PayPal Website Payments Pro and Virtual Terminal Agreement
PayPal Website Payments Pro and Virtual Terminal Agreement
Last Update: May 19, 2018
This PayPal Website Payments Pro – Hosted Solution / Virtual Terminal Agreement ("Pro/VT Agreement") is a contract between you (also referred to as "Merchant") and PayPal Hong Kong Limited ("PayPal", "we", "us" or "our" as the context may require). You agree that any use by you of the PayPal Services will constitute your acceptance of this Pro/VT Agreement and we recommend that you store or print-off a copy of this Pro/VT Agreement.
This Pro/VT Agreement applies to your use of the Products. To proceed with obtaining one or more of the Products, you must read, agree with and accept all of the terms and conditions contained in this Pro/VT Agreement.
We may make changes to this Pro/VT Agreement by giving notice of such change by posting a revised version of this Pro/VT Agreement on the PayPal website(s). You will be deemed to have accepted the change after you have received notice of it. We will give you 30 days’ notice of any change with the change taking effect once the 30 day notice period has passed. The 30 day notice period will not apply where a change relates to the addition of a new service, extra functionality to the existing PayPal Services or any other change which we believe in our reasonable opinion to neither reduce your rights nor increase your responsibilities. In such instances, the change will be made without notice to you and will be effective immediately upon giving notice of it.
If you do not accept any change, you must close your PayPal Account following the account closure procedure set out in the User Agreement. If you do not object to a change by closing your PayPal Account within the 30 day notice period, you will be deemed to have accepted it. While you may close your PayPal Account at any time and without charge, please note that you may still be liable to us after you terminate this Pro/VT Agreement for any liabilities you may have incurred and are responsible for prior to terminating this Pro/VT Agreement and please further note our rights under the User Agreement.
Capitalised terms are defined below.
1. Setting up and activating your Product
- Getting started. To obtain and use your Product, you must first do all of the following:
- Complete the online application process for your Product, open a PayPal Business Account (if you do not already have one), and follow the instructions provided by PayPal to access and use your Product.
- Integrate your Product into the payment process of your website, if your Product is Website Payments Pro – Hosted Solution. You are not required to integrate your Product into the payment process of your website if you only access and use Virtual Terminal. PayPal is not responsible for any problems that could occur by integrating your Product into your 'live' website. You are solely responsible for choosing, setting, integrating and customising your Product and ensuring that it suits your needs.
- Parity among payment methods. In displaying payment options on your website, you must display the logos of PayPal and the Card Associations with size and prominence equal among themselves and among those of other payment methods. You must not display a preference for one payment method over another. In using PayPal’s logo and buttons, you also agree to comply with the logo usage standards located at: https://www.paypal.com/webapps/mpp/logos-buttons.
- Cancellation. PayPal may decline your application for the Product due to your credit history, PayPal history, or for any other reason in PayPal’s discretion. You agree and acknowledge that we and/or our agents reserve the right in our sole discretion to reject your application and enrolment for the Product and PayPal may limit your access to or use of the Product without any further obligation to you.
In consideration of PayPal providing the PayPal Services to you, you agree to pay the fees in the amount as notified to you by PayPal separately.
3. Information security; Data Protection
- Compliance with Data Security Schedule. You agree to comply with Schedule 1 below, which forms part of this Pro/VT Agreement.
- PCI DSS compliance. You also agree to comply with the PCI Data Security Standard (PCI DSS) as they may apply to you in your specific circumstances. You must protect all Card Data that comes within your control according to PCI DSS, and you must design, maintain and operate your website and other systems in conformity with PCI DSS. PayPal is not responsible for any costs that you incur in complying with PCI DSS.
- Audit. If PayPal receives an indication of a security breach involving your website or of a possible compromise of Card Data, PayPal may require you to have an independent third party auditor, approved by PayPal, conduct a security audit of your systems and facilities and issue a report. You agree to comply with PayPal’s request under this clause at your own expense. You must provide a copy of the auditor’s report to PayPal, and PayPal may provide copies of it to the banks (including, without limitation, Acquiring Institutions) and Card Associations involved in processing card transactions for PayPal. If you do not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at your expense. PayPal may advise Shared Customers, if PayPal has reason to believe that a fraud or other illegitimate activity may be occurring or may have occurred, and if PayPal reasonably believes that the fraud or other illegitimate activity may affect those Shared Customers’ PayPal Accounts.
