February 2022
This DPA will be superseded by the new unified DPA which will take effect as of 1st February 2024.
Data Processing Addendum (“Addendum” or “DPA”) for the processing of personal data between:
• Credorax Bank Ltd. (“Credorax” or “Member”)
AND
• Payment Facilitator (“Partner”) PF (as defined in the Payment Facilitator (“PF”) Agreement)
THIS DPA is deemed to be effective on the date of execution of the Payment Facilitator Agreement between Credorax and the Partner. The Payment Facilitator Agreement shall be referred to as a Partner Agreement (“Partner Agreement”) for the purposes of this Addendum between Credorax and the Partner;
hereinafter collectively referred to as the “Parties”
Whereas, the Parties have entered into the Partner Agreement whereby Credorax shall provide the Partner with certain Services (as defined in the Partner Agreement); and
Whereas, in the course of providing the Services, Credorax shall receive or have access to personal data collected by the Partner or on behalf of the Partner; and
Whereas, in accordance with the requirements of applicable Data Protection Laws, the Parties wish to set forth the terms governing the processing by Credorax of such personal data; and
Whereas, this Addendum will be effective, and shall replace any other addendums previously signed by both Parties prior to this Addendum; and
This Addendum defines the data processing relationship between the Parties and sets out the additional terms, requirements and conditions on which Credorax will process personal data for and on behalf of the Partner when providing services under the Partner Agreement. This Addendum contains the mandatory clauses required by Article 28(3) of the GDPR for contracts between controllers and processors.
Now therefore, the Parties have agreed as follows:
The following capitalized terms shall bear the meaning ascribed thereto: Capitalized terms not defined herein shall have the meaning ascribed to them in the Partner Agreement.
“Addendum” shall mean this Addendum in its entirety, including all schedules and annexes thereto, and any relevant and applicable guidelines, procedures, rules or conditions issued by Credorax, as the same may be amended from time to time.
“Account Data Compromise” or “ADC” is a definition introduced by the Card Schemes, which means an occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of account data or the unauthorized manipulation of account data controls, such as account usage and spending limits. ADC does not include Personal Data.
“Controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the Controller (or the criteria for nominating the Controller) may be designated by those laws.
“Data Breach” shall mean breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
“Data Protection Laws” shall mean (i) all Maltese Data Protection Laws; (ii) any other EU legislation relating to personal data; and (iii) all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data (including without limitation, the privacy of electronic communications); and (iv) the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a Party; in each case as may be amended, supplemented or replaced from time to time.
“Data Subject” shall have the same meaning as that ascribed to it under Data Protection Laws.
“GDPR” shall mean the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as in force and as amended, replaced or superseded from time to time, including any laws implementing or supplementing GDPR.
“Maltese Data Protection Laws” means all applicable data protection and privacy legislation in force from time to time in Malta, including (i) the Data Protection Act, Chapter 586 of the Laws of Malta; (ii) the GDPR; (iii) all national implementing laws, regulations and secondary legislation applicable in Malta which relate to the processing of personal data, in each case as may be amended, supplemented or replaced from time to time.
“Merchant” shall mean, either an Introduced Merchant, or Introduced Sub-Merchant, or Sub-Merchant, or Merchant, as may be defined in the Partner Agreement.
“Partner Data” shall mean any Personal Data provided to Credorax by the Partner or on its behalf, and it can include Personal Data of cardholders or any other type of shopper emanating from Merchant, and/or of individuals which are part of the Partner’s company, and/or Merchant’s company, including management, for processing in accordance with the terms of the Addendum.
“Personal Data” shall have the meaning set out in the GDPR.
“Potential Account Data Compromise” or “Potential ADC” is a definition introduced by the Card Schemes, which means an occurrence that could result, directly or indirectly, in the unauthorized access to or disclosure of account data or the unauthorized manipulation of account data controls, such as account usage and spending limits. Potential ADC does not include Personal Data.
“Privacy and Data Protection Requirements” shall refer to Data Protection Legislation relating to the processing of personal data and privacy in any relevant jurisdiction, and any orders, guidelines and instructions issued by the relevant Supervisory Authority in Malta or the European Union.
“Processor” shall mean a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Partner.
“Services” means the Services exchanged between Credorax and Partner, as specified in the Partner Agreement.
“Sub-Processor” means any person contracted by the Processor to process Personal Data for the purpose of carrying out a specific processing activity on behalf of the Controller in connection with the Services.
“Standard Contractual Clauses” or “SCC” means the European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to processors established in third countries, as set out in the Annex to Commission Decision 2010/87/EU, and as may be amended or replaced by the European Commission from time to time.
