Protected: PAYONEER DATA PROCESSING ADDENDUM
PAYONEER DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum“) forms part of the agreement («Agreement«) entered into by and between you (“the Supplier“), and Payoneer (as defined in the Agreement) (the Supplier and Payoneer may also be referred to herein as a “Party“, and collectively they may also be referred to as the “Parties“) and any future amendments thereto or other engagements between the Parties. This Addendum reflects the Parties’ agreement with regard to the Supplier’s processing of Payoneer Personal Data (defined below) in connection with providing Services described in the Agreement.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
This Addendum shall be effective on its incorporation into the Agreement as specified in the Agreement (“Addendum Effective Date“).
- Definitions
In this Addendum, the following terms shall (unless the context otherwise requires) have the meanings set out below and cognate terms shall be construed accordingly:- «Applicable Laws» means (a) UK, European Union or Member State laws with respect to any Payoneer Personal Data in respect of which Payoneer or any Payoneer Affiliate is a Data Controller under EU Data Protection Laws and the UK Data Protection Laws; and (b) any other applicable law with respect to any Payoneer Personal Data in respect of which Payoneer or any Payoneer Affiliate is a Data Controller (or its equivalent) under any other Data Protection Laws;
- «Authorised Subprocessor(s)» means (a) those Subprocessors set out in Annex 3 to this Addendum (Authorised Subprocessors); and (b) any additional Subprocessors consented to in writing by Payoneer in accordance with Section 6.1;
- «Data Protection Laws» shall mean, as applicable, (a) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR“) and laws implementing or supplementing the GDPR, (collectively with the foregoing “EU Data Protection Laws“), and any data protection laws substantially amending, replacing or superseding the GDPR; (b) the GDPR as transposed into the United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR“), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom (“UK Data Protection Laws“); (c) the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act of 2020 (“CCPA“) and all applicable local, state, federal, regional, divisional, statutes, rules or regulations, reporting requirements, ordinances, orders, decrees, judgments, consent decrees, settlement agreements and regulations applicable to a respective party (including those related to privacy, data protection, labeling of sponsored content and behavioral advertising) and including, but not limited to compliance with, the Payment Card Industry Data Security Standard, the Federal Trade Commission Guides Concerning the Use of Endorsements and Testimonials in Advertising, the Illinois Biometric Information Privacy Act, the Children’s Online Privacy Protection Act, the Controlling the Assault of Non-Solicited Pornography And Marketing Act, and any state laws requiring notice of breaches involving personally identifiable information, as applicable; or (d) any other data protection or privacy laws as applicable including, without limitation, the Brazilian Law No. 13,709/2018 (Brazilian General Law on Data Protection) (“LGPD“); the Australian Privacy Act 1988 (Cth); the Japanese Act on Protection of Personal Information, the Japanese Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures; the Data Security Law of the People’s Republic of China, Cybersecurity Law of the People’s Republic of China, Personal Information Protection Law of the People’s Republic of China; the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong); the Singapore Personal Data Protection Act 2012; and each data protection or privacy law, respectively, as amended, replaced or superseded from time to time, and any regulations enacted thereunder;
- «Delete» means the removal or obliteration of Personal Data such that it cannot be recovered or reconstructed;
- «EEA» means the European Economic Area;
- “EU Restricted Transfer” means either: (i) a transfer of Personal Data by Payoneer or any Payoneer Affiliate (“Transferor“) to the Supplier or any Supplier Affiliate (“Transferee“); or (ii) an onward transfer from a Supplier to a Subprocessor (also a “Transferee“), in each case, where such transfer would be prohibited by EU Data Protection Laws in the absence of the protection for the transferred Personal Data provided by the EU Standard Contractual Clauses or any other mechanism permitted under Applicable Laws to be established under Section 12 below;
- “EU Standard Contractual Clauses” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws;
- «Legal Process» means any criminal, civil, or administrative subpoena, mandatory request, warrant or court order issued by a Public Body, including but not limited to subpoenas, warrants and orders authorized under local, regional, state, national or and federal laws or regulations or any other laws applicable to the Supplier or Supplier Affiliate in any Third Country;
