This Data Processing Agreement (the “DPA”) defines the roles and responsibilities of the Parties for their respective processing of personal data and is an integral part of all business terms agreed between the Parties, including but not limited to OpenPayd Terms of Service, Service Specific Terms and/or Country Specific Terms (collectively “the Terms”).
The DPA shall override any other terms and any deviation thereof if and to the extent there is any conflict or inconsistency and shall survive the termination of all agreements between the Parties.
1. Definitions
For the purposes of this DPA, the terms defined below shall have the following meanings.
Data Protection Law means:
(i) the United Kingdom (UK) Data Protection Act 2018;
(ii) the European Union (EU) General Data Protection Regulation (GDPR) as revised and superseded from time to time;
(iii) EU Directive 2002/58/EC as updated by EU Directive 2009/136/EC;
(iv) the “UK GDPR” as retained in the UK Law after UK’s withdrawal from the EU, and as amended and supplemented from time to time; and
(v) any other laws and regulations relating to the processing of personal data which apply to a Party and, if applicable, the guidance and codes of practice issued by the relevant data protection or supervisory authority.
EEA means the European Economic Area.
UK means England, Scotland, Wales, and Northern Ireland.
Controller and Processor (or equivalent terms) have the meanings set forth under Data Protection Law.
Shared Data means the term in Section 5 – Controller to Controller terms of this DPA.
Processed Data means the term in Section 6 – Controller to Processor terms of this DPA.
Personal Data means all personal data that is processed by the Parties pursuant to or in connection with the Terms irrespective of their role, including Shared Data and Processed Data.
EU SCCs means the European Standard Contractual Clauses of EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021, incorporated by reference into this DPA and specified in Appendix 2.
UK Addendum means the UK International Data Transfer Addendum to the EU SCCs issued by the UK ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, incorporated by reference into this DPA and specified in Appendix 3.
Adequate Country means a country that is recognized by the European Commission and/or the Secretary of State of the UK under Data Protection Law providing adequate protection for Personal Data.
Adequacy Decision means a European Commission Decision and/or a decision of the Secretary of State of the UK that a third country or an international organization ensures an adequate level of data protection as defined in Data Protection Law.
Appropriate Safeguards means the standard of protection over the personal data and of data subjects’ rights, which is required by Data Protection Law when parties are making a third country transfer relying on standard data protection clauses Data Protection Law.
Lowercase terms used but not defined in this DPA such as “personal data”, “personal data breach”, “processing”, “data subject”, “data subject request” have the meanings set out in the Data Protection Law.
2. Changes and Compliance with Data Protection Law
OpenPayd and Customer shall comply with the provisions and obligations imposed by the Data Protection Law when processing Personal Data in connection with the Terms. Such processing shall be in respect of the types of Personal Data, categories of data subjects, nature and purposes, and duration, set out in the Appendix 1 to this DPA.
3. Roles and responsibilities
In providing the services under the Terms and otherwise complying with its obligations under the Terms, OpenPayd may act as a controller upon Customer’s onboarding and ongoing monitoring on OpenPayd’s platform, transaction screening, transaction monitoring, payments initiation, etc., and may also act as a processor of Personal Data in relation to processing activities performed under Customer’s documented instructions, such as technical support, user support and any other activities related to Customer’s use of OpenPayd’s platform that may be requested from Customer to OpenPayd from time to time. This DPA is divided into the following sections:
  • Section 4 Basic Terms – general data protection principles, applicable irrespective of the role.
  • Section 5 Controller Terms – applicable for controller-to-controller relationship between Customer and OpenPayd.
  • Section 6 Processor Terms – applicable for controller-to-processor relationship between Customer and OpenPayd.
4. Basic Terms
4.1. Contact details
Any queries relating to the protection of Personal Data shall be sent to OpenPayd’s DPO at [email protected].
4.2. Security of processing
OpenPayd and Customer shall process Personal Data in accordance with the general privacy principles and in compliance with Data Protection Law. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, they shall implement appropriate technical and organisational measures and procedures to ensure a level of security for such personal data appropriate to the risk, including the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access to the Personal Data.