- Security of Card Data. Unless you receive and record the express consent of the cardholder:
- You may not retain, track, monitor or store any Card Data, or use Card Data beyond the scope of the specific transaction for which Card Data was given, and
- You must completely remove all Card Data from your systems, and any other place where you store Card Data, within 24 hours after you receive an authorisation decision relevant to that Card Data.
If, with the cardholder’s consent, you retain Card Data, you may do so only to the extent that the Card Data are necessary for processing your payment transactions. You must never give or disclose the retained Card Data to anyone, not even as part of the sale of your business. Moreover, and regardless of anything to the contrary, you must never retain or disclose the CVV2 Data, not even with the cardholder’s consent.
- Price and currency. You may not submit payment transactions in which the amount is the result of dynamic currency conversion. This means that you may not list an item in one currency and then accept payment in a different currency. If you are accepting payments in more than one currency, you must separately list the price for each currency.
Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 2 below, which forms part of this Agreement. The terms of the Data Protection Schedule prevail over any conflicting terms in this Agreement relating to data protection and privacy.
4. User Agreement
- User Agreement applies. The terms of the User Agreement apply to you and are incorporated by reference into this Pro/VT Agreement. The definition of “PayPal Services” in the User Agreement will be amended to include your Product, and the definition of “Agreement” will include this Pro/VT Agreement. In case of any inconsistency between this Pro/VT Agreement and the User Agreement, this Pro/VT Agreement supersedes the User Agreement, but only to the extent of that inconsistency. The User Agreement includes important provisions which:
- Permit PayPal to take a Reserve to secure your obligation to pay chargebacks, reversals and fees;
- Obligate you to follow PayPal’s Acceptable Use Policy in your use of PayPal Services;
- Permit PayPal to restrict a payment or your PayPal Account in circumstances listed in the User Agreement.
- Failed payments and Product tools. You are responsible for chargebacks, reversals and other invalidated payments as provided in the User Agreement, regardless of how you use and configure your Product, including its fraud filtering technology and similar preventive tools (if any). Those tools can be useful in detecting fraud and avoiding payment failures, but they do not affect your responsibility and liability pursuant to the User Agreement for chargebacks, reversals and payments which are otherwise invalidated.
5. Software Licence
- Licence. PayPal hereby grants to you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to
- use your Product in accordance with the documentation provided on the PayPal Website; and to
- use the documentation provided by PayPal for your Product and reproduce it for internal use only within your business. Your Product as licensed is subject to change and will evolve along with the rest of the PayPal system; see clause 8(a). You must comply with the implementation and use requirements contained in all PayPal documentation and instructions accompanying the Product issued by PayPal from time to time (including, without limitation, any implementation and use requirements we impose on you to comply with applicable laws and card scheme rules and regulations).
- ID codes. PayPal will provide you with certain identifying codes specific to you. Use of those codes may be necessary for the PayPal system to process instructions from you (or your website). You agree to follow reasonable safeguards advised by PayPal from time to time in order to protect the security of those identifying codes; see also Schedule 1. If you fail to protect the security of the codes as advised, you must notify PayPal as soon as possible, so that PayPal can cancel and re-issue the codes. PayPal may also cancel and re-issue the codes if it has reason to believe that their security has been compromised, and after notifying you whenever notice can reasonably be given.
- No warranty. Your Product and all accompanying documentation are provided to you on an “as is” basis. PayPal does not give or offer any warranty, express or implied, by operation of law or otherwise, in relation to your Product, the licensed software or user documentation provided. Nothing provided by PayPal under this Pro/VT Agreement or otherwise for your Product has PayPal’s authorisation to include a warranty, and no obligation or liability will arise or grow out of PayPal’s rendering of technical, programming or other advice or service in connection with any Product, licensed software and user document provided (including, without limitation, services that may assist you with the customisation of your Product). PayPal recommends that you test the implementation of your Product thoroughly as PayPal is not responsible for any loss caused by a defect in it.
6. Banking terms for Card Transactions
PayPal utilises services from banking (including, without limitation, acquiring) partners in processing Card Transactions, including both direct payments to you from a card as well as Card Transactions that fund a PayPal payment to you. Schedule 3 below applies in relation to those services. In accepting this Pro/VT Agreement, you also accept the terms for Card Transactions in Schedule 3, the terms of which form part of this Pro/VT Agreement.
7. Termination and suspension
- By you. You may terminate this Pro/VT Agreement by doing either of the following:
- Cancelling your billing agreement in the Preferences section of your PayPal Account or giving 10 days notice to PayPal Customer Service of your intent to terminate this Pro/VT Agreement. PayPal Customer Service will confirm termination via email. This option lets you stop using your Product and paying for it, but your PayPal Account remains open and its User Agreement remains in effect.
