Data Protection Addendum

Updated Data Protection Addendum

Effective Date February 18, 2022 for existing Merchants or immediately for Merchants who sign up after December 20, 2021 (the “Effective Date”)

This Data Protection Addendum (“Addendum”) is entered into between Merchant and PayPal (collectively the “Parties”). This Addendum shall form part of the Agreement between Merchant and PayPal (the “Agreement”) in accordance with the “Effect of this Addendum” section below.
Capitalized terms used but not defined in this Addendum shall have the meaning set out in the Agreement.

I. EFFECT OF THIS ADDENDUM

This Addendum amends and forms part of the Agreement, and is effective as of the Effective Date of the Agreement.

II. GENERAL

1. Definitions.
The following terms have the following meanings when used in this Addendum:

    a. “Agreement” means the Services Agreement or Merchant Agreement (as applicable) by and between PayPal and Merchant.
    b. “Controller” (also known as “Data Controller”) means an entity that determines the purposes and means of Processing Personal Data. In the event such term (or a similar term addressing similar functions) is already defined in the applicable Data Protection Laws, then “Controller”, as used herein, shall have the meaning provided in such applicable Data Protection Law, including the meaning of a “Business”, as applicable, as defined in the California Consumer Privacy Act of 2018.
    c. “Merchant Data” means all Personal Data that PayPal receives from the Merchant or Payee relating to the Merchant, a Payee, or otherwise relating to the Merchant’s use of the Hyperwallet Services, whether existing before or after the date of this Agreement.
    d. “Data Protection Laws” means any data protection laws, regulations, directives, regulatory requirements, and codes of practice applicable to the provision of the PayPal Services under this Agreement, including any amendments thereto and any associated regulations or instruments (which may include, without limitation, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), and its implementing regulations, the Australian Privacy Act 1988 (Cth), the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap. 486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018, and the Personal Data Protection Act 2012 (Singapore)).
    e. “PayPal Group” means PayPal, Inc. and all company entities which PayPal, or its successor(s), directly or indirectly from time to time owns or controls.
    f. “Payee” means an individual or business receiving a payment through Merchant’s use of the Hyperwallet Services.
    g. “Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
    h. “Process” or “Processed” or “Processing” means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.

2. PayPal as a Controller
PayPal shall comply with the requirements of the Data Protection Laws applicable to Controllers with respect to the use of Merchant Data herein (including, without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Merchant Data) and shall not knowingly do anything or knowingly permit anything to be done with respect to the Merchant Data which might lead to a breach by Merchant of the Data Protection Laws. PayPal shall only transfer Merchant Data to third parties, sub-processors or members of the PayPal Group who shall sign written agreements which contain terms for the protection of Merchant Data, which are no less protective than the terms set out in this Addendum. In the event Merchant elects a payout solution where a Payee is not required to sign up through the Hyperwallet hosted solution, Merchant agrees to present the Hyperwallet privacy policy (https://pay.hyperwallet.com/hw2web/consumer/page/privacyAgreement.xhtml) to its Payees prior to sharing any Personal Data of its Payees with PayPal.

3. Processing of Merchant Data in Connection with the Hyperwallet Services
The Parties acknowledge and agree that when PayPal provides Hyperwallet Services to Merchant, Merchant and PayPal are each independent Controllers with respect to all Merchant Data Processed in connection with the Hyperwallet Services. As such, PayPal independently determines the purpose and the means of the Processing of such Merchant Data and is not a joint Controller with Merchant with respect to such Merchant Data. The Parties acknowledge and agree that PayPal is permitted to use, reproduce, and Process Merchant Data and payment transaction data for the following limited purposes:

    a. as reasonably necessary to provide and improve the Hyperwallet Services to Merchant and its Payees, including fraud protection tools;
    b. to monitor, prevent, and detect fraudulent payment transactions, and to prevent harm to Merchant, PayPal, and to third parties;
    c. to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
    d. to analyze, develop, and improve PayPal’s products and services;
    e. internal usage, including but not limited to, data analytics and metrics;
    f. to compile and disclose Merchant Data and payment transaction data in the aggregate where Merchant’s individual or user Merchant Data is not identifiable, including calculating Merchant’s averages by region or industry;
    g. complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
    h. any other purpose for which PayPal provides notice to Merchant so long as such purpose is in accordance with the applicable Data Protection Laws.

