for merchant
DATA PROCESSING ADDENDUM (C2C)
September 9, 2024
This Data Processing Agreement ("DPA") is an addendum to and is incorporated into the Merchant Agreement ("Agreement") between the Merchant and EBANX, referred to jointly as “Parties” or individually as “Party.” This DPA does not limit the Parties’ obligation under the Agreement and applies to activities involving the Processing of Personal Data (as defined below) performed in connection with the Agreement. The DPA is an integral part of the Agreement for all legal purposes.
Any capitalized terms not otherwise defined in this DPA shall have the meaning given thereto in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
1. GENERAL TERMS AND DEFINITIONS
1.1. The Parties’ performance under the Agreement, including the Processing of Personal Data, shall comply with these terms and all applicable data protection requirements.
1.2. In this Agreement, the following terms shall have the meanings defined below:
a. “Merchant's Personal Data” means any Personal Data shared by the Merchant with EBANX or any of their Processors for processing purposes in the context of the Agreement.
b. “Data Processing” means any operation carried out with Personal Data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.
c. “Services” means the services and other activities that will be provided or performed by EBANX for the Merchant pursuant to the Agreement;
d. “Subcontractor” means any natural or legal person who, on behalf of EBANX, will process Personal Data on behalf of the Controllers under the Agreement.
e. “Employee(s)” means any employee, worker, including subcontractors or outsourced staff, representatives, or designees, compensated or not, under a full or part-time regime, who act on behalf of the Parties and have access to the Personal Data.
f. “Government Authorities” means any authority, including judicial, vested with powers to enforce, inspect, judge, and apply pertinent laws.
g. “Security Incident” means any adverse security event or set of events, confirmed or suspected that impacts the availability, integrity, confidentiality, or authenticity of an information asset. In the case of this Agreement, the expression will refer to incidents involving Personal Data.
h. “End Date” has the meaning described in this Agreement/Schedule, where applicable.
i. "Data Protection Requirements" means, to the extent applicable: (i) APAC Data Protection Requirements; (ii) European Data Protection Requirements; (iii) LATAM Data Protection Requirements; (iv) AMET Data Protection Requirements; (v) mandatory industry rules and standards including, to the extent applicable, the Payment Card Industry Data Security Standard (“PCI-DSS”); and (vi) any and all other Applicable Law related to data protection, data security, marketing, privacy, or the Processing of Personal Data.
j. “LATAM Data Protection Requirements” means any and all Applicable Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in the countries of South America, Central America, and Mexico, including the Brazilian General Data Protection Law.
k. “AMET Data Protection Requirements” means any and all Applicable Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in the countries of Africa, the Middle East, and Turkey.
l. “European Data Protection Requirements” means any and all Applicable Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in the European Union (“EU”), the European Economic Area (“EEA”), Switzerland, or United Kingdom (“UK”), including, to the extent applicable, the Regulation (EU) 2016/679 (“GDPR”), Directive 2002/58/EC, Directive 2009/136/EC, and UK GDPR, jointly with any local, amending or replacement legislation in any EU Member State or the UK. For the purpose of this DPA, “UK GDPR” means the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018.
m. “APAC Data Protection Requirements” means any and all Applicable Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in the countries in Asia (excluding the countries in the Middle East) and the countries that border the Pacific Ocean on the Asian side (including Australia, Hong Kong, Japan, India, Indonesia, Malaysia, New Zealand, Philippines, Singapore, South Korea, Thailand, Taiwan, and Vietnam).
n. "Agreement" means the Merchant Agreement, including its addendums and annexes, containing the general terms for the provision of Services by EBANX to the Merchant.
o. "Jurisdiction-Specific Terms" means all legal or regulatory terms, conditions, or rules that govern privacy and data protection and that apply within a particular geographic area or legal jurisdiction incorporated into this DPA.
p. "Merchant Data" means any and all Personal Data that EBANX Processes from or on behalf of the Merchant in connection with the Agreement, including information derived from or combined with such Personal Data and the Personal Data of Merchant employees, contractors, and personnel, and Merchant Customers.
q. "Applicable Laws" means any applicable law, regulation, directive, or other binding requirements (each as may be implemented, amended, extended, superseded, or re-enacted from time to time), including but not limited to, for the avoidance of doubt, Data Protection Requirements.
