This Data Processing Agreement is part of the terms and conditions of the service and will come into force from the moment of acceptance of the Terms and Conditions of the service. This Agreement will apply to personal data that the Processor processes on your behalf.
Hereinafter, the Business shall be referred to as “Data Controller”, and the Processor, as “Data Processor”.
1. Obligations of the Data Processor.
The Data Controller shall provide the Data Processor with access to all Personal Data that may be necessary for the execution of this Agreement and the completion of tasks assigned.
Personal Data shall be always processed as per instructions of the Data Controller and used only for the purposes established in this Agreement, unless otherwise expressly agreed in writing with the Data Controller.
The Data Processor shall not share, transfer, submit or otherwise allow access to third parties of the Personal Data.
Moreover, the Data Processor shall document all data processed on behalf of the Data Controller. In particular, the Data Processor must keep a log containing all the categories of processed Personal Data, including:
- 1. Identification of the Data Processor and the Data Controller, contact information of both or, failing that, Data Protection Delegates.
- 2. The categories of all Data Protection processing actions carried out.
- 3. The transfer of Personal Data to a third-party country or international organisations, including the identification of such third-party country or international organisations.
- 4. General description of the technical and organisational safety measures related to:
- a) Pseudonymisation and encryption of Personal Data.
- b) The ability to ensure the permanent confidentiality, integrity, availability, and resilience relevant to the systems and services of data processing.
- c) The ability to quickly recover the availability and the access to Personal Data, in the event of a physical or technical incident.
- d) The process of regular verification, evaluation, and assessment regarding the efficacy of the technical and organisational measures to ensure the safety of the data processing.
2. Authorised Personnel.
The Data Processor shall appoint those members of their workforce (hereinafter, the “Authorised Personnel”) who shall participate in the rendering of the Services, ensuring that such persons shall be the only ones authorised to access the Personal Data subject to the processing requested by the Data Controller.
The Data Processor ensures that the Authorised Personnel acknowledge the security and confidentiality obligations arising from the applicable Privacy law with which they must comply, and that the Data Processor has provided all the instructions necessary for such compliance.
The Data Processor shall, always, monitor the compliance with all the instructions provided by the Data Controller in connection with the processing of Personal Data, and shall verify the fulfilment of the established procedures by the Authorised Personnel to guarantee the quality, update, and safety of the Personal Data, as well as the compliance with the applicable regulations.
3. Details and purpose of the Personal Data processing.
The purpose of the Personal Data processing by the Data Processor is to facilitate payment transactions on behalf of and at the direction of the Data Controller.
If the Data Processor considers that the Personal Data processing subject matter hereof, or the instructions provided by the Data Controller, violate in any way whatsoever the provisions set forth by the prevailing legislation on such matters, they shall immediately inform the Data Controller.
The means used by the Data Processor to carry out the processing requested by the Data Controller shall be as follows:
Means of processing:
| Computational | Physical | Mixed |
| --- | --- | --- |
| [X] | [ ] | [ ] |
For the performance of the subject matter hereof, the Data Controller shall provide access to the following information to the Data Processor:
Categories of the interested parties
– Persons who use the payments services provided by the Data Processor.
Typology of data processed
– Identification data (name, surname, contact email, domicile)
– Place of residence
– Date of Birth
– Nationality
The information described herein may and shall, from time to time, be adapted to the reality of the Data Processing. Any amendment to the processing shall always require prior written agreement between the parties.
4. Security measures.
The Data Processor shall take all the security and organisational measures necessary to guarantee the protection of the Personal Data for which the Data Controller is responsible.
The Data Processor shall adopt mechanisms to:
- a) Ensure the permanent confidentiality, integrity, availability, and resilience relevant to the systems and services of Personal Data processing.
- b) Quickly recover the availability and the access to Personal Data, in the event of a physical or technical incident.
- c) Regularly verify, evaluate, and assess the efficacy of the technical and organisational measures adopted to ensure the safety of the Personal Data processing.
- d) Pseudonymise and encrypt the Personal Data, where possible and appropriate.
5. International transfers.
The Data Controller agrees that the Data Processor may transfer personal data to any country, provided all transfers by the Data Processor of personal data shall be effected by way of Appropriate Safeguards and in accordance with Applicable Privacy Law, such as:
- a) Standard contractual clauses approved by the controlling authority having proper jurisdiction.
- b) Conduct Codes or other certification mechanisms approved by the controlling authority having proper jurisdiction.
- c) Binding Corporate Regulations approved by a controlling authority having proper jurisdiction.
6. Subcontracting.
The Data Controller grants to the Data Processor specific authorisation to appoint the Sub-Processors listed in Addenda I, in connection with the Data Processor's performance of the Services.
The Data Controller grants to the Data Processor general authorisation to appoint additional or replacement Sub-Processors for the Data Processor's performance of the Services, provided that the Data Processor gives advance notice of its intention to appoint each Sub-Processor.
In the event of authorised Subcontracting, the Data Processor shall:
- a) Take all measures necessary to verify and assure the Data Controller that the Sub-Processor is capable of rendering the service with maximum guarantees, offering an equal level of protection of the Personal Data to that offered by the Data Processor.
- b) Ensure the execution of a contract between the Data Processor and the Sub-Processor, with the same guarantees as for the Processing subject matter hereof.
- c) In the event of any uncertainty about the security measures adopted by the Sub-Processor in connection with the required Processing, the Data Processor shall communicate this to the Data Controller in order to verify if said measures conform to the minimum requirements demanded by the Company.
