PayPal Here Agreement

>> View all legal agreements

PayPal Here™ Agreement

Last Update: May 31, 2018

Please note: The version of this document marked “Current PayPal Here™ Agreement” set out immediately below is effective until Aug 31, 2018.  The version of this document marked “Updated PayPal Acceptable Use Policy” further below will take effect and supersede the Current PayPal Acceptable Use Policy on Aug 31, 2018.


Current PayPal Here™ Agreement


This PayPal Here™ Agreement (“PayPal Here Terms”) is a contract between you (“you”) and PayPal (Europe) S.à r.l et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (“PayPal”, “we” or “us”) and applies to your use of the Services to accept payments from PayPal Accounts, credit cards and debit cards into your PayPal Account using the PayPal Here Card Reader and software (“PayPal Here”). You must read, agree with and accept all of the terms and conditions contained in these PayPal Here Terms. By purchasing the PayPal Here Card Reader and/or using PayPal Here, you acknowledge that you have agreed to these PayPal Here Terms. Capitalised terms that are not defined in these PayPal Here Terms, including Section 15 (Definitions), are defined in the PayPal User Agreement.

These PayPal Here Terms, with the PayPal User Agreement and any other agreement in to which you have entered into with PayPal (collectively "PayPal Agreements"), apply to your use of the PayPal Here service. To be clear, the definition of Services under the PayPal User Agreement shall be amended to include PayPal Here. If any inconsistency exists between the terms of the PayPal User Agreement and these PayPal Here Terms, these PayPal Here Terms shall control your use of PayPal Here. We may amend, delete or add to these PayPal Here Terms at any time by posting a revised version on our website (a "Change"). A Change will be made unilaterally by us and you will be deemed to have accepted the Change after you have received notice of it. We will provide you with 2 months' prior notice of the Change by posting notice on the "Policy Updates" page of our website. If you would like to receive notification by email of new Policy Updates then you may do so by changing your notification preferences in your Account Profile. The Change will take effect once the 2 month notice period expires, except it shall take place immediately if the Change relates to the addition of a new service, extra functionality or any other change which we believe in our reasonable opinion neither reduces your rights nor increases your responsibilities. In such instances, the Change will be made without prior notice to you and shall be effective immediately. Once a change takes effect, your continued use of PayPal Here shall be deemed acceptance of this Change. If you do not agree with any Change, you may terminate your use of PayPal Here and uninstall the PayPal Here App at any time.

 

1. Product Description.

PayPal Here is a payment solution for businesses, which allows you to accept payments by PayPal as well as credit cards and debit cards (“Cards”). PayPal Here can only be used to accept the type of Cards that are specified on the PayPal Here website, and this list of Cards could change at any time and without notice. It also allows you to issue PayPal invoices and manage records of the PayPal, cash and cheque payments that you accept. This function is designed to help you manage your records more easily, however PayPal Here is not an accounting solution and PayPal cannot accept any liability arising from the use of this functionality.

In addition to agreeing to these PayPal Here Terms, you will be required to provide certain personal and business information in order for you to register for PayPal Here. You must have a Business Account in good standing and be approved by PayPal to use PayPal Here. If you have a Personal or Premier Account (rather than a Business Account) prior to signing up for PayPal Here, you will be automatically upgraded to a Business Account as part of the application process but no charge will be made for this upgrade.

 

2. The Application and Approval Process.

The application and approval processes will usually be carried out through the PayPal Here App or an appropriate PayPal website. However, in some circumstances, we may need to carry out a manual approval process. (We will let you know during the application process if this applies to you.) Your use of PayPal Here is dependent on your downloading of the PayPal Here App, your acceptance of the end user license agreement associated with the PayPal Here App, (in certain cases) your obtaining a PayPal Here Card Reader, your holding a valid PayPal Account and your approval by PayPal. We will determine at our sole discretion whether you will be approved to use PayPal Here. Your approval will also be relevant to a specific country or jurisdiction, and your use of PayPal Here shall be limited to processing transactions in that country or jurisdiction. PayPal may restrict your use of PayPal Here in another country or jurisdiction outside your country. If you purchased a PayPal Here card reader from us either online, through the PayPal Here App or directly from PayPal in person and your application was declined, contact the Customer Care team on 0800 358 9448 for instructions on how to return the item. We will issue you with a full refund once you have returned the card reader. Make sure it’s undamaged, in good working order and in the original packaging.

There is no fee to download the PayPal Here App. You must download and use the most recent version of the PayPal Here App that is available, including downloading and installing any updates that become available periodically.

 

3. Getting, Using, Returning and Replacing your PayPal Here Card Reader.

Retailers of PayPal Here Card Readers may require evidence that you are pre-approved to use PayPal Here before you can purchase a PayPal Here Card Reader. We reserve the right to limit the number of PayPal Here Card Readers that you can receive at any time.

In addition to the Warranty described below, if you purchase a PayPal Here Card Reader from us either online, through the PayPal Here App or directly from PayPal in person you may return it, for any reason, within 30 days of receipt of delivery; provided that it is returned to us undamaged, in good working order and in the packaging in which you received it. You may arrange for a return of your PayPal Here Card Reader by contacting customer service for return shipping instructions. If you purchase a PayPal Here Card Reader from anyone other than us, then the return policy of that retail outlet will apply, and you should return it to the authorised retailer who sold it to you.

If your PayPal Here Card Reader does not work and it is under Warranty, you may request a new PayPal Here Card Reader by contacting Customer Service. If the device has a fault, Customer Service may arrange for a replacement PayPal Here Card Reader to be sent to you. Unless we say otherwise, you must return your original PayPal Here Card Reader within the time period we specify. This may be either using the prepaid envelope provided with your replacement PayPal Here Card Reader or, in some circumstances, we may also arrange to collect your original PayPal Here Card Reader when the replacement device is delivered. Failure to return the original PayPal Here Card Reader may result in you being charged the cost of the replacement unit. We reserve the right to reasonably limit the number of replacement devices that you can receive under this Warranty, the full terms and conditions of which can be accessed here. For the avoidance of doubt, PayPal reserves the right to change the Warranty on reasonable notice and we will decide within our reasonable judgement the validity of any warranty claims under the terms of the Warranty. In the event of a conflict between the Warranty and this PayPal Here Agreement, these PayPal Here Terms take precedence

 

4. Lost, Stolen or Disabled PayPal Here Card Readers.

We reserve the right to disable use of your PayPal Here Card Reader remotely if we suspect fraud, breach of the Acceptable Use Policy, a breach of these PayPal Here Terms or if we otherwise believe there is an increased risk to us or your PayPal Account associated with your PayPal Here Card Reader. If your PayPal Here Card Reader is lost, stolen or is otherwise no longer necessary, you must contact PayPal customer services to arrange for your device to be disabled.

Your PayPal Here Card Reader may only be associated with an approved PayPal Account. You may not dispose of your PayPal Here Card Reader without it first being disabled and your PayPal Here Card Reader cannot be passed to another person who does not hold an approved PayPal Account, associated with another approved PayPal Account or used in a country other than that in which it is registered without our express consent.

If you purchase a PayPal Here Card Reader using your PayPal Account, you may be able to file a claim under Buyer Protection if the PayPal Here Card Reader is not delivered. You are purchasing your PayPal Here Card Reader directly from PayPal and you would be filing your claim against us. We will decide the validity of any claim submitted under Buyer Protection but we will hold ourselves to the same standard of proof in adjudicating the claim that PayPal uses for its sellers.

 

5. Credit Report.

By signing up for PayPal Here, you are providing us with written instructions and authorisation to obtain your personal and/or business credit report from a credit reference agency. You are also authorising us to obtain your personal and/or business credit report at any time we reasonably believe there may be an increased level of risk associated with your PayPal Account. You agree to allow PayPal to obtain from a third party your credit history and financial information about your ability to perform your obligations under this Agreement in the manner set out in the PayPal Privacy Policy. PayPal will review your credit and other risk factors of your Account (reversals and chargebacks, customer complaints, claims etc.) on an ongoing basis. PayPal will store, use and disclose the information obtained in conformity with PayPal’s Privacy Policy.

You also agree to comply with our requests to verify your identity to allow us to reduce the risk of fraud or otherwise comply with our anti-money laundering or other legal requirements. We reserve the right to deny or restrict your use of PayPal Here or your PayPal Account if you fail to comply with these requests.

 

6. Multiple Devices and Authorised Users.

Through your PayPal Account, you may authorise other eligible users to use PayPal Here Card Readers that are linked to your PayPal Account for the same purpose as your business use. In order to authorise such use, you will have to personally request and purchase the additional devices that you require. You can also request that these devices are sent to multiple different addresses when you do so. You will also have to register each of your authorised users with us and create a password for each user to be able to log-in (with limited access) to your PayPal Account. You can only register authorised users that are 18 years or older and PayPal reserves the right to limit the number of authorised users you may have. Your authorised users will have the ability to perform any action that you select on the PayPal.co.uk website (however please note they will be unable to withdraw funds from your PayPal Account) and must only use the PayPal Here Card Reader for the same business purpose as you do.