4. Mutual Assistance
The Parties agree to cooperate with each other to the extent reasonably necessary to enable the other Party to adequately discharge its responsibility as an independent Controller under the Data Protection Laws. The Parties agree that to the extent Merchant receives a subject access request or any exercise by a Payee of its rights under Data Protection Laws, Merchant shall respond to such Payee’s access request directly. Merchant shall also inform Payees that they may exercise their data subject rights in connection with the Hyperwallet Services with PayPal according to the instructions described in the Privacy Statement available at https://www.hyperwallet.com/privacy-policy/ (which URL may be amended from time to time). In addition, if in connection with any security incident, PayPal determines in its sole discretion that it must notify affected Payees, and PayPal does not have the necessary contact information about an affected Payee to make such communication, then Merchant shall use commercially reasonable efforts to provide PayPal with information about such Payee that Merchant may possess for the limited purpose of PayPal’s compliance with applicable notification obligations regarding affected Payees under the Data Protection Laws.

5. Cross Border Data Transfers
The Parties agree that PayPal may transfer Merchant Data Processed under this Agreement outside the country where it was collected as necessary to provide the Hyperwallet Services. If PayPal transfers Merchant Data protected under this Schedule to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision (an “Adequacy Decision”), PayPal will ensure that appropriate safeguards have been implemented for the transfer of Merchant Data in accordance with the applicable Data Protection Laws. For example, and for purposes of compliance with the GDPR, PayPal relies on Binding Corporate Rules approved by competent supervisory authorities and other data transfer mechanisms for transfers of Merchant Data to other members of the PayPal Group.

    a. With respect to data transfers to a PayPal Group member located in a country that has not received an Adequacy Decision of Payees located in the European Union, Switzerland, the European Economic Area, and/or their member states and the United Kingdom, the Parties agree (i) to the extent applicable, your signing of the Agreement will be deemed to be signature and acceptance of the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR (“EU Transfer Clauses”) by Merchant, as the data exporter and in the role of controller, and will be deemed to be signature and acceptance of the standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the 2018 Data Protection Act and for the time being, in force in the United Kingdom (the “UK Transfer Clauses”), as the data exporter; (ii) to the extent applicable, the PayPal Group member’s signature of the Agreement will be deemed to be signature and acceptance of the EU Transfer Clauses by such PayPal Group member, as the data importer and in the role of controller, and will be deemed to be signature and acceptance of the UK Transfer Clauses, as the data importer; and (iii) the parties shall be subject to the Module 1 provisions of the EU Transfer Clauses.
In the event the European Commission or the UK Secretary of State (or other applicable UK authorized body) revises and thereafter publishes new EU Transfer Clauses or UK Transfer Clauses, respectively (or as otherwise required or implemented by the European Commission or the UK Secretary of State (or other applicable UK authorized body)), the parties agree that such new EU Transfer Clauses or UK Transfer Clauses, as applicable, will supersede the present EU Transfer Clauses or UK Transfer Clauses, as applicable, and that the parties agree to take all such actions required to effect the execution of the new EU Transfer Clauses or UK Transfer Clauses, as applicable. The EU Transfer Clauses (Module 1) and the UK Transfer Clauses will each be incorporated into the Agreement by reference and will be considered duly executed between the parties upon entering into force of this Agreement subject to the following details:

    A) EU Transfer Clauses

      1. option 1 of Clause 17 (Governing law) shall apply and the laws of Luxembourg shall govern the EU Clauses;
      2. in accordance with Clause 18 (Choice of forum and jurisdiction), the courts of Luxembourg will resolve any dispute arising out of the EU Clauses; and
      3. The parties agree that the details required under the EU Transfer Clauses Appendix are as set forth on Attachment 1.

    B) UK Transfer Clauses

      1. Clause II(h)(iii) is incorporated and signature of the Agreement by PayPal will be deemed the requisite initials from PayPal as the data importer;
      2. The parties agree that the details required under Annex B of the UK Transfer Clauses are as set forth on Attachment 1 (to the extent applicable).