- Closing the PayPal Account that you use with your Product (see the User Agreement for more information).
- By PayPal. PayPal may terminate this Pro/VT Agreement by doing any of the following:
- Giving you 30 days’ notice by email to your registered email address associated with your PayPal Account of PayPal’s intent to terminate this Pro/VT Agreement. Unless otherwise notified, this option does not affect your User Agreement and your PayPal Account remains open.
- Terminating the User Agreement that applies to the PayPal Account used with your Product.
- By events. PayPal may terminate this Pro/VT Agreement immediately without notice if you:
- Breach this Pro/VT Agreement or the User Agreement;
- Become unable to pay or perform your obligations as they fall due;
- Become unable to pay your debts, admit your inability to pay your debts or otherwise become insolvent;
- Have any execution, attachment or similar action taken, levied or enforced against you or your assets, or if any garnishee order is issued or served on you;
- Become the subject of any petition presented, order made or resolution passed for the liquidation, administration, bankruptcy or dissolution of all or a substantial part of your business, except where solvent amalgamation or reorganisation is proposed on terms previously approved by PayPal;
- Lose full and unrestricted control over all or part of its assets because of the appointment of a receiver, manager, trustee, liquidator or similar officer;
- Enter into or proposes any composition or arrangement concerning your debts with your creditors (or any class of its creditors);
- A material adverse change occurs in your business, operations, or financial condition; or
- You provide inaccurate information in applying for your Product or in your dealings with us.
- Effect of termination. When this Pro/VT Agreement terminates, you must immediately stop using your Product, and PayPal may prevent or hinder you from using it after termination. If you nevertheless use a Product after termination of this Pro/VT Agreement, then this Pro/VT Agreement will continue to apply to your use of that Product until you give effect to the termination by stopping your use of that Product. The following clauses in this Pro/VT Agreement will survive termination of this Pro/VT Agreement and continue in full force and effect: Clauses 2, 4(a), 8(b), 8(d). Termination of this Pro/VT Agreement will not affect any rights, remedies or obligations of the parties that have accrued or become due prior to termination, and you will not be entitled to a refund of any Monthly Fee paid prior to termination.
- Breach and suspension. If you breach this Pro/VT Agreement, the User Agreement, or a security requirement imposed by PCI DSS, PayPal may immediately suspend your use of your Product. PayPal may require you to take specified corrective actions to cure the breach and have the suspension lifted, although nothing in this Pro/VT Agreement precludes PayPal from pursuing any other remedies it may have for breach. In addition, if PayPal reasonably suspects that you may be in breach of this Pro/VT Agreement or PCI DSS, PayPal may suspend your use of your Product pending further investigation.
- Future of the Products. PayPal retains sole and absolute discretion in determining
- the future course and development of the Products,
- which improvements to make in them and when, and
- whether and when defects are to be corrected and new features introduced.
PayPal welcomes feedback from users in planning the future of the Product but is not required to act in accordance with any feedback received. In giving us feedback, you agree to claim no intellectual property interest in your feedback.
- Indemnity. You agree to indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any direct loss, damage and liability, and from any claim, demand or cost (including reasonable lawyers’ fees) incurred in relation to any third party (including a Shared Customer) and arising out of your breach of this Pro/VT Agreement, the User Agreement and the documents incorporated in it by reference (including the Acceptable Use Policy), or the violation of any law.
- Web Payments Pro – Hosted Solution and your intellectual property. You hereby grant to PayPal a royalty-free, worldwide non-exclusive licence to use your or any of your affiliates’ names, images, logos, trademarks, service marks, and/or trade names as you may provide to PayPal when using the Products (“Your Marks”) for the sole purpose of enabling your use of the Products. Title to and ownership of Your Marks and all goodwill arising from any use hereunder will remain with you. You represent and warrant that you have the authority to grant PayPal the right to use Your Marks and you will indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any claims or losses suffered by it arising from the use of Your Marks in connection with the Products.
- Assignment, amendment and waiver. You may not assign this Pro/VT Agreement without first obtaining PayPal’s written consent. PayPal may assign, novate or otherwise transfer this Pro/VT Agreement without your consent by notifying you. Neither party may amend this Pro/VT Agreement or waive any rights under it except in a written document signed by both parties.