It is your responsibility to ensure that your authorised users comply with these PayPal Here Terms in connection with their use of the PayPal Here Card Reader. Prior to issuing a PayPal Here Card Reader to any authorised user, we may have to perform screening in compliance with anti-money laundering or other legislation. In order to assist us in this screening, you agree to provide us with legitimate and accurate information regarding the identity of all authorised users as requested by us. We reserve the right to deny any authorised user access to PayPal Here at any time. You agree that you are at all times liable for the actions or omissions of your authorised users and that you will indemnify and hold us harmless from the actions or inactions of your authorised user in connection with their use or misuse of the PayPal Here service.

 

7. Using PayPal Here.

You may process a card-present transaction using the PayPal Here Card Reader by inserting the card into the PayPal Here Card Reader and obtaining the customer’s PIN code or swiping the card and obtaining the customer’s signature. The PayPal Here App will prompt you as to what verification is necessary, based on a customer’s card, however if a customer’s card includes an electronic chip, you must always look to obtain Chip and Pin authorisation before obtaining a signature.

You may process a Contactless Transaction using the PayPal Here Card Reader, however you may not process a Contactless Transaction with a value exceeding the prevailing amount limit for that transaction set by any Acquiring Bank, Card Companies and/or PayPal from time to time.

You may also use PayPal Here to process Keyed Transactions (i.e. a card not present transaction), however you are not allowed to process a Keyed Transaction when a customer’s card is present. You cannot process a card-present transaction when the customer is not present.

Obtaining valid authorisation (such as a validly entered PIN) may assist you in defending against a Chargeback in the event that a customer subsequently claims that it did not authorise a transaction. Prior to processing any card-present transaction, You must show the customer the price of the goods or services that you are providing to the Customer.

You must also provide customers with a receipt if they request one. Customers may receive an electronic receipt via email or SMS, rather than a paper receipt. It is your responsibility to obtain your customer’s consent prior to using the PayPal Here App to send them a receipt via email or SMS to them.

You must not use PayPal Here to provide a customer with any form of cash advance. You agree that you shall not provide any false or misleading descriptions of any transaction that you submit through PayPal Here and that the descriptions given within itemised transactions shall be an accurate and true description of the goods and services being purchased. You also agree to comply with any instructions provided to you along with your PayPal Here Card Reader.

If you choose to receive PayPal Transactions through the PayPal Here App, these transactions must be processed on the following basis. To process a PayPal Transaction through the PayPal Here App, you must be able to clearly identify the customer from their photograph and their name, confirm the amount to be charged with them and you shall not process a transaction until the customer has given you a clear verbal instruction to do so. Prior to charging the customer, You must show the customer the amount to be charged for the goods or services that you are providing to the customer on your mobile device using the PayPal Here App. We reserve the right to place a cap on the total value of a PayPal Transaction(s) that can be processed using the PayPal Here App. We will make the size of any such cap clear to you within the PayPal Here App.

PayPal Here will normally allow you to receive payments only in the currency of the country in which you reside.

PayPal Here will normally be available at any time. However, we do not warrant that the PayPal Here service will be free of interruptions, delays or errors. From time to time, we need to perform upgrades and maintenance to our service or PayPal Here which may result in it not being available for a period. We will try to give you notice of any planned maintenance, but you acknowledge and agree that there may be circumstances where this is not possible.

 

8. Mobile Compatibility.

Using the PayPal Here service requires you to have a compatible mobile device. We do not warrant that PayPal Here will be compatible with your mobile device. If you have a compatible mobile device but this has been modified contrary to the manufacturer’s software or hardware guidelines, then you may not use your modified device to use PayPal Here.

 

9. Third Party Services.

Your use of PayPal Here may rely on third-party services (such as those of a mobile network operator, a broadband internet provider, an internet security provider or a wireless (WiFi) network provider). These third parties may charge you fees for accessing PayPal Here (e.g. for service access or data use) and it is your sole responsibility to pay such fees. We cannot accept any responsibility for the operation or security of such services, for your inability to use PayPal Here as a result of their service or for your breach of the terms of your contract with that third party as a result of using PayPal Here.

 

10. Fees.

Except as further provided in this section, you agree to pay the fees prescribed for Business Accounts in the User Agreement.

You agree to pay the following fees for the following payments received via the PayPal Here App:

10.1 Fees for Payments from another PayPal account via PayPal Location Based Payments Functionality

If you receive the payment:

the PayPal Here Standard Rate fee is:

the PayPal Here Merchant Rate is as follows:

where the aggregate monetary amount of payments received in your Account in the previous calendar month:

  1. via the PayPal Here App; and
  2. as Commercial Transaction payments,

is:

the PayPal Here Merchant Rate fee (subject to the further terms and conditions in this section 10) is:

from another PayPal Account via PayPal Location Based Payments Functionality

2.75%

GBP 0.00 - GBP 1,500.00

2.75%

GBP 1,500.01 - GBP 6,000.00

1.75%

GBP 6,000.01- GBP 15,000.00

1.5%

Above GBP 15,000.00

1%

 

10.2 Fees under the Blended Pricing Fee Structure

If you receive the card payment:

the PayPal Here Standard Rate fee is:

the PayPal Here Merchant Rate is as follows:

where the aggregate monetary amount of payments received in your Account in the previous calendar month:

  1. via the PayPal Here App; and
  2. as Commercial Transaction payments,

is:

the PayPal Here Merchant Rate fee (subject to the further terms and conditions in this section 10) is:

from a Visa, MasterCard or Maestro card

  • using your PayPal Here Card Reader’s Chip and PIN, Chip and Signature functionality
  • as a Contactless Transaction

2.75%

GBP 0.00 - GBP 1,500.00

2.75%

GBP 1,500.01 - GBP 6,000.00

1.75%

GBP 6,000.01- GBP 15,000.00

1.5%

Above GBP 15,000.00

1%

from a Visa, MasterCard, Maestro or American Express card:

  • as a Keyed Transaction; or
  • by swiping the card’s magnetic stripe

3.4%

+ GBP 0.20

regardless of the volume of payments you receive

3.4%
+GBP 0.20

from an American Express Card:
 

  • using your PayPal Here Card Reader’s Chip and PIN, Chip and Signature functionality
  • as a Contactless Transaction

2.75%

2.75%

 

10.3 Fees under the Interchange Plus Fee Structure

If you receive the card payment:

the PayPal Here Standard Rate fee is:

the PayPal Here Merchant Rate is as follows:

where the aggregate monetary amount of payments received in your Account in the previous calendar month:

  1. via the PayPal Here App; and
  2. as Commercial Transaction payments,

is:

the PayPal Here Merchant Rate fee (subject to the further terms and conditions in this section 10) is:

from a Visa, MasterCard, or Maestro card

  • using your PayPal Here Card Reader’s Chip and PIN, Chip and Signature functionality
  • as a Contactless Transaction;

Interchange Fee

(approximately ranges from 0.2% to 2.0%)

+ 2.5 %

GBP 0.00 – GBP 1,500.00

Interchange Fee +2.5%

GBP 1,500.01 - GBP 6,000.00

Interchange Fee +1.5%

GBP 6,000.01- GBP 15,000.00

Interchange Fee +1.25%

Above GBP 15,000.00

Interchange Fee +0.75%

from an American Express card

  • using your PayPal Here Card Reader’s Chip and PIN, Chip and Signature functionality
  • as a Contactless Transaction;

2.75 %

regardless of the volume of payments which you receive

2.75 %

from a Visa, MasterCard or Maestro card:

  • as a Keyed Transaction; or
  • by swiping the card’s magnetic stripe

Interchange Fee

+ 3.15%

+ GBP 0.20

Interchange Fee
+ 3.15%

+ GBP 0.20

from an American Express card:
 

  • as a Keyed Transaction; or
  • by swiping the card’s magnetic stripe

3.4% + GBP 0.20

3.4% + GBP 0.20

 

a. Interchange Fees are set by Visa and MasterCard. They approximately range from 0.2% to 2.0% and vary for different types of cards (for example by categories and brand). PayPal shall always charge you the Interchange Fee as set by Visa and MasterCard and as passed on by its Acquirer. Single Interchange fees may change from time to time. For more information on Interchange Fees, please see MasterCard’s and Visa’s website as well as our simplified overview.

b. Percentage-based fees (such as 3.40%) refer to an amount equal to that percentage of the payment amount.


10.4 Blended Pricing or Interchange Plus Transaction Fees?

When you receive card payments using PayPal Here:

  1. The Blended Pricing fee structure shall apply until PayPal implements the Interchange Plus fee structure (which shall be by further notice of the same published by PayPal on a date falling on or after 9 June 2016 on the Policy Updates page accessible via the Legal footer on most PayPal site pages) (“Interchange Plus Launch”).
  2. You may choose the fee structure applicable to you on or after Interchange Plus Launch, by the methods or procedures that PayPal may make available to you before and after Interchange Plus Launch. If you do not make an election, you will stay on your existing fee structure.
  3. You may choose your fee structure for future transactions only, not for past transactions. The fee structure that applies when you receive card payments using PayPal HereTM also applies when you receive card payments under the PayPal Website Payments Pro and Virtual Terminal Agreement. This means that if you opt to be charged under the Interchange Plus fee structure, the respective Interchange Plus fee structure will apply when you receive card payments under the PayPal Website Payments Pro and Virtual Terminal Agreement and this Agreement.

10.5 Conditions for Merchant Rate

The PayPal Here Merchant Rate applies only to Accounts with PayPal Here Merchant Rate status. PayPal Here Merchant Rate status is subject to eligibility, application and approval by PayPal. PayPal may evaluate applications on a case-by-case basis, including, without limitation, on the following criteria: qualifying monthly sales volume, size of average shopping cart and an Account in good standing.

