Data Processing Agreement
1. Purpose
Within the framework of the execution of the present Contract, PayXpert processes Personal Data as a Processor, on behalf of the Merchant acting in the capacity of Controller.
These clauses apply to the processing of personal data as described in Annex I. Annexes I to III form an integral part of the clauses.
The present clauses are without prejudice to the obligations to which the Data Controller is subject under the General Data Protection Regulation (EU) 2016/679, hereinafter “GDPR”, and the applicable UK Data Protection Act, which implements similar principles to the GDPR.
2. Definitions and interpretation
Where terms defined in the GDPR appear in these clauses, they shall be understood as defined in that Regulation.
The provisions of this clause shall be read and interpreted in light of the provisions of the GDPR. They shall not be interpreted in a manner contrary to the rights and obligations under the GDPR or in a manner that infringes the fundamental rights or freedoms of data subjects.
In the event of any inconsistency between these clauses and the provisions of related agreements existing between the Parties at the time these clauses are agreed or entered into subsequently, these clauses shall prevail.
3. Description of the processing activity(ies)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex I.
4. Instructions
- The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
- The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
5. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless it receives further instructions from the controller.
6. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex I.
7. Security of processing
- The processor shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
- The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
9. Documentation and compliance
The processor undertakes to demonstrate its compliance with the provisions set out in this clause.
The processor shall deal promptly and adequately with requests from the Controller regarding the processing of data in accordance with these clauses.
The processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in these clauses and arising directly from the GDPR.
At the request of the controller, the processor shall also permit and assist in audits of the processing activities covered by these clauses at reasonable intervals or in the presence of indications of non-compliance. When deciding on a review or audit, the controller may take into account relevant certifications in the possession of the processor.
The controller may decide to conduct the audit itself or to commission an independent auditor. Audits may also include inspections at the processor’s premises or physical facilities and shall, where appropriate, be conducted with reasonable notice.
The parties agree that the controller may, up to once a year, also have an on-site audit of the conditions under which the processor carries out the Processing listed in Annex I.
The controller shall notify the processor in writing of its intention to have an audit carried out, subject to a minimum notice period of 30 working days.
Prior to conducting such an on-site audit, the controller and processor shall agree on the scope, timing and duration of the audit.
Audit costs will be advanced by the controller.
In the event that the audit report reveals substantial non-compliance with the processor’s obligations under this Contract, the processor undertakes to bear the costs of the audit incurred by the controller and to implement, at its own expense, the necessary corrective measures within a period of time to be agreed between the Parties, depending on the seriousness of the breaches and/or non-compliances and/or the risks that they pose to individuals.
In the event that the audit report does not reveal any substantial non-compliance with the processor’s obligations under this Contract, the controller shall bear the costs of the audit.
The Parties shall make available to the competent supervisory authority, upon request, the information set forth in this clause, including the results of any audit.
10. Recourse to sub-processors
The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.
At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
The processor shall agree a third party beneficiary clause with the sub-processor whereby – in the event the processor has factually disappeared, ceased to exist in law or has become insolvent – the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
11. International transfers
- Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject, and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
- The controller agrees that where the processor engages a sub-processor in accordance with Clause 10 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
12. Information of data subjects
It is the responsibility of the controller to provide information to the data subjects of the processing operations at the time of collection of the personal data.
13. Assistance to the controller
- The processor shall promptly notify the controller of any request it has received from a data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
- The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling the obligations set out in the two preceding paragraphs, the processor shall comply with the controller’s instructions.
- In addition to the processor’s obligation to assist the controller pursuant to the preceding paragraph, the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
- The obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
- the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
- the obligations in Article 32 of Regulation (EU) 2016/679 (security of processing).