Attachment 1
Appendix to the EU Transfer Clauses and Annex B of the UK Transfer Clauses

    A) The following is applicable, to the extent required, under the EU Transfer Clauses and the UK Transfer Clauses

Annex 1.A. List of Parties

Data Exporter

  • Name and Address: The data exporter is the Merchant and the address is as provided in the Agreement
  • Contact person’s name, position and contact details: as provided in the Agreement
  • Activities relevant to the data transferred under the Standard Contractual Clause: as provided in the Agreement
  • Signature and date: please see the “Cross Border Transfers” section of this Addendum
  • Role (controller/processor): controller

Data Importer

  • Name and Address: The data importer is the member of the PayPal group providing the services pursuant to the Agreement and the address is as provided in the Agreement
  • Contact person’s name, position and contact details: as provided in the Agreement
  • Activities relevant to the data transferred under the Standard Contractual Clause: as provided in the Agreement
  • Signature and date: please see the “Cross Border Transfers” section of this Addendum
  • Role (controller/processor): controller

Annex 1.B. Description of Transfer

Data Subjects Whose Personal Data is Transferred
The personal data transferred concern the following categories of data subjects:

  • The data exporter’s customers, employees and other business contacts.

Categories of Personal Data Transferred
The personal data transferred may include the following categories of data:

  • Merchant and payee names, transaction amount, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status, unique customer identifier, IP address, location, information on customer representatives, beneficial ownership information, business details and other required know your customer information and any other data received by PayPal under the Agreement.

Sensitive Data Transferred (if appropriate) and Applied Restrictions or Safeguards
The personal data transferred concern the following categories of sensitive data:

  • Not applicable, unless Merchant configures the service to capture such data.

Applied restrictions and safeguards:

  • Not applicable, unless Merchant configures the service to capture such data.

Nature of the Processing
As set forth in the Agreement.

Purpose(s) of the Transfer(s)
The transfer is made for the following purposes:

  • Performance of the services provided by data importer to data exporter in accordance with the Agreement.
  • To identify fraudulent activity and risk that is, or may, affect the data importer, the data exporter or other customers of the data importer.
  • To comply with laws applicable to the data importer.
  • As set forth in the Data Protection Addendum

The Period for which the Personal Data will be Retained, or, if that is not Possible, the Criteria Used to Determine that Period
The data importer only retains the personal data for as long as is necessary with regard to the relevant purpose(s) it was collected for (please see purposes above). To determine the appropriate retention period for personal data, the data importer considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which the personal data is processed and whether such purposes can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

For transfers to (Sub-) Processors, also Specify Subject Matter, Nature and Duration of the Processing
The data importer may share personal data with third-party service providers that perform services and functions at the data importer’s direction and on its behalf. These third-party service providers may, for example, provide an element of the services provided under the Agreement such as customer verification, transaction processing or customer support, or provide a service to the data importer that supports the services provided under the Agreement such as storage. When determining the duration of the processing undertaken by the third-party service providers, the data importer applies the criteria provided above in this Annex 1.B.

Annex 1.C. Supervisory Authority
In accordance with Clause 13(a) of the EU Transfer Clauses, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated shall act as competent supervisory authority.

Annex II. Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

  1. Pseudonymization, Encryption and the Protection of Data During Transmission.
    PayPal’s policies ensure compliance with this principle and require the use of technical controls to prevent the risk of disclosure of personal data. PayPal employs encryption in transit and at rest for all personal data. We also employ industry standard pseudonymization techniques, such as tokenization to protect personal data where applicable. PayPal has comprehensive policies that provide key obligations and processes to protect data when it is transferred within the enterprise and externally with third parties.

  2. Change Management and Business Continuity.
    PayPal’s robust change management process protects the ongoing availability and resiliency of data and systems throughout their lifecycle by ensuring that changes are planned, approved, executed, and reviewed appropriately. The Company’s business continuity management process provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders.

  3. Disaster Recovery.
    PayPal’s robust disaster recovery program has processes for recovering information or technology systems in the event of any significant disruption, focusing on the IT systems that support critical business processes and customer activities. PayPal’s technology infrastructure is housed in multiple secure data centers, with primary and secondary capability, each equipped with network and security infrastructure, dedicated application and database servers and storage.

