For the purposes of this DPA, the terms defined below shall have the following meanings.
Data Protection Law means:
(i) the United Kingdom (UK) Data Protection Act 2018;
(ii) the European Union (EU) General Data Protection Regulation (GDPR) as
revised and superseded from time to time;
(iii) EU Directive 2002/58/EC as updated by EU Directive 2009/136/EC;
(iv) the “UK GDPR” as retained in the UK Law after UK’s withdrawal from the
EU, and as amended and supplemented from time to time; and
(v) any other laws and regulations relating to the processing of personal
data which apply to a Party and, if applicable, the guidance and codes of practice issued by
the relevant data protection or supervisory authority.
EEA means the European Economic Area.
UK means England,
Scotland, Wales, and Northern Ireland.
Controller and Processor (or equivalent terms) have
the meanings set forth under Data Protection Law.
Shared Data means the term in Section 5 – Controller to
Controller terms of this DPA.
Processed Data means the term in Section 6 – Controller to
Processor terms of this DPA.
Personal Data means all personal data that is processed by
the Parties pursuant to or in connection with the Terms irrespective of their role,
including Shared Data and Processed Data.
EU SCCs means the European Standard Contractual Clauses of
EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021, incorporated by reference
into this DPA and specified in Appendix 2.
UK Addendum means the UK International Data Transfer
Addendum to the EU SCCs issued by the UK ICO and laid before UK Parliament in accordance
with s119A of the Data Protection Act 2018 on 2 February 2022, incorporated by reference
into this DPA and specified in Appendix 3.
Adequate Country means a country that is recognized by the
European Commission and/or the Secretary of State of the UK under Data Protection Law
providing adequate protection for Personal Data.
Adequacy Decision means a European Commission Decision
and/or a decision of the Secretary of State of the UK that a third country or an
international organization ensures an adequate level of data protection as defined in Data
Protection Law.
Appropriate Safeguards means the standard of protection
over the personal data and of data subjects’ rights, which is required by Data Protection
Law when parties are making a third country transfer relying on standard data protection
clauses.
Lowercase terms used but not defined in this DPA such as
“personal data”, “personal data breach”, “processing”, “data subject”, “data subject
request” have the meanings set out in the Data Protection Law.
2. Changes and Compliance with Data Protection Law
OpenPayd and Customer shall comply with the provisions and obligations
imposed by the Data Protection Law when processing Personal Data in connection with the
Terms. Such processing shall be in respect of the types of Personal Data, categories of data
subjects, nature and purposes, and duration, set out in the Appendix 1 to this DPA.
3. Roles and responsibilities
In providing the services under the Terms and otherwise complying with its
obligations under the Terms, OpenPayd may act as a controller upon Customer’s onboarding and
ongoing monitoring on OpenPayd’s platform, transaction screening, transaction monitoring,
payments initiation, etc., and may also act as a processor of Personal Data in relation to
processing activities performed under Customer’s documented instructions, such as technical
support, user support and any other activities related to Customer’s use of OpenPayd’s
platform that may be requested from Customer to OpenPayd from time to time.
This DPA is divided into the following sections:
- Section 4 Basic Terms – general data protection
principles, applicable irrespective of the role.
- Section 5 Controller Terms – applicable for
controller-to-controller relationship between Customer and OpenPayd.
- Section 6 Processor Terms – applicable for
controller-to-processor relationship between Customer and OpenPayd.
4. Basic Terms
4.1. Contact details
Any queries relating to the protection
of Personal Data shall be sent to OpenPayd’s DPO at [email protected]
4.2. Security of processing
OpenPayd and Customer shall process Personal Data in accordance with the
general privacy principles and in compliance with Data Protection Law. Taking into account
the state of the art, the costs of implementation and the nature, scope, context and
purposes of the processing, they shall implement appropriate technical and organisational
measures and procedures to ensure a level of security for such personal data appropriate to
the risk, including the risks of accidental, unlawful or unauthorised destruction, loss,
alteration, disclosure, dissemination or access to the Personal Data.
OpenPayd and Customer shall adopt and maintain appropriate data protection,
data privacy, information security and operational resilience policies in relation to the
processing of the Personal Data and procure that the staff comply, at all times, with such
policies. All staff shall be subject to confidentiality obligations which cover their
processing the Personal Data.
