Data Processing Agreement
Merchant (the "Data Controller")
Transpayrent (the "Data Processor")
(separately referred to as a “Party” and collectively the “Parties”)
have concluded this
DATA PROCESSING AGREEMENT (the "Agreement")
regarding the Data Processor's processing of personal data on behalf of the Data Controller.
The processed personal data
i. This Agreement has been entered into together with, and forms an integral part of, the agreement on payment gateway services entered into between the Parties (the “Main Agreement”).
ii. The Data Processor processes the personal data which forms part of the transaction data processed by the Data Processor on behalf of the Data Controller. The data subjects whose personal data is processed on behalf of the Data Controller by the Data Processor are payment service users.
iii. The Data Processor may initiate processing of personal data on behalf of the Data Controller after the Main Agreement enters into force. The processing has the duration of 2 years from the date the personal data is obtained by the Data Processor.
iv. The Agreement and the Main Agreement are interdependent and this Agreement can only be terminated if the Main Agreement is correctly terminated.
v. The personal data to be processed by the Data Processor concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1.
vi. "Personal data" means any information relating to an identified or identifiable natural person, see article 4(1) of Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation "GDPR").
i. The Data Processor must only process personal data for purposes set forth in the Main Agreement.
Obligations of the Data Controller
i. The Data Controller warrants that the personal data is processed for legitimate and objective purposes and that the Data Processor is not processing more personal data than required for fulfilling such purposes.
ii. The Data Controller is responsible for ensuring that a valid legal basis for processing exists at the time of transferring the personal data to the Data Processor. Upon the Data Processor's request, the Data Controller undertakes, in writing, to account for and/or provide documentation of the basis for processing.
iii. In addition, the Data Controller warrants that the data subjects to whom the personal data pertains have been provided with sufficient information on the processing of their personal data.
Obligations of the Data Processor
i. All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with the instructions set forth in this Agreement (including with regard to data transfers), which constitute the Data Controller's complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) the Data Processor makes changes to its systems, processes, etc. which require changes to the instructions, in which case the Data Processor will notify the Data Controller of the amendments to the instructions in the same manner as the Data Processor provides notice of amendments to the General Terms and Conditions under the Main Agreement.
ii. The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU GDPR or the data protection provisions of a Member State.
iii. The Data Processor must take all necessary technical and organisational security measures (pursuant to GDPR art. 32), including any additional measures, required to ensure that the personal data is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable personal data legislation under EU law and national law in the relevant EU member states. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, including the PCI DSS (Payment Card Industry – Data Security Standard), for details see https://www.pcisecuritystandards.org.
The security measures deemed necessary and applied by the Data Processor shall be risk based and will be updated from time to time by the Data Processor, however not to the material detriment of the Data Controller.
iv. The Data Processor must ensure that employees (or other persons) authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
v. If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for the processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processor's Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) is sufficient.
vi. Furthermore, the Data Controller is entitled at its own cost to appoint an independent expert who shall have access to the Data Processor's data processing facilities and receive the necessary information in order to be able to audit whether the Data Processor complies with its obligations under the Agreement, including ensuring that the appropriate technical and organisational security measures have been implemented. The expert shall upon the Data Processor's request sign a customary nondisclosure agreement, and treat all information obtained or received from the Data Processor confidentially, and may only share the information with the Data Controller.
vii. Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the Data Controller by appropriate technical and organisational measures in the fulfilment of the Data Controller's obligation to respond to requests for exercising the data subjects' rights as laid down in chapter 3 of the GDPR.
viii. The Data Processor, or another data processor (subdata processor), must send requests and objections from data subjects to the Data Controller for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such requests itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections.
ix. If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state.
x. The Data Processor must notify the Data Controller of any personal data breach, as defined in article 4(12) of the GDPR. The Data Processor's deadline for notifying the Data Controller of a personal data breach is 48 hours from the moment the Data Processor becomes aware of it. If requested by the Data Controller, the Data Processor must assist the Data Controller in clarifying the scope of the breach, including the preparation of any notification to the Danish Data Protection Agency and/or the data subjects.
xi. The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the GDPR and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Processor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, https://www.pcisecuritystandards.org, or can be obtained from the Data Processor upon request.
xii. In addition to the above, the Data Processor must, to the extent reasonable, assist the Data Controller in ensuring compliance with the Data Controller's obligations under articles 32 to 36 of the GDPR, including impact assessments and prior consultation. This assistance will take into account the nature of the processing and the information available to the Data Processor.
Transfer of data to subdata processors or third parties
i. The Data Processor must comply with the conditions laid down in article 28, paragraph 2 and 4 of the GDPR to engage another data processor (subdata processor).
