SPS Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions (“Agreement”) between Southern Payment Systems (“SPS”) and You for the purchase of Payment Service, to reflect the parties’ agreement with regard to the Processing of Personal Data.
By using Pin Payments, you, as the Merchant, accept and agree to our:
It is important that all parties have a clear understanding about what data and whose data is protected under this DPA. The following definitions help identify the scope of this DPA, and interpretations from the Terms of Service apply to this DPA.
“Controller” is the party that determines the purposes and means of the processing of personal data – you are the controller with respect to customer personal data.
“Data Protection Laws” means any applicable data protection or privacy laws of any country, and includes EU Data Protection Laws;
“Processor” is the party that processes personal data on behalf of the controller – Pin Payments is the processor of the personal data we process about your customers.
“Merchant” refers to the company or organization that signs up to use the Payment Service to process transactions on behalf of their customers. The Merchant is the Controller for the purpose of the Agreement.
“Sub-processor” means any person (including any Third Party, but excluding our employees, contractors or advisors) appointed by us or on our behalf to process Personal Data;
“Personnel” refers to those individuals who are employed by or are under contract to perform a service on behalf of one of the parties. Personnel may have rights in their personal data (including business contact information) if they reside in the EU. It is important to be clear about how personnel’s rights are protected.
“Data Subjects” refers to those individuals residing in the EU who are customers of a Merchant’s goods or services, as well as any personnel who reside in the EU.
“Personal Data” refers to any data relating directly or indirectly to an identifiable data subject. Personal data does not include any data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific individual, directly or indirectly.
“Processing” is given the same meaning as in the GDPR, which we summarize as including: collecting, recording, using, storing, amending, adapting, disclosing, transferring or transmitting, structuring, combining, deleting or destroying personal data (“Process” and “Processed” shall have similar meanings).
“Incident” means: (a) a complaint or a request with respect to the exercise of an individual’s rights under the GDPR; (b) an investigation into or seizure of the personal data by government officials, or a specific indication that such an investigation or seizure is imminent; or (c) any breach of the security and/or confidentiality as set out in this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data, or any indication of such breach having taken place or being about to take place.
2. Processing of Personal Data
2.1 Role of the parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, you (the Merchant) are the Controller, Pin Payments is the Processor and that Pin Payments will engage Sub-processors pursuant to the requirements set forth in Section 3 “Sub-processors” of this Addendum.
2.2 Our obligations
(a) We will comply with the applicable Data Protection Laws in the Processing of Personal Data.
(b) We shall collect, process and use Personal Data only within the scope of Controller’s documented instructions, for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Controller’s customers, and (iii) Processing to comply with some other documented, reasonable instructions provided by Controller (e.g. through email) where instructions are consistent with the Agreement.
(c) We will only process Personal Data to the extent required to perform our obligations under the Terms of Service, to you, your organisation and staff.
(d) We will not modify, alter, delete, publish or disclose any customer Personal Data to any third party, or allow any third party to process personal data on Pin Payments’ behalf unless the third party is bound to similar confidentiality and data handling provisions.
(e) We will notify you as soon as practicable after we become aware of any Personal Data Breach affecting any of your Personal Data processed by Pin Payments. We will reasonably cooperate so you can perform a thorough investigation into the incident, to formulate a correct response, and to take suitable steps in respect of the incident.
2.3 Your obligations
(a) You warrant that you have the necessary consent to provide Pin Payments the instructions (and authorise us to instruct each Sub-processor) to process Personal Data in relation to the provision of the Payment Service.
(b) You warrant and represent that you are and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 2.3(a) on behalf of each of your Organisations, Staff Members or Informants authorised or deemed to be authorised by you to use the Payment Service.
(c) You shall, in your use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, your instructions for the Processing of Personal Data must comply with Data Protection Laws.
(d) You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which you acquired the Personal Data.
(e) You shall provide relevant privacy notices to Customers as may be required in your jurisdiction, including notice of their rights and provide the means for individuals to exercise those rights.
3. Sub-processors
3.1 You authorise Pin Payments to appoint Sub-processors (and permit each Sub-processor to appoint Sub-processors) in accordance with this clause 3.
3.2 We may continue to use Sub-processors already engaged by us as at the date of this Addendum, subject to us in each case as soon as practicable meeting the obligations set out in clause 3.4.
3.3 We warrant that for any active Sub-processor, we will have entered into a written agreement with the Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
3.4 We shall make available to Merchant the current list of Sub-processors for the Payment Service, on the Pin Payments website at https://pinpayments.com/sub-processors.
3.5 We will provide you prior written notice of the appointment of any new Sub-processor. If, within 10 business days of receipt of that notice, you notify us in writing of any objections (on reasonable grounds) to the proposed appointment, we will not appoint (or disclose any Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by you and you have been provided with a reasonable written explanation of the steps taken.
4.1 We will implement appropriate technical and organisational measures to secure Personal Data against loss or any form of unlawful Processing.
4.2 Taking into account the state of the art and the costs of their implementation, these measures guarantee an appropriate security level given the risks associated with Processing and the nature of the Personal Data to be protected. The measures are, in part, aimed at preventing unnecessary collection and further Processing.
4.3 On request, we shall immediately provide you with all reasonable information relating to the security of Personal Data.
5. Data and Security Breaches
5.1 We will notify you (and any other party if required by law) without undue delay upon us or any Sub-processor becoming aware of a Personal Data Breach affecting Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
5.2 We will cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
6. Data Subject Requests
6.1 We will fully cooperate, in so far as possible, so that you may comply with your legal obligations in the event that a Data Subject exercises its rights under the GDPR or other applicable Data Protection Laws.
6.2 If a Data Subject contacts us directly in relation to any matter under any Data Protection Laws, we will advise them to address any such request to the Controller, with a request for further instructions.
(a) our name and address;
(b) the purposes for which Personal Data are processed by us;
(c) the categories of Personal Data processed by us;
(d) any Third Party to whom Personal Data are made accessible;
(e) the countries where Personal Data are collected and Processed;
(f) the Data Subject’s rights to access, correct and delete Personal Data.
6.4 If we receive a request or order from a Supervisory Authority, Government Agency or investigation, prosecution or national security agency to provide (access to) Personal Data, we will immediately notify you.
7. Retention of Data
7.1 We will retain Personal Data to the extent required by law and only to the extent and for such period as required by law and always provided that we will use our reasonable endeavours to ensure the confidentiality of all such Personal Data and to ensure that such Personal Data is only retained as necessary for the purpose(s) specified in the laws requiring its storage and for no other purpose.
7.2 We will not retain Personal Data made available to us any longer than is necessary:
(a) for the performance of the Agreement; or
(b) to comply with any of our obligations at law.
8.1 We shall make available to you information reasonably necessary to demonstrate compliance with Pin Payments’ obligations under this DPA. At a minimum, upon written request by you, Pin Payments will provide to you a copy of any third-party audit reports regarding the sufficiency of Pin Payments’ technical security measures.
8.2 You do not have any independent right to audit Pin Payments’ technical and/or organizational security measures.
9. Liability and Indemnity
9.1 Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.
10. Duration and Termination
10.1 This DPA shall come into effect on May 25, 2018 and shall continue until it is changed or terminated in accordance with the Terms and Conditions.
10.2 Termination or expiration of this DPA shall not release the parties from the confidentiality obligations stated in this document.
Our appointed Privacy and Data Protection Officer can be contacted at email@example.com.