“Supervisory Authority” means the relevant government supervisory authority established by a Member State pursuant to Article 51 of GDPR.
a. Both Parties warrant that they will comply with their respective obligations under Data Protection Laws and the terms of this Addendum.
b. Subject to the provisions of the Partner Agreement and any instruction that may be given from time to time in writing by the Partner, Credorax is hereby appointed by the Partner to process Partner Data for the purpose of performing and fulfilling the Services as outlined in the same Partner Agreement which, by and large, consists of the provision of payment processing services provided by Credorax to Partner and its Merchants, via the Partner technical platform, according to regulatory and Card Scheme standards and requirements all as described in the Partner Agreement.
c. The Parties therefore acknowledge and agree that:
(a) for the purposes of Data Protection Laws, and unless otherwise specifically stated in the Partner Agreement, the Partner is the Controller and Credorax is the Processor; and
(b) subject to the provisions of the Partner Agreement, the Partner, at all times, retains control of the Merchant Data and, as the Controller, remains solely responsible for ensuring and maintaining compliance with any and all obligations which may be imposed upon Controllers of personal data under Data Protection Laws. This includes providing any required notices and mandatory information, obtaining any required consents from data subjects, and responsibility for any and all instructions which it may give from time to time.
The Partner warrants and represents to Credorax that:
(a) all Partner Data is obtained in accordance with EU Data Protection Laws and in particular, that where it has relied on consent as a means of processing personal data, it has obtained valid consent of the Data Subjects as required in terms of Data Protection Laws;
(b) all instructions given to Credorax in terms of this Addendum and the Partner Agreement shall at all times be in accordance with Data Protection Laws, and that the compliance, performance or execution of any and all such instructions will not, at any point in time, cause Credorax to be in breach of any Data Protection Laws;
(c) Partner hereby grants its express consent to Credorax communicating Transaction data to a payment scheme, issuing bank or other participating bank or a regulator provided it does so in accordance with applicable law and/or as required for the performance of the Agreement;
(d) it ensured, either directly or via agreements with Merchants, that the Data Subjects were provided with all necessary information about the Processing of the Personal Data in the context of the Partner Agreement as required by Data Protection Laws, including without limitation, information relating to the appointment of Processors transferring to, and processing personal information by, third parties which may retain or use the personal information for compliance with legal and regulatory requirements, provided to the Data Subject prior to the moment that the Data Subject provides the Partner Data to the Partner directly;
(e) it shall maintain all necessary policies and processes to authorise the access and processing of the relevant data in the full manner contemplated by this Addendum and the Partner Agreement;
(f) the Partner acknowledges that as Controller, it is solely responsible for determining the lawful processing condition upon which it shall rely in providing instructions to Credorax to process Partner Data for the purposes of carrying out the Credorax Services as set out in the Partner Agreement and that it shall stipulate what this lawful process is to the Processor;
(g) in case of a Data Breach affecting Partner Data, Partner shall notify Credorax immediately upon becoming aware of such Breach, including the details of the Data Breach and the affected records. Partner understands and agrees that Credorax is required to inform the Card Schemes of any Data Breach that is reported to Credorax by Partner. Partner shall also provide Credorax with any information which may be requested by Credorax, in accordance with the Card Scheme requirements.
(h) in case of an ADC event or a Potential ADC event in or affecting any system or environment of the Partner or Credorax, Partner shall notify Credorax immediately upon becoming aware of such event, including the details and the affected system or environment. Partner understands and agrees that Credorax is required to inform the Card Schemes of any ADC event or Potential ADC event that is reported to Credorax by Partner. Partner shall also provide Credorax with the information which may be requested by Credorax, in accordance with the Card Schemes’ requirements.
(a) Credorax shall only carry out processing of Personal Data in accordance with the written instructions provided by the Partner and any regulatory bodies and only process same for the performance of the Services, including where relevant for transfers of EEA resident Personal Data outside the EEA or to an international organisation (unless it is otherwise required to process Controller Data by European Union, Member State and/or Maltese law to which it is subject, in which case it shall inform the Controller of that legal requirement unless prohibited by that law on grounds of public interest), and shall immediately inform the Partner if, in the opinion of Credorax, any instruction given by the Partner to Credorax infringes Data Protection Laws and Privacy and Data Protection Requirements.
(b) Credorax shall comply with its obligations as Processor under the relevant Data Protection Laws.
(c) Credorax shall reasonably cooperate with Partner, at Partner’s cost, with fulfilling Partner’s obligations as Controller in respect of Data Subject rights under the Data Protection Laws.