- Governing law and jurisdiction. This Pro/VT Agreement is governed by the laws of Hong Kong. The parties submit to the non-exclusive jurisdiction of the courts of Hong Kong.
Capitalised terms not listed in this clause are defined in the User Agreement or above in this Pro/VT Agreement.
- Acquiring Institution: means a financial institution or bank that provides services to you to enable you to (a) accept payment by cardholders using cards; and (b) receive value in respect of Card Transactions.
- Card Association: A company or consortium of financial institutions which promulgates rules to govern Card Transactions that involve the card that carries the company’s or the consortium’s brand. Examples may include (where applicable) Visa USA, Visa Europe, and the other Visa regions; MasterCard International Incorporated; American Express Company and similar organisations.
- Card Data: All personal or financial information relevant to a Card Transaction, including information recorded on the card itself (whether in human-readable form or digitally).
- Card Transaction: A payment made using a credit or debit card or any other payment method using a physical data-carrying item intended to be held in the payor’s possession. The Products support only certain types of Card Transactions; see the PayPal Website for more information.
- CVV2 Data: The three-digit number printed to the right of the card number in the signature panel area on the back of the card. (For American Express cards, the code is a four-digit unembossed number printed above the card number on the front of the American Express card.) The CVV2 Data are uniquely associated with each individual plastic card and ties the card account number to the plastic.
- Monthly Fee: A fee payable on a monthly basis as required in clause 2 above.
- PayPal Website: means www.paypal.com.hk or www.paypal.com/hk.
- PCI DSS: Payment Card Industry Data Security Standard, i.e. specifications prescribed by Card Associations to ensure the data security of Card Transactions. A copy of PCI DSS is available online from https://www.pcisecuritystandards.org.
- Product(s): Website Payments Pro – Hosted Solution and/or Virtual Terminal.
- Shared Customer: A person who both has a PayPal Account and is also your customer.
- Virtual Terminal: Functionality provided by PayPal to enable you to receive a card payment by manually entering Card Data given to you by the cardholder.
- Website Payments Pro – Hosted Solution: Functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder. This solution is hosted by PayPal. You do not have to capture or store credit card information on your website..
Data Security Requirements
- Ownership of PayPal Website Payments Pro Hosted Solution information and materials
- As part of Merchant’s access to, and utilisation of PayPal Website Payments Pro– Hosted Solution, Merchant will be provided with certain information and materials (the “Pro Materials”) which are to be used by Merchant to use PayPal Website Payments Pro– Hosted Solution.
- All intellectual property rights associated with the Pro Materials remain the property of PayPal, or the relevant Acquiring Institution (as the case may be).
- Merchant agrees to not give, transfer, assign, novate, sell, resell (either partly or in whole) the Pro Materials to any person.
- Merchant’s Security Codes obligations
- Merchant acknowledges and agrees that it is solely responsible for maintaining adequate security and control of any and all IDs, passwords or other security codes (collectively, the “Security Codes”) that are issued to Merchant by PayPal or the Acquiring Institution.
- Merchant agrees to restrict use of, and access to, Merchant’s Security Codes to Merchant’s employees, agents or contractors as may be reasonably necessary to allow Merchant to use the Product and to ensure that such persons comply with the provisions set out in this Schedule or the other security advice provided to Merchant by PayPal or the Acquiring Institution (as the case may be).
- Merchant’s obligations to comply with Data Security requirements
- Merchant acknowledges and agrees that it is fully responsible for the security of data on its website or otherwise within its possession or control.
- Merchant agrees to do the following with respect to its processing of its customers’ personal identifiable information and the collection, security and dissemination of data on Merchant’s website:
- comply with all applicable laws and regulations;
- comply with the applicable obligations, rules and guidelines issued by Visa USA, Europe, Asia Pacific, Canada and all Visa regions, MasterCard International Incorporated or other applicable card associations (the “Associations” and the “Association Rules”), including, without limitation, the Visa Cardholder Information Security Program (CISP), Visa Account Information Security Program (AISP), the MasterCard Site Data Protection Program and the Payment Card Industry Data Security Standard (“PCI DSS”). Further information can be found by visiting the following URLs: www.visabrc.com, www.visaeurope.com/accepting visa/ais.html and https://sdp.mastercardintl.com.
