February 14, 2023
This DPA will be superseded by the new unified DPA which will take effect as of 1st February 2024.
THIS ADDENDUM is deemed to be effective as per the Effective Date of the Technical Services Agreement or the Reseller Agreement, as case may be, entered into by the parties:
1. Source Ltd., a company registered and existing under the laws of Malta, bearing company registration number C64916 and having its registered address at Palazzo Homedes, 80 Strait Street, Valletta, Malta (hereinafter “Source” or “Provider” or “the Processor”); and
2. Client, as defined in the Technical Services Agreement or in the Reseller Agreement, as the case may be (hereinafter “Client” or “Reseller” or “the Controller”);
hereinafter collectively referred to as the “Parties”.
Whereas:
A. The Parties have entered into the Technical Services Agreement or into the Reseller Agreement on the Effective Date (hereinafter “the Agreement”); and
B. This Addendum shall be incorporated into and form an integral part of the Agreement. All other provisions as outlined in the Agreement and/or any other addenda, shall remain in full force and effect and unchanged; and
C. Definitions set out in the Agreement shall also apply in this Addendum unless the context otherwise expressly requires; and
D. All references in this Addendum to clauses are to the clauses in this Addendum unless otherwise stated; and
E. This Addendum defines the data processing relationship between the Parties and sets out the additional terms, requirements and conditions on which Source will process personal data for and on behalf of the Client when providing services under the Agreement. This Addendum contains the mandatory clauses required by Article 28(3) of the GDPR for contracts between controllers and processors.
The Parties have agreed as follows:
1. Definitions
The following capitalized terms shall bear the meaning ascribed thereto:
“Additional Terms” means the special terms and conditions relating to the use of Processor Data as updated from time to time and as set out in the appendices and/or addenda to the Agreement which will apply if the Controller has selected to use any additional products as part of the Provider Services which include the use of Processor Data.
“Controller Data” shall mean any Personal Data provided to Processor by the Controller for processing in accordance with the terms of the Agreement.
“Controller” means Client, which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the Controller (or the criteria for nominating the controller) may be designated by those laws.
“Data Protection Laws” means (i) all Maltese Data Protection Laws; (ii) GDPR and (iii) the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a Party; in each case as may be amended, supplemented or replaced from time to time.
“Data Subject” shall mean an identifiable natural person about whom a Controller holds Personal Data. For the purposes of the Agreement and this Data Processing Addendum, this may include an individual whose details are provided to Processor by the Controller as part of the Controller Data or whose details are contained within the Processor Data.
“Data Supplier” shall mean third party data suppliers of the Processor that provide Processor Data for use in Source Services.
“EEA” shall mean European Economic Area.
“GDPR” shall mean the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended, replaced or superseded from time to time, including any laws implementing or supplementing the GDPR.
“Maltese Data Protection Laws” means all applicable data protection and privacy legislation in force from time to time in Malta, including (i) the Data Protection Act, Chapter 586 of the Laws of Malta; (ii) the GDPR and (iii) all national implementing laws, regulations and secondary legislation applicable in Malta which relate to the processing of personal data, in each case as may be amended, supplemented or replaced from time to time.
“Personal Data” shall have the meaning set out in the GDPR.
“Privacy and Data Protection Requirements” shall refer to Data Protection Laws relating to the processing of personal data and privacy in any relevant jurisdiction, and any orders, guidelines and instructions issued by the relevant Supervisory Authority in Malta or the European Union.
“Processor” shall mean Source, which processes Personal Data on behalf and upon instruction of the Controller.
“Processor Data” means any Personal Data provided to Processor and/or the Controller by the Data Supplier or used within Source Services in accordance with the terms of the Agreement.
“Services” or “Provider Services” shall mean the Services provided by Source, as defined in the Agreement and the OTC (https://www.sourcepayments.com/legal/otc);
“Standard Contractual Clauses (SCC)” means the European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to processors established in third countries, as set out in the Annex to Commission Decision 2010/87/, and as may be amended, updated or replaced by the European Commission from time to time.