To be eligible to apply for (and retain) PayPal Here Merchant Rate status the Account must:

  • at all times be in good standing and not under investigation; and
  • have received more than £1,500.00 GBP in aggregate monetary amount of payments in the previous calendar month:
    • via the PayPal Here App; and
    • as Commercial Transaction payments.

PayPal may downgrade an Account to the PayPal Here Standard Rate at any time if the above conditions are not met or there are unresolved chargebacks against the Account.

If PayPal downgrades your Account you will need to apply to PayPal again for your Account to get PayPal Here Merchant Rate status.

You may apply to receive PayPal Here Merchant Rate for your Account using the dedicated online application form when logged into your PayPal Account. If your application is rejected, please note that you may only submit an application once every thirty days.

PayPal Here Merchant Rate status entitles you to also benefit from Merchant Rate status for Commercial Transactions under the PayPal User Agreement, with the tier values based on the aggregate monetary amount of payments received in your Account in the previous calendar month:

  1. via the PayPal Here App; and
  2. as Commercial Transaction payments, subject further to the terms and conditions in the PayPal User Agreement.

10.6 Additional Transaction Fees

The fees listed in the above tables are for domestic payments only and shall be increased by the supplemental Cross Border Fee for Commercial Transactions (as outlined in the relevant table in Schedule 1 of the PayPal User Agreement), if the payer’s card or PayPal Account is from outside the United Kingdom.

This Cross Border Fee does not apply to card payments received under the Interchange Plus fee structure. However, the Cross Border Fee always applies to card payments with American Express cards (even if received under the Interchange Plus fee structure).

There is no fee to use the PayPal Here App to manage records of the cash and cheque payments that you accept.

The fees prescribed in this section 10 may be changed by amending this Agreement.

 

11. Settlement of Card Payments within the Interchange Plus Fee Structure.

You agree that, when PayPal receives a card payment for you, PayPal may hold those funds in your Reserve Account and you are thereby giving a Payment Order that instructs PayPal to pay those funds to your Payment Account only on the Business Day on which PayPal receives the information about the interchange fee applicable to the card payment, at which time the funds will then be made available to you in your Payment Account.  While the funds are held in your Reserve Account, the transaction will appear to you as “Pending” in your Account details. PayPal does not consider that the proceeds of the card payment in your Reserve Account are at your disposal until PayPal has received the information on the applicable interchange fee from our Processor (which can be within the next Business Day following the day on which the card payment was initiated by the card holder).

 

12. Privacy.

The PayPal Privacy Policy applies to your use of PayPal Here. The protection of your information is important to PayPal. Likewise, information you receive from us about your customers must be kept confidential, stored securely and only used for purposes related to PayPal Here and as agreed to in the PayPal Privacy Policy. As a reminder, information you receive may not be used to send unsolicited email or SMS messages to a user without that user’s express consent.

 

13. Reserves and other Protective Actions.

If we believe there may be a high level of risk associated with your PayPal Account, we may take certain actions in connection with your Account and/or your use of the PayPal Services. These are as follows:

  1. Reserves. We may, in our sole discretion, place a Reserve on funds held in your PayPal Account when we believe there may be a high level of risk associated with your PayPal Account. In relation to the PayPal Here service, this may include (without limitation) an unusual level of customer refunds, chargebacks or Keyed Transactions. If your PayPal Account is subject to a Reserve, we will provide you with notice specifying the terms of the Reserve. We may change the terms of the Reserve at any time by providing you with notice of the new terms. The terms may require that a certain percentage of the amounts received into your Account are held for a certain period of time, or that a certain amount of money is held in Reserve, or anything else that we determines is necessary to protect against the risk associated with your PayPal Account. If we place a Reserve on funds in your PayPal Account, they will be shown as "pending" in your PayPal Balance.
  2. Additional Actions. We may take other reasonable actions we determine are necessary to protect against the risk associated with your PayPal Account including requesting additional collateral from you such as a letter of credit or a personal guarantee or limiting the functionality of your PayPal Here Card Reader. We may contact your customers, on your behalf, in the event that we are investigating potential fraud.
  3. Information. In order to determine the risk associated with your PayPal Account, we may request at any time, and you agree to provide promptly any information about your business, operations or financial condition. We reserve the right to reassess your eligibility for any Product if your business is materially different from the information you provided in your application.
  4. Disabling your PayPal Here Card Reader. If we reasonably believe that you have breached the terms of your PayPal Agreements, we may take action to restrict your use of the PayPal Here service, including limiting the functionality of your PayPal Here Card Reader.

 

14. PayPal seller protection.

PayPal Here transactions are not eligible for PayPal seller protection. Please also read section 5.3 (Risk of Reversals, Chargebacks and Claims) of the PayPal User Agreement to understand the risk of Chargebacks arising when you receive a payment.

 

15. License Grant.

If you are using PayPal software such as an API, developer's toolkit or other software application that you have downloaded to your computer, device, or other platform, then PayPal grants you a revocable, non-exclusive, non- transferable license to use PayPal's software in accordance with the documentation. This license grant includes the software and all updates, upgrades, new versions and replacement software for your personal use only. You may not rent, lease or otherwise transfer your rights in the software to a third party. You must comply with the implementation and use requirements contained in all PayPal documentation accompanying the PayPal Services. If you do not comply with our implementation and use requirements you will be liable for all resulting damages suffered by you, us and third parties. You agree not to alter, reproduce, adapt, distribute, display, publish, reverse engineer, translate, disassemble, decompile or otherwise attempt to create any source code which is derived from the software. You acknowledge that all rights, title and interest to PayPal's software are owned by us. Any third party software application you use on the PayPal website is subject to the license you agreed to with the third party that provides you with this software. We do not own, control nor have any responsibility or liability for any third party software application you elect to use on the PayPal website and/or in connection with the PayPal Services. If you are using the PayPal Services on the PayPal website, or other website or platform hosted by us, or a third party, and are not downloading PayPal's software or using third party software applications on the PayPal website, then this section does not apply to your use of the hosted PayPal Services.

 

16. Acceptable Use.

As a reminder, you may not accept payments in violation of the PayPal Acceptable Use Policy.

 

17. Data Security.

  1. General. You are fully responsible for the security of data in your possession or control as a result of using PayPal Here. You agree to comply with all applicable laws and rules in connection with your collection, security and dissemination of any personal, financial, Card, or transaction information (defined as “Data”).

  2. Data Usage. Unless you receive the express consent of your customer, you may not retain, track, monitor, store or otherwise use Data beyond the scope of the specific transaction. Further, unless you get the express consent of PayPal, you agree that you will not use nor disclose the Card Data for any purpose other than to support payment for your goods and services. Card Data must be completely removed from your systems, and any other place where you store Card Data, within 24 hours after you receive an authorization decision unless you have received the express consent of your customer to retain the Card Data for the sole purpose of processing recurring payments. To the extent that Card Data resides on your systems and other storage locations, it should do so only for the express purpose of processing your transactions. All Data and other information provided to you by PayPal in relationship to the PayPal Here service and all Card Data will remain the property of PayPal, its Acquiring Bank or the Card Companies, as appropriate.

  3. Password Security. You agree to restrict use and access to your password and log-on ID to your employees and agents as may be reasonably necessary, and will ensure that each such employee or agent complies with these PayPal Here Terms. You will not give, transfer, assign, sell, resell or otherwise dispose of the information and materials provided to you to utilize the PayPal Here services. You are solely responsible for maintaining adequate security and control of any and all IDs, passwords, or any other codes that are issued to you by us, each Acquiring Bank or the Card Companies.
  4. Audit. If PayPal believes that a security breach or compromise of Data has occurred, PayPal may require you to have a third party auditor that is approved by PayPal conduct a security audit of your systems and facilities and issue a report to be provided to PayPal, the Acquiring Banks and the Card Companies. In the event that you fail to initiate an audit within 10 Business Days of PayPal's request, PayPal may conduct or obtain such an audit at your expense.
  5. Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule shall prevail over any conflicting terms in this Agreement relating to data protection and privacy.

 

18. PayPal's Use of Data.

We will use your information in accordance with our Privacy Policy. For the avoidance of doubt, you authorise us to provide information regarding your business and individual transactions to third parties for the purpose of facilitating the acceptance and settlement of your transactions and in connection with other relevant actions, including Chargebacks, refunds, disputes, adjustments and other enquiries.

 

19. Notice.

We will provide you with notices regarding PayPal Here in accordance with the provisions of the PayPal User Agreement or by sending you a message through the PayPal Here App. Such notice will be considered to be received by you within 24 hours of the time it is posted or emailed to you.

 

20. Indemnity.

You agree to indemnify and hold us harmless from claims that are raised by a third party against us that result from your use of PayPal Here or your PayPal Account in violation of these PayPal Here Terms or the PayPal User Agreement.

 

21. Definitions.

"Account Profile" means the account profile settings that can be accessed within your PayPal Account.

"Acquiring Bank" means each of the financial institutions PayPal partners with to process your Card payments, including your PayPal Here transactions.

"Card Companies" means a company or group of financial institutions that issue rules that govern Card transactions via bankcard and payment networks including MasterCard, Visa, Discover, and American Express.