(d) Credorax shall take all technical and security measures required pursuant to Article 32 of the GDPR.
(e) Where relevant for the processing of Personal Data provided by the Partner, and taking into account the nature of the processing and the information available to Credorax, Credorax shall use all measures to assist the Partner in ensuring compliance with the obligations of the Partner to: (i) keep Personal Data secure at all times; (ii) implement and maintain appropriate technical and organizational measures to protect against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of the Personal Data and against accidental or unlawful loss, destruction, alteration, disclosure or damage to the Personal Data, including but not limited to the security measures as set out in the Agreement. Credorax shall document such measures in writing and periodically review them to ensure they remain current and complete.
(f) In case of a Data Breach, Credorax shall within thirty-six (36) hours of becoming aware, inform the Partner of any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access or any other form of unauthorized processing, or of any disruptions endangering the security of the Data Subject’s Personal Data, or Partner Data transmitted, stored or otherwise processed. Credorax accepts and acknowledges that the Partner may take steps and measures to remedy a breach by Credorax under Data Protection Laws, including but not limited to any communications with a Supervisory Authority, unless otherwise required by law.
(g) On expiry or termination of the Partner Agreement, Credorax shall cease to use Partner Data and shall arrange for its safe return or destruction as shall be required by the Partner (unless European Union, Member States and/or Maltese Law requires storage of any Personal Data contained within the Partner Data or an exemption under GDPR applies).
(h) Credorax shall make available to the Partner all information necessary to demonstrate compliance with the obligations under Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
(a) Upon the Partner’s reasonable prior written request, once a year, Credorax agrees to provide the Partner with any documentation or records (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) which will enable it to verify and monitor Credorax’s compliance with its data protection and security obligations under the terms of this Addendum. Credorax shall provide such information within sixty (60) days of receipt of such request, and notify the Partner of the person within Credorax’s organization who will act as the point of contact for provision of the information required by the Partner.
(b) Where, in the reasonable opinion of the Partner, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR, the Partner will be entitled, upon providing thirty (30) days prior written notice to Credorax and upon reasonable grounds, to conduct an on-site audit of Credorax’s premises used in connection with the Service, solely to confirm compliance with its data protection and security obligations under this Addendum. Any such audit will be limited in time and shall last no longer than three (3) business days, during business hours.
(c) Any audit carried out by the Partner will be conducted in a manner that does not disrupt, delay or interfere with Credorax’s performance of its business. The Partner shall ensure that the individuals carrying out the audit are under the same confidentiality obligations as set out in the Partner Agreement. Any costs incurred with respect to such an audit will be borne by the Partner.
(d) Any audit right granted to Credorax under the Partner Agreement shall remain in full force and effect. In the event that there is no audit right in favour of Credorax or the audit right contained in the Partner Agreement in favour of Credorax is not sufficient to enable it to verify and monitor the Partner’s compliance with its data protection and security obligations under the terms of this Addendum, then, Credorax shall be entitled to carry out an audit of the Partner on reciprocal terms as those set out in this clause.
(a) The Partner hereby authorises and grants Credorax a general written authorization to appoint (and permit each Sub-Processor appointed in accordance with this provision to appoint) Sub-Processors in accordance with this provision and any restrictions contained in the Partner Agreement.
(b) Credorax shall notify the Partner of any changes concerning the addition or replacement of Sub-Processors, and allow Partner fifteen (15) days to object to such changes. Should Partner object to Credorax’s changes, it shall allow Credorax to address Partner’s concerns and mitigate them. Where Partner’s objection persists, it may terminate its Agreement with Credorax.
(c) Credorax warrants and undertakes to be liable to the Partner in the event that the Sub-Processor fails to fulfil its data protection obligations and for all other actions and omissions of the Sub-Processor.
(d) Credorax shall bind its Sub-Processors, validly appointed by Credorax in terms of this clause by means of a written contract that contains processing clauses and obligations substantially the same as those set out and imposed in this Addendum.
(a) Credorax shall ensure that all employees and other personnel who are given access to the Personal Data and/or Partner Data are adequately and responsibly informed of the confidential nature of the Personal Data and have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
(b) Furthermore, such employees shall be aware of Credorax’s duties and their personal duties and obligations under the relevant Data Protection Laws and this Addendum.
(a) The Parties hereby agree that Credorax may transfer personal data outside the EEA (i) on the basis of an adequacy decision; or (ii) subject to appropriate safeguards, both as contemplated under GDPR.
