WHEREAS: The Parties wish to conclude an agreement on the protection of personal data, which is in line with the requirements of the existing legislation on the protection of personal data and Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data of natural persons and on the free movement of such data (General Data Protection Regulation).
In accordance with the above requirement, the Parties conclude this Data Processing Agreement to settle in writing their rights and obligations regarding the protection of personal data. The Parties agreed on the following:
1. Definitions 1.1. Unless otherwise indicated, the terms in this Data Processing Agreement have the following meanings:
1.1.1.
"DPA" means the present Data Processing Agreement and any additional annexes thereto, if any;
1.1.2.
"Regulation" means Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
1.1.3.
"Personal data" means any information relating to an identified or identifiable natural person;
1.1.4. "Categories of data subjects":
- private individuals, related to customers;
- legal entities/arrangements – directors/managers, signatories, shareholders, ultimate beneficial owners, influencers, contact persons;
- cardholders – that make to or receive payments from the customers of the Controllers.
1.1.5.
"Personal Data Controller" is a natural or legal person, public body, agency or other entity which, alone or jointly with others, defines the purposes and means of processing personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the Controller or the specific criteria for its determination may be established in EU or national law;
1.1.6.
"Processing of personal data" is any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data becomes available, arranged or combined, restricted, deleted or destroyed.
1.2. The Merchant to this DPA provides to PAYNETICS to store and to process personal data received by the Merchant throughout the transaction processing and in connection with KYC/AML, monitoring & dispute processes, for the purposes of fulfilling the Merchant Agreement for acquiring services and PAYNETICS legal obligations and legitimate interests closely related to the acquiring activity as a whole.
1.3. The recipients of the Personal Data are the following companies, agents, subcontractors and their respective employees: PSP/MSP, authorized 3
rd parties connected to the PSP/MSP, Paynetics, equensWorldline (authorized processor for Paynetics), international card schemes (VISA and MasterCard), any other entities to which it may be reasonably necessary to disclose and transfer Personal data (for example: law enforcement agencies, anti-terrorism or organized crime agencies, fraud monitoring agencies, central banks etc.).
1.4. The Parties shall provide their personal data for processing for the period of validity of this DPA and these data will be stored and processed in accordance with art.2.1 and art. 8.3. herein below.
1.5. The Merchant must not misrepresent itself as being a card scheme Member.
2. Duration and Termination 2.1. The present DPA shall survive the duration of the Merchant Agreement by remaining in force for a term of 5 (five) years from the date of termination of the Merchant Agreement.
3. Basics 3.1. The Controller undertakes to comply with all legal requirements concerning the protection of personal data.
3.2. The Controller undertakes to process personal data in accordance with the purpose and conditions set forth in the Merchant Agreement and this DPA.
3.3. The Controller agrees not to use the personal data for any other purposes than the one specified and in accordance with the Merchant Agreement and this DPA.
3.4. The Parties shall provide each other with access to all the information necessary to demonstrate the fulfillment of the data protection obligations.
4. Technical and organizational measures 4.1. The Controller undertakes to take all necessary technical and organizational measures to ensure the protection of the processing of personal data.
4.2. The Controller undertakes to cooperate to meet the legal requirements concerning the protection of personal data, when notifying supervisors and interested parties following a data breach.
4.3. The Controller guarantees, that:
- that all of their staff are appropriately trained in line with their responsibilities under applicable data protection law;
- that aggregated, anonymized data may be created based on Personal Data;
- that data subjects are not identifiable from the Personal Data;
5. Breach of the security of personal data 5.1. The Controller shall notify the Merchant immediately and in writing of any breach of legal provisions concerning the protection of personal data or of any of the obligations specified in this DPA in the event of a personal data breach.
5.2. The Controller must report to Merchant without undue delay but not later than 24 hours after having become aware of the data breach. In this regard, the party concerned shall notify the type of infringement and the extent of the violation and shall advise on measures to protect against future violations.
6. Return and deletion of personal information 6.1. Upon expiry of the period of time provided for in art. 2.1 or art. 8.3, as the case may be, of the DPA, the Parties shall return and/or destroy all personal data and their existing copies, attesting to the other Parties, unless their storage is legally required.
7. Transfer of personal data 7.1. The Parties agree, that the transfer and disclosure of Personal Data may take place worldwide and that transfer of Personal Data outside of the EEA shall be made only on the basis of either:
7.1.1. Decision of the European Commission that a third party offers an adequate level of protection ("adequate level of protection decision").
7.1.2. In the absence of a decision on an adequate level of protection, the transfer can be done by providing appropriate safeguards and provided there are applicable rights and effective legal remedies for the protection of individuals.
7.1.3. Finally, if transfer of personal data to a third party not subject to an adequate level of protection is envisaged, and if appropriate safeguards are not available, a transfer may be made on the basis of a number of exceptions for specific situations, for example when subject expressly agreed to the proposed transfer after having been provided with all the necessary information regarding the risks involved in the transfer.
7.2. Personal data may be used and/or shared where deemed applicable with third parties for:
- Billing purposes;
- Product enablement and build;
- KYC verification services;
- Transaction Investigation;
- Transaction Monitoring;
- Disputes processing;
- Testing or product improvement purposes;
- To reply to requests from public authorities.
8. Amendment and termination of this Data Processing Agreement 8.1. The DPA shall be concluded for the period of validity referred to in art. 2.1 herein above.
8.2. The DPA may be terminated:
- by mutual consent, expressed in writing;
- in the event of non-compliance with the obligations of either party, and in the event of a breach of the General Regulation, in which case each party has the right to notify the supervisory authority of the breach committed.
8.3. Without prejudice to art. 2.1 of the present DPA, in the cases as per art. 8.2 above, the already provided personal data shall be stored and may be processed for a period of 5 (five) years as of the date of termination of the DPA on any of the grounds enumerated above.
8.4. This data processing agreement may only be modified by the Parties by mutual agreement expressed in writing.
9. Contact point for data protection enquiries Paynetics - using our website contact/ inquiry form at
www.paynetics.digital - by telephone, on the contact number published on our website (+359 2 806 5615)
- by the following email –
dpo@paynetics.digital - by post, to postal address - bul. James Bourchier 76A, Hill Tower, Sofia, PO 1407, Bulgaria.
10. Additional provisions 10.1. All data rights are available to the Merchant, taking into account the relevant services provided, including the right of the Merchant to lodge a complaint with an authority and where applicable, the right to erasure and/ or correction of Personal data and data portability.
10.2. All disputed matters relating to clauses of this data processing agreement shall be settled by mutual agreement in writing. If no agreement is reached, the interested party may refer the dispute to the competent Bulgarian court. Bulgarian substantive and procedural law is applicable with the exception of conflict of laws provisions.
This Agreement has been signed in two identical copies, one for each of the Parties, and shall apply from date of Merchant Agreement.