OpenPayd and Customer are solely responsible for determination as to
whether their technical and organisational measures implemented by each are adequate and
meet the requirements of the Data Protection Law.
4.3. Data Transfers
OpenPayd and Customer shall not transfer any Personal Data to a country or
a territory that is not deemed adequate, unless having in place Appropriate Safeguards.
OpenPayd and Customer shall each ensure that the Personal Data they
disclose or otherwise transfer is accurate, and they have an appropriate lawful ground as
set out in the Data Protection Law.
OpenPayd and Customer shall not disclose or transfer to
each other any excessive or irrelevant personal data that is not required in connection with
the provision or receipt of the services under the Terms.
Parties shall be able to demonstrate compliance and document and maintain
accurate, complete, and up to date records of their processing activities in accordance with
the requirements of the Data Protection Law.
Any audits and inspections shall be kept
strictly confidential unless required otherwise by the relevant regulatory authority, in
which case, to the extent legally permissible, OpenPayd and Customer shall give each other a
4.5. Purposes of processing of Personal Data
OpenPayd and Customer shall process the Personal Data only for the purposes
of provision or receipt of the services under the Terms, including for compliance with their
legal and regulatory obligations.
Personal Data shall be retained for no longer than is necessary for the
5. Controller-to-Controller Terms
Where OpenPayd and Customer process the Shared Data as independent controllers under or otherwise in connection with the Terms, the provisions set out in this Section 5 will apply to the processing of Shared Data, in addition to Section 4 Basic Terms. In case of any conflict between the provisions in Section 4 and in Section 5, Section 5 will prevail.
5.1. Customer represents and warrants to OpenPayd that it has a lawful ground to disclose all Shared Data under or in connection with the Terms.
5.2. Customer and OpenPayd each acknowledge and agree that it acts as independent data controller, or the equivalent under Data Protection Law in relation to the Shared Data it processes under or in connection with the Terms. Each shall comply with its respective obligations under the Data Protection Law.
5.3. Customer and OpenPayd shall each ensure that access to Shared Data is limited to Customer’s or OpenPayd’s staff who have a reasonable need to access Shared Data to enable Customer and OpenPayd to perform their respective duties under the Terms.
5.4. If Customer or OpenPayd receives or becomes aware of
any of the following, it shall notify the other Party without undue delay of:
(i) any breach of security or unauthorised access to Disclosed Personal Data without undue delay after becoming aware of such incident; and
(ii) any complaint, inquiry or request from a data subject or data protection authority regarding Shared Data, unless such notice is prohibited by applicable law.
5.5. Customer and OpenPayd shall refrain from notifying or responding to any data subject or data protection authority on behalf of the other Party unless
(i) specifically requested to do so by the other Party in writing or
(ii) if required by the Data Protection Law.
5.6. Each Party acknowledges and agrees that the other Party, at its sole discretion, may disclose any Shared Data or other transaction-related information to the relevant regulatory authorities or to third parties in order to perform their obligations under the Terms and/or legal/regulatory obligations under the relevant law, including but not limited to anti-money laundering, fraud monitoring, sanctions, or as may otherwise be required by the relevant law or court order, for which the other Party shall be notified in advance that such disclosure has been made, if permitted by law.
Furthermore, such disclosure may be made without a prior notice to any regulatory authority that exercises regulatory or supervisory authority with respect to a Party’s operations, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such regulatory authority in the ordinary course of business.
In respect of its processing of Shared Data, each
Party warrants, represents and undertakes that:
- it shall provide data subjects with all of the information, in a concise, transparent, easy to understand format using clear and plain language, required under the Data Protection Law to ensure that the data subjects understand how their personal data will be processed by the respective Party;
- it shall take all appropriate technical and organisational measures against unauthorised or unlawful processing of the Disclosed Personal Data and against accidental loss or destruction of, or damage to the Disclosed Personal Data, including (without limitation) by:
  - taking reasonable steps to ensure the reliability of any staff who have access to the Shared Data;
  - ensuring a level of security appropriate to the nature of the Shared Data and the risks that are presented by its processing.
- any data transfers of Shared Data to a country or a territory not deemed as an Adequate Country will be subject to Appropriate Safeguards.
5.8. Breach Notification
OpenPayd and Customer shall promptly notify each other, if required as per Data Protection Law, if they become aware of a personal data breach and provide reasonable assistance to each other to comply with their reporting obligations under the Data Protection Law.
