPRO Payment Services S.A. and Contractual Partner are independent Controllers.
2. Data subjects
The personal data transferred concerns the following categories of data subjects:
- Directors/UBO of the Contractual Partner
- Directors/UBO of the Merchants
3. Categories of data
The personal data processed concerns the following categories of data:
- Name
- Last name
- Address
- Telephone Number
- Email address
- Identification Number (e.g. Passport number, Tax ID, Personal ID)
4. Purposes of the processing
- Undertake necessary due diligence, in accordance with PPRO’s Regulatory Requirements and Applicable Law.
5. Duration of the processing
- In accordance with the Agreement.