2. JURISDICTION-SPECIFIC TERMS
2.1. Without limiting the foregoing, the Parties shall also comply with the following jurisdiction-specific terms to the extent such terms are applicable:
2.1.1. If LATAM Data Protection Requirements apply to the Data Processing or Personal Data shared by the Parties (as applicable) under the Agreement, then the terms available at Schedule A - LATAM Terms (incorporated into this DPA by this reference) shall apply to such data.
2.1.2. If AMET Data Protection Requirements apply to the Data Processing or Personal Data shared by the Parties (as applicable) under the Agreement, then the terms available at Schedule B - AMET Terms (incorporated into this DPA by this reference) shall apply to such data.
2.1.3. If APAC Data Protection Requirements apply to the Data Processing or Personal Data shared by the Parties (as applicable) under the Agreement, then the terms available at Schedule C - APAC Terms (incorporated into this DPA by this reference) shall apply to such data.
2.1.4. If European Data Protection Requirements apply to the Data Processing or Personal Data shared between Parties (as applicable) under the Agreement, then the terms available at Schedule D - European Region Terms (incorporated into this DPA by this reference) shall apply to such data.
3. PROCESSING OF PERSONAL DATA
3.1. The performance of the Agreement requires the sharing of Personal Data between both Parties. Regarding the activities involving the Processing of Personal Data pursuant to the context of the Agreement, the Parties agree to:
3.1.1. Process the Personal Data in accordance with all applicable Data Protection Laws and Regulations, including those coming into force after the signing of this DPA, ensuring in particular that every Processing activity be duly justified on one of the legal bases established by Data Protection Laws and Regulations.
3.1.2. Process only the Personal Data necessary for the execution and according to the Agreement, and solely for the purposes related to the Agreement, except if the Processing is required to fulfill legal or regulatory obligations to which the Party is subject.
3.1.3. The Parties must retain and disclose documentation and information regarding Processing under the Agreement as deemed reasonably necessary to comply or demonstrate compliance with Applicable Law.
3.1.4. If EBANX has access, in the context of the Agreement, to Personal Data that it considers excessive or not necessary for the execution of the Agreement, it shall immediately notify the other Party and disable such Personal Data.
3.1.5. If any of the Parties performs any Processing activity unrelated to the performance of the Agreement, said Processing activity shall occur outside the context of the Agreement. The Party that executes the processing shall be deemed the sole Controller concerning that activity, and the other Party shall be released from any obligation or liability derived therefrom.
3.1.6. The Parties shall not use any type of tool, technology, reverse engineering, or other method intended to identify the Data Subjects, where Personal Data was shared in a manner that does not permit direct identification of the Data Subjects without cross-checking with other information or with access to the identification key.
4. EMPLOYEE
4.1. The Parties shall ensure that the Processing of Personal Data performed in the context of the Agreement will be restricted to the Employees responsible for the Processing, in accordance with this DPA, and that such Employees:
4.1.1. Have received training in connection with Data Protection principles and processing laws.
4.1.2. Know the Parties' obligations, including those contemplated in this Agreement.
4.1.3. Are subject to confidentiality agreements or professional or statutory confidentiality and data protection obligations.
5. SECURITY REQUIREMENTS
5.1. Each Party shall implement and maintain an information security and privacy program with the appropriate technical, administrative, and organizational measures compatible with the Processing activities performed. To assess the appropriate level of security, the Parties shall consider the risks posed by the Processing activity.
5.2. EBANX's information security and privacy program must at least:
5.2.1. Protect against the unauthorized or unlawful Processing of Personal Data.
5.2.2. Meet the applicable standards of industry practice relevant to EBANX’s activities and the volume and sensitivity of the Merchant Data, including the appropriate physical, technical, and organizational measures that protect against the unauthorized or unlawful Processing of data.