"Change" has the meaning given in the introductory paragraphs of these PayPal Here Terms.

“Contactless Transaction” means a transaction made using the contactless induction technology in the PayPal Here Card Reader (including, but not limited to, a Card or smart phone/device transaction using near field communication (NFC) technology through the PayPal Here Card Reader).

"Keyed Transaction" means a Card transaction where you do not swipe the Card via the PayPal Here Card Reader, but instead input the Card number and other required information via the PayPal Here App.

"PayPal Here App" means the PayPal Here software application for merchants, which PayPal may make available from time to time in: (i) “off the shelf” format  from the Apple App Store, Amazon Appstore, Google Play or other similar outlets; and/or (ii) other formats, including, without limitation, in software development kit format.

"PayPal Here Card Reader" means the electronic reader device we provide to you to use in connection with your use of PayPal Here.

“PayPal Here Merchant Rate” means the “PayPal Here Merchant Rate” of fees set out in the relevant table in section 10.

“PayPal Here Standard Rate” means the “Standard Rate” of fees set out in the relevant table in section 10.

"PayPal Transaction" means a transaction using a PayPal-issued access method such as the PayPal payment card or a transaction via your PayPal Account.

"PayPal User Agreement" means the online agreement you entered into with PayPal when you opened your PayPal Account, as it may have been amended from time to time. The current version, entitled "User Agreement for PayPal Services", can be accessed via the Legal Agreements link in the footer of nearly every page on the PayPal website.

"Warranty" means the warranty offered to you by PayPal relating to the PayPal Here Card Reader and being independent of the manufacturer's warranty.

 

22. Monthly Reports on Transaction Costs.

PayPal shall make available monthly reports on transaction costs (inclusive of interchange fees) for those card transactions which you process with PayPal Here. These reports will be downloadable from your PayPal Account. The first report will be available from January 2016 (with data on transactions of the previous month). The reports do not include any payments which you receive from another PayPal Account.

 

SCHEDULE 1

DATA PROTECTION

This Data Proection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.

Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.

1 DEFINITIONS AND INTERPRETATION

1.1 The following terms have the following meanings when used in this Schedule:

"Card Information" is defined in Section 2.15 of this Schedule.

"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule, is a data subject.

"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.

"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.

"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.

"Data Recipient" is defined in Section 2.15 of this Schedule.

"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.

"personal data" has the meaning given to it in the Data Protection Laws.

"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.

"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.

1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).

 

2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES

2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.

2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:

2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;

2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.

2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:

2.3.1. assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and

2.3.2  responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.

2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).

2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.

2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.

2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.

2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.

2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.

2.10 Sub-processors.  Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.

2.11 Audits and Certifications. Where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, PayPal shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of PayPal or any members of PayPal or the PayPal Group) information regarding PayPal’s compliance with the obligations set forth in this Schedule in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website. Merchant may contact PayPal in accordance with the Agreement to request an on-site audit of the procedures relevant to the protection of personal data. Merchant shall reimburse PayPal for any time expended for any such on-site audit at PayPal’s then-current professional PayPal services rates, which shall be made available to Merchant upon request. Before the commencement of any such on-site audit, Merchant and PayPal shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by PayPal. Merchant shall promptly notify PayPal with information regarding any non-compliance discovered during the course of an audit.

2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
 
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d)  deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.

2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data  processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.

2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).

3 EU STANDARD CONTRACTUAL CLAUSES RELATED TERMS

3.1 Application. The EU Standard Contractual Clauses are set out in Attachment 31 (the “EU Standard Contractual Clauses”). The EU Standard Contractual Clauses apply only to Customer Data that is transferred by Merchants established in the European Economic Area (“EEA”) or Switzerland to any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR) in which PayPal may store and process Customer Data.

3.2 Instructions. This Schedule and the Agreement are Data Exporter’s complete and final instructions to Data Importer for the processing of Customer Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the EU Standard Contractual Clauses, the Data Exporter gives the following instructions: (a) to process Customer Data in accordance with the Agreement; and (b) to process Customer Data initiated by Merchants in their use of the Services during the Term. These instructions also describe the duration, object, scope and purpose of the processing.

3.3 Audits and Certifications. The Parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the EU Standard Contractual Clauses shall be fulfilled in the following manner: the provisions of paragraph 2.11 of this Schedule shall also apply to the Data Importer as if it were PayPal.

3.4 Certification of Deletion. The Parties agree that the certification of deletion of personal data that is described in Clause 12(1) shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s request.

3.5 Liability. The Parties agree that all liabilities between them (and in respect of Data Importer, such liabilities shall be aggregated with those of PayPal so that collectively their cumulative joint liability is capped at the level set out in the Agreement) under this Schedule and the EU Standard Contractual Clauses will be subject to the terms of the Agreement (including as to limitation of liability), except that such limitations of liability will not apply to any liability that Data Importer may have to data subjects under the third party rights provisions of the EU Standard Contractual Clauses.

3.6 Exclusion of third party rights. Subject to paragraph 4.6, PayPal shall be granted third party rights in relation to obligations expressed to be for the benefit of the Data Importer or PayPal in this Schedule and Data Subjects are granted third party rights under the EU Standard Contractual Clauses. All other third party rights are excluded.

Merchant
For and on behalf of (insert Merchant legal name)…………………………………
Signature……………………………………………
Name of signatory……………………………………. Title of signatory……………………………………
Date………………………………………………..

PayPal
For and on behalf of PayPal (Europe) S.á.r.l. et Cie, S.C.A.
Signature…………………………………………….
Name of signatory……………………………………..Title of signatory……………………………………. Date…………………………………………………

ATTACHMENT 1
Technical and Organizational Measures

The following technical and organizational measures will be implemented:

  1. Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
  2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
  3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
  4. Measures taken to prevent data processing systems from being used by unauthorized person using data transmission facilities;
  5. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
  6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
  7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
  8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
  9. Measures taken to safeguard data by creating backup copies.

ATTACHMENT 2
Data Processing of Customer Data

Categories of data subjects

Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.

Subject-matter of the processing

The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.

Nature and purpose of the processing

PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale goods or services.

Type of personal data

Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:

 

Full name (Optional)  X 
Contact address (Optional)  X
Email address (Optional)  X
Telephone number (Optional)  X
Card or payment instrument type (Optional)  X
Card Primary Account Number (PAN or Device specific Primary Account Number (DPAN)  X
Card Verification Value (CVV)  X
Card expiration date  X
Zip Code  X

 

Special categories of data (if relevant)

The transfer of special categories of data is not anticipated.

Duration of Processing

The term of the Agreement.

ATTACHMENT 3
EU STANDARD CONTRACTUAL CLAUSES

Controller to Processor export of personal data (from EEA countries)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation: ………………………………………..
Address: …………………………………………….
Tel.: ……………………………………………….
fax: ………………………………………………..
e-mail: ……………………………………………..
Other information needed to identify the organisation: …………………………… (the data exporter)
And
Name of the data importing organisation: Paypal, Inc
Address: 2211 North First Street, San Jose, CA 95131
Other information needed to identify the organisation: …………………………… (the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 


Clause 1
Definitions

For the purposes of the Clauses:

  • (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • (b) 'the data exporter' means the controller who transfers the personal data;
  • (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  • (d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  • (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  • (f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

  • (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  • (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
  • (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  • (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  • (e) that it will ensure compliance with the security measures;
  • (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  • (g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  • (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  • (i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  • (j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

  • (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  • (d) that it will promptly notify the data exporter about:

o (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
o (ii) any accidental or unauthorised access, and
o (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

  • (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  • (f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  • (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  • (h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  • (i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
  • (j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

      1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

o (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
o (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

      2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12
Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

 


On behalf of the data exporter:
Name (written out in full): …………………………………………….
Position: …………………………………………….
Address: …………………………………………….
Other information necessary in order for the contract to be binding (if any):
Signature…………………………………………….(stamp of organisation)

On behalf of the data importer (Paypal, Inc):
Name (written out in full): …………………………………………….
Position: …………………………………………….
Address: 2211 North First Street, San Jose, CA 95131
Signature……………………………………………. (stamp of organisation)


 

APPENDIX 1 TO THE EU STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter
The data exporter is: Merchant
An entity that uses the Data importer’s services in respect of its Customers
Data importer
The data importer is: Paypal, Inc
A payment services provider which in relation to the Braintree services provides a payment gateway so that Merchant can provide Customer credit card and other details to banks and other payment service providers to process payments from Customers
Data subjects
The personal data transferred concern the following categories of data subjects:
The data exporter’s Customers
Categories of data
The personal data transferred concern the following categories of data:
Customer name, amount to be charged, card number, CSV, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Not applicable, unless Merchant configures the service to capture such data.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
The receipt and storage of Personal Data in the performance of the Services during the Term of the Agreement.
 



APPENDIX 2 TO THE EU STANDARD CONTRACTUAL CLAUSES
 

This Appendix forms part of the Clauses.
 

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
 

The technical and organizational measures are set forth at Attachment 1 to this Amendment.

 
 

Back to top

Updated PayPal Here™ Agreement


This version of the document will take effect on Aug 31, 2018.  Changed text is shown underlined.