  4. Regular Testing, Assessment and Evaluating Effectiveness of Technical and Organizational measures.
    PayPal regularly plans, executes and reports on the results of the Company’s testing program to assess and evaluate the effectiveness of its technological and organizational measures. The program is managed through our enterprise risk and compliance team who work with relevant stakeholders to obtain and evaluate information required for testing, reporting and remediating as necessary.

  5. User Identification and Authorization.
    PayPal’s access management processes require users to log into the corporate network using a unique corporate network account ID and password for user identification and authentication before accessing any other in-scope applications. Automated policies regarding password composition, length, change, reuse, and lockout are applied. Role-based access and approvals, which are certified quarterly, are implemented across all in-scope systems to enforce the principle of least privilege.

  6. Physical Security of Locations Where Personal Data is Processed.
    PayPal global safety and security policies and processes set forth the requirements necessary to facilitate sound safety and security processes, including physical security, in accordance with applicable laws, regulations and partner requirements. Special emphasis is placed on security systems and safeguards when constructing special or sensitive areas such as mail rooms, equipment storage, shipping and receiving areas, computer/server rooms, communications vaults or classified document/information storage areas in accordance with the Company’s information security handling standard.

  7. Events Logging and Configuration.
    PayPal has outlined and defined event logging and monitoring types and attributes. The Company collects and aggregates several types of logs to the centralized security monitoring system. Standard configuration management control is in place to ensure logs are collected from the systems, and then forwarded to our centralized security monitoring system. PayPal policies and supporting processes set forth that system configuration and hardening baselines must be implemented across all systems.

  8. IT Governance and Management; Certification and Assurance of Processes and Products.
    PayPal promotes a strong security philosophy across the Company. Our Chief Information Security Officer oversees information security across our global enterprise. As part of our Enterprise Risk and Compliance Management Program, our Technology Oversight and Information Security Program is designed to support the Company in managing technology and information security risks and identifying, protecting, detecting, responding to and recovering from information security threats. PayPal certifies and assures its processes and products through a variety of enterprise programs, including (i) audits and assessments of PayPal’s technical industry standard obligations including but not limited to, ISO 27001, Payment Card Industry’s (PCI) applicable standards (DSS, PIN, P2PE, etc.) and the American Institute of Certified Public Accountants (AICPA) SOC-1 and SOC-2, (ii) Risk Control Identification Process (RCIP) which ensures early engagement and a standard approach to the measurement, management, and monitoring of risk associated with the development and release of product solutions, (iii) privacy impact assessments which are integrated into the early stages of the product and software development processes, and (iv) a comprehensive third party management program, which provides assurance through continuous management of risks throughout the lifecycle of an engagement with a third party.

  9. Data Minimization.
    Our policies require, through technical controls, that data elements collected and generated are those which are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. PayPal’s privacy impact assessment processes ensure compliance with these policies.

  10. Data Quality and Retention.
    PayPal’s access and quality policy ensures that all personal data is correct, complete, and up to date, enabling individual users to access the system to correct and modify their particulars (e.g., address, contact details etc.), and, where a request for correction is received from a data subject, to provide a service which delivers their right to correction. Our data governance program monitors data quality, issues and remediations, as necessary. We require that all data be classified according to its business value with assigned retention periods, which is based upon PayPal’s legal, regulatory, and business recordkeeping requirements. Upon expiration of the retention period, data and information is disposed, deleted, or destroyed.

  11. Accountability.
    PayPal has developed a set of information security, technology, data governance, third party management and privacy policies and principles that are aligned to industry standards and designed to engage stakeholder collaboration and partnership in awareness and compliance with such policies and controls across the organization to ensure participation and accountability from the top down across the organization. Each program defines accountabilities for cross-functional data related decisions, processes and controls. As a data controller, PayPal is responsible for and demonstrates compliance with the relevant articles carrying an accountability obligation in the GDPR and other applicable data protection laws through the implementation of a privacy program policy and an underlying layered organizational and technical control structure to ensure enterprise-wide compliance with privacy law, regulation, policy, and procedures. These include being able to demonstrate compliance with the data protection laws through: 1) a strong culture of compliance, 2) an enterprise risk and compliance governance structure which includes management committees, oversight roles, privacy reporting, 3) business function accountability for compliance with the privacy program including establishment, documentation and maintenance of business processes and controls, 4) a global privacy department within the Enterprise Compliance Organization to oversee business compliance with the privacy program and define policies, standards, procedures, and tools which are operationalized by business functions, 5) communications to the enterprise by the global privacy function to promote awareness and understanding of privacy, 6) Enterprise Risk and Compliance Management Framework to ensure the use of consistent processes including privacy impact assessments, privacy monitoring and testing, privacy issue management, privacy training, annual privacy plan, and 7) reporting and analysis to management committees which oversee the Privacy Program.