5.2.3. Include an appropriate network security program.
5.2.4. Comply with Data Protection Requirements applicable to the Processing thereof.
5.3. The Parties undertake to regularly test, assess, and evaluate the effectiveness of the technical, administrative, and organizational measures for ensuring the security of operations involving the Processing of Personal Data.
6. SECURITY INCIDENTS
6.1. When a Party identifies the occurrence of a Security Incident that may cause material damage to the Data Subject, in accordance with the Applicable Laws and any regulations that may be issued by the Government Authorities, this Party shall notify the other Party without undue delay when the data is related to the Agreement.
6.2. The notice shall include sufficient information (containing at least a description of the event, date, cause, possible impacts on the Data Subjects to whom the Personal Data relate, mitigation actions adopted, and next steps) so that the interested Party can comply with any requirements imposed by Data Protection Laws and Regulations.
6.3. The Parties shall investigate the causes and consequences of the Security Incident at their own expense and take the necessary measures to remedy its consequences, promptly informing all measures taken and cooperating with each other whenever necessary to respond to and resolve the Security Incident adequately.
6.4. The Parties shall maintain records on the Security Incident, including at least (a) a description of the nature of the Security Incident, (b) a description of the consequences of the Security Incident, and (c) a description of the measures taken or proposed by the other Party to cope with the Security Incident.
6.5. The Parties shall not disclose any information concerning the Security Incident unless otherwise authorized by the Merchant or required by the Government Authorities' determination, pursuant to the applicable law.
7. SUBCONTRACTORS
7.1. When any Processing Activity is carried out through a Subcontractor, whether Controller or Processor, the Parties must, in relation to this Subcontractor:
7.2. Preserve the integrity and accuracy of Personal Data and must update, correct, or delete such data at the request of the other Party;
7.3. Verify, through due diligence or equivalent procedure, that each Subcontractor is able to guarantee a level of Personal Data protection, at least equivalent to this Term and provide evidence of this verification;
7.4. Enter into a formal Agreement with each Subcontractor, in which the content must include provisions at least equivalent to this DPA; and
7.5. Be responsible for all actions and omissions of the Subcontractor concerning the processing of Personal Data.
8. INTERNATIONAL TRANSFERS
8.1. If an international Data transfer is necessary for the performance of the Agreement, and the country of destination does not have an appropriate level of protection for Personal Data following the Government Authorities' determinations, then the Parties shall ensure that the international Data transfer will be made according to one of the mechanisms contemplated in the Applicable Laws.
8.2. These terms may prevail if the Jurisdiction-Specific Terms require a specific cross-border transfer mechanism.
9. DATA SUBJECT RIGHTS
9.1. The Parties must mutually cooperate to ensure proper compliance with the obligations relating to exercising the Data Subject's rights under the Applicable Laws and fulfilling any requests from the Government Authorities within the limit of their activities.
9.2. The Parties shall:
9.2.1. Notify the other Party within 48 (forty-eight) hours upon receiving a request from the Data Subject when related to any Processing activity performed under the Agreement; and
9.2.2. Refrain from responding to any Data Subject's request related to the Personal Data of the other Party until this Party provides its written agreement with the contents of the response to be presented to the Data Subject, except where the timeframe for responding to the request is shorter than 48 hours, following the Data Protection Laws and Regulations.
10. GOVERNMENT AUTHORITIES
10.1. The Parties shall mutually cooperate in complying with obligations or requests imposed by any competent Government Authority.
10.2. The Parties shall inform the other Party upon receiving requests for information or determinations from the Government Authorities relating to any Processing activity performed within the context of the Agreement. If such requests or determinations are related to the Personal Data shared by the other Party, then the Party subpoenaed shall submit a suggestion of answer for the other Party's validation within the time period prescribed by law or determined by the Government Authorities.