This PayPal Here™ Agreement (“PayPal Here Terms”) is a contract between you (“you”) and PayPal (Europe) S.à r.l et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (“PayPal”, “we” or “us”) and applies to your use of the Services to accept payments from PayPal Accounts, credit cards and debit cards into your PayPal Account using the PayPal Here Card Reader and software (“PayPal Here”). You must read, agree with and accept all of the terms and conditions contained in these PayPal Here Terms. By purchasing the PayPal Here Card Reader and/or using PayPal Here, you acknowledge that you have agreed to these PayPal Here Terms. Capitalised terms that are not defined in these PayPal Here Terms, including Section 15 (Definitions), are defined in the PayPal User Agreement.

These PayPal Here Terms, with the PayPal User Agreement and any other agreement in to which you have entered into with PayPal (collectively "PayPal Agreements"), apply to your use of the PayPal Here service. To be clear, the definition of Services under the PayPal User Agreement shall be amended to include PayPal Here. If any inconsistency exists between the terms of the PayPal User Agreement and these PayPal Here Terms, these PayPal Here Terms shall control your use of PayPal Here. We may amend, delete or add to these PayPal Here Terms at any time by posting a revised version on our website (a "Change"). A Change will be made unilaterally by us and you will be deemed to have accepted the Change after you have received notice of it. We will provide you with 2 months' prior notice of the Change by posting notice on the "Policy Updates" page of our website. If you would like to receive notification by email of new Policy Updates then you may do so by changing your notification preferences in your Account Profile. The Change will take effect once the 2 month notice period expires, except it shall take place immediately if the Change relates to the addition of a new service, extra functionality or any other change which we believe in our reasonable opinion neither reduces your rights nor increases your responsibilities. In such instances, the Change will be made without prior notice to you and shall be effective immediately. Once a change takes effect, your continued use of PayPal Here shall be deemed acceptance of this Change. If you do not agree with any Change, you may terminate your use of PayPal Here and uninstall the PayPal Here App at any time.

 

1. Product Description.

PayPal Here is a payment solution for businesses, which allows you to accept payments by PayPal as well as credit cards and debit cards (“Cards”). PayPal Here can only be used to accept the type of Cards that are specified on the PayPal Here website, and this list of Cards could change at any time and without notice. It also allows you to issue PayPal invoices and manage records of the PayPal, cash and cheque payments that you accept. This function is designed to help you manage your records more easily, however PayPal Here is not an accounting solution and PayPal cannot accept any liability arising from the use of this functionality.

In addition to agreeing to these PayPal Here Terms, you will be required to provide certain personal and business information in order for you to register for PayPal Here. You must have a Business Account in good standing and be approved by PayPal to use PayPal Here. If you have a Personal or Premier Account (rather than a Business Account) prior to signing up for PayPal Here, you will be automatically upgraded to a Business Account as part of the application process but no charge will be made for this upgrade.

 

2. The Application and Approval Process.

The application and approval processes will usually be carried out through the PayPal Here App or an appropriate PayPal website. However, in some circumstances, we may need to carry out a manual approval process. (We will let you know during the application process if this applies to you.) Your use of PayPal Here is dependent on your downloading of the PayPal Here App, your acceptance of the end user license agreement associated with the PayPal Here App, (in certain cases) your obtaining a PayPal Here Card Reader, your holding a valid PayPal Account and your approval by PayPal. We will determine at our sole discretion whether you will be approved to use PayPal Here. Your approval will also be relevant to a specific country or jurisdiction, and your use of PayPal Here shall be limited to processing transactions in that country or jurisdiction. PayPal may restrict your use of PayPal Here in another country or jurisdiction outside your country. If you purchased a PayPal Here card reader from us either online, through the PayPal Here App or directly from PayPal in person and your application was declined, contact the Customer Care team on 0800 358 9448 for instructions on how to return the item. We will issue you with a full refund once you have returned the card reader. Make sure it’s undamaged, in good working order and in the original packaging.

There is no fee to download the PayPal Here App. You must download and use the most recent version of the PayPal Here App that is available, including downloading and installing any updates that become available periodically.

 

3. Getting, Using, Returning and Replacing your PayPal Here Card Reader.

Retailers of PayPal Here Card Readers may require evidence that you are pre-approved to use PayPal Here before you can purchase a PayPal Here Card Reader. We reserve the right to limit the number of PayPal Here Card Readers that you can receive at any time.

In addition to the Warranty described below, if you purchase a PayPal Here Card Reader from us either online, through the PayPal Here App or directly from PayPal in person you may return it, for any reason, within 30 days of receipt of delivery; provided that it is returned to us undamaged, in good working order and in the packaging in which you received it. You may arrange for a return of your PayPal Here Card Reader by contacting customer service for return shipping instructions. If you purchase a PayPal Here Card Reader from anyone other than us, then the return policy of that retail outlet will apply, and you should return it to the authorised retailer who sold it to you.

If your PayPal Here Card Reader does not work and it is under Warranty, you may request a new PayPal Here Card Reader by contacting Customer Service. If the device has a fault, Customer Service may arrange for a replacement PayPal Here Card Reader to be sent to you. Unless we say otherwise, you must return your original PayPal Here Card Reader within the time period we specify. This may be either using the prepaid envelope provided with your replacement PayPal Here Card Reader or, in some circumstances, we may also arrange to collect your original PayPal Here Card Reader when the replacement device is delivered. Failure to return the original PayPal Here Card Reader may result in you being charged the cost of the replacement unit. We reserve the right to reasonably limit the number of replacement devices that you can receive under this Warranty, the full terms and conditions of which can be accessed here. For the avoidance of doubt, PayPal reserves the right to change the Warranty on reasonable notice and we will decide within our reasonable judgement the validity of any warranty claims under the terms of the Warranty. In the event of a conflict between the Warranty and this PayPal Here Agreement, these PayPal Here Terms take precedence

 

4. Lost, Stolen or Disabled PayPal Here Card Readers.

We reserve the right to disable use of your PayPal Here Card Reader remotely if we suspect fraud, breach of the Acceptable Use Policy, a breach of these PayPal Here Terms or if we otherwise believe there is an increased risk to us or your PayPal Account associated with your PayPal Here Card Reader. If your PayPal Here Card Reader is lost, stolen or is otherwise no longer necessary, you must contact PayPal customer services to arrange for your device to be disabled.

Your PayPal Here Card Reader may only be associated with an approved PayPal Account. You may not dispose of your PayPal Here Card Reader without it first being disabled and your PayPal Here Card Reader cannot be passed to another person who does not hold an approved PayPal Account, associated with another approved PayPal Account or used in a country other than that in which it is registered without our express consent.

If you purchase a PayPal Here Card Reader using your PayPal Account, you may be able to file a claim under Buyer Protection if the PayPal Here Card Reader is not delivered. You are purchasing your PayPal Here Card Reader directly from PayPal and you would be filing your claim against us. We will decide the validity of any claim submitted under Buyer Protection but we will hold ourselves to the same standard of proof in adjudicating the claim that PayPal uses for its sellers.

 

5. Credit Report.

By signing up for PayPal Here, you are providing us with written instructions and authorisation to obtain your personal and/or business credit report from a credit reference agency. You are also authorising us to obtain your personal and/or business credit report at any time we reasonably believe there may be an increased level of risk associated with your PayPal Account. You agree to allow PayPal to obtain from a third party your credit history and financial information about your ability to perform your obligations under this Agreement in the manner set out in the PayPal Privacy Policy. PayPal will review your credit and other risk factors of your Account (reversals and chargebacks, customer complaints, claims etc.) on an ongoing basis. PayPal will store, use and disclose the information obtained in conformity with PayPal’s Privacy Policy.

You also agree to comply with our requests to verify your identity to allow us to reduce the risk of fraud or otherwise comply with our anti-money laundering or other legal requirements. We reserve the right to deny or restrict your use of PayPal Here or your PayPal Account if you fail to comply with these requests.

 

6. Multiple Devices and Authorised Users.

Through your PayPal Account, you may authorise other eligible users to use PayPal Here Card Readers that are linked to your PayPal Account for the same purpose as your business use. In order to authorise such use, you will have to personally request and purchase the additional devices that you require. You can also request that these devices are sent to multiple different addresses when you do so. You will also have to register each of your authorised users with us and create a password for each user to be able to log-in (with limited access) to your PayPal Account. You can only register authorised users that are 18 years or older and PayPal reserves the right to limit the number of authorised users you may have. Your authorised users will have the ability to perform any action that you select on the PayPal.co.uk website (however please note they will be unable to withdraw funds from your PayPal Account) and must only use the PayPal Here Card Reader for the same business purpose as you do.

It is your responsibility to ensure that your authorised users comply with these PayPal Here Terms in connection with their use of the PayPal Here Card Reader. Prior to issuing a PayPal Here Card Reader to any authorised user, we may have to perform screening in compliance with anti-money laundering or other legislation. In order to assist us in this screening, you agree to provide us with legitimate and accurate information regarding the identity of all authorised users as requested by us. We reserve the right to deny any authorised user access to PayPal Here at any time. You agree that you are at all times liable for the actions or omissions of your authorised users and that you will indemnify and hold us harmless from the actions or inactions of your authorised user in connection with their use or misuse of the PayPal Here service.

 

7. Using PayPal Here.

You may process a card-present transaction using the PayPal Here Card Reader by inserting the card into the PayPal Here Card Reader and obtaining the customer’s PIN code or swiping the card and obtaining the customer’s signature. The PayPal Here App will prompt you as to what verification is necessary, based on a customer’s card, however if a customer’s card includes an electronic chip, you must always look to obtain Chip and Pin authorisation before obtaining a signature.

