Appendix 1: April 2018 / Addendum to the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR)
2. The private limited company MultiSafepay BV, with its registered office in Amsterdam, and place of business in (1033 SC) Amsterdam, at Kraanspoor 39, hereinafter referred to as: MSP,
hereinafter collectively referred to as: Parties
- Merchant/Partner has entered into an Agreement with MSP (hereinafter referred to as: the "Agreement");
- Personal Data are processed as defined in the DPA and the GDPR for the performance thereof;
- Pursuant to the provisions of the DPA and the GDPR, Merchant/Partner is the Data Controller regarding these Personal Data;
- for the assignment to MSP to provide the payment services, Merchant/Partner makes Personal Data available to MSP as Recipient within the meaning of the DPA and the GDPR;
- MSP is a payment institution under the supervision of De Nederlandsche Bank and, due to the specific nature of its activities, MSP is also an independent Data Controller within the meaning of the DPA and the GDPR;
- the information management systems of MSP are certified in accordance with the ISAE 3402 principles and criteria. In addition, MSP is certified according to the PCI DSS 3.2 Level 1 Service Provider standard;
- MSP has a Data Protection Officer;
- In accordance with the DPA and the GDPR, the Parties wish to record the agreements they made regarding the processing of the Personal Data in this Agreement.
AGREE AS FOLLOWS:
The capitalised terms mentioned above and below in this Agreement shall have the following meanings:
1.1 Data Subject: the person to whom the Personal Data relate.
1.2 Data Breach: a breach of security referred to in the DPA and GDPR leading to the significant risk of serious adverse consequences or which has serious adverse consequences for the protection of the processed Personal Data.
1.3 Third Party: anyone other than the Data Controller, the Data Processor, or any person authorised under the direct authority of the Data Controller or the Data Processor to process Personal Data.
1.4 Data Protection Officer (DPO): the officer as referred to in the DPA and the GDPR.
1.5 Recipient: the person to whom the Personal Data are provided.
1.6 Agreement: the Agreement between the Merchant and MSP regarding activities relating to the execution of payment services.
1.7 Personal Data: any information relating to an identified or identifiable natural person, which can be traced to the Merchant's portfolio.
1.8 Data Controller: the natural person, legal person or any other person, or the administrative body which alone or jointly with others, determines the purpose and the means for the processing of Personal Data.
1.9 Processing: any operation or set of operations concerning Personal Data, including in any case the collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, joining, linking as well as protecting, deleting, or destruction of data.
1.10 Addendum: this Agreement, including considerations and appendices.
2. Establishment, duration and termination of the Addendum
2.1 This Addendum shall remain in force for the duration of the Agreement. Once the Agreement ends, this Addendum will automatically be terminated.
2.2 The Parties cannot terminate this Addendum prematurely.
3. Obligations of MSP
3.1 The primary objective of MSP is to process payments. MSP makes payment on behalf of Merchant and can accept payment orders on behalf of Merchant, for which MSP, as Recipient, receives Personal Data from Merchant.
3.2 MSP is an independent Data Controller.
3.3 MSP will process the Personal Data in a proper and careful manner and in accordance with the DPA and other applicable regulations regarding the processing of Personal Data. MSP has appointed a Data Protection Officer who supervises application and compliance with the DPA and the GDPR.
3.4 If MSP, based on a legal obligation and outside the regular service provision, must provide Personal Data to a Third Party, MSP will verify the basis of the request and the identity of the applicant and immediately inform Merchant thereof, within the legal possibilities and, if possible, prior to the provision of the data.