- “Losses” means all losses, costs, claims, demands, actions, proceedings, fines, penalties, awards, liabilities, damages, compensation, settlements, expenses and/or professional costs and/or charges;
- “Mandated Auditor” has the meaning given to it in Section 11.1;
- “Payoneer Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Payoneer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of Payoneer, whether through ownership of voting securities, by contract or otherwise;
- “Payoneer Personal Data” means (a) the data described in Annex 1 to this Addendum (Description of the Processing of Payoneer Personal Data); (b) any other Personal Data (as defined below) Processed by the Supplier and/or any Supplier Affiliate on behalf of Payoneer and/or any Payoneer Affiliate pursuant to or in connection with the Agreement. As between the Parties and for purpose of (i) the EU Data Protection Laws, the UK Data Protection Laws and LGPD, Payoneer and/or any Payoneer Affiliate is the Data Controller (as defined below) of Payoneer Personal Data and the Supplier shall be deemed Data Processor (as defined below); (ii) CCPA, Payoneer and/or any Payoneer Affiliate is the Business (as defined below) and owner of Payoneer Personal Data and the Supplier shall be deemed Service Provider (as defined below);
- “Personal Data” or “Personal Information” shall either have (a) where applicable, the same meaning as in the GDPR, and/or; (b) where applicable, the same meaning as the term Personal Information has under the CCPA, and/or; (c) the same meaning the term Personal Data or Personal Information has under equivalent definitions in any other Data Protection Laws;
- “Personal Data Breach“ means (i) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Payoneer Personal Data transmitted, stored or otherwise Processed, as well as any breach of Section 5 of this Addendum, or of the data protection, confidentiality or security provisions of the Agreement; and (ii) any other event defined as a “personal information breach”, “personal data breach” or similar term under applicable law or contractual provision;
- “Process/Processing“, “Data Controller/Controller“, “Data Processor/ Processor“, “Data Subject“, and “Special Categories of Personal Data” shall have the same meaning as in the GDPR or under equivalent definitions in any other Data Protection Laws. “Business“, “Consumer”, «Deidentified» and “Service Provider” shall have the same meaning as in the CCPA or under equivalent definitions in any other Data Protection Laws;
- «Public Body» means any local, regional, state, national or federal law enforcement authority, regulator, government department, agency or court in any Third Country;
- “Relevant Date“ means the date falling on the earlier of (i) the cessation of Processing of Payoneer Personal Data by the Supplier and/or Supplier Affiliates; or (ii) termination of the Agreement;
- “Restricted Transfer“ means an EU Restricted Transfer and/or a UK Restricted Transfer as the context dictates;
- “Services” means the services to be supplied by the Supplier and/or Supplier Affiliates to Payoneer and/or Payoneer Affiliates pursuant to the Agreement;
- “Standard Contractual Clauses” means the EU Standard Contractual Clauses or the UK Standard Contractual Clauses (as applicable), as updated, amended, replaced or superseded from time to time by the European Commission or by the UK Supervisory Authority, as applicable; or (ii) where required from time to time by a Supervisory Authority for use with respect to any specific Restricted Transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such regulatory authority or Applicable Laws;
- «Subprocessor» means any Data Processor, (including any third party and any Supplier Affiliate), and where CCPA applies, any Service Provider, appointed by the Supplier to Process Payoneer Personal Data on behalf of Payoneer and/or any Payoneer Affiliate for purpose of provision of the Services under the Agreement;
- “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
- “Supplier Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with the Supplier, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- «Third Country» means a country which is not the UK, not a Member State of the European Union, or is outside the EEA;
- “UK Restricted Transfer” means either: (i) a transfer of Personal Data by Payoneer or any Payoneer Affiliate (“Transferor“) to the Supplier or any Supplier Affiliate (“Transferee“); or (ii) an onward transfer from a Supplier to a Subprocessor (also a “Transferee“), in each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection for the transferred Personal Data provided by the UK Standard Contractual Clauses or any other mechanism permitted under Applicable Laws to be established under Section 12 below; and
- “UK Standard Contractual Clauses” means the EU Standard Contractual Clauses as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner (the “IDTA“), as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.
