This Data Processing Agreement (“Agreement”) is made as of the date of the Corefy Customer Agreement (“Effective Date”) by and between: the Data Controller (the Company), being a party to the Corefy Customer Agreement (referred to in the Corefy Customer Agreement as the “Customer”), and the Data Processor, being PayCore.io Limited, a legal entity incorporated under the laws of England and Wales, registration number 11654625, located at 25 Cabot Square, Office 11.01, 11th Floor, London, England, E14 4QZ, United Kingdom, ICO registration number ZA476916 (together the “Parties”).
WHEREAS
-
A.
The Company acts as a Data Controller.
-
B.
Under the Corefy Customer Agreement (“Services Agreement”) the Company subcontracts certain Services, which imply the processing of personal data as further specified in Annex A, to the Data Processor.
-
C.
The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
-
D.
The Parties wish to lay down their rights and obligations.
-
E.
This agreement consists of the following parts:
-
a. Data Processing Agreement
-
b. Annex A (Details of Processing Company’s Personal Data), being incorporated in section 15 hereof
-
c. Annex B (Technical and organizational security measures), being incorporated in section 16 hereof
IT IS AGREED AS FOLLOWS:
-
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
-
1.1.
“Agreement” means this Data Processing Agreement and all Annexes;
-
1.2.
“Company’s Personal Data” means any Personal Data Processed by a Processor and/or Sub-processor on behalf of Company pursuant to or in connection with the Services Agreement;
-
1.3.
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
-
1.4.
“EEA” means the European Economic Area;
-
1.5.
“EU Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR;
-
1.6.
“EU Standard Contractual Clauses” means the terms pursuant to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
-
1.7.
“GDPR” means EU General Data Protection Regulation 2016/679;
-
1.8.
“Data Transfer” means: a transfer of Company Personal Data from the Company to a Sub-processor; or an onward transfer of Company Personal Data from a Sub-processor to another Sub-processor where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
-
1.9.
“Services” means the services the Data Processor provides;
-
1.10.
“Sub-processor” means any person appointed by or on behalf of a Processor to process Personal Data on behalf of the Company in connection with the Agreement.
-
1.11.
The terms, “Commission”, “Controller”, “(Data) Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
-
2. Processing of Company Personal Data
Processor shall:
-
comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
-
process Company’s Personal Data only for the purposes of the Services Agreement and only in accordance with the written instructions of the Company in respect of such Personal Data, and not for any other purpose or in any other manner, unless specifically instructed by the Company in writing to do so. The management and administration services provided by the Data Processor under the Services Agreement reflect the processing instructions of the Company. In the event that the Data Processor is required by Data Protection Laws to process Personal Data for any other purpose or in any other manner, the Data Processor shall inform the Company of that legal requirement before processing, unless the applicable law prohibits such information on important grounds of public interest;
-
and where applicable, assist the Company in connection with its obligations as regards
-
a.
the security of processing,
-
b.
notification of Company’s Personal Data Breaches to the supervisory authority,
-
c.
communication of a breach to a Data Subject,
-
d.
the conduct of data protection impact assessments (and, where required by Data Protection Laws, prior consultation with the relevant Supervisory Authority in respect of any such data protection impact assessment);
-
3. Reliability and Non-Disclosure
Processor shall take all reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor or of any Sub-processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company’s Personal Data, as strictly necessary for the purposes of the Agreement and to comply with applicable laws in the context of that individual’s duties to the Processor or Sub-processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Processor must ensure that all individuals who process Company’s Personal Data:
-
Are informed of the confidential nature of the Company’s Personal Data and are aware of Processor's obligations under this Agreement and the Services Agreement in relation to the Company’s Personal Data;
-
Have undertaken appropriate training and/or certifications in relation to the Data Protection Laws or any other training and/or certifications requested by the Company;
-
Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
-
Are subject to user authentication and login processes when accessing the Company’s Personal Data in accordance with this Agreement, the Services Agreement and the applicable Data Protection Laws.
-
4. Personal Data Security
-
4.1.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
-
4.2.
Such measures must ensure a level of security appropriate to the risk of processing the Company’s Personal Data, including as appropriate, measures which:
-
include pseudonymisation and encryption of Company’s Personal Data;
-
ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
-
enable the availability of, and access to, Company’s Personal Data to be restored in a timely manner in the event of a physical or technical incident or disaster; and
-
incorporate periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of records containing Company’s Personal Data and a process for regularly testing, assessing and evaluating the effectiveness of its security measures;
-
4.3.