11. EXCLUSION AND RETURN OF PERSONAL DATA
11.1. When the activities involving the Processing of Personal Data within the context of the Agreement are concluded, each Party shall interrupt the processing of the Personal Data of the other Party and, upon written request, shall delete the Personal Data relating to the completed activities, as well as all existing copies (in digital or physical form), unless maintenance of the Personal Data is necessary for complying with a legal or regulatory obligation. In this case, the Party subject to the legal or regulatory obligation will be the sole Controller responsible for keeping Personal Data, exempting the other Party from any obligations related to such data.
12. INDEMNIFICATION AND LIABILITY
12.1. The Parties shall indemnify, defend and exempt the other Party and/or its affiliates from and against any liability, loss, claim, damage, fine, penalty and expense (including, without limitation, fines, compensation for damage, costs incurred with reparation efforts, and attorneys' fees and costs resulting from or relating to any suit, claim or allegation of third parties, including, without limitation, any regulatory or governmental authority) arising out of noncompliance with this Agreement and/or with the Data Protection Laws and Regulations.
12.2. If the Government Authorities impose sanctions on the Parties in connection with this Agreement, and if verified negligence, willful misconduct, or other liability of the other Party, then this Party shall pay the financial penalty – when applicable - and/or indemnify the innocent Party, including for damage to reputation suffered, in addition to costs and expenses incurred in the course of the administrative proceeding.
12.3. This Agreement does not create joint liability between the Parties for any penalties relating to the Processing activities performed under the Agreement, so each Party shall be held severally liable within the limit of its activities.
12.4. The indemnification obligations agreed on in this DPA shall be additional to, and not in exclusion of, any indemnification obligation imposed by the Agreement.
13. GENERAL PROVISIONS
13.1. Without prejudice to any provisions regarding mediation and jurisdiction:
13.2. The Parties hereto submit to the choice of the jurisdiction stipulated in the Agreement in connection with any disputes or claims that may in any way result from this Agreement, including disputes relating to its existence, validity, or termination or the consequences of its nullity, and
13.3. This Agreement and all extracontractual obligations or other obligations arising out of or relating to it shall be governed by the laws of the country or territory stipulated for this purpose in the Agreement.
13.4. Notwithstanding anything to the contrary in the Agreement, to the extent there is a conflict or inconsistency between the Agreement, the DPA, and any Jurisdiction-Specific Terms, the following order of precedence shall apply to determine the term(s) that govern (unless such term(s) contradict a requirement under Applicable Law in which case such requirement shall prevail): (i) the Jurisdiction-Specific Terms; (ii) the DPA; and (iii) the Agreement.
13.5. If any provision of this Agreement is held void, invalid, or unenforceable, the remaining provisions hereof shall remain in full force and effect. The void, invalid, or unenforceable provision shall be amended to ensure its validity and effectiveness while preserving the intention of the Parties.
13.6. This DPA is performed and becomes an integral and mandatory part of the Contract, with effects from the date hereof. It applies, however, to all activities regarding the processing of Personal Data performed since the date of performance of the Contract.
SCHEDULE A
LATAM TERMS
1. DEFINITIONS: In addition to the defined terms in the DPA, the following definitions apply to the LATAM Terms:
1.1. “controller”, “data subject” and “data protection authority” and their variations shall have the same meanings as in the applicable LATAM Data Protection Requirements.
1.2. "ANPD" means the Brazilian National Data Protection Authority.
2. PROCESSING TERMS: the execution of the Agreement encompasses the mutual sharing of Personal Data. According to the scope of the Agreement, each Party will act as sole Controller and is subject to the LATAM Data Protection Requirements. The Parties agree as follows:
2.1. Each Party shall be individually responsible for ensuring that its Processing of the Personal Data is lawful, fair, and transparent following LATAM Data Protection Requirements, including where applicable on the basis that the data subject has unambiguously given his or her explicit consent, or on the basis of some other valid ground provided for in LATAM Data Protection Requirements.
