This PayPal Data Protection Addendum for Card Processing Products (this "Addendum") applies to any product, service, or other offering where PayPal provides card processing, gateway and/or fraud protection services (the "Payment Services") to you. This Addendum does not apply to PayPal wallet services such as pay with PayPal, Venmo, or PayPal’s pay later offers. This Addendum forms part of the applicable agreement between you ("you" or "Merchant") and PayPal, Inc. ("PayPal") that governs PayPal’s provision of the card processing services to you (the "Agreement") and is incorporated by reference therein. In the event there is any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum will control. Capitalized terms used but not defined in this Addendum have the meaning set out in the Agreement.
This Addendum is effective as of the later of (i) the effective date specified in the Agreement or (ii) the effective date stated in the notice posted or provided to you in connection with this Addendum. We may amend this Addendum from time to time. The revised version will be effective at the time we post it on our website, unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will post a notice on the "Policy Updates" page of our website within the timeframe required by the Agreement. If you do not agree with any change to this Addendum, you may discontinue your use of the Payment Services.
The following terms have the following meanings when used in Part A of this Addendum:
"Controller" means an entity that determines the purposes and means of the processing of Personal Data, or, if such term (or terms addressing similar data protection and privacy roles) is defined in Data Protection Law, "Controller" shall have the meaning as defined in the applicable Data Protection Law including a "Business" as defined in the CCPA.
"Customer" means your customers who use the Payment Services in the United States and for the purposes of Part A of this Addendum, are data subjects.
"Customer Data" means the Personal Data that (i) the Customer provides to you and you pass on to PayPal through the use by you of the Payment Services and (ii) PayPal may collect from the Customer’s device and browser through use by you of the Payment Services.
"Data Protection Laws" means any applicable data protection laws, regulations, directives and regulatory requirements applicable to PayPal’s provision of the Payment Services, including any amendments thereto and any associated regulations or instruments (e.g., the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq (“CCPA”), the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988 (Cth) the Personal Information Protection and Electronic Documents Act (Canada), the Personal Data (Privacy) Ordinance (Cap.486) (Hong Kong), the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 and the Personal Data Protection Act 2012 (Singapore)).
"Personal Data" means any information relating to an identified or identifiable natural person (a "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Process" or "Processed" or "Processing" means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.
PayPal shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the Processing of Customer Data under this Addendum (including without limitation, by implementing and maintaining at all times all appropriate security measures in relation to the Processing of Customer Data) and shall not knowingly do anything or permit anything to be done with respect to the Customer Data that likely would lead to a breach by Merchant of the Data Protection Laws. PayPal shall only transfer Customer Data to third parties, sub-processors or members of the PayPal Group Entity who shall sign written agreements which contain terms for the protection of Customer Data, which are no less protective than the terms set out in this Addendum.
The parties acknowledge and agree that Merchant and PayPal are each independent Controllers in respect of all Customer Data Processed in connection with the Payment Services. As such, PayPal independently determines the purpose and the means of the Processing of such Customer Data and is not a joint Controller with Merchant with respect to such Customer Data. The parties acknowledge and agree that PayPal is permitted to use, reproduce and Process Customer Data and payment transaction data for the following limited purposes:
The parties agree to co-operate with each other to the extent reasonably necessary to enable the other party to adequately discharge their responsibility as an independent Controller under Data Protection Laws. The parties agree that to the extent Merchant receives a subject access request or any exercise by a Customer of its rights under Data Protection Laws, Merchant shall respond to such Customer’s access request directly. Merchant also shall inform the Customer that they may exercise their data subject rights in connection with the Payment Services with PayPal according to the instructions described in the Privacy Statement available at www.paypal.com. In addition, if in connection with any Security Incident, PayPal determines in its sole discretion that it must notify affected Customers and PayPal does not have the necessary contact information about an affected Customer to make such communication, then Merchant shall use commercially reasonable efforts to provide PayPal with information about Customers that Merchant may possess for the limited purpose of PayPal’s compliance with applicable notification obligations regarding affected Customers under Data Protection Laws.
We each agree that PayPal may transfer Customer Data Processed under the Agreement outside the country where it was collected as necessary to provide the Payment Services. If PayPal transfers Customer Data to a jurisdiction for which the applicable regulatory authority for the country in which the data was collected has not issued an adequacy decision, PayPal will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with the applicable Data Protection Laws. For example, and for purposes of compliance with the GDPR, PayPal relies on Binding Corporate Rules approved by competent supervisory authorities and other data transfer mechanisms for transfers of Customer Data to other members of the PayPal Group.
With respect to your data transfers to PayPal Inc. of your Customers located in the European Union, Switzerland, the European Economic Area, and/or their member states and the United Kingdom, the parties each agree that (i) your signing of the Agreement will be deemed to be signature and acceptance of the Controller to Controller Standard Contractual Clauses approved by EC Commission Decision of 27 December 2004 (C(2004)5721) ("C2C Transfer Clauses") by Merchant, as the data exporter and (ii) PayPal’s signature of this Agreement will be deemed to be signature and acceptance of the C2C Transfer Clauses by PayPal, as the data importer. In the event the European Commission revises and thereafter publishes new C2C Transfer Clauses or as otherwise required or implemented by the European Commission, the parties agree that such new C2C Transfer Clauses will supersede the present C2C Transfer Clauses. The C2C Transfer Clauses will be incorporated into the Agreement by reference and will be considered duly executed between the parties upon entering into force of this Agreement subject to the following details:
PayPal agrees it will process the Customer Data in accordance with Set II, clauses II(h)(iii) of the C2C Transfer Clauses and by signing the Agreement it will be deemed to duly initial and accept such clause II(h)(iii); and
The parties agree that the details required under the C2C Transfer Clauses Annex B are as set forth on Attachment 1.
The personal data transferred concern the following categories of data subjects:
The data exporter and its Customers.
Purposes of the transfer(s)
The transfer is made for the following purposes:
Performance of the services provided by data importer to data exporter in accordance with the Agreement.
Categories of data
The personal data transferred may include the following categories of data:
Customer name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry data, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by PayPal under the Agreement.
The personal data transferred may be disclosed only to the following recipients:
The importer’s service providers, affiliates, and personnel performing services in accordance with the Agreement.
Sensitive data (if appropriate)
The personal data transferred concern the following categories of sensitive data:
Not applicable, unless Merchant configures the service to capture such data.
Data protection registration information of data exporter (where applicable)
Additional useful information (storage limits and other relevant information)
As set forth in the Agreement.
Contact points for data protection enquiries
Data importer: Contact points for Data importer can be found in the Agreement.
Data exporter: Contact points for Data importer can be found in the Agreement.