Legal Terms for Merchants
Data Processing Agreement for Cross-border PaymentsUpdated on July 12, 2020
This Data Processing Agreement ("Agreement") forms part of the Merchant Agreement between EBANX and the Merchant (together as the “Parties”).
(A) The Merchant acts as a Data Controller.
(B) The Merchant wishes to contract payment processing services provided by EBANX, which imply the processing of personal data specified in Schedule A.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing.
(D)The Parties wish to lay down their rights and obligations.
It is agreed as follows:
Definitions and Interpretations
Unless otherwise defined herein or in the Merchant Agreement, capitalized terms and expressions used in this Agreement shall have the following meaning:
Applicable Laws means the data protection laws applicable to the Merchant Agreement or to the Customer in the Territories;
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Applicable Laws;
Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller;
Data Transfer means:
A transfer of Merchant Personal Data from the Merchant to EBANX;
or an onward transfer of Merchant Personal Data from EBANX to a Subprocessor, or between companies of EBANX;
Merchant Personal Data means any Personal Data processed by EBANX or Subprocessors on behalf of Merchant pursuant to or in connection with the Merchant Agreement;
Personal Data means any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person;
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;''
Subprocessor means any person appointed by or on behalf of EBANX to process Personal Data on behalf of the Merchant in connection with the Agreement;
“Supervisory Authority” means an independent public authority which is concerned by the processing of Personal Data because of Applicable Laws.
Processing of Merchant Personal Data
- ensure the collection of Merchant Personal Data according to the Applicable Laws, taking into account the nature, scope, context and purposes of the Processing;
- allow EBANX to process Merchant Personal Data for the provision of the Services or on the relevant Merchant’s documented instructions.
- comply with all Applicable Laws in the Processing of Merchant Personal Data on the Territories; and
- not Process Merchant Personal Data for a purpose other than the provision of the Services or on the relevant Merchant’s documented instructions;
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to Merchant Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Merchant Personal Data, as strictly necessary for the purposes of the Merchant Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EBANX shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
In assessing the appropriate level of security, EBANX shall take account the risks that are presented by Processing, in particular from a Personal Data Breach.
EBANX shall not appoint (or disclose any Merchant Personal Data to) any Subprocessor unless required or authorized by the Merchant or necessary for the provision of the Services.
Data Subject Rights
Taking into account the nature of the Processing, EBANX shall assist the Merchant by implementing appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Merchant obligations to respond to requests to exercise Data Subject rights under the Applicable Laws.
EBANX shall ensure that it does not respond to that request except as required by Applicable Laws to which EBANX is subject or on the documented instructions of Merchant.
Whether EBANX cannot fulfil Merchant’s obligation to respond to request to exercise Data Subject rights under the Applicable Laws, EBANX shall promptly notify Merchant if it receives a request from a Data Subject in respect of Merchant Personal Data.
Personal Data Breach
EBANX shall notify Merchant without undue delay upon EBANX becoming aware of a Personal Data Breach affecting Merchant Personal Data, providing Merchant with sufficient information to allow the Merchant to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Laws.
EBANX shall cooperate with the Merchant and take reasonable commercial steps as are directed by Merchant to assist in the investigation, mitigation and remediation of each Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
EBANX shall provide reasonable assistance to the Merchant with any data protection impact assessments, insofar as possible, and prior consultations with Supervising Authorities, which Merchant reasonably considers to be required whether the Processing would result in high risk in the absence of measures taken by EBANX to mitigate the risk, in each case solely in relation to Processing of Merchant Personal Data by EBANX.
Deletion or Return of Merchant Personal Data
In the event of cessation of the Services involving the Processing of Merchant Personal Data, EBANX shall, within 15 business days, delete and procure the deletion of all copies of Merchant Personal Data.
Clause 9.1 does not apply if EBANX shall continue the Processing of Merchant Personal Data to comply with purposes for which they were collected or for compliance with a legal or regulatory obligation under Applicable Laws. In this case, EBANX shall delete and procure the deletion of all copies of Merchant Personal Data within 15 business days after the cessation of such grounding.
EBANX shall ensure that Merchant Personal Data internationally transferred due to the provision of the Services is adequately protected. To achieve this, EBANX shall transfer Merchant Personal Data to countries or international organizations that ensure adequate level of protection or rely on standard contractual clauses for the transfer of personal data.
Unless otherwise stated in the Merchant Agreement, to the extent that the terms of this Agreement and the Merchant Agreement conflict, the terms of the Merchant Agreement shall prevail.
Merchant is the Data Controller.
The Data Processor is any company of EBANX Group (as defined in the Merchant Agreement) responsible for providing payment processing services in each of the Territories.
Data Subjects are Merchant’s Customers (Merchant Personal Data).
Categories of Data and Processing Operations
The following categories of Merchant Personal Data may be processed by EBANX, depending on the Processing purpose: (1) full name; (2) email; (3) ID data; (4) address; (5) date of birth; (6) telephone number; (7) scanned documents; (8) biometric photograph; (9) IP address; (10) payment method information; (11) proof of address; (12) proof of payments.
Personal Data may be processed for the following purposes:
- to provide the Services;
- to monitor, prevent and detect frauds, to verify payment’s authenticity and to prevent harm to Merchant, EBANX and/or third parties;
- to respond to Customer and Merchant support request;
- to comply with legal or regulatory obligations applicable to the processing of Personal Data to which EBANX is subject;
- to produce and distribute promotional marketing actions, unless otherwise agreed in the Merchant Agreement;
- to analyze, develop and improve EBANX’s products and services;
- otherwise to fulfill the obligations set out in the Merchant Agreement.