3.5 MSP shall fully cooperate with the Merchant/Partner in order to comply within the statutory periods with the obligations under, among others, the DPA and the GDPR, in particular the rights of the Data Subjects, such as, but not limited to, a request for inspection, improvement, addition, removal or protection of Personal Data and the execution of a successfully entered objection. MSP shall also fully cooperate in providing adequate information to the Dutch Data Protection Authority and the Data Subjects within the context of the Obligation to Report Data Leaks. If MSP identifies (attempted) unlawful or otherwise unauthorised processing or breaches of the security measures of the Personal Data received from the Merchant/Partner (including the loss of Personal Data), which leads to the significant risk of serious adverse consequences or which has serious adverse consequences for the protection of Personal Data, it will inform the Merchant/Partner thereof immediately, but no later than within 24 hours, and take all reasonably necessary steps to prevent or limit (further) breach of the DPA, the GDPR or any other regulations concerning the unlawful/unauthorised processing of the Personal Data. Upon first request, MSP will make all information about the breach available to the Merchant and proactively provide any new information the moment it becomes available.
If the Merchant/Partner itself detects a Data Breach involving Personal Data which were also provided to MSP, it must also notify MSP thereof without delay, but no later than within 24 hours. This notification must take place via e-mail. The e-mail address is: [email protected]
4. Appropriate technical and organisational measures
4.1 MSP shall implement appropriate technical and organisational measures and demonstrably maintain them and adjust them as necessary to protect the Personal Data against destruction, loss or any form of unlawful processing.
4.2 MSP works in accordance with the ISAE 3402 principles and criteria. In addition, MSP is certified according to the PCI DSS 3.2 Level 1 Service Provider standard. MSP is audited annually by external auditors.
4.3 MSP does not store Personal Data in countries outside the European Union.
5. Obligation to Report Data Leaks
5.1 The Parties will immediately - but no later than within eight (8) hours - inform the other Party in detail of any discovery of a Vulnerability (a shortcoming or breach of the security of Personal Data) and/or a Data Breach (a security breach of the security of Personal Data which leads to the significant risk of serious adverse consequences or which has serious adverse consequences for the protection of Personal Data as referred to in Article 4 sub 12 of the GDPR) by means of the Data Breach Notification Form set out in Appendix 3.
5.2 As Data Controllers, the Parties are responsible under the privacy legislation for reporting a Data Breach to the Dutch Data Protection Authority as soon as possible, but no later than within seventy-two (72) hours, to the extent that the seriousness of the Data Breach so requires.
6.1 MSP is bound to confidentiality of all Personal Data and information that it processes under this Addendum, except to the extent that such data or information is not secret or confidential or is already generally known.
6.2 If and insofar as the Merchant/Partner expressly requests so in writing, MSP will, to the extent possible, take special confidentiality measures with regard to the data or information referred to.
6.3 In the written agreements with its personnel, MSP will stipulate that these persons will exercise the same confidentiality as set out in paragraphs 1 and 2 with regard to all data and information that they process for MSP in the context of their work. MSP shall guarantee Merchant/Partner that the stipulations in question will be complied with by the persons involved.
6.4 After termination of the Agreement and this Addendum, this article and the confidentiality specified herein shall remain in effect.
7. Destruction and backup
7.1 At the first request of Merchant/Partner, but no later than within five (5) business days after termination of this Addendum or the end of the service provision, MSP will make all Personal Data available to the Merchant/Partner.
7.2 MSP is required to completely and irrevocably delete all Personal Data at the first request of the Merchant/Partner.
7.3 If, after termination of this Addendum, it has been established that the Merchant/Partner possesses all Personal Data in a technical format accepted in writing by the Merchant/Partner, MSP will completely and irrevocably delete all Personal Data within fourteen (14) days after it has been established that the Merchant/Partner possesses the Personal Data.
7.4 MSP may deviate from the provisions in both previous paragraphs, insofar as a statutory retention period applies to Personal Data or insofar as this is necessary to prove compliance with its obligations to the Merchant/Partner.
8.1 MSP periodically has the operations and compliance with the agreed technical and organisational security measures audited by external auditors.
9. Final provisions
9.1 Deviations from this Addendum are binding only to the extent that they have been expressly agreed by the Parties in writing.
9.2 The provisions of the Agreement apply to this Addendum. This Addendum is a supplement to the Agreement. In the event of contradictions between the provisions of this Addendum and the Agreement, the provisions of the Agreement shall prevail.