6. Controller-to-Processor Terms
Where OpenPayd acts as a Processor in relation to the Processed Data under
or otherwise in connection with the Terms, the provisions set out in this Section 6 will
apply, in addition to Section 4 Basic terms. In case of any conflict between the provisions
in Section 4 and in Section 6, Section 6 will prevail.
6.1. Documented instructions
OpenPayd shall, unless required to do otherwise by applicable law, process
the Processed Data only on and in accordance with the Terms and any other documented
instructions from Customer.
6.2. Confidentiality and Security
OpenPayd shall implement and maintain appropriate technical and
organisational measures as defined in our Information Security Statement, and incorporated
by reference to this DPA, to ensure a level of security of Processed Data appropriate to the
risk required pursuant to Data Protection law and adequate protection of the Processed Data,
having regard to the state of technological development and the cost of implementing any
measures. Any subsequent versions of the Information Security Statement shall be applicable
to this DPA and its content will be no less stringent than its previous version.
OpenPayd shall keep Processed Data confidential and will ensure its staff and Sub-processors are bound
by the same confidentiality obligation.
6.3. Audits and Cooperation
OpenPayd shall reasonably co-operate and assist the Customer to comply with
its obligations under the Data Protection Law, such as forwarding any data subject requests
relating to Processed Data to Customer without undue delay, providing information for the
processing of Processed Data in relation to data protection impact assessments, inspections,
and notifications to data protection authorities.
On reasonable request and notice, OpenPayd
will co-operate in the conduct of any audit or inspection, reasonably necessary to
demonstrate OpenPayd’s compliance with its obligations as a processor under this DPA.
Customer shall avoid causing any damage, injury, or disruption to OpenPayd’s equipment,
staff and business in the course of such audit or inspection.
6.4. Breach Notification
In the event of a personal data breach concerning Personal Data processed
by OpenPayd, OpenPayd shall notify the Customer without undue delay after OpenPayd has
become aware of the breach. Such notification shall contain, at least:
(a) description of the nature of the personal data breach (including, where possible, the
categories and approximate number of Data Subjects and data records concerned);
(b) likely consequences of the personal data breach;
(c) measures taken or proposed to be taken to address the personal data
breach including, where appropriate, measures to mitigate its possible adverse effects;
(d) the details of a contact point where more information concerning the
personal data breach can be obtained.
Where, and insofar as, it is not possible to provide all this information
at the same time, the initial notification shall contain the information then available and
further information shall, as it becomes available, subsequently be provided without undue
delay. OpenPayd shall fully assist the Customer in assessing and notifying the personal data
breach to the competent supervisory authority, and in complying with the obligation to
communicate the personal data breach to the data subjects, where relevant.
Customer generally agrees that OpenPayd may engage third party providers
with regards to the Processed Data (“Sub-processors”). OpenPayd shall make available to
Customer the current list of Sub-processors, attached as an Appendix 1 to this DPA.
If OpenPayd engages a new Sub-processor, OpenPayd must inform Customer of
the intended engagement and Customer may object to the intended engagement of such new
Sub-processor by notifying OpenPayd within 10 (ten) business days of the notification,
provided that such objection must be on reasonable, substantial grounds, directly related to
such new Sub-processor’s ability to comply with substantially similar obligations to those
set out in this DPA. If Customer does not object, the engagement of the new Sub-processor
shall be deemed accepted by Customer. OpenPayd shall ensure that the contract with each new
Sub-processor shall impose obligations on the new Sub-processor that are substantially
equivalent to the terms of this DPA.
With respect to each Sub-processor, OpenPayd shall enter into a written
contract with the Sub-processor to ensure that at least the same level of protection will be
given to Personal Data as that required by the Terms and this DPA and, in substance, the
same data protection obligations as those binding OpenPayd under this DPA.
6.6. Data Transfers
OpenPayd may process Processed Data globally as necessary to perform the
services under the Terms. To the extent such global access involves a third country transfer
of Processed Data subject to cross-border transfer obligations under Data Protection Law
within the OpenPayd group, OpenPayd’s Intragroup Data Transfer Agreement will apply.