- d) Explicitly prohibit the Sub-Processor to likewise subcontract the requested service either wholly or in part, without prior written authorisation from the Data Controller.
7. Communications.
For the purposes of facilitating the fulfilment of the obligations arising from these terms, the parties provide their contact details established in the Terms and Conditions.
8. Information and collaboration.
The Data Processor shall store, and put at the disposal of the Data Controller, all the necessary information in order to prove the compliance with their obligations, and for the performance of the audits or inspections that the Data Controller or other auditor authorised by them may carry out.
9. Rights of the Interested Parties.
The Data Processor shall communicate to the Data Controller when the interested parties exercise their rights of access, rectification, cancellation/deletion, objection, restriction of the processing or portability.
In light of the above, the Data Processor shall:
- a) Report promptly and in no event later than forty-eight (48) hours after the receipt of any request for the exercise of rights by any interested party, as well as any complaint or grievance relevant to the processing of Personal Data.
- b) Provide full assistance in connection with said exercise of all rights, complaints, or grievances, so that the Data Controller may address them with the necessary diligence and accuracy.
- c) Ensure that no member of the workforce, and in no event any Sub-Processor, answers to the interested party without prior express notification in writing by the Data Controller and, where applicable, without following the instructions established herein. Where the Data Processor is obliged, pursuant to the applicable legislation, to answer the interested party's request, they shall communicate such legal obligation to the Data Controller before providing any answer whatsoever, except if prevented by such legislation.
- d) Keep a record of all complaints, grievances, or requests for exercise of rights by the Interested party, including a copy of the request, the measures adopted to answer to said request and any other communication held with the Interested party in connection with the alluded request.
10. Security violations.
The Data Processor shall immediately inform the Data Controller about any security breach that affects or may affect in any way whatsoever the Personal Data under the responsibility of the Data Controller.
This notification shall include, in any event, the information relevant to:
- a) The nature or type of security breach suffered, as well as the way in which it may have affected the Personal Data of the Data Controller.
- b) The details of the measures adopted by the Data Processor, or their proposals of measures to be adopted, in order to prevent such security breach from re-occurring and to prevent, as far as possible, any other type of breach, whether similar or not.
- c) A proposal of measures to be adopted by the Data Controller, where possible, to mitigate the effects of the security breach suffered by the Data Processor, as well as, where applicable, those technical or organisational measures that the Data Controller may adopt to prevent future security violations.
Furthermore, the Data Processor shall collaborate with the Data Controller to assist them in the investigation and repair of any security breach whatsoever.
11. Collaboration with the obligation of compliance of the Data Controller.
The Data Processor shall collaborate with the Data Controller to ensure and demonstrate the compliance with the prevailing legislation on Personal Data protection by the Data Controller, and especially but not limited to:
- a) Assisting in the answer to the exercise of rights requested by interested parties.
- b) Collaborating in the maintaining of the Record of processing activities held by the Data Controller, where applicable.
- c) Actively participating and providing as much help or information as needed to determine the causes, risks, consequences, and impact related to any security breach whatsoever, collaborating where necessary with the Controlling Authority with proper jurisdiction.
- d) Drawing up or collaborating with the undertaking of all necessary impact evaluations in connection with the processing of Personal Data related to the Services.
- e) Providing the Data Controller all support necessary for the compliance with any Codes of Conduct relevant to the Services, as well as where applicable, to obtain all appropriate certifications whatsoever that the Data Controller may have an interest in obtaining.
12. Rights of auditing.
The Data Processor shall put at the disposal of the Data Controller all necessary or relevant information in connection with the processing of Personal Data requested, to allow the Data Controller to demonstrate the compliance with the regulations.
13. Termination of the Agreement.
Once the services have been rendered, the Personal Data shall be destroyed or returned to the Data Controller, at their discretion, and the Data Processor shall not keep any copy of such data whatsoever, except to comply with legal obligations contracted by virtue of the provision of services.
If the Data Controller opts for the return of the Data, the Data shall be returned through systems that may include protocols to ensure the confidentiality of the data (FTPS/SSL or equivalent) and in a format of widespread use or readable with standard software. In the event of non-automated filing systems, the Data Processor shall ensure the confidentiality of the chain of custody or delivery.
If the Data Controller opts for the destruction of the Data, the Data Processor shall ensure that this process is carried out in a confidential way and that said Data, once destroyed, be irrecoverable, undertaking the responsibility to issue all relevant certificates to prove the confidential destruction of such Data.
ADDENDA I – LIST OF SUB-PROCESSORS
Third-party sub-processors
| Entity name | Entity location | Nature and purpose of the processing |
| --- | --- | --- |
| LexisNexis Risk Solutions FL Inc. | United States | Anti-Money Laundering SaaS |
| Cybersource Corporation | United States | Risk management and fraud mitigation services |
| Microsoft Corporation | United States | Service hosting, data storage, operations and administrative management SaaS |
| Atlassian Pty Ltd | United States | Project management SaaS |
| IVXS UK Ltd “ComplyAdvantage” | United Kingdom | Anti-Money Laundering and fraud SaaS |
Payretailers Group sub-processors
| Entity name | Entity location | Nature and purpose of the processing |
| --- | --- | --- |
| Payretailers Group S.L.U | Spain | Legal, economic, administrative, commercial, and industrial consultancy |
| Payretailers Technologies S.L.U | Spain | Services related to information technology |
| Payretailers Latam Holdings S.L | Spain | Financial advice; services related to information technology; legal, economic, administrative, commercial and industrial consultancy |
Last update: February 2023