- PCI/DSS include the requirements that Merchant must, without limitation:
- install and maintain a firewall configuration to protect data;
- not use vendor supplied defaults for system passwords and other security parameters;
- protect stored data;
- encrypt transmission of cardholder data and sensitive information across public networks;
- use and regularly update anti-virus software;
- develop and maintain secure systems and applications;
- restrict access to data by business need-to-know;
- assign a unique ID to each person with computer access;
- Restrict physical access to cardholder data;
- Track and monitor all access to network resources and cardholder data;
- regularly test security systems and procedures; and
- maintain a policy that addresses information security.
At PayPal’s request, Merchant must provide PayPal with evidence to PayPal’s satisfaction that it is in compliance with PCI DSS. Merchant acknowledges and agrees that nothing in this Pro/VT Agreement nor PayPal providing the Product will constitute compliance by Merchant to the PCI DSS whether via a third party “Qualified Security Assessor” and such compliance services are not provided under the scope of this Pro/VT Agreement. Merchant agrees to independently arrange evidence from a Qualified Security Assessor or otherwise to PayPal’s satisfaction.
- undertake non penetrative scans (either quarterly or annually depending on the volume of Merchant’s annual transactions as notified by either PayPal or the Acquiring Institution to Merchant) of Merchant’s web accessible ports and an on site audit if Merchant processes six million Visa and/or MasterCard/Maestro transactions annually which must be completed by a Qualified Security Assessor. For details of Visa and MasterCard Qualified Security Assessors log onto: http://www.mastercard.com/us/sdp/serviceproviders/compliant_serviceprovider.html or https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.
- notify PayPal of any agent, including any web hosting service, gateway, shopping cart or other third party provider, that has access to cardholder data and ensure that such agent is compliant with PCI DSS and all current legal obligations associated with the collection, security and dissemination of data and the processing of personal information. Merchant will be liable to PayPal for any and all damages, losses, costs, expenses and/or claims made to, or suffered by, PayPal as a result of a breach by such third parties obligations under this sub-paragraph;
- provide PayPal with all information or access to records as needed by PayPal to ensure Merchant’s compliance with this paragraph 3; and
- notify PayPal immediately of any security breach to Merchant’s records or system as it relates to Merchant’s access to, and/or utilisation of the Product.
- Merchant agrees not to store any personal identification number data, AVS (address verification service) data or card validation codes (for example, the three digit values printed in the signature panel of most cards and the four digit code printed on the front of the American Express card) of any cardholder or any other payment method information of any cardholder (whether received electronically, verbally, by fax, hardcopy or otherwise) and will be liable for any fines associated with the breach of any relevant Association rule or guidance.
- Merchant acknowledges and agrees that if PayPal receives notice of a security breach or compromise of cardholder data in connection with Merchant, Merchant will allow a third party forensic auditor certified by the Associations to conduct a security review of Merchant’s systems, controls and facilities and to issue a report to PayPal and the Associations. If Merchant fails to initiate such a process after PayPal’s requesting it to do so, Merchant authorises PayPal to take such action at Merchant’s expense.
- PayPal may immediately suspend Merchant’s access to or use of the Product or terminate without notice this Pro/VT Agreement upon notice of Merchant potentially breaching or breaching any provision set out in this paragraph 3.
- If PayPal suspends your access to or use of the Product, PayPal will set out in a notice to Merchant and explain the basis of PayPal’s actions in suspending Merchant, including measures reasonably calculated to rectify the breach. PayPal’s suspension of Merchant’s access or use of the Product will remain in effect and until such time as PayPal is satisfied that Merchant has remedied the applicable breach(es).
- PayPal’s obligations to keep data secure
When processing the personal data of cardholders whose transaction data Merchant submits to PayPal, PayPal will only carry out processing on the instructions of Merchant, and at all times, ensure, or procure that any third party who processes data on our behalf ensures, that the security measures employed in respect of the storage, transmission or any other processing of such personal data employ industry standard or better encryption and security methods as being appropriate for use by financial institutions.
- Merchant's use of cardholder information
- Merchant agrees to only use, disclose or process, any cardholder information obtained in connection with a card transaction (including the names, addresses and card account numbers of cardholders) including for the purposes of authorising, completing and settling card transactions and resolving any chargeback or reversal disputes, retrieval requests or similar issues involving card transactions. Merchant will only be able to process cardholder information differently than set out in this paragraph if Merchant obtains the prior written consent from PayPal and each applicable Association, card issuing bank and cardholder or as otherwise pursuant to a court order or otherwise required by law.