In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
-
5. Sub-processing
Data Processor shall be permitted to appoint a Sub-processor to process Company’s Personal Data provided that:
-
5.1.
Data Processor enters into a written contract with the Sub-processor on equivalent terms to those set out in this Data Processing Agreement;
-
5.2.
the Processor shall keep up to date the list of its Sub-processors available at https://corefy.com/list-of-sub-processors; the agreements with Sub-processors are published online on the websites of the respective Sub-processors;
-
5.3.
where a Sub-processor fails to fulfil its data protection obligations, Data Processor shall remain fully liable to the Company for the performance of the Sub-processor’s obligations;
-
5.4.
Data Processor carries out adequate due diligence on each Sub-Processor to ensure that it can provide the level of protection for Company Personal Data, including without limitation, sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR, this Agreement, the Services Agreement and the applicable Data Protection Laws; and
-
5.5.
insofar as the contract with a Sub-processor involves the transfer of Company Personal Data outside of the EEA, Data Processor incorporates the EU Standard Contractual Clauses, or such other transfer mechanism as directed by the Company, into the contract between the Processor and that Sub-processor to ensure the adequate protection of the transferred Company Personal Data.
-
6. Data Subject Rights
The Company is primarily responsible for handling and responding to requests made by data subjects.
Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company’s obligations, as reasonably understood by the Company, to respond to requests by Data Subjects to exercise their rights of access, rectification, restriction of processing, erasure and data portability, their right to object to processing, and their right not to be subject to automated individual decision-making. With regard to Data Subject rights, Processor shall:
-
promptly notify the Company if any Processor or Sub-processor receives a request from a Data Subject under any applicable laws with respect to Company’s Personal Data;
-
ensure that Processor or Sub-processor does not respond to that request, except on the documented instructions of the Company, or as required by Data Protection Laws to which Processor or Sub-processor is subject, in which case Processor shall, to the extent permitted by Data Protection Laws, inform the Company of that legal requirement before the Processor or Sub-processor responds to the request.
-
7. Personal Data Breach
-
7.1.
Processor shall notify Company without undue delay, and in any event not later than twenty-four (24) hours, after Processor becomes aware of a Personal Data Breach affecting Company’s Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report the Personal Data Breach to the Supervisory Authority or to inform Data Subjects of it under the Data Protection Laws. Such notification shall as a minimum:
-
Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
-
Describe the estimated risk and the likely consequences of the Personal Data Breach;
-
Describe the measures taken or proposed to be taken to address the Personal Data Breach; and
-
If applicable communicate the name and contact details of the Processor's Data Protection Officer, Privacy Officer or other relevant contact from whom more information may be obtained.
-
7.2.
Processor shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
-
7.3.
In the event of a Personal Data Breach, the Processor shall not inform any third party without first obtaining the Company’s prior written consent, unless notification is required by Data Protection Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by such law, inform the Company of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Company before notifying the Personal Data Breach.
-
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by the Processor and its Sub-processors, and taking into account the nature of the Processing and the information available to them.
-
9. Erasure or return of Company Personal Data
Data Processor shall promptly and, in any event within sixty (60) calendar days of the earlier of: (i) cessation of Processing of Company Personal Data by Processor; or (ii) termination of the Services Agreement, at the choice of Company (such choice to be notified to Processor in writing) either:
-
Return a complete copy of all Company Personal Data to the Company by secure file transfer in such format as notified by the Company to the Processor and securely erase all other copies of Company Personal Data Processed by the Processor or any Sub-processor; or
-
Securely wipe all copies of Company Personal Data Processed by Processor or any Sub-processor.
-
The Processor must provide a written certification to the Company that it has complied fully with the requirements of this section 9 of this Agreement.
-
10. Audit rights
Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Processor and its Sub-processors.
Information and audit rights of the Company only arise under this section 10 to the extent that the Services Agreement does not otherwise give the Company information and audit rights meeting the relevant requirements of Data Protection Laws.
-
11. Data Transfer
Data Processor may, in performing its obligations under this Agreement, transfer Personal Data to countries outside the EEA only to the extent that:
-
a. the Company has provided its prior written approval; or
-
b. such country provides an adequate level of protection as contemplated by Data Protection Laws; or
-
c. Data Processor has put in place adequate safeguards to protect the Company’s Personal Data, as required by Data Protection Laws, such as by ensuring that any such transfer of Personal Data is governed by the EU Standard Contractual Clauses (as amended, restated and adopted from time to time by the European Commission).
