PayPal Data Protection Addendum for Card Processing Products
Last update: September 10, 2021
This PayPal Data Protection Addendum for Card Processing Products (this “Addendum”) applies to any product, service or other offering where a member of the PayPal Group (“PayPal”) is providing card processing, gateway and/or fraud protection services (the “Payment Services”) to you, the Merchant (the “Merchant” or “You”). This Addendum does not apply to PayPal wallet services such as pay with PayPal or PayPal’s pay later offers. This Addendum shall form part of the relevant agreement between Merchant and PayPal which governs PayPal’s provision of the Payment Services to you (the “Agreement”). In the event there is any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall control. Capitalized terms used but not defined in this Addendum shall have the meaning set out in the Agreement.
This Addendum is effective as of the later of (i) the effective date specified in the Agreement or (ii) the effective date stated in the notice posted or provided to you in connection with this Addendum. We may amend this Addendum from time to time by. The revised version will be effective at the time we post it on our website, unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will post a notice on the “Policy Updates” page of our website within the timeframe required by the Agreement. If you do not agree with any change to the Addendum, you may discontinue your use of the Payment Services at any time.
The following terms have the below meanings when used in this Addendum:
“Controller” means an entity that determines the purposes and means of the processing of Personal Data, or, if such term (or terms addressing similar functions) is defined in Data Protection Law, “Controller” shall have the meaning as defined in the applicable Data Protection Law.
“Customer” means your customers who use the Payment Services and for the purposes of this Addendum, are data subjects.
“Customer Data” means the Personal Data that (i) the Customer provides to Merchant and Merchant passes on to PayPal through the use by Merchant of the Payment Services and (ii) PayPal may collect from the Customer’s device and browser through use by Merchant of the Payment Services.
“Data Protection Laws” means any applicable data protection laws, regulations, directives, regulatory requirements and codes of practice applicable to the provision of the Payment Services including any amendments thereto and any associated regulations or instruments (e.g., the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq., the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988 (Cth), the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap. 486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 and the Personal Data Protection Act 2012 (Singapore)).
“PayPal Group” means PayPal, Inc. and all companies that PayPal or its successor directly or indirectly from time to time owns or controls.
“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or terms addressing similar functions when used in this Addendum shall have the meaning as defined in the applicable Data Protection Laws.
PayPal As A Controller
PayPal shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the Processing of Customer Data under this Addendum (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Customer Data) and shall not knowingly do anything or permit anything to be done with respect to the Customer Data that likely would lead to a breach by Merchant of the Data Protection Laws. PayPal shall only transfer Customer Data to third parties, sub-processors or members of the PayPal Group who shall sign written agreements which contain terms for the protection of Customer Data, which are no less protective than the terms set out in this Addendum.
Processing of Customer Data in Connection with the Payment Processing Services
The parties acknowledge and agree that Merchant and PayPal are each independent Controllers in respect of all Customer Data Processed in connection with the Payment Services. As such, PayPal independently determines the purpose and the means of the Processing of such Customer Data and is not a joint Controller with Merchant with respect to such Customer Data.
The parties acknowledge and agree that PayPal is permitted to use, reproduce and Process Customer Data and payment transaction data for the following limited purposes:
- as reasonably necessary to provide and improve the Payment Services to Merchant and its Customers, including fraud protection tools;
- to monitor, prevent and detect fraudulent payment transactions and to prevent harm to Merchant, PayPal and to third parties;
- to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
- to analyze, develop and improve PayPal’s products and services;
- internal usage, including but not limited to, data analytics and metrics;
- to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Customer Data is not identifiable, including calculating your averages by region or industry;
- complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
- any other purpose that it notifies Merchant so long as such purpose is in accordance with Data Protection Laws.
Merchant Notice to Customers
The parties agree to co-operate with each other to the extent reasonably necessary to enable the other party to adequately discharge their responsibility as an independent Controller under Data Protection Laws. The parties agree that to the extent Merchant receives a subject access request or any exercise by a Customer of its rights under Data Protection Laws, Merchant shall respond to such Customer’s access request directly. Merchant also shall inform the Customer that they may exercise their data subject rights in connection with the Payment Services with PayPal according to the instructions described in the Privacy Statement available at www.paypal.com. In addition, if in connection with any security incident, PayPal determines in its sole discretion that it must notify affected Customers and PayPal does not have the necessary contact information about an affected Customer to make such communication, then Merchant shall use commercially reasonable efforts to provide PayPal with information about the Customer that Merchant may possess for the limited purpose of PayPal’s compliance with applicable notification obligations regarding affected Customers under Data Protection Laws.
Cross Border Data Transfers
The parties agree that PayPal may transfer Customer Data Processed under this Agreement outside the country where it was collected as necessary to provide the Payment Services. If PayPal transfers Customer Data protected under this Addendum to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision, PayPal will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with applicable Data Protection Laws. For example, and for purposes of compliance with the GDPR, we rely on Binding Corporate Rules approved by competent supervisory authorities and other data transfer mechanisms for transfers of Customer Data to other members of the PayPal Group.
With respect to your data transfers to PayPal of your Customers located in the European Union, Switzerland, the European Economic Area, and/or their member states and the United Kingdom, we each agree that (i) your signing of the Agreement will be deemed to be signature and acceptance of the Controller to Controller Standard Contractual Clauses approved by EC Commission Decision of 27 December 2004 (C(2004)5721) (“C2C Transfer Clauses”) by Merchant, as the data exporter and (ii) PayPal’s signature of the Agreement will be deemed to be signature and acceptance of the C2C Transfer Clauses by PayPal, as the data importer. In the event the European Commission revises and thereafter publishes new C2C Transfer Clauses or as otherwise required or implemented by the European Commission, the parties agree that such new C2C Transfer Clauses will supersede the present C2C Transfer Clauses. The C2C Transfer Clauses will be incorporated into the Agreement by reference and will be considered duly executed between the parties upon entering into force of this Agreement subject to the following details:
- PayPal agrees it will process the Customer Data in accordance with Set II, clauses II(h)(iii) of the C2C Transfer Clauses and by signing the Agreement it will be deemed to duly initial and accept such clause II(h)(iii); and
- The parties agree that the details required under the C2C Transfer Clauses Annex B are as set forth on Attachment 1.
C2C Transfer Clauses Annex B
The personal data transferred concern the following categories of data subjects:
The data exporter and its Customers.
Purposes of the transfer(s)
The transfer is made for the following purposes:
Performance of the services provided by data importer to data exporter in accordance with the Agreement.
Categories of data
The personal data transferred may include the following categories of data:
Customer name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status, unique customer identifier, IP address, location, and any other data received by PayPal under the Agreement.
The personal data transferred may be disclosed only to the following recipients:
The importer’s service providers, affiliates, and personnel performing services in accordance with the Agreement.
Sensitive data (if appropriate)
The personal data transferred concern the following categories of sensitive data:
Not applicable, unless Merchant configures the service to capture such data.
Data protection registration information of data exporter (where applicable)
Additional useful information (storage limits and other relevant information)
As set forth in the Agreement.
Contact points for data protection enquiries
Data importer: Contact points for Data importer can be found in the Agreement.
Data exporter: Contact points for Data exporter can be found in the Agreement.