PAYONEER CONTROLLER TO CONTROLLER DATA PROCESSNG ADDENDUM
PAYONEER CONTROLLER TO CONTROLLER DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) forms part of the agreement (the “Agreement”) entered into by and between you (“Company”) and Payoneer (as defined in the Agreement), and any future amendments thereto or other engagements between the parties (together referred to as the “Parties” and each a “Party”).
In consideration of the mutual obligations set out below, the Parties agree that the terms and conditions set out below are added as an Addendum to the Agreement and shall function as a variation to the Agreement.
- Definitions
Within this Section 1, capitalised terms shall have the meanings set out below:
“Data Protection Laws” means (a) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and laws implementing or supplementing the GDPR, (collectively with the foregoing “EU Data Protection Laws”), and any data protection laws substantially amending, replacing or superseding the GDPR; (b) the GDPR as transposed into the United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom (“UK Data Protection Laws”) (as amended and superseded from time to time); (c) the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act of 2020 (“CCPA”); (d) the Data Security Law of the People’s Republic of China, Cybersecurity Law of the People’s Republic of China, Personal Information Protection Law of the People’s Republic of China; (e) the Singapore Personal Data Protection Act 2012; (f) the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong); and (g) all other applicable laws, rules, regulations, regulatory guidance and regulatory requirements from time to time, in each case in each jurisdiction where the Parties Process Personal Data;
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data Breach”, “Special Categories of Personal Data” and “Processing” (“Processed” and “Process” shall be construed in accordance with the definition of “Processing”) shall have the same meanings as in the GDPR and equivalent terms shall have the meaning set forth under applicable Data Protection Laws;
“Data Subject Request” means a request from a Data Subject to exercise any right under the Data Protection Laws;
“EU Restricted Transfer” means a transfer of Personal Data by Payoneer to Company where such transfer would be prohibited by EU Data Protection Laws in the absence of the protection for the transferred Personal Data provided by the EU Standard Contractual Clauses or any other mechanism permitted under applicable laws to be established under Section 9 below;
“EU Standard Contractual Clauses” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws;
“Payoneer Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Payoneer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of Payoneer, whether through ownership of voting securities, by contract or otherwise;
“Personal Data” means any personal data, as defined in any applicable Data Protection Laws, disclosed by one Party (“Discloser”) to the other Party (“Recipient”) in the performance of that Party’s rights or obligations under this Addendum and the Agreement;
“Restricted Transfer” means an EU Restricted Transfer and/or a UK Restricted Transfer as the context dictates;
“Standard Contractual Clauses” means (i) the EU Standard Contractual Clauses or the UK Standard Contractual Clauses (as applicable), as updated, amended, replaced or superseded from time to time by the European Commission or by the UK Supervisory Authority; or (ii) where required from time to time by a Supervisory Authority for use with respect to any specific Restricted Transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Data Protection Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such regulatory authority or Data Protection Laws;
“Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
“UK Restricted Transfer” means a transfer of Personal Data by Payoneer to Company where such transfer would be prohibited by the UK Data Protection Laws in the absence of the protection for the transferred Personal Data provided by the UK Standard Contractual Clauses or any other mechanism permitted under applicable Data Protection Laws to be established under Section 10 below; and
“UK Standard Contractual Clauses” means the EU Standard Contractual Clauses as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner (the “IDTA”), as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR. - The Parties acknowledge and agree that in respect of any Personal Data which are to be Processed in respect of the matters relating to this Addendum, each Party shall act as an independent Data Controller and shall comply with their respective obligations under Data Protection Laws in relation to any such Processing of Personal Data.
- Where acting as a Discloser, each Party shall:
- only disclose the Personal Data for purposes of performance of the Agreement which are consistent with the terms of this Addendum (“Permitted Purposes”);
- ensure that it has:
(i) procured for a notice to be made available to the relevant Data Subject(s) informing them that their Personal Data will be disclosed to the Recipient or to a category of third party describing the Recipient; and
(ii) obtained any necessary consents or authorisations required under applicable Data Protection Laws, contractual or other obligations to permit the Recipient to Process the Personal Data for the Permitted Purposes; - only disclose any Special Categories of Personal Data to the Recipient where necessary for the Permitted Purposes and then only having obtained the explicit prior consent of the relevant Data Subjects, or established (to the satisfaction of the Recipient) an alternative lawful basis for the disclosure; and
- be responsible for the security of any Personal Data whilst in transmission from the Discloser to the Recipient.