2.2. When consent is the basis of Data Processing, the Merchant shall be responsible for obtaining the express, free, unambiguous, and informed consent of the data subject, according to the LATAM Data Protection Requirements.
2.3. EBANX will appropriately assist the Merchant in the event of a Security Incident, a notice, inquiry, audit, or investigation by the ANPD or any other relevant regulator, or of a complaint, inquiry, or request received directly from a data subject, or any third party audit, that relates to the Processing of Personal Data pursuant to the Agreement, by providing information about the relevant Processing as required for the Merchant to fulfill its obligations under the LATAM Data Protection Requirements.
2.4. EBANX shall only process Personal Data as clearly described in EBANX's privacy notice or agreement with the data subject (as applicable) or in accordance with the terms of the Agreement or as permitted by Applicable Law.
3. INTERNATIONAL TRANSFERS: To the extent that EBANX Processes or otherwise transfers Merchant Data or Personal Data (as applicable) outside the jurisdiction in which such data was originally collected or otherwise Processed by, or on behalf of, the Merchant:
3.1. EBANX shall be responsible for complying with any requirement for authorization or registration of transfer outside of the country of origin in accordance with LATAM Data Protection Requirements.
3.2. Such transfer shall be subject to any conditions that may be reasonably imposed by the Merchant, including that EBANX (or any relevant Subcontractor) enters into (and complies with) any data transfer agreement reasonably acceptable to the Merchant and consistent with LATAM Data Protection Requirements.
3.3. Where applicable, the Parties agree that such transfer will be made relying on a proper transfer mechanism, preferably Standard Contractual Clauses following LATAM Data Protection Requirements.
3.3.1 When the Data Subjects are located in Argentina, Mexico, Chile, and Peru, the Model Contractual Clauses of Red Iberoamericana de Protección De Datos (https://www.redipd.org/sites/default/files/2023-02/anexo-modelos-clausulas-contractuales-en.pdf) shall apply:
a. ANNEX A: Accession Forms for New Partners
Not applicable
b. ANNEX B: Description of the Transfer
Categories of Data Subjects whose Personal Data is transferred: Merchant's customers
Sensitive Personal Data transferred (if applicable) and restrictions or safeguards applied: non-applicable.
Transfer Frequency: Ongoing
Purpose(s) of the data transfer and further processing: payment processing, fraud prevention, and identity verification.
c. ANNEX C: Administrative, Physical, and Technical Measures To Ensure Data Security
According to the Information Security Policy (https://www.ebanx.com/en/legal/ebankers/terms-and-conditions/information-security-policy/), PCI-DSS, ISO/IEC 27001, and ISO 27701 controls.
3.3.2. When the Data Subjects are located in Brazil, the Model Contractual Clauses, Resolução CD/ANPD nº 19/2024 (https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-19-de-23-de-agosto-de-2024-580095396), of ANPD shall apply, according to:
a. CLAUSE 2:
Data Exporter: Merchant and its Affiliates, as defined in the Agreement.
Data Importer: EBANX and its Affiliates, as defined in the Agreement.
Purpose of processing: payment processing.
Category of personal data transferred: identification personal data (name, phone, email address, IP address and device identifier, government identification number, purchase information). Additional data may be transferred according to regulations and the Parties' Privacy Notice.
Period of data storage: according to the "Schedule 8.1 - Data Security", 14. Data Deletion.
b. CLAUSE 3: Option B
Purpose of processing: support to the activities set in the Agreement
Category of personal data transferred: identification personal data (name, phone, email address, IP address and device identifier, government identification number, purchase information). Additional data may be transferred according to regulations and the Parties' Privacy Notice.
Data storage period: according to the Schedule 8.1 - Data Security, 14. Data Deletion.
c. CLAUSE 4: Option A
Responsible for publishing the document requested in Clause 14: Exporter and Importer
Responsible for responding to requests from holders referred to in Clause 15: Exporter and Importer
Responsible for carrying out the security incident communication provided for in Clause 16: Exporter and Importer.