  12. Data Subject Rights.
    PayPal has a program in place to ensure data subject rights are fulfilled, including access, correction and erasure. Data erasure requests are fulfilled unless PayPal has a legal or regulatory obligation or other legitimate business reason to retain the data. PayPal’s policies ensure that erasure occurs throughout the customer lifecycle.

  13. Processors.
    PayPal has a comprehensive third-party management program, which provides assurance through continuous management of risks throughout the lifecycle of an engagement with a third party. We have contractual controls in place to require our processors and their subprocessors to put in place comprehensive data security and privacy standards throughout the processing chain. All subprocessors must require our advance approval before being engaged.

B) The following is applicable to UK Transfer Clauses only
Recipients
The personal data transferred may be disclosed only to the following recipients:

  • The data importer’s service providers (as further detailed above), affiliates, and personnel performing services in accordance with the Agreement.

Data protection registration information of data exporter (where applicable)
Not applicable.

Additional useful information (storage limits and other relevant information)
As set forth in the Agreement and above in this Attachment 1.


Prior Data Protection Addendum

Ceases to be effective on December 20, 2021

This Data Protection Addendum (“Addendum”) is entered into between Merchant and Hyperwallet (collectively the “Parties”). This Addendum shall form part of the Services Agreement between Merchant and Hyperwallet (the “Agreement”) in accordance with the “Effect of this Addendum” section below.

Capitalized terms used but not defined in this Addendum shall have the meaning set out in the Agreement.

EFFECT OF THIS ADDENDUM

This Addendum amends and forms part of the Agreement, and is effective as of the Effective Date of the Agreement.

1 DEFINITIONS AND INTERPRETATION

1.1 The following terms have the following meanings when used in this Addendum:

“data controller” (or simply “controller”) and “data processor” (or simply “processor”) and “data subject” have the meanings given to those terms under the Data Protection Laws.

“Data Protection Laws” means EU Directive 95/46/EC or Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to Hyperwallet’s provision of the Services.

“Hyperwallet” means the entity that is a party to the Agreement, being PayPal, Inc., a Delaware corporation; Hyperwallet Systems Inc., a corporation incorporated in British Columbia; PayPal (Europe) S.à r.l. et Cie, S.C.A., established under the laws of Luxembourg; or Hyperwallet Systems Australia Pty. Ltd., an Australian proprietary limited company, and any of their respective successors and assignees.

“Merchant Data” means any personal data relating to business contact details of Merchant or its employees, officers or contractors provided to or obtained by Hyperwallet in the provision of the Services.

“PayPal Group” means PayPal and all companies in which PayPal, its parent, or their successors directly or indirectly from time to time own or control.

“Payee” means a European Union Payee of Merchant who uses the Services and for the purposes of this Addendum, is a data subject.

“Payee Data” means the personal data that the Payee provides directly or indirectly to Merchant and Merchant passes on to Hyperwallet through the use of the Hyperwallet Services.

“personal data” has the meaning given to it in the Data Protection Laws.

“processing” has the meaning given to it in the Data Protection Laws and “process”, “processes” and “processed” will be interpreted accordingly.

“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Payee Data on systems managed by or otherwise controlled by Hyperwallet.

“Services” means the “Hyperwallet Services” as defined in the Agreement.

“Sub-processor” means any processor engaged by PayPal and/or its affiliates in the processing of personal data.

“Standard Contractual Clauses” means unmodified standard contractual clauses approved and recognized by all relevant legal authorities of the European Union.

1.2 This Addendum comprises (i) sections 1 to 4, being the main body of the Addendum; (ii) Attachment 1; and (iii) Attachment 2.