OpenPayd and Customer shall adopt and maintain appropriate data protection, data privacy, information security and operational resilience policies in relation to the processing of the Personal Data and procure that the staff comply, at all times, with such policies. All staff shall be subject to confidentiality obligations which cover their processing the Personal Data.
OpenPayd and Customer are solely responsible for determination as to whether their technical and organisational measures implemented by each are adequate and meet the requirements of the Data Protection Law.
4.3. Data Transfers
OpenPayd and Customer shall not transfer any Personal Data to a country or a territory that is not deemed adequate, unless having in place Appropriate Safeguards.
OpenPayd and Customer shall each ensure that the Personal Data they disclose or otherwise transfer is accurate, and they have an appropriate lawful ground as set out in the Data Protection Law.
OpenPayd and Customer shall not disclose or transfer to each other any excessive or irrelevant personal data that is not required in connection with the provision or receipt of the services under the Terms.
4.4. Audits
Parties shall be able to demonstrate compliance and document and maintain accurate, complete, and up to date records of their processing activities in accordance with the requirements of the Data Protection Law.
Any audits and inspections shall be kept strictly confidential unless required otherwise by the relevant regulatory authority, in which case, to the extent legally permissible, OpenPayd and Customer shall give each other prior notice.
4.5. Purposes of processing of Personal Data
OpenPayd and Customer shall process the Personal Data only for the purposes of provision or receipt of the services under the Terms, including for compliance with their legal and regulatory obligations.
Personal Data shall be retained for no longer than is necessary for the above-mentioned purposes.
5. Controller-to-Controller Terms
Where OpenPayd and Customer process the Shared Data as independent controllers under or otherwise in connection with the Terms, the provisions set out in this Section 5 will apply to the processing of Shared Data, in addition to Section 4 Basic terms. In case of any conflict between the provisions in Section 4 and in Section 5, Section 5 will prevail.
5.1. Customer represents and warrants to OpenPayd that it has a lawful ground to disclose all Shared Data under or in connection with the Terms.
5.2. Customer and OpenPayd each acknowledge and agree that it acts as an independent data controller, or the equivalent under Data Protection Law in relation to the Shared Data it processes under or in connection with the Terms. Each shall comply with its respective obligations under the Data Protection Law.
5.3. Customer and OpenPayd shall each ensure that access to Shared Data is limited to Customer’s or OpenPayd’s staff, who have a reasonable need to access Shared Data to enable Customer and OpenPayd to perform its respective duties under the Terms.
5.4. If Customer or OpenPayd receive or become aware of any of the following, it shall notify without any undue delay the other Party of:
(i) any breach of security or unauthorised access to Disclosed Personal Data without undue delay after becoming aware of such incident; and
(ii) any complaint, inquiry or request from a data subject or data protection authority regarding Shared Data, unless such notice is prohibited by applicable law.
5.5. Customer and OpenPayd shall refrain from notifying or responding to any data subject or data protection authority on behalf of the other Party unless
(i) specifically requested to do so by the other Party in writing or
(ii) if required by the Data Protection Law.
5.6. Each Party acknowledges and agrees that the other Party, at its sole discretion, may disclose any Shared Data or other transaction-related information to the relevant regulatory authorities or to third parties in order to perform their obligations under the Terms and/or legal/regulatory obligations under the relevant law, including but not limited to anti-money laundering, fraud monitoring, sanctions, or as may otherwise be required by the relevant law or court order, for which the other Party shall be notified in advance that such disclosure has been made, if permitted by law.
Furthermore, such disclosure may be made without a prior notice to any regulatory authority that exercises regulatory or supervisory authority with respect to a Party’s operations, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such regulatory authority in the ordinary course of business.
5.7. In respect of its processing of Shared Data, each Party warrants, represents and undertakes that:
  1. it shall provide data subjects with all of the information, in a concise, transparent, easy to understand format using clear and plain language, required under the Data Protection Law to ensure that the data subjects understand how their personal data will be processed by the respective Party;
  2. it shall take all appropriate technical and organisational measures against unauthorised or unlawful processing of the Disclosed Personal Data and against accidental loss or destruction of, or damage to the Disclosed Personal Data, including (without limitation) by:
    1. taking reasonable steps to ensure the reliability of any staff who have access to the Shared Data;
    2. ensuring a level of security appropriate to the nature of the Shared Data and the risks that are presented by its processing.