- The Parties shall set out in Annex II the appropriate technical and organizational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
14. Processor’s record of processing activities
The processor undertakes to meet its obligation of transparency and traceability by, in particular, keeping a written record of all categories of processing activities carried out on behalf of the controller, including:
- The name and contact details of the controller on whose behalf it acts, and, if applicable, of any subsequent processor and/or the Data Protection Officer (“DPO”);
- the categories of processing carried out on behalf of the controller;
- where applicable, transfers of personal data to a third country or to an international organization, including the identification of such third country or international organization and, in the case of transfers referred to in Article 49, paragraph 1, subparagraph 2 of the GDPR, the documents attesting to the existence of appropriate guarantees;
- to the extent possible, a general description of the technical and organizational security measures implemented to ensure the security of personal data and their processing, including, inter alia, as appropriate:
- pseudonymization and encryption of personal data;
- the means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services
- the means to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.
The record shall be in written and electronic form.
The processor shall make the record available to the competent supervisory authority upon request.
15. Notification of personal data breach
In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.
Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
- in notifying the personal data breach to the competent supervisory authority/ies without undue delay after the controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
- in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification and must at least include:
- the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- In complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after having become aware of the breach. Such notification shall contain, at least:
- a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
- the details of a contact point where more information concerning the personal data breach can be obtained;
- its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
16. Liability and termination
The processor shall indemnify the controller against any damage resulting for the controller from a failure on the processor’s part to comply with its own obligations under or arising from this clause and/or the GDPR, including any failure on the part of its affiliates or subsequent processors. In this respect, the processor undertakes in particular to indemnify the controller against any action, challenge, claim or complaint by any third party, as well as any sanction or conviction by any authority or jurisdiction, which has as its origin, cause or basis such a breach by the processor of its own obligations provided for by or arising from this clause or the GDPR.
The processor expressly acknowledges that any limitations or exclusions of liability provided for in the service provision contract shall in no case apply to damages suffered by the controller resulting from any breach by the processor of this clause. Such damages include, but are not limited to, any sanctions or convictions suffered by the controller originating from or based on the processor’s breach of its own obligations under this clause or the GDPR.
Without prejudice to the provisions of the GDPR, in the event of a breach by the processor of its obligations under these clauses, the controller may instruct the processor to suspend the processing of personal data until the processor has complied with these clauses or until the contract is terminated. The processor shall promptly inform the controller if it is unable to comply with these clauses for any reason.
The controller is entitled to terminate the contract insofar as it relates to the processing of personal data in accordance with these clauses if:
- the processing of personal data by the processor has been suspended by the controller and compliance with these clauses is not restored within a reasonable period of time and, in any event, within one month of the suspension;
- the processor is in serious or persistent breach of these clauses or its obligations under the GDPR;
- the processor fails to comply with a binding decision of a competent court or the competent supervisory authority(ies) regarding its obligations under these clauses or the GDPR.
The processor shall be entitled to terminate the contract insofar as it relates to the processing of personal data under these clauses where, after informing the controller that its instructions violate the applicable legal requirements in accordance with Clause 4, the controller insists that its instructions be followed.
17. Fate of the data at the end of the contract
The processor undertakes, at the end of the processing and at the latest at the end of the contract for any reason whatsoever, to delete all the personal data or to return them to the controller, according to the latter’s choice, as well as to destroy the existing copies, unless the retention of such personal data beyond the term of the Agreement is justified by legal or regulatory provisions applicable to such personal data and/or for the preservation of evidence in any litigation, judicial or extra-judicial, directly or indirectly related to the performance of a party’s obligations under this agreement.
18. Obligations of the controller
The Controller undertakes to:
- provide the processor with the personal data referred to in the contract;
- document in writing any instruction(s) regarding the processing of personal data by the processor;
- ensure, in advance and throughout the processing, that the processor complies with its obligations under the GDPR;
- supervise the processing, including by conducting audits and inspections of the processor.