2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES

2.1 Hyperwallet is the controller in respect of Merchant Data and may use it for the following purposes:

2.1.1 as reasonably necessary to provide the Services to Merchant and its Payee;

2.1.2 to conduct anti-money laundering, know your customer and fraud checks on the Merchant;

2.1.3 to market to the employees of Merchant; and

2.1.4 any other purpose that it notifies (or Merchant agrees to notify on its behalf) to the employees of Merchant in accordance with Data Protection Laws.

2.2 Hyperwallet shall comply with the requirements of the Data Protection Laws applicable to controllers in respect of the use of Merchant Data under this Agreement (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the processing of Merchant Data and by maintaining a record of all processing activities carried out in respect of Merchant Data) and shall not knowingly do anything or permit anything to be done with respect to the Merchant Data which might lead to a breach by the Merchant of the Data Protection Laws.

2.3 With regard to any Payee Data to be processed by Hyperwallet in connection with this Agreement, Merchant will be a controller and Hyperwallet will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Payee Data are, or are to be, processed. Merchant acknowledges that due to Hyperwallet’s independent obligations and responsibilities to or in respect of Data Subjects as may arise in connection with Hyperwallet’s compliance with applicable laws, including but not limited to those arising under any payment services regulation (e.g. Bank Secrecy Act, Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Payment Services Regulations 2017, Electronic Money Regulations 2011; Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017) and in order to provide, offer, and enhance the services to Merchants and their payees, etc. (together the “Hyperwallet Purposes”), Hyperwallet is the Data Controller of any Personal Data for such Data Subjects for the Hyperwallet Purposes, whether such Personal Data is received from Merchant or directly from the Data Subjects in question (“Hyperwallet Personal Data”). Accordingly, Hyperwallet will comply with the GDPR for Hyperwallet Personal Data in its capacity as a Data Controller for the Hyperwallet Purposes and shall act as a data Processor in respect of any other purposes. Merchant and Hyperwallet do not intend to jointly determine the purposes and means of Processing and shall each act independently as Data Controllers and not as joint controllers (as defined under Data Protection Laws).

2.4 Hyperwallet shall only process Payee Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Addendum is Merchant’s complete and final written instruction to Hyperwallet in relation to Payee Data. Additional instructions outside the scope of this Addendum (if any) require prior written agreement between Hyperwallet and Merchant, including agreement of any additional fees payable by Merchant to Hyperwallet for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Payee Data in accordance with Merchant’s instructions will not cause Hyperwallet to be in breach of Data Protection Laws. Merchant hereby instructs Hyperwallet to process Payee Data for the following purposes:

2.4.1 as reasonably necessary to provide the Services to Merchant and its Payee;

2.4.2 after anonymizing the Payee Data so that it is no longer identifiable personal data, to use that anonymized Payee Data, directly or indirectly, for any purpose whatsoever.

2.5 In relation to Payee Data processed by Hyperwallet under this Agreement, Hyperwallet shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation that Hyperwallet shall cooperate and provide Merchant with such reasonable assistance as Merchant requires in relation to:

2.5.1 assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and

2.5.2 responding to binding requests for the disclosure of information as required by local laws, provided always that where the request is from a non-EEA law enforcement agency Hyperwallet will (a) inform Merchant of the request, the data concerned, response time, the identity of the requesting body and the legal basis for the request; (b) wait for Merchant’s instructions provided the instruction and the opinion are received within a reasonable period of time, which shall be assessed in light of the time period afforded by the law enforcement agency to Hyperwallet; (c) where Hyperwallet is prohibited from informing Merchant about the law enforcement agency’s request, take reasonable steps to have this prohibition waived and to make available relevant information about the request as soon as possible to Merchant (these efforts will be documented); and (d) where the prohibition cannot be waived, compile a list, in compliance with its national law and on an annual basis, of the number of such requests received, the type of Payee Data requested and the identity of the law enforcement agency concerned and make it available to the Payee’s data protection authority annually on request (in which circumstances Hyperwallet will be acting as a controller).

2.6 Scope and Details of Payee Data processed by Hyperwallet. The objective of processing Payee Data by Hyperwallet is the performance of the Services pursuant to the Agreement. Hyperwallet shall process the Payee Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 3 (Data Processing of Payee Data).