3.4. The Parties shall cooperate in carrying out any assessment of such transfer required under LATAM Data Protection Requirements.
SCHEDULE B
AMET TERMS
1. DEFINITIONS: In addition to the defined terms in the DPA, the following definitions apply to the AMET Terms:
1.1. “controller”, “data subject” and “data protection authority” and their variations shall have the same meanings as in the applicable AMET Data Protection Requirements.
2. PROCESSING TERMS: the execution of the Merchant Services Agreement encompasses the mutual sharing of Personal Data. According to the scope of the Agreement, each Party will act as sole Controller and is subject to the AMET Data Protection Requirements. The Parties agree as follows:
2.1. Each Party shall be individually responsible for ensuring that its Processing of the Personal Data is lawful, fair, and transparent in accordance with AMET Data Protection Requirements, including where applicable on the basis that the data subject has unambiguously given his or her explicit consent or on the basis of some other valid ground provided for in AMET Data Protection Requirements.
2.2. When consent is the basis of Data Processing, the Merchant shall be responsible for obtaining the data subject's express, free, unambiguous, and informed consent, according to the AMET Data Protection Requirements.
2.3. EBANX will appropriately assist the Merchant in the event of a Data Incident, a notice, inquiry, audit, or investigation by a data protection authority or relevant regulator, or of a complaint, inquiry, or request received directly from a data subject, or any third party audit, that relates to the Processing of Personal Data pursuant to the Agreement, by providing information about the relevant Processing as required for the Merchant to fulfill its obligations under the AMET Data Protection Requirements.
2.4. EBANX shall only Process Personal Data as clearly described in its privacy notice or agreement with the data subject (as applicable) or in accordance with the terms of the Agreement or as permitted by Applicable Law.
3. INTERNATIONAL TRANSFERS: To the extent that EBANX Processes or otherwise transfers Merchant Data or Personal Data (as applicable) outside the jurisdiction in which such data was originally collected or otherwise Processed by, or on behalf of, the Merchant:
3.1. EBANX shall be responsible for complying with any requirement for authorization or registration of transfer outside of the country of origin in accordance with AMET Data Protection Requirements.
3.2. Such transfer shall be subject to any conditions that may be reasonably imposed by the Merchant, including that EBANX (or any relevant Subcontractor) enters into (and complies with) any data transfer agreement reasonably acceptable to the Merchant and consistent with AMET Data Protection Requirements.
3.3. Where applicable, the Parties agree that such transfer will be made relying on a proper transfer mechanism, preferably data protection adequacy decisions or, when not applicable, Standard Contractual Clauses, in accordance with AMET Data Protection Requirements.
3.4. When consent is required as a transfer mechanism, the Merchant is responsible for obtaining the data subject's express, free, unambiguous, and informed consent, according to the AMET Data Protection Requirements.
3.5. The Parties shall cooperate in carrying out any assessment of such transfer required under the AMET Data Protection Requirements.
SCHEDULE C
APAC TERMS
1. DEFINITIONS: In addition to the defined terms in the DPA, the following definitions apply to the APAC Terms:
1.1. “Controller” means the Merchant, EBANX, and its Affiliates that act as Controller of Personal Data Processed in connection with the Agreement or in the performance of the Services.
1.2. “Data subject” and “data protection authority” and their variations shall have the same meaning as the applicable APAC Data Protection Requirements.
2. PROCESSING TERMS. The Merchant and EBANX will act as sole Controllers according to the scope of the Agreement, and Personal Data will be exchanged between the Merchant and EBANX, applying the APAC Data Protection Requirements. The Parties agree as follows:
2.1. Ensure that the Processing of the Personal Data is following APAC Data Protection Requirements, including where applicable, on the basis that the data subject has unambiguously given his or her explicit consent or on the basis of some other valid ground provided for in APAC Data Protection Requirements;
2.2. Only Process the Personal Data as clearly described in EBANX's privacy notice or agreement with the Data Subject (when applicable) or by the terms of the Agreement or as permitted by Applicable Law;
2.3. To the extent required under APAC Data Protection Requirements, make a reasonable effort to ensure that the Personal Data is accurate and complete if the Personal Data is likely to be: (i) used by EBANX to make a decision that affects the relevant data subject; or (ii) disclosed by EBANX to another controller, processor or third party; and
2.4. Cease to retain the Personal Data when no longer reasonably necessary for the relevant purposes in accordance with EBANX privacy notice or agreement with the data subject (as applicable) or in accordance with the terms of the Agreement or as permitted by Applicable Law;
2.5. For the purposes of the APAC Data Protection Requirements, the description of the Processing is specified in the Agreement.