    3. any data transfers of Shared Data to a country or a territory not deemed as an Adequate Country will be subject to Appropriate Safeguards.
5.8. Breach Notification
OpenPayd and Customer shall promptly notify, if required as per Data Protection Law, each other if they become aware of a personal data breach and provide reasonable assistance to each other to comply with their reporting obligations under the Data Protection Law.
6. Controller-to-Processor Terms
Where OpenPayd acts as a Processor in relation to the Processed Data under or otherwise in connection with the Terms, the provisions set out in this Section 6 will apply, in addition to Section 4 Basic terms. In case of any conflict between the provisions in Section 4 and in Section 6, Section 6 will prevail.
6.1. Documented instructions
OpenPayd shall, unless required to do otherwise by applicable law, process the Processed Data only on and in accordance with the Terms and any other documented instructions from Customer.
6.2. Confidentiality and Security
OpenPayd shall implement and maintain appropriate technical and organisational measures as defined in our Information Security Statement, and incorporated by reference to this DPA, to ensure a level of security of Processed Data appropriate to the risk required pursuant to Data Protection law and adequate protection of the Processed Data, having regard to the state of technological development and the cost of implementing any measures. Any subsequent versions of the Information Security Statement shall be applicable to this DPA and its content will be no less stringent than its previous version.
OpenPayd shall keep Processed Data confidential and will ensure its staff and Subprocessors are bound by the same confidentiality obligation.
6.3. Audits and Cooperation
OpenPayd shall reasonably co-operate and assist the Customer to comply with its obligations under the Data Protection Law, such as forwarding any data subject requests relating to Processed Data to Customer without undue delay, providing information for the processing of Processed Data in relation to data protection impact assessments, inspections, and notifications to data protection authorities.
On reasonable request and notice, OpenPayd will co-operate in the conduct of any audit or inspection, reasonably necessary to demonstrate OpenPayd’s compliance with its obligations as a processor under this DPA. Customer shall avoid causing any damage, injury, or disruption to OpenPayd’s equipment, staff and business in the course of such audit or inspection.
6.4. Breach Notification
In the event of a personal data breach concerning Personal Data processed by OpenPayd, OpenPayd shall notify the Customer without undue delay, after OpenPayd having become aware of the breach. Such notification shall contain, at least:
(a) description of the nature of the personal data breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);
(b) likely consequences of the personal data breach;
(c) measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects;
(d) the details of a contact point where more information concerning the personal data breach can be obtained.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. OpenPayd shall fully assist the Customer in assessing and notifying the personal data breach to the competent supervisory authority, and in complying with the obligation to communicate the personal data breach to the data subjects, where relevant.
6.5. Sub-processors
Customer generally agrees that OpenPayd may engage third party providers with regards to the Processed Data (“Sub-processors”). OpenPayd shall make available to Customer the current list of Sub-processors, attached as an Appendix 1 to this DPA.
If OpenPayd engages a new Sub-processor, OpenPayd must inform Customer of the intended engagement and Customer may object to the intended engagement of such new Sub-processor by notifying OpenPayd within 10 (ten) business days of the notification, provided that such objection must be on reasonable, substantial grounds, directly related to such new Sub-processor’s ability to comply with substantially similar obligations to those set out in this DPA. If Customer does not object, the engagement of the new Sub-processor shall be deemed accepted by Customer. OpenPayd shall ensure that the contract with each new Sub-processor shall impose obligations on the new Sub-processor that are substantially equivalent to the terms of this DPA.
With respect to each Sub-processor, OpenPayd shall enter into a written contract with the Sub-processor to ensure that at least the same level of protection will be given to Personal Data as that required by the Terms and this DPA and, in substance, the same data protection obligations as those binding OpenPayd under this DPA.