2.7 The Parties will at all times comply with Data Protection Laws.

3 DATA PROCESSOR TERMS

This section 3 applies only to the extent that Hyperwallet acts as a processor or Sub-processor to Merchant. It does not apply where Hyperwallet acts as a controller.

3.1 Correction, Blocking and Deletion. To the extent Merchant, in its use of the Services, does not have the ability to correct, amend, block or delete Payee Data, as required by Data Protection Laws, Hyperwallet shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent Hyperwallet is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from Hyperwallet’s provision of such assistance.

3.2 Data Subject Requests. Hyperwallet shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Payee for access to, correction, amendment or deletion of that Payee’s personal data. Hyperwallet shall not respond to any such Payee request without Merchant’s prior written consent except to confirm that the request relates to Merchant to which Merchant hereby agrees. Hyperwallet shall provide Merchant with commercially reasonable cooperation and assistance in relation to handling of a Payee’s request for access to that person’s personal data, to the extent legally permitted and to the extent Merchant does not have access to such Payee Data through its use of the Services. If legally permitted, Merchant shall be responsible for any costs arising from Hyperwallet’s provision of such assistance.

3.3 Confidentiality. Hyperwallet shall ensure that its personnel engaged in the processing of Payee Data are informed of the confidential nature of the Payee Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Hyperwallet shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.4 Training. Hyperwallet undertakes to provide training as necessary from time to time to the Hyperwallet personnel with respect to Hyperwallet’s obligations in this Addendum to ensure that the Hyperwallet personnel are aware of and comply with such obligations.

3.5 Limitation of Access. Hyperwallet shall ensure that access by Hyperwallet’s personnel to Payee Data is limited to those personnel performing Services in accordance with the Agreement.

3.6 Data Protection Officer. Members of the PayPal Group have appointed a data protection officer where such appointment is required by Data Protection Laws. The appointed person may be reached at PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.

3.7 Sub-processors. Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the Services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the Services. When engaging any Sub-processor, Hyperwallet will execute a written contract with the Sub-processor which contains terms for the protection of Payee Data which are no less protective than the terms set out in this Addendum.

3.7.1 List of Current Sub-processors and Notification of New Sub-processors. Hyperwallet shall make available to Merchant a current list of Sub-processors for the respective Services with the identities of those Sub-processors (“Sub-processor List”). The Sub-processor List is available by Hyperwallet (“Sub-Processor Site”) or otherwise provided from time to time. Where a Sub-processor is proposed to be changed Hyperwallet shall provide prior notice by email to Merchant before implementing such change.

3.7.2 Objection Right for new Sub-processors. If Merchant has a reasonable basis to object to Hyperwallet’s use of a new Sub-processor, Merchant shall notify Hyperwallet promptly in writing within two (2) months after receipt of Hyperwallet’s notice. In the event Merchant objects to a new Sub-processor(s) and that objection is not unreasonable Hyperwallet will use reasonable efforts to make available to Merchant a change in the affected Services or recommend a commercially reasonable change to Merchant’s configuration or use of the affected Services to avoid processing of personal data by the objected-to new Sub-processor without unreasonably burdening Merchant. If Hyperwallet is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Merchant may terminate the Agreement in respect only of those Services which cannot be provided by Hyperwallet without the use of the objected-to new Sub-processor, by providing no less than sixty (60) days’ written notice to Hyperwallet. Merchant shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.

3.8 Audits and Certifications. Where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, Hyperwallet shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of Hyperwallet or any members of PayPal or the PayPal Group) information regarding Hyperwallet’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website.

3.9 Security. Taking into account the state of the art and the costs of the implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Hyperwallet shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Merchant Data.

3.10 Security Incident Notification. If Hyperwallet becomes aware of a Security Incident in connection with the processing of Payee Data, Hyperwallet will: (a) notify Merchant of the Security Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Payee Data.

3.11 Details of Security Incident. Notifications made under section 3.10 (Security Incident Notification) will describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks.

3.12 Communication. Hyperwallet will deliver its notification of any Security Incident to one or more of Merchant’s administrators by any means Hyperwallet selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.

3.13 Deletion. Upon termination or expiry of the Agreement, Hyperwallet will delete or return to Merchant all Payee Data processed on behalf of the Merchant, and Hyperwallet shall delete existing copies of such Payee Data except where necessary to retain such Payee Data strictly for the purposes of compliance with applicable law.