3. INTERNATIONAL TRANSFERS: To the extent that EBANX Processes or otherwise transfers Personal Data outside the jurisdiction in which such data was originally collected or otherwise Processed by, or on behalf of, the Merchant:
3.1. EBANX shall Process Personal Data only in accordance with the Agreement, the DPA, and this APAC Term, to the extent applicable, and the Merchant's documented instructions, including with regard to any transfers of Personal Data to a jurisdiction outside the jurisdiction of EBANX's operations in which such Personal Data was originally collected or otherwise Processed by, or on behalf of the Merchant.
3.2. EBANX must comply with the APAC Data Protection Requirements in respect to such transfer and ensure that any such transfer does not cause the Merchant to be in breach of any APAC Data Protection Requirements. The description of the Processing will be specified in the Agreement.
3.3. Without limiting clauses 3.1 and 3.2, EBANX shall ensure that any transfer of Merchant Data is made in accordance with a valid transfer mechanism, as applicable, in accordance with Applicable Law (including the APAC Data Protection Requirements).
SCHEDULE D
EUROPEAN REGION TERMS
1. DEFINITIONS AND APPLICABILITY: In addition to the defined terms in the DPA, the following definitions apply to these European Region Terms:
1.1. The terms “controller”, “data subject”, “processor”, and “supervisory authority” shall have the same meanings as in the GDPR or the UK GDPR (as applicable), and the terms “processed” and “process” shall be construed in accordance with the definition of “processing” described below. The terms “personal data” and “processing” in these European Region Terms shall have the same meanings as in the GDPR or the UK GDPR (as applicable) and not, for the avoidance of doubt, the definitions of “Personal Data” and “Processing” as set out in the DPA.
1.2. “Approved Purpose” means the purpose(s) for which Company may process the personal data it receives from the Merchant as a controller following the Agreement, including as may be expressly specified in the Agreement.
1.3. "Controller" means the Merchant, EBANX, and its Affiliates, which act as controllers of personal data subject to the GDPR or UK GDPR and processed in connection with the Agreement or in the performance of the Services.
1.4. "SCCs" means the European Commission’s standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in annex to Commission Decision 2021/914, which, as of the Last Updated date, are available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, and which are incorporated herein by reference.
1.5. "UK Addendum" means the UK Information Commissioner's Office's International Data Transfer Addendum to the SCCs, which, as of the Last Updated date, is available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf, and which is incorporated herein by reference.
2. CONTROLLER TERMS
2.1. The Merchant and EBANX will act as sole Controllers according to the scope of the Agreement, and Personal Data will be exchanged between the Merchant and EBANX, applying the European Data Protection Requirements. The Parties agree as follows:
2.2. If personal data is exchanged between the Merchant and EBANX in connection with the Agreement or the provision of the Services:
a. To the fullest extent permitted by applicable European Data Protection Requirements, the Parties shall each be independent controllers of the personal data and, as such, shall independently determine the purposes and the means of the processing of that personal data;
b. Each Party shall be individually responsible for ensuring that its processing of the personal data is lawful, fair, and transparent in accordance with applicable European Data Protection Requirements, including where applicable on the basis that the data subject has unambiguously given his or her consent, or on the basis of some other valid ground provided for in applicable European Data Protection Requirements; and
c. Each Party shall implement and maintain appropriate technical and organisational measures to protect any such personal data in their possession or control from: (i) accidental or unlawful destruction; and (ii) loss, alteration, or unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by any processing and the nature of the personal data to be protected.
