Terms for the use of PayPal PLUS
The following terms apply for your use of PayPal PLUS and are incorporated into the PayPal User Agreement by reference.
1. General principles
PayPal PLUS is a service providing a merchant an optimized checkout for its online shop. PayPal PLUS includes the payment methods PayPal Services, credit card, electronic direct debit, and Kauf auf Rechnung, as well as up to five third-party providers of payment methods which may be integrated into the PayPal PLUS checkout. PayPal PLUS also enables Payers who do not hold a PayPal Account to process payments to the merchant using PayPal PLUS.
Payments received via PayPal PLUS will be credited to the PayPal Account of the merchant as E-Money, irrespective of the payment instrument being used by the payer for payment in an individual case.
PayPal PLUS is only available to eligible merchants and upon prior application by the merchant. Eligibility is at PayPal’s sole discretion and takes numerous variables into account. Eligibility for PayPal PLUS expressly does not include eligibility for Kauf auf Rechnung.
Kauf auf Rechnung shall only be provided subject to a prior risk check of the merchant. The criteria of this risk check shall be in the sole discretion of PayPal.
Payments received via PayPal PLUS in the PayPal Account of the merchant are deemed paid with PayPal as set forth in the PayPal User Agreement (see Terms for the use of Kauf auf Rechnung).
For receiving payments via PayPal PLUS, Fees as set out on the Fees page shall apply.
2. Data Processing Schedule
This Data Processing Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to the merchant. Capitalized terms used but not defined in these Terms for the use of PayPal PLUS shall have the meaning set out in the PayPal User Agreement.
a. Definitions and Interpretation
The following terms have the following meaning when used in these Terms for the use of PayPal PLUS:
"Customer" means a European Union customer of merchant who uses the PayPal Services and for the purposes of this clause 2., is a data subject.
"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal Services.
"Data Controller" (or simply "Controller") and "Data Processor" (or simply "Processor") and "Data Subject" have the meanings given to those terms under the Data Protection Laws.
"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal Services.
"Personal Data" has the meaning given to it in the Data Protection Laws.
"Processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.
"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.
b. Processing of Personal Data in Connection with the Services
i. Merchant data controller
With regard to any Customer Data to be processed by PayPal in connection with the PayPal User Agreement or these Terms for the use of PayPal PLUS, the merchant will be a controller and PayPal will be a processor in respect of such processing. The merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
ii. Merchant written instructions
PayPal shall only process Customer Data on behalf of and in accordance with the merchant’s written instructions. PayPal and the merchant agree that this clause 2. is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this clause 2. (if any) require prior written agreement between PayPal and the merchant, including agreement of any additional fees payable by the merchant to PayPal for carrying out such additional instructions. The merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with the merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this clause 2. are subject to the provisions of clause 2.n. below on Security. The Merchant hereby instructs PayPal to process Customer Data for the following purposes:
- As reasonably necessary to provide the PayPal services to the merchant and its Customer;
- After anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
c. PayPal cooperation
In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with the merchant to the extent reasonably necessary to enable the merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as the merchant requires in relation to:
- Assisting the merchant in the preparation of data protection impact assessments to the extent required of the merchant under Data Protection Laws; and
- Responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.
d. Scope and Details of Customer Data processed by PayPal
The objective of processing Customer Data by PayPal is the performance of the PayPal Services pursuant to the User Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in clause 4. (Data Processing of Customer Data) below.
e. Compliance with Laws
PayPal and the Merchant will at all times comply with Data Protection Laws.
f. Correction, Blocking and Deletion
To the extent the merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, the merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.
g. Data Subject Requests
PayPal shall, to the extent legally permitted, promptly notify the merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. The merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide the merchant with commercially reasonable cooperation and assistance regarding such Customer's request and the merchant shall be responsible for any costs arising from PayPal’s assistance.
PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in these Terms for the use of PayPal PLUS to ensure that the PayPal personnel are aware of and comply with such obligations.
i. Limitation of Access
PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal Services in accordance with the PayPal User Agreement.
The merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal Services. In addition, the merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal Services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in these Terms for the use of PayPal PLUS. PayPal shall make available to the merchant a current list of Sub-processors for the respective PayPal Services with the identities of those Sub-processors.
k. Audits and Certifications
PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in clause 3. below to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal Services. Since PayPal provides the PayPal Services to all merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. The merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal Services.
m. Security Incident Notification
If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify the merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to the merchant's administrators by any means PayPal selects, including via email. The merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
Upon termination or expiry of the PayPal User Agreement, PayPal will delete or return to the merchant all Customer Data processed on behalf of the merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
o. Data Portability
Upon any termination or expiry of the PayPal User Agreement, PayPal agrees, upon written request from the merchant, to provide the merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to the merchant’s Customers (“Card Information”). In order to do so, the merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) The merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).
3. Technical and Organizational Measures
The following technical and organizational measures will be implemented:
- Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
- Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
- Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
- Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities;
- Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
- Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
- Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
- Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
- Measures taken to safeguard data by creating backup copies.
4. Data Processing of Customer Data
- Categories of data subjects
Customer Data – The personal data that the Customer provides to the merchant and the merchant passes on to PayPal through the use by the Customer of the PayPal Services.
- Subject-matter of the processing
The payment processing services offered by PayPal which provides the merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.
- Nature and purpose of the processing
PayPal processes Customer Data that is sent by the merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the merchant for the sale of goods or services.
- Type of personal data
Customer Data – The Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under the PayPal User Agreement or these Terms for the use of PayPal PLUS. Should there be any changes to the type of Customer Data PayPal is required to process, the Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the merchant to PayPal from time to time:
- Full name
- Date of birth
- Home address
- Shipping address
- Work address
- Billing address
- Email address
- Telephone number
- Fax number
- Government ID number
- Bank account number and bank routing number
- Financial account number
- Card or payment instrument type
- Card Primary Account Number (PAN) or Device-specific Primary Account Number (DPAN)
- Card Verification Value (CVV)
- Card expiration date
- Business tax ID
- IP address
- Device Data
- Browser data.
- Special categories of data (if relevant)
The transfer of special categories of data is not anticipated.
- Duration of Processing
The term of the PayPal User Agreement.