
Data Processing Agreement

1. GENERAL CONDITIONS

This Data Processing Agreement (“DPA”) shall regulate the Processing of Personal Data of Data Subjects subject to EU Data Protection Laws for the Purposes specified in clause 3 herein by the Parties in the context of the Services. Annex 1 forms an integral part of this DPA.

2. DEFINITIONS

Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement (“Agreement” as defined in the Terms and Conditions). In this DPA, the following terms shall have the following meanings:

  • 2.1. Controller – a legal person which, alone or jointly with others, determines the Purposes and means of the Processing;
  • 2.2. Data Subject – a User or an employee, beneficial owner/principal, shareholder, representative, or director of the MERCHANT, or other natural person, whose Personal Data are Processed in the context of the Agreement;
  • 2.3. EEA – means the European Economic Area;
  • 2.4. EU Data Protection Laws – the EU General Data Protection Regulation 2016/679 (GDPR) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC, and as amended and replaced from time to time) and their national implementing legislations; the Data Protection Bill of the United Kingdom (as amended and replaced from time to time); and the Data Protection Laws of the EEA countries (as amended and replaced from time to time);
  • 2.5. Personal Data – any information relating to an identified or identifiable Data Subject, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject; the reference to ‘data’ shall be a reference to Personal Data;
  • 2.6. Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
  • 2.7. Processing – any operation which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • 2.8. Processor – a legal person which Processes Personal Data on behalf of the Controller;
  • 2.9. Purposes – Personal Data Processing purposes as specified in clause 3 of this DPA;
  • 2.10. Services – Services provided by ECOMMPAY to the MERCHANT in accordance with the Agreement;
  • 2.11. Sub-Processor – any person appointed by the Processor to Process Personal Data on behalf of the Controller in connection with the Agreement;
  • 2.12. Supervisory Authority – an independent public authority established by a Member State pursuant to Article 51 of the GDPR.

3. ROLES OF THE PARTIES

For the purpose of the DPA, the Parties acknowledge and confirm that:

  • 3.1. The MERCHANT shall be the Controller and ECOMMPAY shall be the Processor for the Purpose of Processing of Personal Data, which is necessary to Process in connection with Transactions, including chargebacks and refunds, in the course of providing the Services;
  • 3.2. ECOMMPAY shall be the Controller in relation to Personal Data where ECOMMPAY determines the purposes and the means of the Processing (specified in detail in Annex 1), including, but not limited to, the following Purposes:
  • 3.2.1. complying with any rule, regulation or law to which ECOMMPAY is subject;
  • 3.2.2. entering into the Agreement with the MERCHANT;
  • 3.2.3. managing authentication and authorisation;
  • 3.2.4. conducting risk management activities including fraud monitoring, prevention and detection;
  • 3.2.5. complying with the Know Your Customer requirements;
  • 3.2.6. complying with requirements for the prevention of money laundering and terrorism financing;
  • 3.2.7. assessing and/or mitigating financial, information security, and other risks arising in connection with the Agreement.

4. OBLIGATIONS OF THE CONTROLLER

The Controller represents and warrants that it:

  • 4.1. Complies with EU Data Protection Laws in respect of Processing of Personal Data, provides lawful Personal Data Processing instructions to the Processor and relies on a valid legal ground under EU Data Protection Laws for Processing Personal Data for each Purpose;
  • 4.2. Provides appropriate privacy notices to the Data Subjects regarding the Processing of Personal Data for the Purposes in line with the requirements of the EU Data Protection Laws;
  • 4.3. Takes reasonable steps to ensure that Personal Data is accurate, complete and current; adequate, relevant and limited to what is necessary in relation to the Purposes for which they are Processed; and kept in a form which permits identification of Data Subjects for no longer than is necessary for the Purposes for which the Personal Data are Processed unless a longer retention is required or allowed under the applicable law;
  • 4.4. Implements appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the Processing of Personal Data is performed in accordance with EU Data Protection Laws, including, as appropriate, appointing a data protection officer, maintaining records of Processing, complying with the principles of the Personal Data protection by design and by default and, where required, performing Personal Data protection impact assessments and conducting prior consultations with Supervisory Authorities;
  • 4.5. Responds to Data Subject requests to exercise their rights of (i) access, (ii) rectification, (iii) erasure, (iv) data portability, (v) restriction of Processing, and (vi) objection to the Processing in accordance with EU Data Protection Laws;
  • 4.6. Cooperates with the Processor to fulfil its respective Personal Data protection compliance obligations in accordance with EU Data Protection Laws.

