Data Processing Agreement for Payout Merchants
July 13, 2020
This Data Processing Agreement ("Agreement") forms part of the Payout Agreement between EBANX and the Merchant (together as the “Parties”).
(A) The Merchant acts as a Data Controller.
(B) The Merchant wishes to contract international transactions to the Territories (“Services”), which imply the processing of personal data specified in Schedule A.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing.
(D)The Parties wish to lay down their rights and obligations.
It is agreed as follows:
Definitions and Interpretations
Unless otherwise defined herein or in the Payout Agreement, capitalized terms and expressions used in this Agreement shall have the following meaning:
Applicable Laws means the data protection laws applicable to the Payout Agreement or to the Payee in the Territories;
Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Applicable Laws; specifically to the Payout Agreement means the Merchant, pursuant to or in connection with the Payout Agreement;
Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller; specifically, to the Payout Agreement means EBANX, pursuant to or in connection with the Payout Agreement;
Data Transfer means:
a transfer of Payee Personal Data from the Merchant to EBANX; or
an onward transfer of Payee Personal Data from EBANX to a Subprocessor, or between companies of EBANX;
Personal Data means any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person; specifically to the Payout Agreement, means any Personal Data processed by EBANX or Subprocessors on behalf of Merchant pursuant to or in connection with the Payout Agreement;
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Subprocessor means any person appointed by or on behalf of EBANX to process Personal Data on behalf of the Merchant in connection with the Agreement;
Supervisory Authority means an independent public authority which is concerned by the processing of Personal Data because of Applicable Laws.
Processing of Merchant Personal Data
ensure the collection of Personal Data according to the Applicable Laws, taking into account the nature, scope, context and purposes of the Processing;
allow EBANX to process Personal Data for the provision of the Services or on the relevant Merchant’s documented instructions, as provided in the Payout Agreement, in this Agreement or in any other relevant document.
collect by itself or request EBANX to collect Personal Data from Payee in the Territories on Merchant’s behalf in order to remit funds to Payee, pursuant to Merchant’s instructions, the Payout Agreement and Applicable Legislation.
comply with all Applicable Laws in the processing of Personal Data in the Territories; and
not process Personal Data for a purpose other than the provision of the Services or on the relevant Merchant’s documented instructions;
EBANX shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Payout Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EBANX shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
In assessing the appropriate level of security, EBANX shall take into account the risks that are presented by the processing of Personal Data, in particular from a Personal Data Breach.
EBANX shall not appoint (or disclose any Personal Data to) any Subprocessor unless required or authorized by the Merchant or necessary for the provision of the Services.
Data Subject Rights
Taking into account the nature of the processing, EBANX shall assist the Merchant by implementing appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Merchant obligations to respond to requests to exercise Data Subject rights under the Applicable Laws.
EBANX shall ensure that it does not respond to that request except as required by Applicable Laws to which EBANX is subject or on the documented instructions of Merchant.
Whether EBANX cannot fulfil Merchant’s obligation to respond to request to exercise Data Subject rights under the Applicable Laws, EBANX shall promptly notify Merchant if it receives a request from a Data Subject in respect of Personal Data.
Personal Data Breach
EBANX shall notify Merchant without undue delay upon EBANX becoming aware of a Personal Data Breach affecting Personal Data, providing Merchant with sufficient information to allow Merchant to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Laws.
EBANX shall cooperate with the Merchant and take reasonable commercial steps as are directed by Merchant to assist in the investigation, mitigation and remediation of each Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
EBANX shall provide reasonable assistance to the Merchant with any data protection impact assessments, insofar as possible, and prior consultations with Supervising Authorities, which Merchant reasonably considers to be required whether the processing would result in high risk in the absence of measures taken by EBANX to mitigate the risk, in each case solely in relation to processing of Personal Data by EBANX.
Deletion or Return of Merchant Personal Data
In the event of cessation of the Services involving the processing of Personal Data, EBANX shall, within 15 business days, delete and procure the deletion of all copies of Personal Data.
Clause 9.1 does not apply if EBANX shall continue the processing of Personal Data to comply with purposes for which they were collected or for compliance with a legal or regulatory obligation under Applicable Laws. In this case, EBANX shall delete and procure the deletion of all copies of Personal Data within 15 business days after the cessation of such grounding.
EBANX shall ensure that Personal Data internationally transferred due to the provision of the Services is adequately protected. To achieve this, EBANX shall transfer Personal Data to countries or international organizations that ensure adequate level of protection or rely on standard contractual clauses for the transfer of personal data.
Unless otherwise stated in the Payout Agreement, to the extent that the terms of this Agreement and the Payout Agreement conflict, the terms of the Payout Agreement shall prevail.
Merchant is the Data Controller.
The Data Processor is any company of EBANX Group (as defined in the Merchant Agreement) responsible for facilitating international transactions to Payees located in the Territories.
Data Subjects are the Payee as provided in the Payout Agreement.
Categories of Data and Processing Operations
The following categories of Personal Data may be processed by EBANX on behalf of Merchant, depending on the processing purpose: (1) full name; (2) email; (3) Tax ID Number (4) ID data; (5) address; (6) date of birth; (7) telephone number; (8) scanned documents; (9) biometric photograph; (10) bank details; (11) proof of address; (12) proof of payments.
Personal Data may be processed for the following purposes:
to provide the Services, including, but not limited to the following activities: (1) collection Personal Data in the Territories in order to remit funds to Payee, pursuant to Merchant’s instructions (2) confirmation and validation of Payee’s identity and payment information (3) due diligence and background check performance to ensure the source and reason for the remittance of funds in accordance to international practices set forth in the Anti-Money Laundering laws and regulations;
to monitor, prevent and detect frauds, to verify payment’s authenticity and to prevent harm to Merchant, EBANX and/or third parties;
to respond to Customer and Merchant support request; iv. to comply with legal or regulatory obligations applicable to the processing of Personal Data to which EBANX is subject;
to produce and distribute promotional marketing actions, unless otherwise agreed in the Payout Agreement;
to analyze, develop and improve EBANX’s products and services;
otherwise to fulfill the obligations set out in the Payout Agreement.