- Data Processing Terms
In the course of providing the Services to Payoneer and/or Payoneer Affiliates pursuant to the Agreement, the Supplier and/or Supplier Affiliates may Process Payoneer Personal Data on behalf of Payoneer and/or any Payoneer Affiliate and in the course of such Processing, (i) the Supplier guarantees to implement appropriate technical and organisational measures in such manners that Processing of Payoneer Personal Data will meet the requirement of Applicable Laws and ensure the protection of the rights of the Data Subjects; and (ii) the Supplier agrees to comply with the provisions set out in this Addendum with respect to any Payoneer Personal Data submitted by or for Payoneer and/or any Payoneer Affiliate to the Services or otherwise collected and Processed by or for Payoneer and/or any Payoneer Affiliate by the Supplier and/or any Supplier Affiliate. - Processing of Payoneer Personal Data
- The Supplier shall only Process the types of Payoneer Personal Data relating to the categories of Data Subjects for the limited and specific business purposes set forth in the Agreement and in Annex 1 to this Addendum. The Supplier shall not Process, transfer, modify, amend or alter the Payoneer Personal Data or otherwise disclose or permit the disclosure of the Payoneer Personal Data to any third party other than in accordance with Payoneer’s documented instructions (whether in the Agreement or otherwise) unless such Processing is required by Applicable Laws to which the Supplier is subject, in which case the Supplier shall to the extent permitted by Applicable Laws inform Payoneer of that legal requirement before Processing that Personal Data. The Supplier shall (a) not retain, use, disclose, or otherwise Process Payoneer Personal Information outside of the direct business relationship between Payoneer and the Supplier; or (b) “sell” or “share” Payoneer Personal Information, as such terms are defined under the CCPA.
- The Supplier shall not combine or update Payoneer Personal Information that the Supplier receives from, or on behalf of, Payoneer with Payoneer Personal Information that it receives from, or on behalf of, another person, or collects from its own interaction with an individual; provided that the Supplier may combine Payoneer Personal Information to perform the Services.
- The Supplier shall promptly notify Payoneer in writing (in accordance with any notice provision in the Agreement and to privacy@payoneer.com), but in no event later than five (5) business days, if Supplier determines that it can no longer meet its obligations under this Addendum or applicable Data Protection Laws. Payoneer shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information by the Supplier.
- For the purposes set out in Section 3.1 above, Payoneer hereby instructs the Supplier to transfer Payoneer Personal Data to the recipients in the countries listed in Annex 4 to this Addendum (Authorised Transfers of Payoneer Personal Data) always provided that the Supplier shall comply with Section 6 and Section 12.
- To the extent that Payoneer discloses or otherwise makes available Deidentified information to the Supplier pursuant to and as permitted by the Agreement, the Supplier agrees to (a) take reasonable measures to ensure that the information cannot be associated with an individual or household; (b) publicly commit to maintain and use the information in Deidentified form and not attempt to reidentify the information; (c) contractually obligate any further recipient permitted by this Addendum to comply with all provisions of this Section 3.5 and (d) ensure that any such information is Deidentified to at least the minimum standard required under applicable law.
- Supplier Personnel
- The Supplier shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Payoneer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Payoneer Personal Data, as strictly necessary for the purposes set out in Section 3.1 above in the context of that individual’s duties to the Supplier, ensuring that all such individuals:
- are informed of the confidential nature of the Payoneer Personal Data and are aware of the Supplier’s obligations under this Addendum and the Agreement in relation to the Payoneer Personal Data;
- have undertaken appropriate training on his or her responsibilities in relation to the Data Protection Laws;
- are subject to confidentiality undertakings; and
- are subject to user authentication and log‑on processes when accessing the Payoneer Personal Data, and to the extent applicable under the Data Protection Laws, such user authentication shall be based on physical means.
- The Supplier shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Payoneer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Payoneer Personal Data, as strictly necessary for the purposes set out in Section 3.1 above in the context of that individual’s duties to the Supplier, ensuring that all such individuals:
- Security
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing Payoneer Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Supplier shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate the measures referred to in Article 32 of the GDPR or equivalent provisions under applicable Data Protection Laws. Without limitation to the generality of the foregoing, and in particular to its obligation to determine the appropriateness of any additional technical and organisational measures, the Supplier shall implement and maintain each of the technical and organisational measures listed in Annex 2 to this Addendum (Technical and Organisational Measures).
- In assessing the appropriate level of security, the Supplier shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Payoneer Personal Data transmitted, stored or otherwise Processed.
- Subprocessing
- Subject to Section 6.3, the Supplier shall not engage any Data Processors to Process Payoneer Personal Data other than with the prior written consent of Payoneer, which Payoneer may refuse in its absolute discretion.