To the extent the processing of Processed Data involves a transfer of Processed Data to a
Sub-processor or other business partners located outside of the UK and the EEA, the Parties
agree that Processed Data may only be transferred, if:
(a) the transfer is to a jurisdiction
for which an appropriate EU and/ or UK Adequacy Decision has been issued and subject to the
terms of that Adequacy Decision;
(b) in the absence of an Adequacy Decision, the transfer is
subject to Appropriate Safeguards.
6.7. Return and deletion of data
On termination of the Terms, and Customer’s written request, OpenPayd will
return any Processed Data to the Customer or securely destroy it to the extent legally
permissible (i.e. except where storage of Processed Data is required by the relevant Laws, in
which case OpenPayd will be entitled to retain the same in accordance with the relevant Laws).
Categories of data subjects whose Personal Data is processed by OpenPayd
- Customer and Customer’s clients, directors, shareholders, employees, as
applicable, including any other individuals about whom Personal Data is provided by or
at Customer’s direction, and anyone whose Personal Data is provided by Customer and/or
associated with Customer that OpenPayd processes on behalf of Customer in connection
with the services under the Terms
Categories of personal data processed by OpenPayd
- Identity data, contact data, transaction screening and transaction
monitoring data, payments data, user account and credentials data, user location data,
as applicable for the services under the Terms
Nature and purpose for which the personal data is processed on behalf of the controller
- Processing of Personal Data such as collection, use, storage,
combination, erasure, transmission, disclosure, or otherwise making available, and any
other operation necessary for provision of the services under the Terms
Frequency and Duration of the processing
- On a continuous basis for the duration of the Terms
For processing by (sub-)processors, also specify subject matter, nature and duration of the processing
- For the duration of the Terms and for such time as required by the
Technical and organizational measures, including measures to ensure
the security of data
- As specified in the Information Security Statement
List of Sub-processors:
To the extent legally required, by signing this DPA, Customer and OpenPayd
are deemed to have signed the EU SCCs as an additional safeguard, which form part of this
DPA and will be deemed completed as follows:
Module 1 of the EU SCCs applies to transfers of Personal Data from Customer
(as a Controller) to OpenPayd (as a Controller) and Module 2 applies to transfers of
Personal Data from Customer (as a Controller) to OpenPayd (as a Processor).
Clause 7 of the EU SCCs (the optional docking clause) is included.
For Module 2, under Clause 9 of the EU SCCs, the Parties select Option 2
(General written authorization). OpenPayd shall specifically inform the Customer in writing
of any intended changes to the list through the addition or replacement of sub-processors at
least 10 (ten) business days in advance, thereby giving the Customer sufficient time to be
able to object
to such changes prior to the engagement of the sub-processor(s).
Under Clause 11 of the EU SCCs, the optional language requiring that Data
Subjects are permitted to lodge a complaint with an independent dispute resolution body
shall be deemed to be included.
Under Clause 17 of the EU SCCs, the Parties choose Option 1 (the law of an
EU Member State that allows for third-Party beneficiary rights). The Parties select the laws
Under Clause 18 of the EU SCCs (Choice of forum and jurisdiction), the
Parties select the courts of Ireland.
Annex I(A) and I(B) are completed as set forth in Appendix 1.
Under Annex I(C), the Parties shall follow the rules for identifying such
authority under Clause 13 and, to the extent legally permissible, select the Irish Data
Annex II is completed as provided in the Information Security Statement.
Annex III is completed as provided in Appendix 1 of this DPA for clarity.
With respect to Personal Data transferred from the UK, the UK Addendum to
the EU SCCs forms part of this DPA and takes precedence over the rest of this DPA as set
forth in the UK Addendum.
The UK Addendum shall be deemed complete as follows:
The Parties’ details shall be the Parties and their Affiliates to the
extent any of them are involved in such transfer and are specified in the Terms;
The Key Contacts shall be the contacts set forth in the Terms;
The Approved EU SCCs referenced in Table 2 of the UK Addendum shall be the
EU SCCs as executed by the Parties; Personal data received from the exporter can be combined
with personal data collected by the importer.
Annex I(A) and I(B) are completed as set forth in Appendix 1.
Annex II is completed as provided in the Information Security Statement.
Annex III is completed as provided in Appendix 1 of this DPA for clarity.
Either Party may end this DPA as set out in Section 19 of the UK Addendum.
By entering into this DPA, the Parties are deemed to be signing the UK