5. OBLIGATIONS OF THE PROCESSOR

The Processor shall comply with the EU Data Protection Laws when Processing Personal Data for the Purposes in the context of the Principal Agreement and it shall:

  • 5.1. Process Personal Data in accordance with the Controller’s lawful written instructions, including but not limited to the instructions set forth by the Agreement, and not for any other Purposes than those specified in clause 3 of this DPA, unless otherwise agreed by both Parties in writing;
  • 5.2. Provide appropriate privacy notices to the Data Subjects regarding the Processing of Personal Data for the Purposes in line with the requirements of the EU Data Protection Laws;
  • 5.3. Promptly inform the Controller if, in its opinion, the Controller’s instructions infringe the EU Data Protection Law, or if the Processor is unable to comply with the Controller’s instructions;
  • 5.4. Cooperate with the Controller to fulfil the Controller’s Personal Data protection obligations under EU Data Protection Laws, including by providing all information available to the Processor as necessary to demonstrate compliance with the Processor’s own obligations;
  • 5.5. Keep internal records of Processing of Personal Data carried out as a Processor on behalf of the Controller;
  • 5.6. Assist the Controller in fulfilling its obligation to respond to Data Subjects’ requests as provided under EU Data Protection Laws and specified under clause 4.5 herein, and notify the Controller about such requests if the Processor receives them directly from the Data Subject;
  • 5.7. Notify the Controller when local laws prevent the Processor (i) from fulfilling its obligations under this Agreement and have a substantial adverse effect on the guarantees provided by this Agreement, and (ii) from complying with the instructions received from the Controller via the Agreement, except if such disclosure is prohibited by the applicable law;
  • 5.8. According to the choice of the Controller, delete, anonymise or return to the Controller any Personal Data provided by the Controller, as well as any existing copies of such Personal Data, upon the expiration or termination of the Agreement or upon a request to delete or return such Personal Data. The Processor shall duly inform the Controller in the event where the applicable law prevents the Processor from deleting, returning or anonymising all or part of the Personal Data or requires storage of the Personal Data;
  • 5.9. Ensure that any Sub-Processors engaged by the Processor in order to Process Personal Data in the context of the Services shall comply with the EU Data Protection Laws and shall abide with the obligations set out in this Agreement.

6. SUB-PROCESSING

  • 6.1. The MERCHANT hereby generally authorises ECOMMPAY to engage internal and external Sub-Processors in order to Process Personal Data in the context of the Services and to continue using the internal and external Sub-Processors already engaged in the provision of the Services, including but not limited to payment processors.
  • 6.2. The Processor shall conclude a written agreement with the Processor’s internal and external Sub-Processors, wherein the Sub-Processors guarantee to comply with the requirements of EU Data Protection Laws, with the Controller’s lawful instructions, including but not limited to the instructions and obligations set forth by the Agreement.
  • 6.3. The Processor shall provide the Controller with a prior written notice regarding any addition of a Sub-Processor. If within 10 (ten) Working Days after the receipt of such notice the Controller does not inform the Processor in writing of having any objections to the proposed appointment of a Sub-processor, the Processor shall consider that the Controller has authorised such appointment.
  • 6.4. The Processor shall not disclose any Personal Data to the proposed Sub-Processor until reasonable steps have been taken to address the objections raised by the Controller and the Controller has been provided with a reasonable written explanation of the steps taken.

7. PRIVACY NOTICE

  • 7.1. The MERCHANT shall inform the Data Subjects regarding the Personal Data Processing carried out in order to provide Services by inserting either the following statement in the MERCHANT’s privacy notice on the Website and/or Application: “We share certain personal information with third parties who help us to provide our services. Such third parties may include: 1) payment service providers[..]” or by using a similar statement, which shall appropriately reflect the fact that the MERCHANT relies on the services of a payment service provider. Should the MERCHANT decide to use its own wording for the abovementioned statement, the MERCHANT shall prior to inserting such statement in its privacy notice receive the approval of ECOMMPAY for such statement.
  • 7.2. If the technical set-up between the MERCHANT and the solution provided by ECOMMPAY for the provision of the Services does not enable ECOMMPAY to customise the payment page and insert a privacy notice with a hyperlink to ECOMMPAY’s privacy policy, the MERCHANT shall insert the relevant privacy notice, provided by ECOMMPAY, and the hyperlink to ECOMMPAY’s privacy policy in the payment confirmation page displayed to the MERCHANT’s Users. In such event ECOMMPAY may assist the MERCHANT, where feasible, by providing technical support.
  • 7.3. The MERCHANT shall inform the relevant categories of Data Subjects listed in Part 1 of Annex 1 regarding the Processing carried out by ECOMMPAY, and the MERCHANT hereby certifies that it relies on a valid legal ground for such processing.
  • 7.4. The Parties shall provide a contact point for the Personal Data protection enquiries and/or Data Subject access requests, including but not limited to designating a special e-mail address, where Data Subjects may address their requests. ECOMMPAY’s contact point shall be dpo@ecommpay.com. MERCHANT’s contact point for Personal Data protection enquiries shall be indicated in the Merchant Application Form.