- With respect to each Subprocessor, the Supplier shall:
- provide Payoneer with full up-to-date details of the Subprocessor and the Processing to be undertaken by each Subprocessor, including (a) the names of all Subprocessors; (b) the purpose(s) of the Processing of Payoneer Personal Data by each Subprocessor; (c) the categories of Payoneer Personal Data Processed by each Subprocessor; and (d) any other information reasonably required by Payoneer regarding the Processing of Payoneer Personal Data by any Subprocessor;
- carry out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for Payoneer Personal Data as is required by this Addendum, including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of applicable Data Protection Laws and this Addendum, and provide evidence of such due diligence to Payoneer where requested by Payoneer or a Supervisory Authority;
- include terms in the contract between the Supplier and each Subprocessor which are the same as those set out in this Addendum, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing of Payoneer Personal Data by the Subprocessor will meet the requirements of any Applicable Laws. Upon request, the Supplier shall provide a copy of its agreements with Subprocessors to Payoneer for its review;
- insofar as that contract involves a Restricted Transfer, procure that each Transferee enter into a contract with the Supplier which contains the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses as applicable, in each case in order to ensure the adequate protection of the transferred Payoneer Personal Data; and
- remain fully liable to Payoneer for any failure by each Subprocessor to fulfil its obligations in relation to the Processing of any Payoneer Personal Data to the same extent the Supplier would be liable if the Processing of Payoneer Personal Data that is carried out through Subprocessors was performed directly by the Supplier.
- As at the Addendum Effective Date, Payoneer hereby authorises the Supplier to engage those Subprocessors set out in Annex 3 to this Addendum.
- Data Subject Rights
- Taking into account the nature of the Processing, the Supplier shall assist Payoneer by implementing appropriate technical and organisational measures to facilitate the fulfilment of Payoneer’s and/or Payoneer Affiliate’s obligation (as Data Controller/Business in each case) to respond to requests for exercising Data Subject rights laid down in EU Data Protection Laws, UK Data Protection Laws, CCPA, LGPD or equivalent or similar provisions under applicable Data Protection Laws, and at the written request of Payoneer, comply with or respond to requests for exercising Data Subjects’ rights as mentioned.
- The Supplier shall promptly (and in any event within five (5) calendar days) notify Payoneer in writing (in accordance with any notice provision in the Agreement and to privacy@payoneer.com) if it receives a request from a Data Subject under any Data Protection Laws in respect of Payoneer Personal Data and ensure that neither it nor any Subprocessor responds to any such request, except on a written instruction of Payoneer or as required by Applicable Law to which the Supplier or Subprocessor is subject, while in the latter case, unless that Applicable Law prohibits so, the Supplier shall inform, and if applicable, procure that the relevant Subprocessor informs Payoneer of that legal requirement prior to responding to the request.
- The Supplier shall co‑operate as requested by Payoneer to enable Payoneer to comply with any exercise of rights by a Data Subject under the GDPR, UK Data Protection Laws, CCPA, LGPD or any Data Protection Laws in respect of Payoneer Personal Data and comply with any assessment, enquiry, notice investigation, or as otherwise required under any Data Protection Laws in respect of Payoneer Personal Data or this Addendum, which shall include:
- the provision of all data requested by Payoneer within any reasonable timescale specified by Payoneer in each case, including full details and copies of the complaint, communication or request and any Payoneer Personal Data it holds in relation to a Data Subject;
- where applicable, providing such assistance as is reasonably requested by Payoneer to enable Payoneer to comply with the relevant request within the timescales prescribed by the Data Protection Laws; and
- implementing any additional technical and organisational measures as may be reasonably required by Payoneer to allow Payoneer to respond effectively to relevant complaints, communications or requests.
- Personal Data Breach
- The Supplier shall notify Payoneer immediately, and in any case within twenty-four (24) hours, in writing (in accordance with any notice provision in the Agreement and to privacy@payoneer.com) upon becoming aware of or reasonably suspecting a Personal Data Breach providing Payoneer with sufficient information which allows Payoneer to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
- describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
- communicate the name and contact details of the Supplier’s data protection officer or other relevant contact from whom more information may be obtained;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to be taken to address the Personal Data Breach including measures to mitigate its possible adverse effects.
- The Supplier shall co-operate with Payoneer and take such reasonable commercial steps as are directed by Payoneer to assist in the investigation, mitigation and remediation of each Personal Data Breach.
- Where it is not possible to provide the above information at the same time, the information may be provided in phases, without undue further delays.
- In any case where the Supplier delays in providing any information regarding a Personal Data Breach affecting Payoneer Personal Data to Payoneer as provided above, the information shall be provided together with reasons for the delay.
- The Supplier shall document any Personal Data Breach affecting Payoneer Personal Data (including the facts relating to the Personal Data Breach, its effects and the remedial actions taken) in a sufficient manner to enable Payoneer to demonstrate compliance with any Data Protection Law, including Article 33 of the GDPR.
- In the event of a Personal Data Breach, the Supplier shall not inform any third party without first obtaining Payoneer’s prior written consent, unless notification is required by EU or Member State law, or other Applicable Law to which the Supplier is subject, in which case the Supplier shall to the extent permitted by such law inform Payoneer of that legal requirement, provide a copy of the proposed notification and consider any comments made by Payoneer before notifying the Personal Data Breach.