6.6. Data Transfers
OpenPayd may process Processed Data globally as necessary to perform the services under the Terms. To the extent such global access involves a third country transfer of Processed Data subject to cross-border transfer obligations under Data Protection Law within the OpenPayd group, OpenPayd’s Intragroup Data Transfer Agreement will apply.
If and to the extent the processing of Processed Data involves a transfer of Processed Data to Sub-processor or other business partners located outside of the UK and the EEA, the Parties agree that Processed Data may only be transferred, if:
(a) the transfer is to a jurisdiction for which an appropriate EU and/ or UK Adequacy Decision has been issued and subject to the terms of that Adequacy Decision;
(b) in the absence of an Adequacy Decision, the transfer is subject to Appropriate Safeguards.
6.7. Return and deletion of data 
On termination of the Terms, and Customer’s written request, OpenPayd will return any Processed Data to the Customer or securely destroy it to the extent legally permissible (i.e. storage of Processed Data is required by the relevant Laws, in which case OpenPayd will be entitled to retain the same in accordance with the relevant Laws).
Appendix 1
Categories of data subjects whose Personal Data is processed by OpenPayd
  • Customer and customer’s clients, directors, shareholders, employees, as applicable, including any other individuals about whom Personal Data is provided by or at Customer’s direction, and anyone whose Personal Data is provided by Customer and/or associated with Customer that OpenPayd processes on behalf of Customer in connection with the services under the Terms
Categories of personal data processed by OpenPayd
  • Identity data, contact data, transaction screening and transaction monitoring data, payments data, user account and credentials data, user location data, as applicable for the services under the Terms
Nature and purpose for which the personal data is processed on behalf of the controller
  • Processing of Personal Data such as collection, use, storage, combination, erasure, transmission, disclosure, or otherwise making available, and any other operation necessary for provision of the services under the Terms
Frequency and Duration of the processing
  • On continuous basis for the duration of the Terms
  • For the duration of the Terms and for such time as required by the applicable law.
For processing by (sub-)processors, also specify subject matter, nature and duration of the processing
  • Same as above
Technical and organizational measures, including measures to ensure the security of data
  • As specified in the Information Security Statement
List of Sub-processors:
Appendix 2
To the extent legally required, by signing this DPA, Customer and OpenPayd are deemed to have signed the EU SCCs as an additional safeguard, which form part of this DPA and will be deemed completed as follows: Module 1 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to OpenPayd (as a Controller) and Module 2 applies to transfers of Personal Data from Customer (as a Controller) to OpenPayd (as a Processor). Clause 7 of the EU SCCs (the optional docking clause) is included. For Module 2, under Clause 9 of the EU SCCs, the Parties select Option 2 (General written authorization). OpenPayd shall specifically inform the Customer in writing of any intended changes to the list through the addition or replacement of sub-processors at least 10 (ten) business days in advance, thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). Under Clause 11 of the EU SCCs, the optional language requiring that Data Subjects are permitted to lodge a complaint with an independent dispute resolution body shall be deemed to be included. Under Clause 17 of the EU SCCs, the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland. Under Clause 18 of the EU SCCs (Choice of forum and jurisdiction), the Parties select the courts of Ireland. Annex I(A) and I(B) is completed as set forth in Appendix 1. Under Annex I(C), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission; Annex II is completed as provided in the Information Security Statement. Annex III is completed as provided in Appendix 1 of this DPA for clarity
Appendix 3
With respect to Personal Data transferred from the UK, the UK Addendum to the EU SCCs forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK Addendum. The UK Addendum shall be deemed complete as follows: The Parties’ details shall be the Parties and their Affiliates to the extent any of them are involved in such transfer and are specified in the Terms; The Key Contacts shall be the contacts set forth in the Terms; The Approved EU SCCs referenced in Table 2 of the UK Addendum shall be the EU SCCs as executed by the Parties; Personal data received from the exporter can be combined with personal data collected by the importer. Annex I(A) and I(B) is completed as set forth in Appendix 1. Annex II is completed as provided in the Information Security Statement. Annex III is completed as provided in Appendix 1 of this DPA for clarity. Either Party may end this DPA as set out in Section 19 of the UK Addendum. By entering into this DPA, the Parties are deemed to be signing the UK Addendum.