“Sub-processor” shall mean a natural or legal person, public authority, agency or any other body contracted by the Processor to process Personal Data for the purpose of carrying out a specific processing activity on behalf of the Controller.
“Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.
2. General
2.1 Subject to the clauses of this Addendum and any instructions that may be given from time to time in writing by the Controller, Source is hereby appointed by the Controller to process Personal Data solely for the purpose of supporting the provision of payment services (without entering at any time into possession of funds). Source shall not process any Personal Data for any reason or purpose that is outside the scope of the Services.
2.2 Both Parties warrant that they will comply with their respective obligations under the Privacy and Data Protection Requirements and the terms of this Data Processing Addendum.
3. Controller Obligations
3.1 The Controller warrants and represents that all instructions provided to Processor in relation to the Processing Data are lawful and shall as a minimum include: (a) The nature and purpose of the processing of the Data; (b) The types of Personal Data to be processed; and (c) The categories of Data Subjects to whom the Personal Data relates.
3.2 The Controller shall only provide instructions to Processor that are in accordance with the terms of the Agreement and this Addendum. Such instructions shall be limited to the subject matter of the Source Services under the Agreement, including any additional addenda or amendments in relation to additional products and services.
3.3 The Controller acknowledges that as Controller, it will determine the lawful processing condition upon which it shall rely in providing instructions to Processor to process Data for the purposes of carrying out the Services as set out in the Agreement, and that it shall stipulate what this lawful processing condition is to the Processor.
3.4 The Parties acknowledge and accept that processing of Personal Data shall be lawful only if and to the extent that at least one of the following conditions applies: (a) the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the Controller is subject; (d) processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; or (f) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a minor.
4. Processor Obligations
4.1 To the extent that the performance of the obligations of the Processor, and any supporting and/or ancillary activities, involves processing Personal Data provided by Controller, Source acting as Processor warrants and undertakes that it shall:
(a) only carry out processing of Personal Data in accordance with the written instructions provided by the Controller and only process same for the performance of the Services, including where relevant for transfers of EEA resident Personal Data outside the EEA or to an international organisation (unless Source is otherwise required to process Controller Data by European Union, Member State and/or Maltese law to which Source is subject, in which case Source shall inform the Controller of that legal requirement unless prohibited by that law on grounds of public interest), and shall immediately inform the Controller if, in the opinion of Source, any instruction given by the Controller to Source infringes Privacy and Data Protection Requirements;
(b) assist the Controller by taking appropriate technical and organisational measures, insofar as this is possible, with fulfilling its obligations in respect of Data Subject rights under Privacy and Data Protection Requirements;
(c) take all security measures required in accordance with Privacy and Data Protection Requirements (including, where relevant, Article 32 GDPR);
(d) where relevant for the processing of Personal Data provided by Controller and taking into account the nature of the processing and the information available to Source, use all measures to assist the Controller in ensuring compliance with the obligations of the Controller to: (i) keep Personal Data secure at all times; (ii) implement and maintain appropriate technical and organizational measures to protect against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of the Personal Data and against accidental or unlawful loss, destruction, alteration, disclosure or damage to the Personal Data, including but not limited to the security measures as set out in the Agreement (the Processor shall document such measures in writing and periodically review them to ensure they remain current and complete); (iii) notify and inform the Controller if it becomes aware of: (a) any accidental, unauthorised or unlawful processing of the Personal Data, (b) any personal data breach affecting or involving any Personal Data or (c) any security breach, network compromise, data leak or other such event (each a “Customer Data Breach”); and, in case of a Data Breach, do so no later than thirty-six (36) hours after having become aware of the incident or breach, as well as provide a written report containing any and all information necessary for compliance with data breach notifications to the Supervisory Authority and Data Subjects in accordance with Data Protection Laws;
(e) immediately following any incident or breach mentioned in Clause 4.1(d), the Parties shall co-ordinate with each other to investigate the matter;
(f) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller as set out in clause 6;
(g) in addition to the confidentiality obligations contained within the Agreement, ensure that persons authorised to process the Controller Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 On expiry or termination of the Agreement, Processor shall cease to use Personal Data provided by Controller and shall arrange for its safe return or destruction as shall be required by the Controller (unless European Union, Member State and/or Maltese law requires storage of any Personal Data contained within the Controller Data, or an exemption under the GDPR applies).