The Company (as "data exporter") and the Data Processor (as "data importer") hereby enter into, as of the Effective Date, the EU Standard Contractual Clauses, as set out in Annex B, attached hereto and which are incorporated by reference and constitute an integral part of this Agreement. The Parties are deemed to have accepted and executed the EU Standard Contractual Clauses in their entirety, including the appendices.
-
12. Liability
Processor shall be fully liable to the Company for any breach of the Services Agreement or this Agreement, and the obligations set out therein, in accordance with the Data Protection Laws.
-
13. Indemnification
Processor agrees to indemnify and hold harmless Company and its officers, directors, employees, agents, affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind which Company may sustain as a consequence of any breach by the Processor (or the Sub-processors, as the case may be) of the provisions of this Agreement and its appendices.
-
14. General Terms
Subject to this section, the Parties agree that this Agreement and the Standard Contractual Clauses shall terminate automatically upon termination of the Services Agreement or expiry or termination of all service contracts entered into by the Processor with the Company, pursuant to the Services Agreement, whichever is later.
This Agreement, excluding the Standard Contractual Clauses, shall be governed by the laws of the state in which the Controller is incorporated. Any breach of this Agreement shall constitute a material breach of the Services Agreement.
With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including but not limited to the Services Agreement, the provisions of this Agreement shall prevail with regard to the Parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the European Union.
Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either
-
amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible,
-
construed in a manner as if the invalid or unenforceable part had never been contained therein.
Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
-
disclosure is required by law;
-
the relevant information is already in the public domain.
All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as notified from time to time by a Party changing its address.
Any notice sent by email shall be deemed delivered on the next business day. Any notice sent by registered mail or courier service shall be deemed delivered on the fifth (5th) business day after dispatch.
-
15. Annex A. Details of Processing Company’s Personal Data
Further details of the Processing, in addition to the ones laid down in the Services Agreement and this Agreement, include:
-
15.1.
The subject matter of the Processing of Company’s Personal Data pertains to the provision of Services, as requested by the Company.
-
15.2.
The duration of the processing of Company’s Personal Data is generally determined by the terms of this Agreement and the Services Agreement, respectively, in the context of the contractual relationship between the Company and the Data Processor.
-
15.3.
The nature and purpose of the Processing of Company’s Personal Data pertain to the provision of Services under the Services Agreement.
The categories of Data Subjects whose Personal Data will be Processed by the respective Processor include:
-
Clients of the Company
-
Consumers (end-users of the Company’s Service)
-
Users of the Company’s account (Client’s employees)
The types of Personal Data that will be Processed by the respective Processor:
-
Data provided by the client: full name, date of birth, email, phone number, position, company name, merchant ID.
-
Data provided by the user: name, phone number, email, and company name.
-
Data provided by the consumer: name, surname, geolocation, address, device hash, email, phone number, tax number, payment information.
-
Technical data: IP address, UTM parameters, geolocation, device type, browser type, cookies, and session ID.
-
a. full name includes name, parental name and surname
-
b. contact details include phone, address and email
-
c. payment information includes bank details, bank card details, bank ID.
-
d. session ID includes interaction with the site, the name of the site from which the user came to our site, the functions used, the pages viewed on our site, the way our site is used, and the actions taken, if any.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
-
Personal data processing:
-
a. Collection of data via website and customer form
-
b. Structuring data according to business objectives
-
c. Database compilation
-
d. Creating client’s account and sub-accounts
-
e. Preparation of the necessary documentation
-
f. Storage of personal data in the terms and conditions prescribed in the privacy policy
-
Administration:
-
a. Setting up a client’s account
-
b. Administration of participants in the client's account
-
c. Training of client's employees, assistance in work tasks
-
d. End user data monitoring (client’s users)
-
Technical support:
-
a. Solving technical problems from the client's account
-
b. Answering questions, checking client account
-
c. Elimination of deficiencies and problems.
-
16. Annex B. Technical and organizational security measures
Description of the technical and organizational security measures implemented by the data importer (data processor) in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
-
Encryption of personal data
-
Limited access to data
-
Securing working device with a password
-
Signing of the NDA
Liability
The Parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.
Indemnification is contingent upon:
-
the data exporter promptly notifying the data importer of a claim; and
-
the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim.
IN WITNESS WHEREOF, this Agreement is entered into with effect from the Effective Date by the Parties to the Corefy Customer Agreement.