"Acquiring Bank" means each of the financial institutions PayPal partners with to process your
Card payments, including your PayPal Here transactions.
“Business Days” mean(s) Monday through Friday, excluding holidays when PayPal’s offices are not
considered open for business in the U.S. Holidays include New Year's Day (January 1), Martin Luther King,
Jr.’s Birthday (the third Monday in January), George Washington's Birthday (the third Monday in February), Memorial
Day (the last Monday in May), Independence Day (July 4), Labor Day (the first Monday in September), Columbus Day
(the second Monday in October), Veterans Day (November 11), Thanksgiving Day (the fourth Thursday in November) and
Christmas Day (December 25). If a holiday falls on a Saturday, PayPal observes the holiday on the prior
Friday. If the holiday falls on a Sunday, PayPal observes the holiday on the following Monday.
"Card Companies" means a company or group of financial institutions that promulgate rules to
govern Card transactions via bankcard and payment networks including MasterCard, Visa, Discover, and American
"Cross-Border Transaction" means the following: (1) a transaction using a Card issued outside
the United States, or (2) a PayPal Transaction in which the buyer uses a non-U.S. PayPal account to fund the
"Keyed Transaction" means a Card transaction where you do not swipe the Card via the PayPal
Here Device, but instead input the Card number and other required information via the PayPal Here App.
"PayPal Here Device" means any card reader device we provide to you to use in connection with
your use of PayPal Here, which may include capabilities for magnetic swipe, chip and signature, and/or contactless
"PayPal Transaction" means a transaction using a PayPal-issued access method such as the PayPal
payment card or a PayPal Here check-in transaction.
"PayPal User Agreement" means the online agreement you entered into with PayPal when you opened
your PayPal account, as it may have been amended from time to time. The PayPal User Agreement currently in effect
can be accessed via the Legal Agreements link in the footer of nearly every page on the PayPal website.
"Card Present Transaction" means a transaction that you submit to PayPal by swiping a Card
through the PayPal Here Device, inserting a chip Card into the PayPal Here Device, or presenting a physical or
virtual Card via Near Field Communication (“NFC”) to the PayPal Here Device.
DATA PROTECTION SCHEDULE
This Data Protection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION
1.1 The following terms have the following meanings when used in this Schedule:
"Card Information" is defined in Section 2.15 of this Schedule.
"Customer" means a European Union customer of Merchant who uses the PayPal services and for the
purposes of this Schedule, is a data subject.
"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes
on to PayPal through the use by the Merchant of the PayPal services.
"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data
subject" have the meanings given to those terms under the Data Protection Laws.
"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any
associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and
codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services; and California Consumer Privacy Act of 2018 (CCPA) and any other data protection laws applicable to the PayPal services in the United States of America.
"Data Recipient" is defined in Section 2.15 of this Schedule.
"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or
indirectly from time to time owns or controls.
"personal data" has the meaning given to it in the Data Protection Laws.
"processing" has the meaning given to it in the Data Protection Laws and "process",
"processes" and "processed" will be interpreted accordingly.
"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of
1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii)
Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in
connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such
processing. Merchant will be solely responsible for determining the purposes for which and the manner in which
Customer Data are, or are to be, processed.
2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions or as otherwise required or authorized by applicable law. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. The Parties agree that valuable consideration, monetary or otherwise, is being provided for the services being rendered and not for personal data. Merchant hereby instructs PayPal to process Customer Data for the following purposes:
2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;
2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:
2.3.1 assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and
2.3.2 responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.
2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data). Unless otherwise required or authorized by law, and subject to any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA, PayPal is prohibited from collecting, retaining, using, selling, or disclosing personal data except as necessary for specific purposes of performing the services specified in this Agreement.
2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.
2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.
2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance. If Merchant receives a data deletion request, under CCPA, from a Customer whose Personal Data PayPal processes on behalf of Merchant, Merchant shall inform such Customer that PayPal shall delete such Personal Information unless further storage of such Personal Information is required or authorized by applicable law, including any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA (including without limitation, those exceptions, limitations, exemptions, and/or exclusions set forth in California Civil Code § 1798.145). PayPal and Merchant acknowledge and agree that PayPal is authorized under applicable law to retain such information.
2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal
personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and
comply with such obligations.
2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is
limited to those personnel performing PayPal services in accordance with the Agreement.
2.10 Sub-processors. Merchant specifically authorizes the engagement of members of the PayPal
Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally
authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the
PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor,
which contains terms for the protection of Customer Data which are no less protective than the terms set out in this
Schedule. PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services
with the identities of those Sub-processors.
2.11 Audits and Certifications. Where requested by Merchant, subject to the confidentiality
obligations set forth in the Agreement, PayPal shall make available to Merchant (or Merchant’s independent,
third-party auditor that is not a competitor of PayPal or any members of PayPal or the PayPal Group) information
regarding PayPal’s compliance with the obligations set forth in this Schedule in the form of the third-party
PayPal in accordance with the Agreement to request an on-site audit of the procedures relevant to the protection of
personal data. Merchant shall reimburse PayPal for any time expended for any such on-site audit at PayPal’s
then-current professional PayPal services rates, which shall be made available to Merchant upon request. Before the
commencement of any such on-site audit, Merchant and PayPal shall mutually agree upon the scope, timing, and
duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All
reimbursement rates shall be reasonable, taking into account the resources expended by PayPal. Merchant shall
promptly notify PayPal with information regarding any non-compliance discovered during the course of an audit. To the extent required by applicable data protection laws, PayPal hereby certifies compliance with the Data Protection Schedule in this Agreement.
2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and
organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it
against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision
of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based
application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire
customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees
that the technical and organizational measures are subject to technical progress and development. In that regard,
PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the
measures is maintained in relation to the provision of the PayPal services.
2.13 Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing
of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident
promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c)
describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the
potential risks; and (d) deliver its notification to Merchant's administrators by any means PayPal selects,
including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that
any contact information is current and valid.
2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant
all Customer Data processed on behalf of the Merchant, and PayPal shall delete existing copies of such
Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with
2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written
request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with
any available credit card information including personal data relating to Merchant’s Customers (“Card Information”).
In order to do so, Merchant must provide PayPal with all requested information including proof that the Data
Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to
transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal
with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI
compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from
a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card
Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of
such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or
regulations (including Data Protection Laws).
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
- Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
- Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
- Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any
unauthorized knowledge, amendment or deletion of the recorded data;
- Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission
- Measures taken to guarantee that authorized persons when using an automated data processing system may access
only data that are within their competence;
- Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be
transmitted by transmission facilities;
- Measures taken to guarantee that the identity of the persons having had access to the information system and the
data introduced into the system can be checked and recorded ex post facto at any time and by any authorized
- Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data
are disclosed and data media transported;
- Measures taken to safeguard data by creating backup copies.
Data Processing of Customer Data
Categories of data subjects
Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the
use by the Customer of the PayPal services.
Subject-matter of the processing
The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards,
debit cards, and other payment methods on a website or mobile application from Customers.
Nature and purpose of the processing
PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or
authorization of the Customer’s payment method as payment to the Merchant for the sale of goods or services.
Type of personal data
Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this
Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant
shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to
PayPal from time to time:
- Full name (Optional)
- Contact address (Optional)
- Email address (Optional)
- Telephone number (Optional)
- Card or payment instrument type (Optional)
- Card Primary Account Number (PAN) or Device specific Primary Account Number (DPAN)
- Card Verification Value (CVV)
- Card expiration date
Special categories of data (if relevant)
The transfer of special categories of data is not anticipated.
Duration of Processing
The term of the Agreement.