8. DATA TRANSFERS OUTSIDE THE EEA

  • 8.1. The MERCHANT hereby authorises ECOMMPAY to transfer the Personal Data Processed in connection with the Services to ECOMMPAY’s internal and external Sub-Processors located in the territories outside of the EEA, provided that appropriate safeguards for the Personal Data transfer outside the EEA are in place.
  • 8.2. The MERCHANT hereby authorises Payment Method Providers to transfer the Personal Data to their Sub-Processors located outside the EEA and execute any required legal documentation on behalf of the Controller to adduce adequacy for the data transfer.

9. SECURITY AND CONFIDENTIALITY OF THE PROCESSING

  • 9.1. The Parties shall implement appropriate technical and organisational measures in order to ensure the appropriate level of security. In this regard the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and Purposes of Processing of Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing of Personal Data, in particular from Personal Data Breach.
  • 9.2. The Parties shall ensure that any person acting under their authority and having access to Personal Data is subject to a duly enforceable contractual or statutory confidentiality obligation.
  • 9.3. The Parties shall ensure that any person acting under their authority and having access to Personal Data is appropriately trained in line with their responsibilities under applicable data protection law.

10. PERSONAL DATA BREACH

  • 10.1. The Parties shall notify a Personal Data Breach that relates to Personal Data Processed in the context of the Services to the other Party, without undue delay, and no later than 48 hours after having become aware of a Personal Data Breach. The notifying Party shall provide sufficient information to allow the other Party to meet its obligations under the EU Personal Data Protection Laws.
  • 10.2. The Parties shall cooperate to reach an agreement on notifying a Personal Data Breach to the Supervisory Authority and to the Data Subjects and assist in the investigation, mitigation and remediation of each Personal Data Breach.
  • 10.3. The Parties shall thoroughly document all Personal Data Breaches, including all the relevant facts relating to the Personal Data Breach, its effects and the remedial action taken.

11. AUDIT RIGHTS

  • 11.1. Upon prior written request by the Controller, the Processor agrees to cooperate and within reasonable time provide the Controller with information necessary to demonstrate compliance with the EU Data Protection Laws and this Agreement.
  • 11.2. If the information provided is not sufficient to confirm compliance with EU Data Protection Laws or reveals material issues, subject to the strictest confidentiality obligations, the Processor allows the Controller to request an audit of the Processor’s data protection compliance program by external independent auditors, which are jointly selected by the Parties. The Parties shall mutually agree upon the scope, timing, and duration of the audit. The Processor shall make available to the Controller the result of the audit.

ANNEX 1: DESCRIPTION OF THE PROCESSING ACTIVITIES

1. MERCHANTS*

Purposes of the Processing

ECOMMPAY Processes Personal Data pursuant to the Agreement for the performance of the Services as described therein, which may include, without limitation:

  • entering into the Agreement with the MERCHANT;
  • complying with the Know Your Customer requirements;
  • complying with requirements for the prevention of money laundering and terrorism financing;
  • assessing and/or mitigating financial, information/data security, credit and insurance risks arising in connection with the Agreement.

*For the purposes of Annex 1, “MERCHANT” may as well include Affiliates.

Categories of Data Subjects

ECOMMPAY may Process Personal Data relating to the following categories of Data Subjects, as applicable:

  • The MERCHANT’s beneficial owners/principals, shareholders, directors;
  • Family members of the MERCHANT’s beneficial owners/principals;
  • The MERCHANT’s staff;
  • ECOMMPAY’s website, applications and platform users.

Types of Personal Data

ECOMMPAY may Process Personal Data, including but not limited to, the following categories of Personal Data:

  • First and last name;
  • Date of birth;
  • Home, work or other physical address;
  • Postal code/zip;
  • Country;
  • Telephone number;
  • Mobile phone number;
  • Email address;
  • IP address;
  • Company name;
  • Company registration number;
  • Current Position;
  • Previous places of employment;
  • Education;
  • Passport or ID data;
  • Credit/financial institution account number;
  • Information regarding the beneficial ownership in other companies.

Duration of the Processing

Personal Data may be Processed and stored for the period necessary to fulfil the agreed Purposes of Processing pursuant to the Agreement, or as otherwise authorised by the Applicable Laws.

2. USERS*

Purposes of the Processing

ECOMMPAY Processes Personal Data pursuant to the Agreement and the Principal Agreement for the performance of the services as described therein, which may include, without limitation:

  • managing authentication and authorisation;
  • conducting risk management activities including fraud monitoring, prevention and detection;
  • complying with the Know Your Customer requirements;
  • complying with requirements for the prevention of money laundering and terrorism financing.

Categories of Data Subjects

ECOMMPAY may Process Personal Data relating to the following categories of Data Subjects, as applicable:

  • Users.

Types of Personal Data

ECOMMPAY may Process Personal Data, including but not limited to, the following categories of Personal Data:

  • User’s first and last name;
  • Primary Account Number (PAN) and/or other account number;
  • Card Expiration Date;
  • Card Validation Code/Value;
  • E-mail address;
  • IP address.

Duration of the Processing

Personal Data may be Processed and stored for the period necessary to fulfil the agreed Purposes of Processing pursuant to the Agreement, or as otherwise authorised by the Applicable Laws.