You may process a Contactless Transaction using the PayPal Here Card Reader, however you may not process a Contactless Transaction with a value exceeding the prevailing amount limit for that transaction set by any Acquiring Bank, Card Companies and/or PayPal from time to time.

You may also use PayPal Here to process Keyed Transactions (i.e. a card not present transaction), however you are not allowed to process a Keyed Transaction when a customer’s card is present. You cannot process a card-present transaction when the customer is not present.

Obtaining valid authorisation (such as a validly entered PIN) may assist you in defending against a Chargeback in the event that a customer subsequently claims that it did not authorise a transaction. Prior to processing any card-present transaction, You must show the customer the price of the goods or services that you are providing to the Customer.

You must also provide customers with a receipt if they request one. Customers may receive an electronic receipt via email or SMS, rather than a paper receipt. It is your responsibility to obtain your customer’s consent prior to using the PayPal Here App to send them a receipt via email or SMS to them.

You must not use PayPal Here to provide a customer with any form of cash advance. You agree that you shall not provide any false or misleading descriptions of any transaction that you submit through PayPal Here and that the descriptions given within itemised transactions shall be an accurate and true description of the goods and services being purchased. You also agree to comply with any instructions provided to you along with your PayPal Here Card Reader.

If you choose to receive PayPal Transactions through the PayPal Here App, these transactions must be processed on the following basis. To process a PayPal Transaction through the PayPal Here App, you must be able to clearly identify the customer from their photograph and their name, confirm the amount to be charged with them and you shall not process a transaction until the customer has given you a clear verbal instruction to do so. Prior to charging the customer, You must show the customer the amount to be charged for the goods or services that you are providing to the customer on your mobile device using the PayPal Here App. We reserve the right to place a cap on the total value of a PayPal Transaction(s) that can be processed using the PayPal Here App. We will make the size of any such cap clear to you within the PayPal Here App.

PayPal Here will normally allow you to receive payments only in the currency of the country in which you reside.

PayPal Here will normally be available at any time. However, we do not warrant that the PayPal Here service will be free of interruptions, delays or errors. From time to time, we need to perform upgrades and maintenance to our service or PayPal Here which may result in it not being available for a period. We will try to give you notice of any planned maintenance, but you acknowledge and agree that there may be circumstances where this is not possible.

 

8. Mobile Compatibility.

Using the PayPal Here service requires you to have a compatible mobile device. We do not warrant that PayPal Here will be compatible with your mobile device. If you have a compatible mobile device but this has been modified contrary to the manufacturer’s software or hardware guidelines, then you may not use your modified device to use PayPal Here.

 

9. Third Party Services.

Your use of PayPal Here may rely on third-party services (such as those of a mobile network operator, a broadband internet provider, an internet security provider or a wireless (WiFi) network provider). These third parties may charge you fees for accessing PayPal Here (e.g. for service access or data use) and it is your sole responsibility to pay such fees. We cannot accept any responsibility for the operation or security of such services, for your inability to use PayPal Here as a result of their service or for your breach of the terms of your contract with that third party as a result of using PayPal Here.

 

10. Fees.

Except as further provided in this section, you agree to pay the fees prescribed for Business Accounts in the User Agreement.

You agree to pay the following fees for the following payments received via the PayPal Here App:

10.1 Fees for Payments from another PayPal account via PayPal Location Based Payments Functionality

If you receive the payment:

the PayPal Here Standard Rate fee is:

the PayPal Here Merchant Rate is as follows:

where the aggregate monetary amount of payments received in your Account in the previous calendar month:

  1. via the PayPal Here App; and
  2. as Commercial Transaction payments,

is:

the PayPal Here Merchant Rate fee (subject to the further terms and conditions in this section 10) is:

from another PayPal Account via PayPal Location Based Payments Functionality

2.75%

GBP 0.00 - GBP 1,500.00

2.75%

GBP 1,500.01 - GBP 6,000.00

1.75%

GBP 6,000.01- GBP 15,000.00

1.5%

Above GBP 15,000.00

1%

 

10.2 Fees under the Blended Pricing Fee Structure

If you receive the card payment:

the PayPal Here Standard Rate fee is:

the PayPal Here Merchant Rate is as follows:

where the aggregate monetary amount of payments received in your Account in the previous calendar month:

  1. via the PayPal Here App; and
  2. as Commercial Transaction payments,

is:

the PayPal Here Merchant Rate fee (subject to the further terms and conditions in this section 10) is:

the PayPal Here Merchant Rate fee for Charities (subject to application and pre-approval by PayPal and the further terms and conditions in this section 10) is:

from a Visa, MasterCard or Maestro card

  • using your PayPal Here Card Reader’s Chip and PIN, Chip and Signature functionality
  • as a Contactless Transaction

2.75%

GBP 0.00 - GBP 1,500.00

2.75%

1.5%

GBP 1,500.01 - GBP 6,000.00

1.75%

1.5%

GBP 6,000.01- GBP 15,000.00

1.5%

1.5%

Above GBP 15,000.00

1%

from a Visa, MasterCard, Maestro or American Express card:

  • as a Keyed Transaction; or
  • by swiping the card’s magnetic stripe

3.4%

+ GBP 0.20

regardless of the volume of payments you receive

3.4%
+GBP 0.20

from an American Express Card:
 

  • using your PayPal Here Card Reader’s Chip and PIN, Chip and Signature functionality
  • as a Contactless Transaction

2.75%

2.75%

 

10.3 Fees under the Interchange Plus Fee Structure

If you receive the card payment:

the PayPal Here Standard Rate fee is:

the PayPal Here Merchant Rate is as follows:

where the aggregate monetary amount of payments received in your Account in the previous calendar month:

  1. via the PayPal Here App; and
  2. as Commercial Transaction payments,

is:

the PayPal Here Merchant Rate fee (subject to the further terms and conditions in this section 10) is:

the PayPal Here Merchant Rate fee for Charities (subject to application and pre-approval by PayPal and the further terms and conditions in this section 10) is:

from a Visa, MasterCard, or Maestro card

  • using your PayPal Here Card Reader’s Chip and PIN, Chip and Signature functionality
  • as a Contactless Transaction;

Interchange Fee

(approximately ranges from 0.2% to 2.0%)

+ 2.5 %

GBP 0.00 – GBP 1,500.00

Interchange Fee +2.5%

Interchange Fee +1.25%

GBP 1,500.01 - GBP 6,000.00

Interchange Fee +1.5%

Interchange Fee +1.25%

GBP 6,000.01- GBP 15,000.00

Interchange Fee +1.25%

Above GBP 15,000.00

Interchange Fee +0.75%

from an American Express card

  • using your PayPal Here Card Reader’s Chip and PIN, Chip and Signature functionality
  • as a Contactless Transaction;

2.75 %

regardless of the volume of payments which you receive

2.75 %

from a Visa, MasterCard or Maestro card:

  • as a Keyed Transaction; or
  • by swiping the card’s magnetic stripe

Interchange Fee

+ 3.15%

+ GBP 0.20

Interchange Fee
+ 3.15%

+ GBP 0.20

from an American Express card:
 

  • as a Keyed Transaction; or
  • by swiping the card’s magnetic stripe

3.4% + GBP 0.20

3.4% + GBP 0.20

 

a. Interchange Fees are set by Visa and MasterCard. They approximately range from 0.2% to 2.0% and vary for different types of cards (for example by categories and brand). PayPal shall always charge you the Interchange Fee as set by Visa and MasterCard and as passed on by its Acquirer. Single Interchange fees may change from time to time. For more information on Interchange Fees, please see MasterCard’s and Visa’s website as well as our simplified overview.

b. Percentage-based fees (such as 3.40%) refer to an amount equal to that percentage of the payment amount.


10.4 Blended Pricing or Interchange Plus Transaction Fees?

When you receive card payments using PayPal Here:

  1. The Blended Pricing fee structure shall apply until PayPal implements the Interchange Plus fee structure (which shall be by further notice of the same published by PayPal on a date falling on or after 9 June 2016 on the Policy Updates page accessible via the Legal footer on most PayPal site pages) (“Interchange Plus Launch”).
  2. You may choose the fee structure applicable to you on or after Interchange Plus Launch, by the methods or procedures that PayPal may make available to you before and after Interchange Plus Launch. If you do not make an election, you will stay on your existing fee structure.
  3. You may choose your fee structure for future transactions only, not for past transactions. The fee structure that applies when you receive card payments using PayPal HereTM also applies when you receive card payments under the PayPal Website Payments Pro and Virtual Terminal Agreement. This means that if you opt to be charged under the Interchange Plus fee structure, the respective Interchange Plus fee structure will apply when you receive card payments under the PayPal Website Payments Pro and Virtual Terminal Agreement and this Agreement.

10.5 Conditions for PayPal Here Merchant Rate status

10.5.1 PayPal Here Merchant Rate

The PayPal Here Merchant Rate applies only to Accounts with PayPal Here Merchant Rate status. PayPal Here Merchant Rate status is subject to eligibility, application and approval by PayPal. PayPal may evaluate applications on a case-by-case basis, including, without limitation, on the following criteria: qualifying monthly sales volume, size of average shopping cart and an Account in good standing.