(b) In relation to point (ii) above, namely transfers of personal data subject to adequate safeguards, the Partner (acting as data exporter) hereby grants a non-revocable general mandate for Credorax to enter into and sign Standard Contractual Clauses for and on its behalf as Controller, or where applicable as Data Subject, with any Sub-Processors (acting as data importers) located outside the EEA.
(c) Subject to the above, where Personal Data originating in the EEA is processed by the Processor outside the EEA and in a territory that has not been designated by the European Commission as ensuring an adequate level of protection to data subjects (adequacy decision), the Processor and the Controller agree that the transfer of such personal data between the Processor and any Sub-Processor shall be subject to the Standard Contractual Clauses which shall be deemed to apply in respect of any and all such processing carried out by the Processor outside the EEA. The Processor shall ensure and hereby undertakes that it shall not commence or permit the commencement of any processing of Personal Data outside the EEA until both the relevant parties have confirmed that they have obtained any approvals required from relevant data protection authorities.
(a) For the avoidance of doubt, both Parties acknowledge that any provisions in relation to PCI-DSS Standards used in connection with the Credorax Services under the Partner Agreement shall remain unchanged and in full force and effect.
(b) Both Parties warrant and agree that each shall carry out and implement any and all security measures (technical and organisational) which may be necessary or otherwise mandated under Data Protection Laws (specifically with respect to Article 32 of the GDPR) to safeguard the privacy and security of the Personal Data and Partner Data, and that these measures shall remain in place for the duration of the Partner Agreement. This will include ensuring that there are sufficient technical and organisational measures to ensure data protection by default and by design.
Subject to the liability clauses in the Partner Agreement, the Parties agree that they will be held liable for violations of EU Data Protection Laws towards Data Subjects as follows:
(a) The Partner shall be liable for the damage caused by the processing of Partner Data which infringes EU Data Protection Laws or this Addendum only where it has not complied with obligations of EU Data Protection Laws specifically directed to Controllers.
(b) Credorax shall be liable for the damage caused by the processing of Partner Data which infringes Data Protection Laws or this Addendum only where it has not complied with obligations of Data Protection Laws specifically directed to Processors or where it has acted outside of or contrary to Partner’s lawful instructions. In that context, Credorax as Processor will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
(c) The Partner shall indemnify, defend, and hold Credorax harmless from and against any and all claims, actions, suits, demands, assessments, or judgments asserted, and any and all losses, liabilities, damages, costs, and expenses (including, without limitation, attorneys’ fees, accounting fees, and investigation costs to the extent permitted by law) alleged or incurred arising out of or relating to any operations, acts, or omissions of the indemnifying party or any of its employees, agents, and invitees in the exercise of the indemnifying party’s rights or the performance or observance of the indemnifying party’s obligations under this agreement. Prompt notice must be given of any claim, and the Controller providing the indemnification will have control of any defence or settlement.
This clause is subject to the conditions stipulated in the reciprocal clause in the Agreement.
Any notice or other communication relating directly to this Addendum is to be given in writing to DPO@Credorax.com. This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
Where applicable, the Parties agree that if, upon review following GDPR coming into force, the provisions of this Data Processing Addendum do not comply with GDPR then both Parties agree to cooperate in good faith to renegotiate the terms of this Data Processing Addendum to ensure compliance with GDPR.
The Parties hereto have caused this Addendum to be duly executed by accepting it under the terms of the Partner Agreement.
Annex A – Standard Contractual Clauses
Annex B – Description of Onward Transfer Under Standard Contractual Clauses Between Processor and Sub-Processor
This Annex forms part of the Standard Contractual Clauses which will be completed and signed between the Data Exporter [Processor acting on behalf of Partner] and the Data Importer [Sub-Processors] located outside the EEA.
Data exporter
The data exporter is:
Processing payment transactions data that includes Partner Data to provide the settlement services to Controller.
Data importer
The data importer is:
Processing payment transactions data that includes Partner Data to provide the settlement services to Controller.
Data subjects
The personal data transferred concern the following categories of data subjects:
Cardholders or buyers who are customers of Merchants.
Categories of data
The personal data transferred concerns the following categories of data:
1) Primary Account Number + CVV
2) Card type
3) Card Expiration Month
4) Card Expiration Year
5) Card Holder Full Name
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
N/A
Processing operations
The personal data transferred will be subject to the following basic processing activities:
1) Processing
2) Storing
3) Clear text data access
4) Transfer of personal data to Card Schemes
5) Transfer of encrypted Personal Data to anti-fraud monitoring service
Annex C – Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of The Data
This Annex forms part of the Clauses and must be completed and signed by the Parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Data encryption as required by the relevant PCI standards
Compliance program