- For avoidance of doubt, Payoneer, at its sole discretion, shall determine whether, when and what information to notify any Data Subjects or data protection authorities regarding a Personal Data Breach.
- The Supplier shall notify Payoneer immediately, and in any case within twenty-four (24) hours, in writing (in accordance with any notice provision in the Agreement and to privacy@payoneer.com) upon becoming aware of or reasonably suspecting a Personal Data Breach providing Payoneer with sufficient information which allows Payoneer to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
- Data Protection Impact Assessment and Prior Consultation
- The Supplier shall provide reasonable assistance to Payoneer with any data protection impact assessments which are required under Article 35 GDPR and/or under any other Data Protection Law, and with any prior consultations to any supervisory authority of Payoneer or any Payoneer Affiliate which are required under Article 36 GDPR, in each case solely in relation to Processing of Payoneer Personal Data by the Supplier on behalf of Payoneer and taking into account the nature of the Processing and information available to the Supplier.
- The Supplier shall maintain a record of its Processing activities conducted for and on behalf of Payoneer. Such record shall contain:
- the categories of Processing carried out on behalf of Payoneer;
- where applicable, details of any restricted transfers of Payoneer Personal Data including the identification of the country or international organization that Payoneer Personal Data is transferred to and record of the safeguards the Supplier has put in place to ensure that the transfer will be in accordance with Data Protection Laws;
- details of the technical and organizational measures the Supplier has put in place to ensure the security of Payoneer Personal Data.
- Where requested by Payoneer, the Supplier shall make available the record of Processing activities referred to in Section 9.2 above to Payoneer within forty-eight (48) hours of receiving such request.
- The Supplier shall appoint a named individual within the Supplier’s organisation who will be designated as the Supplier’s data protection officer as applicable under Data Protection Laws, or person responsible for data protection within the organisation, and shall be responsible for ensuring that the Supplier complies with its obligations regarding data protection as set out in the Agreement and this Addendum. Such data protection officer shall comply with applicable provisions under Data Protection Laws relating to data protection officers and shall be responsible inter alia for overseeing compliance by the Supplier and Supplier Affiliates with the terms of the Standard Contractual Clauses and this Addendum. The Supplier warrants that such an individual will have appropriate professional qualifications and an expert understanding of Data Protection Laws. The Supplier will make available this individual’s contact details to Payoneer on Payoneer’s written request.
- Where required under the GDPR and/or the UK GDPR, the Supplier shall designate a representative located in the EU (“EU Representative“) and/or the UK (“UK Representative“) and shall make available the EU Representative’s and/or the UK Representative’s contact details on or before the Addendum Effective Date, in accordance with Data Protection Laws.
- Deletion or Return of Payoneer Personal Data
- Subject to Section 10.2 and Section 10.3, and not by way of limitation with respect to the Supplier’s obligations pursuant to Section 7, the Supplier shall promptly and in any event within thirty (30) calendar days of the Relevant Date: (a) return a complete copy of all Payoneer Personal Data to Payoneer by secure file transfer in such format as notified by Payoneer to the Supplier; and (b) Delete and procure the Deletion of all other copies of Payoneer Personal Data Processed by the Supplier or any Authorised Subprocessor.
- At the request of Payoneer and at its sole discretion, the Supplier shall procure that any Subprocessor performs the actions set out in sub-paragraph (a) or (b) of Section 10.1 (according to the written instructions of Payoneer) and ensure the performance of such actions by that Subprocessor.
- Subject to Section 10.2, Payoneer may in its absolute discretion notify the Supplier in writing earlier than the Relevant Date to require the Supplier to Delete and procure the Deletion of all copies of Payoneer Personal Data Processed by the Supplier or any Authorised Subprocessor. The Supplier shall comply with any such written request without undue delay and for the avoidance of doubt where this Section 10.3 applies, the Supplier shall not be required to provide a copy of the Payoneer Personal Data to Payoneer.
- The Supplier may retain Payoneer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that the Supplier shall ensure the confidentiality of all such Payoneer Personal Data in accordance with this Addendum and the Agreement and shall ensure that such Payoneer Personal Data is only Processed in accordance with this Addendum and as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- The Supplier shall provide written certification to Payoneer that it has fully complied with this Section 10 within thirty (30) days of the Relevant Date.