This implies that the Data Processor does not engage another data processor (subdata processor) for the performance of the Agreement without prior specific or general written approval from the Data Controller.
ii. The Data Controller hereby specifically authorizes the Data Processor to engage affiliates of the Data Processor as subdata processors. Additionally, the Data Controller hereby grants the Data Processor a general power of attorney to enter into agreements with subdata processors. The Data Processor must inform the Data Controller of any addition or replacement of subdata processors no later than 30 days before a new subdata processor commences processing of the personal data. The Data Processor will notify the Data Controller of any new subdata processor in the same manner as the Data Processor provides notice of amendments to the General Terms and Conditions under the Main Agreement. The Data Controller may make reasonable and relevant objections against such changes, provided that the objection is received within 20 days from the Data Processor publishing the updated list of subdata processors. If the Data Processor still wishes to use a subdata processor to which the Data Controller has objected, the Parties have the right to terminate the Agreement and the Main Agreement with a shorter notice, cf. clause 7.2. During this notice period the Data Controller must not require that the Data Processor refrain from using the subdata processor in question.
iii. The Data Processor must impose at least the same data protection obligations on the subdata processor as set out in this Agreement. This is done through a contract or another legal act under EU law or the law of a Member State.
iv. If the subdata processor fails to fulfil its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the subdata processor’s obligations.
v. Disclosure, transfer and internal use of the Data Controller's personal data to third countries or international organisations may only take place in accordance with documented instructions from the Data Controller, unless stipulated by EU law or the law of a Member State to which the Data Processor is subject. If so, the Data Processor must notify the Data Controller of this legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
vi. If the personal data stipulated in Annex 1 is transferred to subdata processors in third countries, it must, in the said data processor agreement, be stated that the data protection legislation applicable in the Data Controller's country applies to foreign subdata processors. Furthermore, if the receiving subdata processor is established within the EU, it must be stated in the said data processor agreement that the receiving EU country's specific statutory requirements regarding data processors, e.g. concerning demands for notification to national authorities must be complied with.
As for subdata processors outside the EU/EEA, the Data Processor must enter into standard agreements in accordance with Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries ("Standard Contractual Clauses").
vii. The Data Controller hereby instructs and grants the Data Processor a general power of attorney to enter into Standard Contractual Clauses with subdata processors outside the EU/EEA on behalf of the Data Controller, and instructs the Data Processor to enter into such agreements provided that the entering into of such an agreement is subject to the Standard Contractual Clauses as described in Section 5.7 above or to an alternative solution ("Alternative Solution") that enables the lawful transfer of personal data to a third country in accordance with Chapter V of the GDPR. If the Data Processor has entered into Standard Contractual Clauses as described in Section 5.7, the above authorization will constitute the Data Processor's prior written consent to the subcontracting by the Data Controller of the processing of the personal data, if such consent is required under the Standard Contractual Clauses.
viii. Upon request from the Data Controller, the Data Processor or a third party selected by the Data Processor shall conduct an audit and provide an audit report regarding a subdata processor's compliance with the obligations and requirements in the subdata processor agreement with the Data Processor. A request for such an audit report may be made by the Data Controller once per year, and the audit shall be both conducted and provided at the Data Controller's expense.
ix. On the date of entering into this Agreement, the Data Processor engages the subdata processors listed in Annex 2. Notwithstanding this section 5, the Data Controller acknowledges and accepts that the Data Processor will not always be able to impose the same data protection obligations on certain subdata processors (e.g. Google Cloud Platform). In respect of the processing performed by such subdata processors (but only such processing), the Data Controller acknowledges and accepts that the terms agreed between the Data Processor and such subdata processors (e.g. Google Cloud Platform) shall apply. Notwithstanding the foregoing, the Data Processor must ensure, and warrants and guarantees, that such applicable terms are in all respects compliant with the GDPR. The Data Controller will receive a copy of the Data Processor's agreement with the abovementioned subdata processors as regards the provisions related to data protection obligations.
i. The Parties’ liability is governed by the Main Agreement.
ii. The Parties’ liability in damages under this Agreement is governed by the Main Agreement.
Effective date and termination
i. This Agreement becomes effective at the same time as the Main Agreement.
ii. In the event of termination of the Main Agreement, this Agreement will also terminate.
However, the Data Processor remains subject to the obligations stipulated in this Agreement, as long as the Data Processor processes personal data on behalf of the Data Controller.
In the situation described under clause 5.2, the Parties have the right to terminate the Main Agreement and the Agreement with a notice of 1 (one) month ending at the end of a month.
iii. Upon termination of the processing services the Data Processor is obliged to, upon request of the Data Controller, delete or return all personal data to the Data Controller, as well as to delete existing copies, unless retention of the personal data is prescribed by EU or national law.
Governing law and jurisdiction
i. Any claim or dispute arising from or in connection with this Agreement must be settled by a competent court of first instance in the same jurisdiction as stated in the Main Agreement.
Annex 1
This Annex constitutes the Data Controller's instructions to the Data Processor in connection with the Data Processor's data processing for the Data Controller, and is an integral part of the Agreement.
The processing of personal data
a) Purpose and description of the processing operations
The supplier is a payment service provider offering Merchants, operating through e-commerce and m-commerce, the technological platform to facilitate transactions across various payment options, acquiring processors,
b) Categories of data subjects
c) Categories of personal data
i. Name, address, email address, personal identification number, telephone number
ii. Credit card number and expiry date
iii. Name, address, email address, company identification number, telephone number
d) Special categories of data
e) Transfer of personal data to third countries
The Data Controller acknowledges and consents that the Data Processor may transfer personal data to be processed on the Data Controller's behalf to third countries.
f) Location(s), including name of country/countries of processing
Frederikskaj 2, 6. th.
2450 Copenhagen SW