To be eligible to apply for (and retain) PayPal Here Merchant Rate status the Account must:

  • at all times be in good standing and not under investigation; and
  • have received more than £1,500.00 GBP in aggregate monetary amount of payments in the previous calendar month:
    • via the PayPal Here App; and
    • as Commercial Transaction payments.

PayPal may downgrade an Account to the PayPal Here Standard Rate at any time if the above conditions are not met or there are unresolved chargebacks against the Account.

If PayPal downgrades your Account you will need to apply to PayPal again for your Account to get PayPal Here Merchant Rate status.

You may apply to receive PayPal Here Merchant Rate for your Account using the dedicated online application form when logged into your PayPal Account. If your application is rejected, please note that you may only submit an application once every thirty days.

PayPal Here Merchant Rate status entitles you to also benefit from Merchant Rate status for Commercial Transactions under the PayPal User Agreement, with the tier values based on the aggregate monetary amount of payments received in your Account in the previous calendar month:

  1. via the PayPal Here App; and
  2. as Commercial Transaction payments, subject further to the terms and conditions in the PayPal User Agreement.

10.5.2 PayPal Here Merchant Rate for Charities

The PayPal Here Merchant Rate for Charities applies only to Accounts with PayPal Here Merchant Rate for Charities status. PayPal Here Merchant Rate for Charities status is subject to application and pre-approval by PayPal. PayPal may evaluate applications on a case-by-case basis.

The PayPal Here Merchant Rate for Charities only applies to PayPal Here transactions.  Charity rates for other PayPal products are set out in the User Agreement.

10.6 Additional Transaction Fees

The fees listed in the above tables are for domestic payments only and shall be increased by the supplemental Cross Border Fee for Commercial Transactions (as outlined in the relevant table in Schedule 1 of the PayPal User Agreement), if the payer’s card or PayPal Account is from outside the United Kingdom.

This Cross Border Fee does not apply to card payments received under the Interchange Plus fee structure. However, the Cross Border Fee always applies to card payments with American Express cards (even if received under the Interchange Plus fee structure).

There is no fee to use the PayPal Here App to manage records of the cash and cheque payments that you accept.

The fees prescribed in this section 10 may be changed by amending this Agreement.

 

11. Settlement of Card Payments within the Interchange Plus Fee Structure.

You agree that, when PayPal receives a card payment for you, PayPal may hold those funds in your Reserve Account and you are thereby giving a Payment Order that instructs PayPal to pay those funds to your Payment Account only on the Business Day on which PayPal receives the information about the interchange fee applicable to the card payment, at which time the funds will then be made available to you in your Payment Account.  While the funds are held in your Reserve Account, the transaction will appear to you as “Pending” in your Account details. PayPal does not consider that the proceeds of the card payment in your Reserve Account are at your disposal until PayPal has received the information on the applicable interchange fee from our Processor (which can be within the next Business Day following the day on which the card payment was initiated by the card holder).

 

12. Privacy.

The PayPal Privacy Policy applies to your use of PayPal Here. The protection of your information is important to PayPal. Likewise, information you receive from us about your customers must be kept confidential, stored securely and only used for purposes related to PayPal Here and as agreed to in the PayPal Privacy Policy. As a reminder, information you receive may not be used to send unsolicited email or SMS messages to a user without that user’s express consent.

 

13. Reserves and other Protective Actions.

If we believe there may be a high level of risk associated with your PayPal Account, we may take certain actions in connection with your Account and/or your use of the PayPal Services. These are as follows:

  1. Reserves. We may, in our sole discretion, place a Reserve on funds held in your PayPal Account when we believe there may be a high level of risk associated with your PayPal Account. In relation to the PayPal Here service, this may include (without limitation) an unusual level of customer refunds, chargebacks or Keyed Transactions. If your PayPal Account is subject to a Reserve, we will provide you with notice specifying the terms of the Reserve. We may change the terms of the Reserve at any time by providing you with notice of the new terms. The terms may require that a certain percentage of the amounts received into your Account are held for a certain period of time, or that a certain amount of money is held in Reserve, or anything else that we determines is necessary to protect against the risk associated with your PayPal Account. If we place a Reserve on funds in your PayPal Account, they will be shown as "pending" in your PayPal Balance.
  2. Additional Actions. We may take other reasonable actions we determine are necessary to protect against the risk associated with your PayPal Account including requesting additional collateral from you such as a letter of credit or a personal guarantee or limiting the functionality of your PayPal Here Card Reader. We may contact your customers, on your behalf, in the event that we are investigating potential fraud.
  3. Information. In order to determine the risk associated with your PayPal Account, we may request at any time, and you agree to provide promptly any information about your business, operations or financial condition. We reserve the right to reassess your eligibility for any Product if your business is materially different from the information you provided in your application.
  4. Disabling your PayPal Here Card Reader. If we reasonably believe that you have breached the terms of your PayPal Agreements, we may take action to restrict your use of the PayPal Here service, including limiting the functionality of your PayPal Here Card Reader.

 

14. PayPal seller protection.

PayPal Here transactions are not eligible for PayPal seller protection. Please also read section 5.3 (Risk of Reversals, Chargebacks and Claims) of the PayPal User Agreement to understand the risk of Chargebacks arising when you receive a payment.

 

15. License Grant.

If you are using PayPal software such as an API, developer's toolkit or other software application that you have downloaded to your computer, device, or other platform, then PayPal grants you a revocable, non-exclusive, non- transferable license to use PayPal's software in accordance with the documentation. This license grant includes the software and all updates, upgrades, new versions and replacement software for your personal use only. You may not rent, lease or otherwise transfer your rights in the software to a third party. You must comply with the implementation and use requirements contained in all PayPal documentation accompanying the PayPal Services. If you do not comply with our implementation and use requirements you will be liable for all resulting damages suffered by you, us and third parties. You agree not to alter, reproduce, adapt, distribute, display, publish, reverse engineer, translate, disassemble, decompile or otherwise attempt to create any source code which is derived from the software. You acknowledge that all rights, title and interest to PayPal's software are owned by us. Any third party software application you use on the PayPal website is subject to the license you agreed to with the third party that provides you with this software. We do not own, control nor have any responsibility or liability for any third party software application you elect to use on the PayPal website and/or in connection with the PayPal Services. If you are using the PayPal Services on the PayPal website, or other website or platform hosted by us, or a third party, and are not downloading PayPal's software or using third party software applications on the PayPal website, then this section does not apply to your use of the hosted PayPal Services.

 

16. Acceptable Use.

As a reminder, you may not accept payments in violation of the PayPal Acceptable Use Policy.

 

17. Data Security.

  1. General. You are fully responsible for the security of data in your possession or control as a result of using PayPal Here. You agree to comply with all applicable laws and rules in connection with your collection, security and dissemination of any personal, financial, Card, or transaction information (defined as “Data”).

  2. Data Usage. Unless you receive the express consent of your customer, you may not retain, track, monitor, store or otherwise use Data beyond the scope of the specific transaction. Further, unless you get the express consent of PayPal, you agree that you will not use nor disclose the Card Data for any purpose other than to support payment for your goods and services. Card Data must be completely removed from your systems, and any other place where you store Card Data, within 24 hours after you receive an authorization decision unless you have received the express consent of your customer to retain the Card Data for the sole purpose of processing recurring payments. To the extent that Card Data resides on your systems and other storage locations, it should do so only for the express purpose of processing your transactions. All Data and other information provided to you by PayPal in relationship to the PayPal Here service and all Card Data will remain the property of PayPal, its Acquiring Bank or the Card Companies, as appropriate.

  3. Password Security. You agree to restrict use and access to your password and log-on ID to your employees and agents as may be reasonably necessary, and will ensure that each such employee or agent complies with these PayPal Here Terms. You will not give, transfer, assign, sell, resell or otherwise dispose of the information and materials provided to you to utilize the PayPal Here services. You are solely responsible for maintaining adequate security and control of any and all IDs, passwords, or any other codes that are issued to you by us, each Acquiring Bank or the Card Companies.
  4. Audit. If PayPal believes that a security breach or compromise of Data has occurred, PayPal may require you to have a third party auditor that is approved by PayPal conduct a security audit of your systems and facilities and issue a report to be provided to PayPal, the Acquiring Banks and the Card Companies. In the event that you fail to initiate an audit within 10 Business Days of PayPal's request, PayPal may conduct or obtain such an audit at your expense.
  5. Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule shall prevail over any conflicting terms in this Agreement relating to data protection and privacy.

 

18. PayPal's Use of Data.

We will use your information in accordance with our Privacy Policy. For the avoidance of doubt, you authorise us to provide information regarding your business and individual transactions to third parties for the purpose of facilitating the acceptance and settlement of your transactions and in connection with other relevant actions, including Chargebacks, refunds, disputes, adjustments and other enquiries.

 

19. Notice.

We will provide you with notices regarding PayPal Here in accordance with the provisions of the PayPal User Agreement or by sending you a message through the PayPal Here App. Such notice will be considered to be received by you within 24 hours of the time it is posted or emailed to you.

 

20. Indemnity.

You agree to indemnify and hold us harmless from claims that are raised by a third party against us that result from your use of PayPal Here or your PayPal Account in violation of these PayPal Here Terms or the PayPal User Agreement.

 

21. Definitions.

"Account Profile" means the account profile settings that can be accessed within your PayPal Account.

"Acquiring Bank" means each of the financial institutions PayPal partners with to process your Card payments, including your PayPal Here transactions.