- Where acting as a Recipient, each Party shall:
- not Process Personal Data in a way that is incompatible with the Permitted Purposes (other than to comply with a requirement of applicable law to which Recipient is subject);
- not Process Personal Data for longer than is necessary to carry out the Permitted Purposes (other than to comply with a requirement of applicable law to which Recipient is subject); and
- taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, have in place appropriate technical and organisational security measures to protect the Personal Data against unauthorized or unlawful Processing, or accidental loss or destruction or damage.
- The Recipient shall notify the Discloser in writing (in accordance with any notice provision in the Agreement and by email (to Payoneer at privacy@payoneer.com; to Company at the address set out in the Agreement)) immediately following any Personal Data Breach involving the Personal Data.
- Each Party shall co-operate with the other, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to Data Subjects which are required following a Personal Data Breach involving the Personal Data.
- Each Party shall co-operate with the other, to the extent reasonably requested, in relation to:
- any Data Subject requests under applicable Data Protection Laws;
- any other communication from a Data Subject concerning the Processing of their Personal Data; and
- any communication from a Supervisory Authority concerning the Processing of Personal Data, or compliance with the Data Protection Laws.
- The Parties acknowledge that in Annex 1 they have fairly and accurately recorded the scope of Personal Data Processed under this Addendum.
- In respect of any EU Restricted Transfer, Payoneer and each Payoneer Affiliate (each as “data exporter”) and Company (as “data importer”) hereby enter into Module 1 of the EU Standard Contractual Clauses in respect of any transfer from Payoneer or any Payoneer Affiliate to Company or Company Affiliate, subject to the following changes :
- Clause 7 – Docking clause of Module 1 of the EU Standard Contractual Clauses shall not apply.
- Clause 11(a) – Redress of Module 1 of the EU Standard Contractual Clauses the optional language shall not apply.
- Clause 17 – Governing law of Module 1 of the Standard Contractual shall be that of the Republic of Ireland.
- Clause 18 – Choice of forum and jurisdiction of Module 1 of the Standard Contractual Clauses shall be the Republic of Ireland.
- Annex I of Module 1 shall be deemed completed with the details set out in Annex 1 to this Addendum and Annex II of Module 1 shall be deemed completed with the details set out in Annex 2 to this Addendum.
- In respect of any UK Restricted Transfer, Payoneer and each Payoneer Affiliate (each as “data exporter”) and Company (as “data importer”) hereby enter into the UK Standard Contractual Clauses in respect of any transfer from Payoneer or any Payoneer Affiliate to Company or Company Affiliate, subject to the following changes:
- Clause 7 – Docking clause of Module 1 of the EU Standard Contractual Clauses shall not apply.
- Clause 11(a) – Redress of Module 1 of the EU Standard Contractual Clauses the optional language shall not apply.
- Annex I of Module 1 shall be deemed completed with the details set out in Annex 1 to this Addendum and Annex II of Module 1 shall be deemed completed with the details set out in Annex 2 to this Addendum.
- Additional information for the IDTA shall be as follows:
(i) Table 1: Parties of the IDTA – shall be populated by the information in Annex 1 to this Addendum.
(ii) Table 2: Selected SCCs, Modules and Selected Clauses of the IDTA – the first tick box in the table shall be deemed to be ticked and the “Date” shall be the date on which the relevant transfer commences and the UK Standard Contractual Clauses come into force, pursuant to this Addendum.
(iii) Table 3: Appendix Information of the IDTA – shall be completed as follows:
— Annex 1A: List of Parties shall be populated by the information in Annex 1 to this Addendum.
— Annex 1B: Description of Transfer shall be populated by the information in Annex 1 to this Addendum.
— Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data shall be populated by the information in Annex 2 to this Addendum.