- Merchant agrees to:
- establish and maintain sufficient controls for, limit access to and render unreadable prior to discarding, all records containing cardholder account numbers and card imprints;
- not sell or disseminate any cardholder information obtained in connection with a card transaction held in a database or otherwise (including the names, addresses and card account numbers of cardholders);
- not retain or store magnetic stripe data or hardcopies containing cardholder data (including faxes) after a transaction has been authorised; and
- not reproduce any electronically captured signature of a cardholder except on PayPal’s specific request (upon such a request Merchant agrees to comply).
- Merchant acknowledges that Association rules prohibit the sale or disclosure of databases containing Cardholder account numbers, personal information or other Association transaction information to third parties as an asset of a failed business. In such cases, Merchant agrees that transaction information is to be returned to the Acquiring Institution or acceptable proof of destruction of this data is provided.
- Merchant agrees that it is responsible and liable for compliance with this paragraph 5 by any third party processor, hosting service or other agent of Merchant engaged in the processing or storage of cardholder data. Merchant agrees to notify PayPal in writing of any third party engaged by any third party processor, hosting service or other agent prior to Merchant engaging them and further immediately notify PayPal in writing of any access to transaction data by any unauthorised person.
- Merchant’s use of a Technical Service Provider
- Merchant may utilise third parties to perform certain Merchant obligations set out in this Schedule with our express written consent which may contain conditions as to Merchant’s use of such a person (each such a party known as a "Technical Service Provider"). To be eligible for consent, each Technical Service Provider must (among other things) be registered with the applicable Association.
- If Merchant is permitted to utilise a Technical Service Provider, Merchant agrees and will procure that the Technical Service Provider will comply with the provisions relating to data and information security as set out in this Schedule (including, without limitation, PCI DSS requirements) as they apply to storing, processing or transmitting cardholder data to PayPal.
- Prior to, or from the appointment of a Technical Service Provider, Merchant agrees to:
- notify PayPal in writing of the details of the Technical Service Provider that engages in, or proposes to engage in, the processing, storing or transmitting of Cardholder data on Merchant’s behalf, regardless of the manner or duration of such activities;
- provide satisfactory evidence to PayPal that the Technical Service Provider is registered with the applicable Association;
- comply with any requirements of the Technical Service Provider including, without limitation, complying with any requirements relating with respect to the Technical Service Provider’s services, hardware or software and obtaining any required end user consents for transmission of data through the Technical Service Provider; and
- at PayPal’s discretion, provide PayPal with permission to register Merchant with the relevant Technical Service Provider (as required).
- Merchant agrees that it is solely responsible for the relationship with the Technical Service Provider and any data transmitted or made available to the Technical Service Provider. Merchant’s failure to comply with the provisions set out in this paragraph 6, or the failure of the Technical Service Provider or gateway processor to register and/or comply with the applicable data security requirements may result in fines or penalties which Merchant is liable for. PayPal may immediately terminate this Pro/VT Agreement upon Merchant breaching this paragraph 6.
DATA PROTECTION SCHEDULE
This Data Proection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION
1.1 The following terms have the following meanings when used in this Schedule:
"Card Information" is defined in Section 2.15 of this Schedule.
"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule, is a data subject.
"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.
"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.
"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.
"Data Recipient" is defined in Section 2.15 of this Schedule.
"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.
"personal data" has the meaning given to it in the Data Protection Laws.
"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.
"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.
1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:
2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;
2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:
2.3.1. assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and
2.3.2 responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.
2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).
2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.
2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.
2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.
2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.
2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.
2.10 Sub-processors. Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.
2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
- Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
- Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
- Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
- Measures taken to prevent data processing systems from being used by unauthorized person using data transmission facilities;
- Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
- Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
- Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
- Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
- Measures taken to safeguard data by creating backup copies.
Data Processing of Customer Data
Categories of data subjects
Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.
Subject-matter of the processing
The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.
Nature and purpose of the processing
PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale goods or services.
Type of personal data
Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:
|A Billing address||X||X|
|Card or payment instrument type (optional)||X||X|
|Card Primary Account Number (PAN)||X||X|
|Card Verification Value (CVV)||X||X|
|Card expiration date||X||X|
Special categories of data (if relevant)
The transfer of special categories of data is not anticipated.
Duration of Processing
The term of the Agreement.
Terms for processing Card Transactions
PayPal uses services from WorldPay and HSBC Bank as Acquiring Institutions in processing Card Transactions. The relevant agreements are located at https://www.paypal.com/hk/webapps/mpp/ua/ceagreement-full. One of these agreements will apply in relation to a Card Transaction, depending on which Acquiring Institution processes the transaction.