"Acquiring Bank" means each of the financial institutions PayPal partners with to process your Card payments, including your PayPal Here transactions.
“Business Days” mean(s) Monday through Friday, excluding holidays when PayPal’s offices are not considered open for business in the U.S. Holidays include New Year's Day (January 1), Martin Luther King, Jr.’s Birthday (the third Monday in January), George Washington's Birthday (the third Monday in February), Memorial Day (the last Monday in May), Independence Day (July 4), Labor Day (the first Monday in September), Columbus Day (the second Monday in October), Veterans Day (November 11), Thanksgiving Day (the fourth Thursday in November) and Christmas Day (December 25). If a holiday falls on a Saturday, PayPal observes the holiday on the prior Friday. If the holiday falls on a Sunday, PayPal observes the holiday on the following Monday.
"Card Companies" means a company or group of financial institutions that promulgate rules to govern Card transactions via bankcard and payment networks including MasterCard, Visa, Discover, and American Express.
"Device" means any card reader device your Platform provides to you to use in connection with your use of the Services, which may include capabilities for magnetic swipe, chip and signature, and/or contactless payment acceptance.
"PayPal Platform Seller Account Agreement" means the online agreement you entered into with PayPal before you started using the payment processing services offered by PayPal, as it may have been amended from time to time. The PayPal Platform Seller Account Agreement currently in effect can be accessed via the Legal Agreements link in the footer of nearly every page on the PayPal website.
DATA PROTECTION SCHEDULE
This Data Protection Schedule applies only to the extent that PayPal acts as a Service Provider to you.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION; SCHEDULE COMPOSITION
1.1 Definitions and Interpretation. The following terms have the following meanings when used in this Schedule:
"Customer" means your customers who use the PayPal services in the United States and for the purposes of this Schedule, are data subjects.
"Customer Data" means the Personal Data that the Customer provides to you and you pass on to PayPal through the use by you of the PayPal services.
"Data Protection Laws" means any data protection laws, regulations, and regulatory requirements applicable to PayPal’s provisions of the PayPal services, including without limitation, the California Consumer Privacy Act of 2018 (CCPA), including any implementing regulations issued by the California Attorney General.
"Personal Data" means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"process", "processes", and "processed" means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.
“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by PayPal.
“Service Provider” shall have the meaning set forth in the CCPA.
1.2 Schedule Composition. This Schedule 1 is comprised of (i) sections 1 to 2, being the main body of the schedule; and (ii) Attachment 1.
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 PayPal as a Service Provider.
2.1.1 PayPal is your Service Provider with respect to Customer Data, including the Personal Data of Customers and other natural persons, households, and entities only for the purposes specified in the Agreement. You agree to provide to PayPal only the Customer Data that is necessary for PayPal to provide the payment processing services. The parties acknowledge and agree that PayPal is permitted to use, reproduce and process Customer Data and payment transaction data for the following limited purposes:
- as reasonably necessary to provide and improve the payment processing services to you and your customers, including fraud protection tools;
- to monitor, prevent, and detect fraudulent payment transactions, and to prevent harm to you, PayPal, and to third parties;
- to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
- to analyze, develop and improve PayPal’s products and services;
- internal usage, including but not limited to, data analytics and metrics;
- to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Personal Data is not identifiable, including calculating your averages by region or industry;
- complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
- any other purpose that PayPal notifies you and in accordance with Data Protection Laws.
2.1.2 PayPal shall comply with the requirements of the Data Protection Laws with respect to the use of Personal Data under this Agreement and shall not knowingly do anything or knowingly permit anything to be done with respect to the Personal Data which might lead to a breach by you of the Data Protection Laws.
2.1.3 With regard to any Customer Data to be processed by PayPal in connection with this Agreement, you will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.1.4 The Parties acknowledge and agree that valuable consideration, monetary or otherwise, is being provided for the payment processing services being rendered by PayPal and not in exchange for you providing Personal Data in connection with the payment processing services.
2.1.5 Unless otherwise required or authorized by law and subject to any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA or applicable Data Protection Laws, PayPal is prohibited from collecting, retaining, using, selling or disclosing Personal Information except as necessary for the purpose of performing the payment processing services specified in the Agreement between the parties.
2.2 Customer Requests. PayPal shall, to the extent legally permitted, promptly notify you in the event PayPal receives a request from a Customer for access to, or correction, amendment, or deletion of, that Customer’s Personal Data. PayPal shall not respond to any such Customer request without your prior written consent except to confirm that the request relates to you and you hereby consent to such communication with your Customer by PayPal. PayPal shall provide you with commercially reasonable cooperation and assistance in relation to the handling of a Customer’s request for access to that Customer’s Personal Data, provided that such cooperation and assistance is legally permitted and to the extent you do not have access to such Customer Data through your use of the payment processing services. PayPal and you acknowledge and agree that PayPal is authorized under applicable law to retain and process such Customer Data pursuant to applicable law, including, without limitation, any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA (including without limitation, those exceptions, limitations, exemptions and/or exclusions set forth in California Civil Code § 1798.145).
2.3 PayPal Personnel. PayPal shall ensure that its personnel engaged in the processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Such confidentiality obligations shall survive the termination of the applicable personnel’s engagement. PayPal undertakes to provide its personnel with training as necessary from time to time with respect to PayPal's obligations in this Addendum so that PayPal personnel are aware of, and comply with, such obligations. Access by PayPal's personnel to Customer Data is limited to those personnel performing payment processing services in accordance with the Agreement.
2.4 Technical and Organizational Measures. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Addendum to keep Customer Data secure and to protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the payment processing services. You understand and agree that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the payment processing services. In the event of any detrimental change, PayPal shall provide a notification together with any necessary documentation to you by email or publication on a website easily accessible by you.
2.5 Security Incidents. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data and if there is a reasonable likelihood of material harm to a material part of the PayPal systems relating to the payment processing services provided to you, PayPal will, in accordance with Data Protection Laws: (a) notify you of the Security Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
2.5.1 Details of Security Incident. Notifications made under this Section will describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks.
2.5.2 Communication. PayPal will deliver its notification of any Security Incident to one or more of your administrators via email. You are solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.6 Deletion. Upon termination or expiration of the Agreement, PayPal will delete or return to you all Customer Data processed on behalf of you, and PayPal shall delete existing copies of such Customer Data except where authorized by Data Protection Laws or necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
2.7 Certification. The Parties will at all times comply with applicable Data Protection Laws. PayPal hereby certifies that it understands and agrees to the terms of this Data Protection Schedule in this Agreement.
2.8 Merchant Notices. You undertake to provide all notices and obtain all consents necessary for PayPal’s use of Personal Data set out above.
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
- Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
- Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
- Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
- Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities;
- Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
- Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
- Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
- Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
- Measures taken to safeguard data by creating backup copies.