3.14 Standard Contractual Clauses. The Standard Contractual Clauses are incorporated herein in the event Merchant transfers Personal Data from a country outside the European Union that is not recognised by the European Commission as having adequate protection of Personal Data.

3.14.1 Clause 1 of the Standard Contractual Clauses (“data importer”). The term “data importer” means Hyperwallet.

3.14.2 Clause 1 of the Standard Contractual Clauses (“data exporter”). The term “data exporter” means Merchant.

3.14.3 Appendix 2. Attachment 2 shall form Appendix 2 of the Standard Contractual Clauses.

4 LEGAL EFFECT

This Addendum shall take effect between, and become legally binding on, the Parties on the date determined by the “Effect of this Addendum” section above.


Attachment 1

Data Processing of Payee Data


Categories of data subjects

Payee Data – The personal data that the Payee provides to Merchant and Merchant passes on to Hyperwallet through the use by the Payee of the Hyperwallet Services.

Subject-matter of the processing

The payment processing services offered by Hyperwallet allow a Payee to receive payments from and as directed by the Merchant through one of several methods, each as determined by the Merchant, such as a transfer to the Payee’s bank account, load to a prepaid card issued to the Payee by a third-party issuer, load to a Payee’s existing debit card, issuance of an e-money account (where available), check, cash pickup at collection locations provided by third-party money transfer providers (e.g. Western Union), and other payment methods.

Nature and purpose of the processing

Hyperwallet processes payment transactions on a Merchant’s behalf. Hyperwallet processes Payee information for the following reasons:

  • To operate the Sites and provide the Services, such as to evaluate a Payor’s application to use our Services or to establish a user’s identity for compliance purposes, to authenticate a user’s access to the Payee’s Account, and to process payment transactions on a Payor’s behalf;
  • To manage Hyperwallet’s business needs, such as monitoring, analyzing, and improving the Services and the Sites’ performance and functionality.
  • To manage risk and protect the Sites, the Services and You from fraud by verifying Your identity and helping to detect and prevent fraud and abuse of the Sites or Services.
  • To market to Payors by delivering marketing materials about Services.
  • To provide You with location-specific options, functionality or offers if You elect to share Your Geolocation Information through the Services. We will use this information to enhance the security of the Sites and Services and provide You with location-based Services, such as advertising, search results, and other personalized content.
  • To comply with our obligations and to enforce the terms of our Sites and Services, including to comply with all applicable laws and regulations.
  • For the performance of a contract, such as where necessary to carry out payment services.
  • For our legitimate interests:
    • to enforce the terms of our Sites and Services;
    • manage our everyday business needs; and
    • provide aggregated and anonymized statistical data to third parties, including other businesses and members of the public, about how, when, and why Users visit our Sites and use our Services;
  • With Your consent: to respond to Your requests, for example to contact You about a question You submitted to our customer service team. You can withdraw Your consent at any time and free of charge.

We may also use information that we collect in aggregate form to further develop and improve the Sites and Services, and for our own business analyses that will allow us to make informed decisions.

Type of personal data

This information may be obtained from the Merchant and/or Payee and includes the Payee’s name, nationality, home address, telephone number, personal e-mail address, Payee forwarding address (e.g. during a vacation), previous address(es), billing and account information (such as credit or debit card number, or bank account number), Payee mailing preferences, delivery instructions, transaction history, IP address, and service preferences, as well as other information defined as non-public or private information about the Payee pursuant to applicable law.

Special categories of data (if relevant)

The transfer of special categories of data is not applicable to the services Hyperwallet provides.

Duration of Processing

The term of the Agreement.


Attachment 2

Technical and Organisational Measures of The Processor


The following technical and organizational measures will be implemented:

  1. Commercially reasonable measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
  2. Commercially reasonable measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
  3. Commercially reasonable measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
  4. Commercially reasonable measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities;
  5. Commercially reasonable measures taken to ensure that authorized persons when using an automated data processing system may access only data that are within their competence;
  6. Commercially reasonable measures taken to ensure the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
  7. Commercially reasonable measures taken to ensure that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
  8. Commercially reasonable measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
  9. Commercially reasonable measures taken to safeguard data by creating backup copies.