"Card Companies" means a company or group of financial institutions that issue rules that govern Card transactions via bankcard and payment networks including MasterCard, Visa, Discover, and American Express.

"Change" has the meaning given in the introductory paragraphs of these PayPal Here Terms.

“Contactless Transaction” means a transaction made using the contactless induction technology in the PayPal Here Card Reader (including, but not limited to, a Card or smart phone/device transaction using near field communication (NFC) technology through the PayPal Here Card Reader).

"Keyed Transaction" means a Card transaction where you do not swipe the Card via the PayPal Here Card Reader, but instead input the Card number and other required information via the PayPal Here App.

"PayPal Here App" means the PayPal Here software application for merchants, which PayPal may make available from time to time in: (i) “off the shelf” format  from the Apple App Store, Amazon Appstore, Google Play or other similar outlets; and/or (ii) other formats, including, without limitation, in software development kit format.

"PayPal Here Card Reader" means the electronic reader device we provide to you to use in connection with your use of PayPal Here.

“PayPal Here Merchant Rate” means the “PayPal Here Merchant Rate” of fees set out in the relevant table in section 10.

“PayPal Here Merchant Rate for Charities” means the fees labelled as such as set out in the relevant tables in section 10.

“PayPal Here Standard Rate” means the “Standard Rate” of fees set out in the relevant table in section 10.

"PayPal Transaction" means a transaction using a PayPal-issued access method such as the PayPal payment card or a transaction via your PayPal Account.

"PayPal User Agreement" means the online agreement you entered into with PayPal when you opened your PayPal Account, as it may have been amended from time to time. The current version, entitled "User Agreement for PayPal Services", can be accessed via the Legal Agreements link in the footer of nearly every page on the PayPal website.

"Warranty" means the warranty offered to you by PayPal relating to the PayPal Here Card Reader and being independent of the manufacturer's warranty.

 

22. Monthly Reports on Transaction Costs.

PayPal shall make available monthly reports on transaction costs (inclusive of interchange fees) for those card transactions which you process with PayPal Here. These reports will be downloadable from your PayPal Account. The first report will be available from January 2016 (with data on transactions of the previous month). The reports do not include any payments which you receive from another PayPal Account.

 

SCHEDULE 1

DATA PROTECTION

This Data Proection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.

Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.

1 DEFINITIONS AND INTERPRETATION

1.1 The following terms have the following meanings when used in this Schedule:

"Card Information" is defined in Section 2.15 of this Schedule.

"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule, is a data subject.

"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.

"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.

"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.

"Data Recipient" is defined in Section 2.15 of this Schedule.

"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.

"personal data" has the meaning given to it in the Data Protection Laws.

"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.

"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.

1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).

 

2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES

2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.

2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:

2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;

2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.

2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:

2.3.1. assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and

2.3.2  responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.

2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).

2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.

2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.

2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.

2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.

2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.

2.10 Sub-processors.  Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.

2.11 Audits and Certifications. Where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, PayPal shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of PayPal or any members of PayPal or the PayPal Group) information regarding PayPal’s compliance with the obligations set forth in this Schedule in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website. Merchant may contact PayPal in accordance with the Agreement to request an on-site audit of the procedures relevant to the protection of personal data. Merchant shall reimburse PayPal for any time expended for any such on-site audit at PayPal’s then-current professional PayPal services rates, which shall be made available to Merchant upon request. Before the commencement of any such on-site audit, Merchant and PayPal shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by PayPal. Merchant shall promptly notify PayPal with information regarding any non-compliance discovered during the course of an audit.

2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
 
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d)  deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.

2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data  processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.

2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).

3 EU STANDARD CONTRACTUAL CLAUSES RELATED TERMS

3.1 Application. The EU Standard Contractual Clauses are set out in Attachment 31 (the “EU Standard Contractual Clauses”). The EU Standard Contractual Clauses apply only to Customer Data that is transferred by Merchants established in the European Economic Area (“EEA”) or Switzerland to any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR) in which PayPal may store and process Customer Data.

3.2 Instructions. This Schedule and the Agreement are Data Exporter’s complete and final instructions to Data Importer for the processing of Customer Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the EU Standard Contractual Clauses, the Data Exporter gives the following instructions: (a) to process Customer Data in accordance with the Agreement; and (b) to process Customer Data initiated by Merchants in their use of the Services during the Term. These instructions also describe the duration, object, scope and purpose of the processing.

3.3 Audits and Certifications. The Parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the EU Standard Contractual Clauses shall be fulfilled in the following manner: the provisions of paragraph 2.11 of this Schedule shall also apply to the Data Importer as if it were PayPal.

3.4 Certification of Deletion. The Parties agree that the certification of deletion of personal data that is described in Clause 12(1) shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s request.

3.5 Liability. The Parties agree that all liabilities between them (and in respect of Data Importer, such liabilities shall be aggregated with those of PayPal so that collectively their cumulative joint liability is capped at the level set out in the Agreement) under this Schedule and the EU Standard Contractual Clauses will be subject to the terms of the Agreement (including as to limitation of liability), except that such limitations of liability will not apply to any liability that Data Importer may have to data subjects under the third party rights provisions of the EU Standard Contractual Clauses.

3.6 Exclusion of third party rights. Subject to paragraph 4.6, PayPal shall be granted third party rights in relation to obligations expressed to be for the benefit of the Data Importer or PayPal in this Schedule and Data Subjects are granted third party rights under the EU Standard Contractual Clauses. All other third party rights are excluded.

Merchant
For and on behalf of (insert Merchant legal name)…………………………………
Signature……………………………………………
Name of signatory……………………………………. Title of signatory……………………………………
Date………………………………………………..

PayPal
For and on behalf of PayPal (Europe) S.á.r.l. et Cie, S.C.A.
Signature…………………………………………….
Name of signatory……………………………………..Title of signatory……………………………………. Date…………………………………………………

ATTACHMENT 1
Technical and Organizational Measures

The following technical and organizational measures will be implemented:

  1. Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
  2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
  3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
  4. Measures taken to prevent data processing systems from being used by unauthorized person using data transmission facilities;
  5. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
  6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
  7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
  8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
  9. Measures taken to safeguard data by creating backup copies.

ATTACHMENT 2
Data Processing of Customer Data

Categories of data subjects

Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.

Subject-matter of the processing

The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.

Nature and purpose of the processing

PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale goods or services.

Type of personal data

Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:

 

 

 

Full name (Optional)  X 
Contact address (Optional)  X
Email address (Optional)  X
Telephone number (Optional)  X
Card or payment instrument type (Optional)  X
Card Primary Account Number (PAN or Device specific Primary Account Number (DPAN)  X
Card Verification Value (CVV)  X
Card expiration date  X
Zip Code  X

 

 

Special categories of data (if relevant)

The transfer of special categories of data is not anticipated.

Duration of Processing

The term of the Agreement.

ATTACHMENT 3
EU STANDARD CONTRACTUAL CLAUSES

Controller to Processor export of personal data (from EEA countries)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation: ………………………………………..
Address: …………………………………………….
Tel.: ……………………………………………….
fax: ………………………………………………..
e-mail: ……………………………………………..
Other information needed to identify the organisation: …………………………… (the data exporter)
And
Name of the data importing organisation: Paypal, Inc
Address: 2211 North First Street, San Jose, CA 95131
Other information needed to identify the organisation: …………………………… (the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 


Clause 1
Definitions

For the purposes of the Clauses:

  • (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • (b) 'the data exporter' means the controller who transfers the personal data;
  • (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  • (d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  • (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  • (f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

  • (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  • (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
  • (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  • (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  • (e) that it will ensure compliance with the security measures;
  • (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  • (g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  • (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  • (i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  • (j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

  • (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  • (d) that it will promptly notify the data exporter about:

o (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
o (ii) any accidental or unauthorised access, and
o (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

  • (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  • (f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  • (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  • (h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  • (i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
  • (j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

      1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

o (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
o (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

      2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12
Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

 


On behalf of the data exporter:
Name (written out in full): …………………………………………….
Position: …………………………………………….
Address: …………………………………………….
Other information necessary in order for the contract to be binding (if any):
Signature…………………………………………….(stamp of organisation)

On behalf of the data importer (Paypal, Inc):
Name (written out in full): …………………………………………….
Position: …………………………………………….
Address: 2211 North First Street, San Jose, CA 95131
Signature……………………………………………. (stamp of organisation)


 

APPENDIX 1 TO THE EU STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter
The data exporter is: Merchant
An entity that uses the Data importer’s services in respect of its Customers
Data importer
The data importer is: Paypal, Inc
A payment services provider which in relation to the Braintree services provides a payment gateway so that Merchant can provide Customer credit card and other details to banks and other payment service providers to process payments from Customers
Data subjects
The personal data transferred concern the following categories of data subjects:
The data exporter’s Customers
Categories of data
The personal data transferred concern the following categories of data:
Customer name, amount to be charged, card number, CSV, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Not applicable, unless Merchant configures the service to capture such data.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
The receipt and storage of Personal Data in the performance of the Services during the Term of the Agreement.
 



APPENDIX 2 TO THE EU STANDARD CONTRACTUAL CLAUSES
 

This Appendix forms part of the Clauses.
 

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
 

The technical and organizational measures are set forth at Attachment 1 to this Amendment.

Back to top