5. Use of Processor Data
Where the Controller uses or receives Data relating to Processor or provided by Processor, the Controller acknowledges that: (a) the Controller will take the same obligations as Processor towards Processor Data on reciprocal terms as those set out in Clause 4; (b) where relevant for the provision of Source Services under the Agreement, the Controller shall comply with the Additional Terms.
6. Audit Rights
6.1 Upon the Controller’s reasonable request, once a year, Source agrees to provide the Controller with any documentation or records (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) which will enable it to verify and monitor Source’s compliance with its data protection and security obligations under the terms of this Addendum, not less than sixty (60) Business days of receipt of such request, and to notify the Controller of the person within Source’s organisation who will act as the point of contact for provision of the information required by the Controller. Any costs incurred with respect to an audit will be borne by the Client, depending on the effort estimated by Source.
6.2 Where, in the reasonable opinion of the Controller, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR, the Controller will be entitled, upon providing thirty (30) days prior written notice to Source and upon reasonable grounds, to conduct an on-site audit of Source’s premises used in connection with the Service, solely to confirm compliance with its data protection and security obligations under this Data Processing Addendum. Any such audit will be limited in time and shall last no longer than three (3) business days, during business hours.
6.3 Any audit carried out by the Controller will be conducted in a manner that does not disrupt, delay or interfere with Source’s performance of its business. The Controller shall ensure that the individuals carrying out the audit fulfil the confidentiality obligations as, inter alia, set out in the Agreement and in this Addendum. Any costs incurred with respect to such an audit will be borne by the Client.
6.4 Source shall be entitled to carry out an audit of the Controller on reciprocal terms as those set out in clauses 6.1, 6.2 and 6.3.
7. Use of Sub-processors
7.1 The Controller provides its consent for Processor to use Sub-Processors in the delivery and performance of the Service. Where Processor uses third party Data Suppliers and where they are acting as a Sub-Processor in relation to the Controller Data, the Processor shall, where required by law, inform the Controller of any changes concerning the addition or replacement of a Sub-Processor and allow Controller fifteen (15) days to object to such changes. Should Controller object to Processor’s changes, it shall allow Processor to address Controller’s concerns and mitigate them. Where Controller’s objection persists, it may terminate its Agreement with Processor.
7.2 The Processor warrants and undertakes to be liable to the Controller in the event that the Sub-Processor fails to fulfil its data protection obligations and for all other actions and omissions of the Sub-Processor.
7.3 The Processor shall bind its Sub-Processors, validly appointed by the Processor in terms of this clause by means of a written contract that contains processing clauses and obligations substantially the same as those set out and imposed in this Addendum.
8. Transfers of EEA Resident Personal Data to Third Countries or International Organisations.
8.1 Processor shall not cause or permit any Controller Data belonging to an EEA resident to be transferred outside of the EEA unless such transfer is necessary for the purposes of Processor carrying out its obligations under the Agreement in which case, the provisions of this clause 8 shall apply.
8.2 Transfer subject to adequate safeguards: Subject to clauses 8.2 and 8.3, if an EEA resident’s Personal Data is to be processed outside of the EEA, Processor agrees to provide and maintain appropriate safeguards as set out in Article 46 GDPR to lawfully transfer the Personal Data to a third country.
8.3 Transfers based on adequacy decisions: Clause 8.1 shall not apply if the processing of the Personal Data is carried out in a country that the European Commission has considered as offering an adequate level of protection.