- Audit Rights
- In addition to any audit rights granted pursuant to the Agreement, the Supplier shall make available to Payoneer on request all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Payoneer or an auditor mandated by Payoneer or any Payoneer Affiliate (“Mandated Auditor“) of any premises where the Processing of Payoneer Personal Data takes place in order to assess compliance with this Addendum. The Supplier shall permit Payoneer or a Mandated Auditor to inspect, audit and copy any relevant records, processes and systems in order that Payoneer may satisfy itself that the provisions of this Addendum are being complied with. Such audits and inspections may include (a) ongoing manual reviews, (b) automated scans of the Provider’s systems, and (c) regular assessments, audits, or other technical and operational testing at least once every twelve (12) months. The Supplier shall provide full co‑operation to Payoneer in respect of any such audit or inspection and shall, on an annual basis, and/or at the request of Payoneer, provide Payoneer with evidence of compliance with its obligations under this Addendum. The Supplier shall immediately inform Payoneer if, in its opinion, an instruction pursuant to this Section 11 infringes the EU Data Protection Laws, the UK Data Protection Laws, CCPA, LGPD or other Data Protection Laws.
- If requested by Payoneer, the Supplier will complete Payoneer’s security and privacy questionnaires and assessments, pertaining, inter alia, to its compliance to the applicable data protection laws in the performance of the Services to Payoneer.
- Restricted Transfers
- With regard to Restricted Transfers of Payoneer Personal Data, the Parties shall assure adequate protection for the Payoneer Personal Data using one or more of the following methods, as decided by Payoneer in its sole discretion:
__X__ Standard Contractual Clauses, and the provisions of Section 13 shall apply.
The EU Standard Contractual Clauses and the UK Standard Contractual Clauses made under Section 13.2 or Section 13.3, as applicable, come into effect on the later of:
– the data exporter becoming a Party to this Addendum;
– the data importer becoming a Party to this Addendum; and
– the commencement of the EU Restricted Transfer or UK Restricted transfer (as applicable) to which the EU Standard Contractual Clauses or the UK Standard Contractual Clauses relate.
_____ The Supplier shall transfer Payoneer Personal Data pursuant to its approved set of Binding Corporate Rules for Data Processors.
_____ The Supplier is either incorporated in the European Economic Area or in a country which the European Commission/UK government, as applicable, recognized as a country which ensures an adequate level of data protection - The Supplier shall not transfer or disclose Payoneer Personal Data to any other person or entity, unless Payoneer’s prior written consent has been obtained, and provided that such recipients are bound by the same conditions set forth in Section 12.1 above (whereas for such purpose, the Supplier shall mean “Subprocessor”) and that Section 6 above shall apply.
- Payoneer may, by at least 14 (fourteen) days written notice to the Supplier, make changes to the Standard Contractual Clauses entered into by and between Payoneer and the Supplier that are required due to a change in, or a decision of a competent authority under, an Applicable Law.
- Upon receipt of Payoneer’s notice as mentioned in Section 12.3 above, the Supplier shall cooperate and procure that each relevant Subprocessor cooperates with Payoneer to ensure that equivalent changes are made to the Standard Contractual Clauses or the agreement(s) incorporating the Standard Contractual Clauses entered into by and between Payoneer and each such Subprocessor.
- In the event that a competent authority or court determines that the Restricted Transfer mechanism(s) selected above is/are no longer an appropriate basis for Restricted Transfers, Payoneer and the Supplier shall promptly take all steps reasonably necessary to demonstrate adequate protection for the Payoneer Personal Data, using another approved mechanism(s). The Supplier understands and agrees that Payoneer may terminate the Restricted Transfers as needed to comply with the Data Protection Laws.
- With regard to Restricted Transfers of Payoneer Personal Data, the Parties shall assure adequate protection for the Payoneer Personal Data using one or more of the following methods, as decided by Payoneer in its sole discretion:
- Standard Contractual Clauses
- Where Payoneer has selected the first option (Standard Contractual Clauses) in Section 12.1 above, this Section 13 shall apply.
- In respect of any EU Restricted Transfer, Payoneer and each Payoneer Affiliate (each as “data exporter”) and the Supplier and each Supplier Affiliate (each as “data importer”) with effect as set out in Section 12.1, hereby enter into Module 2 of the EU Standard Contractual Clauses in respect of any transfer from Payoneer or any Payoneer Affiliate to the Supplier or Supplier Affiliate, subject to the following changes:
- Clause 7 – Docking clause of Module 2 of the EU Standard Contractual Clauses shall not apply.
- Clause 9 – Use of subprocessors of Module 2 of the EU Standard Contractual Clauses “Option 1” shall apply and the “time period” shall be 30 days.