(iv) Table 4: Ending this Addendum when the Approved Addendum Changes of the IDTA – the tick box next to “neither Party” shall be deemed to be ticked.
- To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this Addendum, the terms of the Standard Contractual Clauses shall take precedence. In the event of any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail.
- Each Party shall maintain all necessary documentation to evidence its compliance with this Addendum and applicable Data Protection Laws.
- Each Party (the “Indemnifier”) shall indemnify, defend and/or settle and hold harmless the other (the “Indemnified”) against any loss or damage which the Indemnified may sustain or incur, in relation to any third party claim, to the extent such claim is based upon any breach by the Indemnifier of the provisions of this Addendum.
- For the avoidance of doubt, and to the extent permitted by applicable law, the indemnification in Section 13 applies, without limitation, to regulatory or other actions brought by any Supervisory Authority against the Indemnified to the extent such actions or investigation arises out of the Indemnifier’s breach of this Addendum and shall include any fines or penalties imposed by the Supervisory Authority to the extent such are due to the Indemnifier’s breach.
AS WITNESS this Addendum is entered into and becomes a binding part of the Agreement.
ANNEX 1 – DESCRIPTION OF PROCESSING
A. LIST OF PARTIES
MODULE ONE: Transfer controller to controller
Data exporter(s):
- Name: Payoneer Europe Ltd.
Address: 6th Floor, 2 Grand Canal Square, Dublin, Ireland
Contact person’s name, position and contact details: Nir Friedman – Data Protection Officer DPO@payoneer.com and/or Howard Gibbs – CEO Howardgi@payoneer.com.
Activities relevant to the data transferred under these Clauses: As described in the Agreement
Signature and date: Upon execution of this Addendum by the respective parties, data exporter is deemed to have signed the Standard Contractual Clauses incorporated herein, including their Annexes, as of the Addendum Effective Date
Role (controller/processor): Controller - Name: Payoneer Payment Services (UK) Limited
Trading name if different: N/A
Address: 37 Broadhurst Gardens, London, England, NW6 3QT, Ireland
Official registration number (if any) (company number or similar identifier): 12029160
Contact person’s name, position and contact details: Nir Friedman – Data Protection Officer DPO@payoneer.com and/or James Allum – CEO Jamesal@payoneer.com
Data importer(s):
- Name: As described in the Agreement
Trading name if different: As described in the Agreement
Address: As described in the Agreement
Official registration number (if any) (company number or similar identifier): As described in the Agreement
Contact person’s name, position and contact details: As described in the Agreement
Activities relevant to the data transferred under these Clauses: As described in the Agreement
Signature and date: Upon execution of this Addendum by the respective parties, data importer is deemed to have signed the Standard Contractual Clauses incorporated herein, including their Annexes, as of the Addendum Effective Date
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
MODULE ONE: Transfer controller to controller
Categories of data subjects whose personal data is transferred
Payees.
Categories of personal data transferred
First name, last name, email, phone, address, payee ID.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal Data will be Processed on a continuous basis, as set out in the Agreement and this Addendum
Nature of the processing
Payoneer is engaged to provide services to Company which involves the Processing of Personal Data by Payoneer and by Company, while each party shall act as an independent Data Controller. The scope of the services is set out in the Agreement.
Purpose(s) of the data transfer and further processing
For the performance of the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The personal data will be retained for the term of the Agreement subject to data retention periods under applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
N/A.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE ONE: Transfer controller to controller
Data Protection Commission (DPC) of Ireland.
ANNEX 2 — TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE ONE: Transfer controller to controller
EXPLANATORY NOTE:
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
[Examples of possible measures:
- Measures of pseudonymisation and encryption of personal data
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Measures for user identification and authorisation
- Measures for the protection of data during transmission
- Measures for the protection of data during storage
- Measures for ensuring physical security of locations at which personal data are processed
- Measures for ensuring events logging
- Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products
- Measures for ensuring data minimisation
- Measures for ensuring data quality
- Measures for ensuring limited data retention
- Measures for ensuring accountability
- Measures for allowing data portability and ensuring erasure]