8.4 Subject to the above, where Personal Data originating in the EEA is processed by the Processor outside the EEA and in a territory that has not been designated by the European Commission as ensuring an adequate level of protection to data subjects (adequacy decision), the Processor and the Controller agree that the transfer of such personal data between the Processor and any Sub-Processor shall be subject to the Standard Contractual Clauses. The Client (acting as data exporter) hereby grants a non-revocable general mandate for the Processor to enter into and sign Standard Contractual Clauses for and on its behalf as Controller with any Sub-Processors (acting as data importers) located outside the EEA.
9. Security
For the avoidance of doubt, both Parties acknowledge that any provisions in relation to PCI DSS standards used in connection with the Source Services under the Agreement shall remain unchanged and in full force and effect.
10. Liability and Indemnification
Subject to the liability clauses in the Agreement, the Parties agree as follows:
10.1 The Processor shall only be acting upon the written instructions of the Controller and therefore the Controller shall be liable for the entire damage which may be incurred by the Processor where the Processor is acting upon the express written instructions of the Controller and in accordance with the provisions of this Agreement. If the Processor is required to pay full compensation for the damage suffered, it is entitled to claim back from the Controller that compensation which has been paid.
10.2 The Controller shall indemnify, defend, and hold the Processor harmless from and against any and all claims, actions, suits, demands, assessments, or judgments asserted, and any and all losses, liabilities, damages, costs, and expenses (including, without limitation, attorneys’ fees, accounting fees, and investigation costs to the extent permitted by law) alleged or incurred arising out of or relating to any operations, acts, or omissions of the indemnifying party or any of its employees, agents, and invitees in the exercise of the indemnifying party’s rights or the performance or observance of the indemnifying party’s obligations under this Agreement. Prompt notice must be given of any claim, and the Controller providing the indemnification will have control of any defence or settlement.
10.3 Processor shall be liable for the damage caused by the processing of Controller Data which infringes Data Protection Laws or this Addendum only where it has not complied with obligations of Data Protection Laws specifically directed to Processors or where it has acted in breach of its obligations under this Agreement. In that context, Source as Processor will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
11. Applicable Law and Jurisdiction
This clause is subject to the conditions stipulated in the corresponding clause in the Agreement.
12. Notice
Any notice or other communication to be given to Provider under or in connection with this Addendum must be in writing to DPO@Credorax.com. This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
13. Miscellaneous
Where applicable, the Parties agree that if, upon review following GDPR coming into force, the provisions of this Data Processing Addendum do not comply with GDPR then both Parties agree to cooperate in good faith to renegotiate the terms of this Data Processing Addendum to ensure compliance with GDPR.
The Parties hereto have caused this Addendum to be accepted and duly executed by the execution of the Agreement.
Annex A – Standard Contractual Clauses
Annex B – Description of Onward Transfer Under Standard Contractual Clauses Between Processor and Sub-Processor
This Annex forms part of the Standard Contractual Clauses and must be completed and signed between Data Exporter [Processor acting on behalf of Client] and Data Importer [Sub-Processors] located outside the EEA.
Data exporter
The data exporter is:
Transferring personal data for the provision of services as detailed in the Agreement.
Data importer
The data importer is:
Processing personal data to enable and facilitate the provision of the services detailed in the Agreement.
Data subjects
The personal data transferred concerns the following categories of data subjects:
Cardholders or shoppers of the Controller.
Categories of data
The personal data transferred concerns the following categories of data:
Encrypted credit card number, name, email, address, IP address and any other information transferred by the Controller.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
N/A
Processing operations
The personal data transferred will be subject to the following basic processing activities:
Processing, storing, analyzing, visualizing, and monitoring data.
Annex C – Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
This Annex forms part of the Clauses and must be completed and signed by the Parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Data encryption as required by the applicable PCI standards compliance program.