Data Protection Controller Addendum for Direct Card Processing Products
This Data Protection Controller Addendum (this “Addendum”) applies to any product where a PayPal Group Entity (“PayPal”) is providing Braintree and other like card payment and gateway services and/or fraud management tools to you, the Merchant (the “Merchant” or “You”). This Addendum does not apply to PayPal branded wallet services such as Express Checkout or paying with the PayPal button. This Addendum shall form part of the relevant agreement between Merchant and PayPal which governs PayPal’s provision of the payment processing services to you (the “Agreement”). In the event there is any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall control. Capitalized terms used but not defined in this Addendum shall have the meaning set out in the Agreement.
This Addendum is effective as of the later of (i) the effective date specified in the Agreement or (ii) the effective date stated in the notice given to you in connection with an amendment to the Agreement or this Addendum. We may amend this Addendum at any time by posting a revised version on our website. The revised version will be effective at the time we post it. In addition, if we change the Addendum in a way that reduces your rights or increases your responsibilities, we will provide you prior written notice within the timeframe required by the Agreement by posting notice on the "Policy Updates" page of our website. We may also notify you of the change using email or other means. If you do not agree with any change to the Addendum, you may terminate your use of the Agreement at any time.
The following terms have the below meanings when used in this Addendum:
“Controller” means an entity that determines the purposes and means of the processing of Personal Data, or, if such term (or terms addressing similar functions) is defined in the Data Protection Laws, “Controller” shall have the meaning as defined in the applicable Data Protection Laws.
“Customer” means your customers who use the payment processing services outside of the United States and for the purposes of this Addendum, are data subjects.
“Customer Data” means the Personal Data that (i) the Customer provides to Merchant and Merchant passes on to PayPal through the use by Merchant of the payment processing services and (ii) PayPal may collect from the Customer’s device and browser through use by Merchant of the payment processing services. Customer Data as used in this Addendum does not include Personal Data of Merchant’s U.S. customers.
“Data Protection Laws” means any applicable data protection laws, regulations, directives, regulatory requirements and codes of practice applicable to the provision of the payment processing services including any amendments thereto and any associated regulations or instruments (e.g., the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988 (Cth), the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap.486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 and the Personal Data Protection Act 2012 (Singapore)).
“PayPal Group Entity” means PayPal, Inc. and all companies which PayPal or its successor directly or indirectly from time to time owns or controls.
“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or terms addressing similar functions when used in this Addendum shall have the meaning as defined in the applicable Data Protection Laws.
PayPal As Data Controller
PayPal shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the use of Personal Data under this Addendum (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Personal Data) and shall not knowingly do anything or permit anything to be done with respect to the Personal Data which might lead to a breach by Merchant of the Data Protection Laws. PayPal shall only transfer Personal Data to third parties, sub-processors or members of the PayPal Group Entity for the purposes of providing the payment processing services and shall have written agreements with such third parties and sub-processors which contain terms for the protection of Customer Data, which are no less protective than the terms set out in this Addendum.
Processing of Personal Data in Connection with the Payment Processing Services
The parties acknowledge and agree that Merchant and PayPal are each independent Controllers in respect of all Personal Data Processed in connection with the payment processing services. As such, PayPal independently determines the purpose and the means of the Processing of such Personal Data and is not a joint Controller with Merchant with respect to such Personal Data.
The parties acknowledge and agree that PayPal is permitted to use, reproduce and Process Customer Data and payment transaction data for the following limited purposes:
- as reasonably necessary to provide and improve the payment processing services to Merchant and its Customers, including fraud protection tools;
- to monitor, prevent and detect fraudulent payment transactions and to prevent harm to Merchant, PayPal and to third parties;
- to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
- to analyze, develop and improve PayPal’s products and services;
- internal usage, including but not limited to, data analytics and metrics;
- to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Personal Data is not identifiable, including calculating your averages by region or industry;
- complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
- any other purpose of which it notifies Merchant, so long as such purpose is in accordance with Data Protection Laws.
Merchant Notice to Customers
The parties agree to co-operate with each other to the extent reasonably necessary to enable the other party to adequately discharge their responsibility as an independent Controller under Data Protection Laws. The parties agree that to the extent Merchant receives a subject access request or any exercise by a Customer of its rights under Data Protection Laws, Merchant shall respond to such Customer’s access request directly. Merchant also shall inform the Customer that they may exercise their data subject rights in connection with the payment processing services with PayPal according to the instructions described in the Privacy Statement available at www.paypal.com. In addition, if in connection with any security incident, PayPal determines in its sole discretion that it must notify affected Customers and PayPal does not have the necessary contact information about an affected Customer to make such communication, then Merchant shall use commercially reasonable efforts to provide PayPal with information about the Customer that Merchant may possess for the limited purpose of PayPal’s compliance with applicable notification obligations regarding affected Customers under Data Protection Laws.
Cross Border Data Transfers
The parties agree that PayPal may transfer Personal Data Processed under this Agreement outside the country where it was collected as necessary to provide the payment processing services. If PayPal transfers Personal Data protected under this Addendum to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision, PayPal will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with applicable Data Protection Laws. For example, and for purposes of compliance with the GDPR, we rely on Binding Corporate Rules approved by competent supervisory authorities and other data transfer mechanisms for transfers of Customer Personal Data to other PayPal Group Entities.
With respect to your data transfers to PayPal of your Customers located in the European Union, Switzerland, the European Economic Area, and/or their member states and the United Kingdom, we each agree that (i) your signing of the Agreement will be deemed to be signature and acceptance of the Controller to Controller Standard Contractual Clauses approved by EC Commission Decision of 27 December 2004 (C(2004)5721) (“C2C Transfer Clauses”) by Merchant, as the data exporter and (ii) PayPal’s signature of the Agreement will be deemed to be signature and acceptance of the C2C Transfer Clauses by PayPal, as the data importer. In the event the European Commission revises and thereafter publishes new C2C Transfer Clauses or as otherwise required or implemented by the European Commission, the parties agree that such new C2C Transfer Clauses will supersede the present C2C Transfer Clauses. The C2C Transfer Clauses will be incorporated into the Agreement by reference and will be considered duly executed between the parties upon entering into force of this Agreement subject to the following details:
- PayPal agrees it will process the Customer Data in accordance with Set II, clauses II(h)(iii) of the C2C Transfer Clauses and by signing the Agreement it will be deemed to duly initial and accept such clause II(h)(iii); and
- The parties agree that the details required under the C2C Transfer Clauses Annex B are as set forth on Attachment 1.
C2C Transfer Clauses Annex B
The Personal Data transferred concern the following categories of data subjects:
The data exporter and its Customers.
Purposes of the transfer(s)
The transfer is made for the following purposes:
Performance of the services provided by data importer to data exporter in accordance with the Agreement.
Categories of data
The Personal Data transferred may include the following categories of data:
Customer name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by PayPal under the Agreement.
The personal data transferred may be disclosed only to the following recipients:
The importer’s service providers, affiliates, and personnel performing services in accordance with the Agreement.
Sensitive data (if appropriate)
The personal data transferred concern the following categories of sensitive data:
Not applicable, unless Merchant configures the service to capture such data.
Data protection registration information of data exporter (where applicable)
Additional useful information (storage limits and other relevant information)
As set forth in the Agreement.
Contact points for data protection enquiries
Data importer: Contact points for Data importer can be found in the Agreement.
Data exporter: Contact points for Data exporter can be found in the Agreement.