- Clause 11(a) – Redress of Module 2 of the EU Standard Contractual Clauses the optional language shall not apply.
- Clause 13(a) – Supervision of Module 2 of the EU Standard Contractual Clauses, the following shall be inserted: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- Clause 17 – Governing law of Module 2 of the EU Standard Contractual Clauses “Option 2” shall apply and the “Member State” shall be the Republic of Ireland.
- Clause 18 – Choice of forum and jurisdiction of Module 2 of the EU Standard Contractual Clauses, the Member State shall be the Republic of Ireland.
- Annex 1 of Module 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Annex 1 to this Addendum and the processing operations are deemed to be those described in Annex 1 to this Addendum and/or the Agreement.
- Annex 2 of Module 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Annex 2 to this Addendum.
- Annex 3 of Module 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Annex 3 to this Addendum.
- In respect of any UK Restricted Transfer, Payoneer and each Payoneer Affiliate (each as “data exporter”) and the Supplier and each Supplier Affiliate (each as “data importer”) with effect as set out in Section 12.1, hereby enter into the UK Standard Contractual Clauses in respect of any transfer from Payoneer or any Payoneer Affiliate to the Supplier or Supplier Affiliate with Module 2 applying between Payoneer (or each Payoneer Affiliate) and the Supplier (or each Supplier Affiliate), subject to the following changes:
- Clause 7 – Docking clause of Module 2 of the EU Standard Contractual Clauses shall not apply.
- Clause 9 – Use of subprocessors of Module 2 of the EU Standard Contractual Clauses “Option 1” shall apply and the “time period” shall be 30 days.
- Clause 11(a) – Redress of Module 2 of the EU Standard Contractual Clauses the optional language shall not apply.
- Annex 1 of Module 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Annex 1 to this Addendum and the processing operations are deemed to be those described in Annex 1 to this Addendum and/or the Agreement.
- Annex 2 of Module 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Annex 2 to this Addendum.
- Annex 3 of Module 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Annex 3 to this Addendum.
- Additional information for the IDTA shall be as follows:
(i) Table 1: Parties of the IDTA – shall be populated by the information in Annex 1 to this Addendum.
(ii) Table 2: Selected SCCs, Modules and Selected Clauses of the IDTA – the first tick box in the table shall be deemed to be ticked and the “Date” shall be the date on which the relevant transfer commences, and the UK Standard Contractual Clauses come into force, pursuant to Section 13.3 of this Addendum.
(iii) Table 3: Appendix Information of the IDTA – shall be completed as follows:
– Annex 1A: List of Parties shall be populated by the information in Annex 1 to this Addendum.
– Annex 1B: Description of Transfer shall be populated by the information in Annex 1 to this Addendum.
– Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data shall be populated by the information in Annex 2 to this Addendum.
– Annex III: List of Sub processors (Modules 2 and 3 only) shall be populated by the information in Annex 3 to this Addendum.
(iv) Table 4: Ending this Addendum when the Approved Addendum Changes of the IDTA –the tick box next to “neither Party” shall be deemed to be ticked.
- Supplier Obligations on Receipt of Legal Process
- If the Supplier or Supplier Affiliate receives a Legal Process requiring disclosure of Payoneer Personal Data to a Public Body, the Supplier shall:
14.1.1 attempt to redirect the Public Body issuing such Legal Process to request that Payoneer Personal Data directly from Payoneer; and
14.1.2 give Payoneer control over the response to the Legal Process unless legally prohibited from doing so. - The Supplier shall promptly notify Payoneer in writing (in accordance with any notice provision in the Agreement and to privacy@payoneer.com) where it is unable to comply with Section 14.1 above.
- If the Supplier or Supplier Affiliate receives a Legal Process requiring disclosure of Payoneer Personal Data to a Public Body, the Supplier shall:
- Appropriate Policies
The Supplier shall adopt and at all times operate appropriate policies and processes for the assessment and handling of Legal Processes, which shall be aligned to the requirements of this Addendum and of the Data Protection Laws and shall provide training to relevant members of the Supplier personnel regarding the same. - Technical Safeguards
- The Supplier warrants and represents that it has not taken any steps to deliberately facilitate access to Payoneer Personal Data (including systems on which Payoneer Personal Data is Processed) by any Public Body, including (without limitation) by:
- creating back-doors or similar programming that provide a mechanism for a Public Body to access Payoneer Personal Data; or
- changing its business processes with the express intention of facilitating access to Payoneer Personal Data, other than to the extent required to do so by Applicable Law.
- The Supplier further warrants and represents that it is not subject to law that would require the Supplier to take any of the steps referred to in Section 16.1 above.