Annex I: Description of the Processing
| Item | Description |
| --- | --- |
| Categories of data subjects whose personal data are processed | Merchant’s customers |
| Categories of personal data processed | Identification data; financial transactions data |
| Sensitive data processed (if any) and the limitations or safeguards applied that take full account of the nature of the data and the risks involved, such as, for example, strict purpose limitation, access restrictions (including access only to personnel with specialised training), maintenance of a data access log and use of the access logs, restrictions on onward transfers, or additional security measures | Sensitive data: financial data that might be used for payment fraud. Safeguards: PCI DSS certification; security measures listed in Annex II. |
| Nature of the processing | Collection and transmission of financial data on behalf of the Merchant |
| Purpose(s) for which the personal data are processed on behalf of the Data Controller | Provision of PayXpert Services as defined in PayXpert’s Terms & Conditions |
| Duration of processing | For the duration of the provision of the Services |
| For processing by (sub-)processors, also specify the purpose, nature and duration of the processing | N/A |
Annex II : Security measures
Risk: Based on the data required from users and on the Processor’s activity, a risk analysis/assessment of the processing of the data has been carried out; the risks have been evaluated and graded, and the measures needed for adequate protection and security have been adopted.
Scope of Application of Technical and Organisational Security Measures: PayXpert states that it applies the technical and organisational measures necessary for adequate protection, confidentiality, integrity, resilience and security, in line with the accountability (proactive compliance) requirements of the Data Protection Act 2018, to the processing described in this Agreement.
Security Document: PayXpert states that it maintains a Security Document, drawn up in accordance with the aforementioned risk analysis and with the criteria and principles of the Data Protection Act.
Protocols: PayXpert declares that it maintains and keeps updated a set of protocols and work processes, in general and in particular regarding the management of Personal Data, and undertakes to communicate them to all employees, staff and third parties with whom it works and who have access to the data. Likewise, PayXpert undertakes not to allow access to, or processing of, files containing personal data by personnel who have not received a copy of said documents.
Incident Registry: PayXpert states that it maintains an Incident Registry that complies with the Security Document and with the accountability principles applicable to the Controller. This registry is used by its personnel to report any incident relating to the security of information and personal data, as well as any incident affecting files in which personal data are processed.
Access Control: PayXpert states that it complies with the following measures regarding access control:
- Maintains an updated list of authorized users and accesses.
- Allows access only to authorized users according to the functions assigned to each of them.
- Establishes mechanisms that prevent access to data or resources with rights other than those authorized.
- Access rights are granted only by authorised personnel.
Identification and Authentication: PayXpert in its access to personal data maintains the following security measures regarding the identification and authentication of users who will have access to said data:
- Identification and authentication are individual to each user.
- There is a procedure for assigning and distributing passwords which requires the use of robust passwords. Passwords are stored in an unintelligible form (never in clear text).
- Passwords are confidential (known only to the user).
- Passwords are changed at regular intervals, with the rotation period set according to the sensitivity of the data accessible through the account.
Media Management: PayXpert has adopted the following security measures regarding media containing personal data:
- Maintains a media inventory.
- Has established a labelling system, tied to the inventory, that also identifies the type of information each medium contains.
- Stores the authorised media in a restricted-access area.
- Has established an authorisation regime for the removal of media from its facilities, including transmission by e-mail.
- Adopts specific measures to guarantee the confidentiality and security of personal data during the transport and disposal of media.
Backups: PayXpert states that it operates a backup system that guarantees the recovery of information where necessary, and that this system is tested regularly.
Non-Automated Files: Regarding paper documents containing personal data to which PayXpert has access, PayXpert adopts the following measures:
- Keeps the documentation in filing cabinets, drawers or cupboards fitted with a locking mechanism.
- During the review or processing of documents, the person in charge of them must handle them diligently and guard them so as to prevent unauthorised access. Only authorised personnel have access to the documents.
- If documentation is transferred, security measures are adopted to prevent its loss or access to it by third parties.
Third-party personnel: PayXpert has duly communicated these obligations to its staff, ensuring compliance with the applicable regulations. Likewise, pursuant to the Data Protection Act 2018, every party that processes personal data on PayXpert’s behalf has signed an appropriate processing contract under which it commits to comply with the same legal minimums and with the measures set out by the Controller for the management and protection of Personal Data.