1.1 This Data Protection Addendum (this “DPA”) forms part of and is subject to the terms of the agreement which: (a) is entered into between a SaltPay group entity (“SaltPay”) and a merchant (the “Merchant”); and (b) refers to this DPA (the “Agreement”).
1.2 This DPA governs the parties’ Processing of Personal Data in connection with the Agreement. This includes the parties’ Processing of Personal Data relating to cardholders, to a transaction or otherwise relating to the personnel of each of the parties collected or shared in connection with the Agreement.
2. Definitions and Interpretation
2.1 The capitalised terms used in this DPA shall, unless expressly stated otherwise, have the meaning given to them in the Agreement. The rules of interpretation set out in the Agreement will apply to this DPA.
2.2 Should any provision of this DPA conflict with the other terms of the Agreement, this DPA shall prevail. Should any provision of this DPA conflict with any applicable Card Scheme Standards or Merchant Application Form, the Card Scheme Standards or Merchant Application Form shall prevail.
2.3 In this DPA, the following terms shall have the following meanings:
2.3.1 “Data Protection Legislation” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regard to the processing of personal data to which a party is subject, including the Privacy and Electronic Communications Regulations 2003 (as amended by SI 2011 no. 6), the UK Data Protection Act 2018, the EU GDPR and the UK GDPR;
2.3.2 “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the meanings set out in the Data Protection Legislation (and “Process” and “Processed” shall be construed accordingly);
2.3.3 “Data Subject Request” means an actual or purported request or notice or complaint from (or on behalf of) a Data Subject exercising his rights under the Data Protection Legislation;
2.3.4 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;
2.3.5 “ICO” means the UK Information Commissioner’s Office or any successor body which replaces it;
2.3.6 “Material Impact” means a materially detrimental effect on: (a) the reputation of a party or any members of its group, as appropriate; or (b) a party’s relationship with the Data Subject; which, in each case, could reasonably result in: (i) threatened or actual enforcement action (whether formal or informal) by any Supervisory Authority or the ICO for an infringement of the Data Protection Legislation; or (ii) a prospective or actual claim by a Data Subject or third party (whether for breach of contract, negligence or any other tort, under statute or otherwise);
2.3.7 “Supervisory Authority Correspondence” means any correspondence or communication (whether written or verbal) from a Supervisory Authority or the ICO in relation to the Processing of Personal Data in connection with the Agreement;
2.3.8 “Security Requirements” means the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation including, in particular, the measures set out in Article 32(1) of the EU GDPR and UK GDPR (as applicable) (taking due account of the matters described in Article 32(2) of the EU GDPR and UK GDPR (as applicable)); and
2.3.9 “UK GDPR” means the EU GDPR as amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586) and incorporated into UK law under the UK European Union (Withdrawal) Act 2018.
3. Roles of the parties
3.1 The parties anticipate that, in respect of the Processing of Personal Data in connection with the Agreement, each party will act as an independent Controller of the Personal Data.
3.2 Neither party anticipates that they shall act as joint Controllers of the Personal Data, nor does either party appoint the other to act as its Processor for the purpose of Processing carried out in connection with the Agreement.
4. Data Protection
4.1 In respect of its Processing of Personal Data in connection with the Agreement, each party shall:
4.1.1 comply with its respective obligations under the Data Protection Legislation;
4.1.2 issue its own fair processing notices in order to be transparent with regard to its Processing of Personal Data;
4.1.3 implement and maintain appropriate technical and organisational measures sufficient to comply with the Security Requirements;
4.1.4 take reasonable steps to ensure the reliability of any of its personnel who shall have access to the Personal Data and ensure that each member of personnel with access to the Personal Data has entered into appropriate contractually-binding confidentiality undertakings;
4.1.5 cooperate with the other party to assist the other party in its reporting obligations in the event of a breach of the Data Protection Legislation in connection with the Agreement;
4.1.6 notify the other party of any Personal Data Breach which may have occurred in connection with the Agreement without undue delay upon becoming aware of the same; and
4.1.7 notify the other party promptly following its receipt of any Data Subject Request or Supervisory Authority Correspondence which that party believes, acting reasonably, is likely to have a Material Impact on the other party.