- The Supplier warrants and represents that it has not taken any steps to deliberately facilitate access to Payoneer Personal Data (including systems on which Payoneer Personal Data is Processed) by any Public Body, including (without limitation) by:
- Further Assurance
- The Supplier shall, at the request of Payoneer, promptly do or procure the doing of all such further acts, and execute and deliver or procure the valid execution and delivery of all such documents, as may from time to time be necessary in Payoneer’s reasonable opinion to give full effect to the provisions of this Addendum including (i) providing Payoneer with such assistance as Payoneer requires in carrying out any assessment as to whether the conditions of transfers made pursuant to this Addendum (including the destination country) offer appropriate safeguards to individuals’ personal data in accordance with Data Protection Laws and to secure to Payoneer the full benefit of the rights, remedies and benefits conferred on it by this Addendum; and (ii) as may be required by Applicable Law, providing Payoneer with such assistance to obtain any certification for the transfers as required by the Supervisory Authority.
- If, at any time, a Supervisory Authority or a court with competent jurisdiction over a Party mandates that transfers from Controllers in the EEA to Processors established outside the EEA must be subject to specific additional safeguards (including, but not limited to, specific technical and organisational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of Payoneer Personal Data is conducted with the benefit of such additional safeguards.
- Indemnity
The Supplier shall indemnify and hold harmless Payoneer and each Payoneer Affiliate against all Losses arising from any claim by a third party or Supervisory Authority arising from any breach of this Addendum. - Liability
Notwithstanding anything to the contrary in the Agreement, the Supplier’s liability for any breach of this Addendum shall be limited in the aggregate to the sum of ten million United States Dollars (USD $10,000,000). - Miscellaneous
Termination- Subject to Section 20.2, the Parties agree that this Addendum and, if applicable, the Standard Contractual Clauses shall terminate automatically upon (i) termination of the Agreement; or (ii) expiry or termination of all service contracts, statements of work, work orders or similar contract documents entered into by the Supplier with Payoneer and/or Payoneer Affiliates pursuant to the Agreement, whichever is later.
- Any obligation imposed on the Supplier under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum.
Governing Law of this Addendum - Without, if applicable, prejudice to the provisions of the Standard Contractual Clauses specifying the governing law of such clauses, the governing law of this Addendum shall be New York. For purposes solely of Article 9 of Brazilian Decree-Law No. 4,657 dated September 4, 1942, as amended, the transactions contemplated herein have been proposed by Payoneer to the Supplier.
Choice of Jurisdiction - Without, if applicable, prejudice to the provisions of the Standard Contractual Clauses governing choice of forum for disputes or claims arising in connection with such clauses, and notwithstanding the choice of law under Section 20.3, the Parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum.
Cross-Default - Any breach of this Addendum shall constitute a material breach of the Agreement.
Order of Precedence - With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including but not limited to the Agreement, the provisions of this Addendum shall prevail with regard to the Parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the European Union, the UK or any other Third Country, or, as applicable, an individual whose Personal Information Processing is subject to CCPA. In the event of any conflict or inconsistency between this Addendum and as applicable the Clauses of the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Costs of Compliance - Compliance by the Supplier with the provisions of this Addendum will be at no additional cost to Payoneer.
Third Party Rights - Except to the extent set out in Section 20.9 (and as applicable in the Standard Contractual Clauses), a person who is not a party to this Addendum shall have no right to enforce any term of this Addendum.
- A Payoneer Affiliate may enforce any term of this Addendum which is expressly or implicitly intended to benefit it.
- The rights of the Parties to rescind or vary this Addendum are not subject to the consent of any other person.
Changes in Data Protection Laws - Payoneer may notify the Supplier in writing from time to time of any variations to this Addendum which are required as a result of a change in Data Protection Laws including without limitation to the generality of the foregoing, any variations which are required to take account of any new data transfer mechanisms for the purposes of Section 12.1. Any such variations shall take effect on the date falling thirty (30) calendar days after the date such written notice is sent by Payoneer, and the Supplier shall procure that where necessary the terms in each contract between the Supplier or any Supplier Affiliate and each Subprocessor are amended to incorporate such variations within the same time period.
Severance - Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
- By executing this Addendum, the Supplier certifies that it understands the restrictions on the Supplier’s use, disclosure, retention, and other Processing of any Payoneer Personal Data or Personal Information provided hereunder and will comply with them
Upon execution of the Agreement by the respective parties, this Addendum is entered into as of the Addendum Effective Date and becomes a binding part of the Agreement.