3. INTERNATIONAL TRANSFERS
3.1. If personal data is transferred by Merchant to EBANX in connection with the Agreement and EBANX is located outside the European Economic Area (“EEA”), such transfer shall be governed by the SCCs. For the avoidance of doubt, the following clauses or the UK Addendum shall not apply to the extent that personal data is transferred to a country or territory which is, at the time of such transfer, deemed to ensure an adequate level of protection by the European Commission or by the UK Information Commissioner's Office.
3.2. For the purposes of the EU SCCs, the following shall apply:
a. Module One (Controller to Controller) shall apply.
b. Clause 11: The optional clause allowing data subjects to lodge a complaint with an independent dispute resolution body is removed.
c. Clause 17: as defined in the Agreement.
d. Clause 18: The EU Member State where any dispute arising from these Clauses shall be resolved is the courts of the jurisdiction stipulated in the Agreement.
3.3. For the purposes of the Annex I of the SCCs:
a. LIST OF THE PARTIES
Data exporter(s):
Name: Merchant and its Affiliates, as defined in the Agreement.
Address: as defined in the Agreement.
Contact person’s name: as defined in the Agreement.
Activities relevant to the data transferred under these Clauses: All data processing activities agreed under the Agreement.
Signature and date: Signed and dated for and on behalf of the data exporter by execution of the Agreement.
Role: Controller.
Data importer(s):
Name: EBANX and its Affiliates, as defined in the Agreement.
Address: as defined in the Agreement.
Contact person's name: Giovanna Michelato, Data Protection Officer, privacy@ebanx.com
Activities relevant to the data transferred under these Clauses: All data processing activities agreed under the Agreement.
Signature and date: Signed and dated for and on behalf of the data exporter by execution of the Agreement.
Role: Controller.
b. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Merchant's customers.
Categories of personal data transferred: identification personal data (name, phone, email address, IP address and device identifier, government identification number, purchase information). Additional data may be transferred according to regulations and the Parties' Privacy Notice.
Sensitive data transferred: not applicable.
The frequency of the transfer: the data transfer is continuous throughout the provision of the services.
Nature and purpose of the processing: EBANX's activity is as described in the Services under the Agreement. These responsibilities are focused on facilitating the Merchant's payment processing. This includes receiving payment information from the Merchant's customers, verifying its accuracy and completeness, obtaining payment authorization, and settling the authorized funds directly with the Merchants.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: EBANX shall process Personal Data during the term of the Agreement and the period required by the Applicable Law and not thereafter, except if the Merchant explicitly instructs EBANX to do so.
c. SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: as defined in the Agreement.
3.4. Without prejudice to the provisions set out in Sections 4.2 to 4.6 of these European Region Terms, nothing in the Agreement or this DPA (including these European Region Terms) is intended to vary or modify the SCCs. The Merchant and EBANX agree that the optional Section I, Clause 7, and the optional paragraph in Section II, Clause 11 in the SCCs shall not apply.
3.5. For the purposes of the UK Addendum, as permitted by Clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum so that:
a. the details of the parties in Table 1 shall be as set out above (with no requirement for signature);
b. for the purposes of Table 2, the addendum shall be appended to the EU SCCs (including the selection of modules and the application/disapplication of such optional clauses as specified above); and
c. the appendix information listed in Table 3 is as set out above.
3.6. In the event that the SCCs or the UK Addendum are (i) deemed invalid by the European Commission, the UK Information Commissioner's Office, a relevant regulator, or supervisory authority for whatever reason, or (ii) superseded by other standard contractual clauses issued or approved by the European Commission, the UK Information Commissioner's Office, a relevant regulator or supervisory authority, the Merchant and EBANX shall immediately comply with such other standard contractual clauses or any other valid mechanism under European Data Protection Requirements for transferring and processing personal data outside the EEA and/or the UK (as applicable).