Data Protection Controller Addendum for Direct Card Processing Products
This Data Protection Controller Addendum (this “Addendum”) applies to any product where a PayPal Group Entity (“PayPal”) is providing Braintree and other like card payment and gateway services and/or fraud maintenances tools to you, the Merchant (the “Merchant” or “You”). This addendum does not apply to PayPal branded wallet services such as Express Checkout or paying with the PayPal button. This Addendum shall form part of the relevant agreement between Merchant and PayPal which governs PayPal’s provision of the payment processing services to you (the “Agreement”). In the event there is any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall control. Capitalized terms used but not defined in this Addendum shall have the meaning set out in the Agreement.
This Addendum is effective as of the later of (i) the effective date specified in the Agreement or (ii) the effective date stated in the notice given to you in connection with an amendment to the Agreement or this Addendum. We may amend this Addendum at any time by posting a revised version on our website. The revised version will be effective at the time we post it. In addition, if we change the Addendum in a way that reduces your rights or increases your responsibilities, we will provide you prior written notice within the timeframe required by the Agreement by posting notice on the "Policy Updates" page of our website. We may also notify you of the change using email or other means. If you do not agree with any change to the Addendum, you may terminate your use of the Agreement at any time.
The following terms have the below meanings when used in this Addendum:
“Controller” means an entity that determines the purposes and means of the processing of Personal Data, or, if such term (or terms addressing similar functions) in defined in Data Protection Law, “Controller” shall have the meaning as defined in the applicable Data Protection Law.
“Customer” means your customers who use the payment processing services outside of the United States and for the purposes of this Addendum, are data subjects.
“Customer Data” means the Personal Data that (i) the Customer provides to Merchant and Merchant passes on to PayPal through the use by Merchant of the payment processing services and (ii) PayPal may collect from the Customer’s device and browser through use by Merchant of the payment processing services. Customer Data as used in this Addendum does not include Personal Data of Merchant’s U.S. customers.
“Data Protection Laws” means any applicable data protection laws, regulations, directives, regulatory requirements and codes of practice applicable to the provision of the payment processing services including any amendments thereto and any associated regulations or instruments (e.g., the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988 (Cth) the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap.486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 and the Personal Data Protection Act 2012 (Singapore)).
“PayPal Group Entity” means PayPal, Inc. and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls. Such entities shall include, without limitation, PayPal (Europe) S.à r. l. et Cie, S.C.A., PayPal do Brasil Serviços de Pagamentos Ltda., PayPal Australia Pty Limited, PayPal Hong Kong Ktd., PayPal Canada Co. and PayPal Pte. Ltd.
“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or terms addressing similar functions when used in this Addendum shall have the meaning as defined in the applicable Data Protection Laws.
PayPal As Data Controller
PayPal shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the use of Personal Data under this Schedule (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Personal Data) and shall not knowingly do anything or permit anything to be done with respect to the Personal Data which might lead to a breach by Merchant of the Data Protection Laws. PayPal shall only transfer Personal Data to third parties, sub-processors or members of the PayPal Group Entity for the purposes of providing the payment processing services and shall have written agreements with such third parties and sub-processors which contain terms for the protection of Customer Data, which are no less protective than the terms set out in this Addendum.
Processing of Personal Data in Connection with the Payment Processing Services
The parties acknowledge and agree that Merchant and PayPal are each independent Controllers in respect of all Personal Data Processed in connection with the payment processing services. As such, PayPal independently determines the purpose and the means of the Processing of such Personal Data and is not a joint Controller with Merchant with respect to such Personal Data.
The parties acknowledge and agree that PayPal is permitted to use, reproduce and Process Customer Data and payment transaction data for the following limited purposes:
- as reasonably necessary to provide and improve the payment processing services to Merchant and its Customers, including fraud protection tools;
- to monitor, prevent and detect fraudulent payment transactions and to prevent harm to Merchant, PayPal and to third parties,
- to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
- to analyze, develop and improve PayPal’s products and services;
- internal usage, including but not limited to, data analytics and metrics;
- to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Personal Data is not identifiable, including calculating your averages by region or industry;
- complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
- any other purpose that it notifies Merchant so long as such purpose is in accordance with Data Protection Laws.
Merchant Notice to Customers
The parties agree to co-operate with each other to the extent reasonably necessary to enable the other party to adequately discharge their responsibility as an independent Controller under Data Protection Laws. The parties agree that to the extent Merchant receives a subject access request or any exercise by a Customer of its rights under Data Protection Laws, Merchant shall respond to such Customer’s access request directly. Merchant also shall inform the Customer that they may exercise their data subject rights in connection with the payment processing services with PayPal according to the instructions described in the Privacy Statement available at www.braintreepayments.com for a Braintree customer and www.paypal.com for a PayPal customer. In addition, if in connection with any security incident, PayPal determines in its sole decision that it must notify affected Customers and PayPal does not have the necessary contact information about an affected Customer to make such communication, then Merchant shall use commercially reasonable efforts to provide PayPal with information about Customer that Merchant may possess for the limited purpose of PayPal’s compliance with applicable notification obligations regarding affected Customers under Data Protection Laws.
Cross Border Data Transfers
The parties agree that PayPal may transfer Personal Data Processed under this Agreement outside the country where it was collected as necessary to provide the payment processing services. If PayPal transfers Personal Data protected under this Addendum to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision, PayPal will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with applicable Data Protection Laws. For example, and for purposes of compliance with the GDPR, we rely on Binding Corporate Rules approved by competent supervisory authorities and other data transfer mechanisms for transfers of Customer Personal Data to other PayPal Group Entities.